
12/20/2017 10:30 AM
John De Santis
Commentary

Security Worries? Let Policies Automate the Right Thing

By programming 'good' cybersecurity practices, organizations can override bad behavior, reduce risk, and improve the bottom line.

Cybersecurity and morality might seem like two entirely different universes. Yet there's something distinctly moralistic in the narrative that surrounds the security industry. It's a narrative that pits good against evil as starkly as any horror flick or morality play — with an emphasis on the dark side.

The security industry is engaged almost exclusively in the pursuit of the bad thing — the bad actor, the malware, the worm that turns PCs into zombies — and punishing it. All too often the remedy is to kill the bad without enforcing the good. But what if there were a different approach to security — a way to automate doing the right thing? To bring our better angels into the security narrative?

Much of the security industry adheres to this stomp-out-the-bad model, with mixed results. And with so much bad to go around, it's no wonder the cybersecurity market is booming. By one estimate, the market will be worth over $230 billion by 2022, up from nearly $138 billion today. Yet the cost and number of breaches are increasing even faster than security spending. It's what led VMware CEO Pat Gelsinger to tell VMworld 2017 attendees that the security industry has failed its customers — that the prevailing security model is "broken."

In fact, most security breaches and system failures are the result of people not operating systems correctly. They forget to do something or give themselves permission to do an action, then leave that permission open so that bad actors can take advantage of it. These missteps could be avoided by a security approach that automatically directs, guides, or encourages system operators to do the right thing or blocks them from doing bad things. It is an enlightened security leader who prioritizes and budgets for this kind of security policy enforcement; without active and automated enforcement of policy, the breaches keep coming, costs keep rising, and heads keep rolling.

To draw an analogy from the parenting world, the dominant security model today is the equivalent of raising kids only by punishing them when they do bad. A more effective approach is to encourage kids when they do the right thing — thereby building a decision-making framework in their frontal cortex that will override bad behavior. Similarly, by automating good practices in the security world, the system can override bad behavior, which will lead to a safer environment.

At the risk of stating the obvious, this approach is not based on some naïve denial of the existence of the bad actor, the malware — the dark side. In fact, when recently asked what malware a policy enforcement approach would catch, I responded simply that it doesn't; rather, assume the malware is already present and trying to do something bad. Once that assumption is accepted, you have the opportunity to turn the security model on its head into something far more powerful and resilient to zero-day attacks.

Let's say you want to protect workloads you have running in the cloud. The cloud, of course, is one of the big drivers of the rapid increase in security spending — particularly the increased deployment of cloud-based business applications. It's also a rich source of dark-tinged security narratives, particularly as it pertains to workloads. That's because workloads today can span multiple cloud platforms and are vulnerable to security breaches as they move beyond the boundaries of the data center. In the words of Forrester analyst Andras Cser, manual management of cloud workloads is essentially a death wish. That's what not to do.

But what sort of security policy would constitute doing the right thing in this context? And how could one have a policy that scales? A security policy is simply what you decide a priori is the correct behavior. You might decide to protect workloads by automating the enforcement of security policies based on contextual understanding of the people, data, and infrastructure that access and support the workload, and consistently enforce this across any cloud.

For example, consider a workload that is running in a bank's cloud data center in Europe and the workload is migrated to a cloud data center outside the EU. The data in the workload was accessible by a bank admin before the move, but now, policy and regulatory mandates (geofencing requirements for data sovereignty or GDPR) no longer permit a third-party system admin to access an encryption key to look inside private workload data, even though the workload was successfully moved to the new location. To protect the data from prying eyes, the bank could institute a policy delineating "who can access" based on "where a workload is located." It's the right thing to do, can be automated, and is easily enforceable, without manual intervention.
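The bank scenario above, and the earlier point about admins granting themselves a permission and then leaving it open, can both be expressed as a small policy decision point. The following is an added illustration, not code from the article or from any vendor it mentions; the region names, roles, workload identifiers and the `evaluate_key_release` and `migrate` functions are all assumptions made for the example. The policy reads facts (who is asking, where the workload currently runs, whether a time-boxed grant is still valid) and answers one question: may this principal obtain the workload's encryption key? Nothing in the rules changes when the workload moves; the location is simply a fact the rules consult.

```python
"""Policy-driven key release for cloud workloads (constructed illustration).

A tiny policy decision point: given a principal, the workload's current
location and a time-boxed access grant, decide whether the data-encryption
key may be released.  All identifiers here are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Regions treated as inside the EU for data-sovereignty purposes.
# Assumption: illustrative names, not a real provider's region identifiers.
EU_REGIONS = frozenset({"eu-west", "eu-central"})


@dataclass(frozen=True)
class Workload:
    workload_id: str
    owner_org: str          # organisation whose data the workload holds
    region: str             # where the workload currently runs
    eu_sovereign: bool      # data subject to EU residency requirements


@dataclass(frozen=True)
class Principal:
    user_id: str
    org: str                # employer; a third party if it differs from owner_org
    role: str               # e.g. "sysadmin", "auditor"


@dataclass(frozen=True)
class AccessGrant:
    """A time-boxed permission.  Open-ended grants are rejected outright so a
    permission cannot be 'left open' after the task that needed it is done."""
    user_id: str
    workload_id: str
    expires_at: Optional[datetime]


@dataclass
class Decision:
    allow: bool
    reason: str


def evaluate_key_release(principal: Principal, workload: Workload,
                         grant: Optional[AccessGrant], now: datetime) -> Decision:
    """Rules are evaluated in order; the first failing rule denies."""
    # Rule 1: a grant must exist for this principal and workload, carry a finite
    # expiry, and not yet have expired.
    if (grant is None or grant.user_id != principal.user_id
            or grant.workload_id != workload.workload_id):
        return Decision(False, "no access grant for this principal/workload")
    if grant.expires_at is None:
        return Decision(False, "open-ended grant rejected; grants must expire")
    if now >= grant.expires_at:
        return Decision(False, "grant expired")
    # Rule 2: only the sysadmin role may obtain keys at all.
    if principal.role != "sysadmin":
        return Decision(False, f"role {principal.role!r} may not obtain keys")
    # Rule 3: geofence.  Once EU-sovereign data sits outside the EU, only the
    # owning organisation's own admins may unlock it; third-party admins are refused.
    if (workload.eu_sovereign and workload.region not in EU_REGIONS
            and principal.org != workload.owner_org):
        return Decision(False, f"workload {workload.workload_id} is in "
                               f"{workload.region}; third-party key access "
                               f"denied outside the EU")
    return Decision(True, "all policy rules satisfied")


def migrate(workload: Workload, new_region: str) -> Workload:
    """Relocate a workload.  Only the location fact changes; the policy does not."""
    return Workload(workload.workload_id, workload.owner_org,
                    new_region, workload.eu_sovereign)


def demo():
    """Walk the article's scenario; returns the four allow/deny outcomes."""
    now = datetime(2017, 12, 20, 10, 30, tzinfo=timezone.utc)
    ledger = Workload("ledger-01", "bank", "eu-west", eu_sovereign=True)
    contractor = Principal("ops-contractor", "cloud-msp", "sysadmin")  # third party
    bank_admin = Principal("alice", "bank", "sysadmin")
    grants = {
        "ops-contractor": AccessGrant("ops-contractor", "ledger-01", now + timedelta(hours=8)),
        "alice": AccessGrant("alice", "ledger-01", now + timedelta(hours=8)),
    }
    before = evaluate_key_release(contractor, ledger, grants["ops-contractor"], now)
    moved = migrate(ledger, "us-east")
    after = evaluate_key_release(contractor, moved, grants["ops-contractor"], now)
    owner = evaluate_key_release(bank_admin, moved, grants["alice"], now)
    stale = evaluate_key_release(bank_admin, moved, grants["alice"], now + timedelta(days=1))
    for label, d in (("before move", before), ("after move", after),
                     ("owner after move", owner), ("owner, grant expired", stale)):
        print(f"{label:22s} allow={d.allow!s:5s} {d.reason}")
    return before.allow, after.allow, owner.allow, stale.allow


if __name__ == "__main__":
    demo()
```

The contractor is allowed while the workload is in `eu-west`, refused the moment it is migrated to `us-east`, while the bank's own admin is still allowed; the same admin is refused a day later because the grant has lapsed. Both refusals happen without anyone revisiting the rules by hand, which is the point of writing the policy down once and letting the system enforce it.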

That's one way to automate good security practices — and it will certainly give our better angels a stronger voice in the security narrative. 

John De Santis has operated at the bleeding edge of innovation and business transformation for over 30 years -- with international and US-based experience at venture-backed technology start-ups as well as large global public companies. Today, he leads HyTrust, whose ...
Comments
JohnTMoran
User Rank: Author
2/14/2018 | 8:03:25 PM
Re: People are weakest link
That's the key though; the goal of automation should be to support people, not to replace them.  When the goal is to replace them, you are almost always setting yourself up for failure.
Dr.T
User Rank: Ninja
12/26/2017 | 9:29:54 AM
Re: Visibility tools
"This helps to identify many potential policy errors that may have been committed unintentionally." This makes sense. As we discussed, people are the weakest link; anything we can do to help them will eventually help the environment.
Dr.T
User Rank: Ninja
12/26/2017 | 9:24:05 AM
Re: Visibility tools
"Visibility tools can help you visualize network and policy flow." That is true. They also need to learn from the network, since the threats would change.
Dr.T
User Rank: Ninja
12/26/2017 | 9:17:38 AM
Re: Visibility tools
"identify, interpret and act on threats" This requires good intelligence on the automation part; maybe a bot keeps checking and acting on the unknown patterns.
Dr.T
User Rank: Ninja
12/26/2017 | 9:15:29 AM
Re: Visibility tools
"The reality is that very few IT administrators have an accurate picture of what is actually happening in the network" I would agree with that. In a complex network it would be hard to understand and have visibility into all the security details in the network; that is why automation is a good option.
Dr.T
User Rank: Ninja
12/26/2017 | 9:12:35 AM
People are weakest link
I like the automation of security policies to support people since they are the weakest link in the process.
JohnGiordani
User Rank: Apprentice
12/20/2017 | 11:36:29 AM
Visibility tools
The reality is that very few IT administrators have an accurate picture of what is actually happening in the network and do not have automated tools that can quickly identify, interpret and act on threats. Network visibility tools help security professionals discover things about the network and user behavior that had never been considered before. Visibility tools can help you visualize network and policy flow. They can show how a particular type of traffic currently travels through the network, and what security policies that traffic affects. This helps to identify many potential policy errors that may have been committed unintentionally.