12/20/2017
10:30 AM
John De Santis
Commentary

Security Worries? Let Policies Automate the Right Thing

By programming 'good' cybersecurity practices, organizations can override bad behavior, reduce risk, and improve the bottom line.

Cybersecurity and morality might seem like two entirely different universes. Yet there's something distinctly moralistic in the narrative that surrounds the security industry. It's a narrative that pits good against evil as starkly as any horror flick or morality play — with an emphasis on the dark side.

The security industry is engaged almost exclusively in the pursuit of the bad thing — the bad actor, the malware, the worm that turns PCs into zombies — and punishing it. All too often the remedy is to kill the bad without enforcing the good. But what if there were a different approach to security — a way to automate doing the right thing? To bring our better angels into the security narrative?

Much of the security industry adheres to this stomp-out-the-bad model, with mixed results. And with so much bad to go around, it's no wonder the cybersecurity market is booming. By one estimate, the market will be worth over $230 billion by 2022, up from nearly $138 billion today. Yet the cost and number of breaches are increasing even faster than security spending. It's what led VMware CEO Pat Gelsinger to tell VMworld 2017 attendees that the security industry has failed its customers — that the prevailing security model is "broken."

In fact, most security breaches and system failures are the result of people not operating systems correctly. They forget to do something or give themselves permission to do an action, then leave that permission open so that bad actors can take advantage of it. These missteps could be avoided by a security approach that automatically directs, guides, or encourages system operators to do the right thing or blocks them from doing bad things. It is an enlightened security leader who prioritizes and budgets for this kind of security policy enforcement; without active and automated enforcement of policy, the breaches keep coming, costs keep rising, and heads keep rolling.

To draw an analogy from the parenting world, the dominant security model today is the equivalent of raising kids only by punishing them when they do bad. A more effective approach is to encourage kids when they do the right thing — thereby building a decision-making framework in their frontal cortex that will override bad behavior. Similarly, by automating good practices in the security world, the system can override bad behavior, which will lead to a safer environment.

At the risk of stating the obvious, this approach is not based on some naïve denial of the existence of the bad actor, the malware — the dark side. In fact, when recently asked what malware a policy enforcement approach would catch, I responded simply that it doesn't; rather, assume the malware is already present and trying to do something bad. Once that assumption is accepted, you have the opportunity to turn the security model on its head into something far more powerful and resilient to zero-day attacks.

Let's say you want to protect workloads you have running in the cloud. The cloud, of course, is one of the big drivers of the rapid increase in security spending — particularly the increased deployment of cloud-based business applications. It's also a rich source of dark-tinged security narratives, particularly as it pertains to workloads. That's because workloads today can span multiple cloud platforms and are vulnerable to security breaches as they move beyond the boundaries of the data center. In the words of Forrester analyst Andras Cser, manual management of cloud workloads is essentially a death wish. That's what not to do.

But what sort of security policy would constitute doing the right thing in this context? And how could one have a policy that scales? A security policy is simply what you decide a priori is the correct behavior. You might decide to protect workloads by automating the enforcement of security policies based on contextual understanding of the people, data, and infrastructure that access and support the workload, and consistently enforce this across any cloud.

For example, consider a workload running in a bank's cloud data center in Europe that is migrated to a cloud data center outside the EU. The data in the workload was accessible by a bank admin before the move, but now policy and regulatory mandates (geofencing requirements for data sovereignty, or GDPR) no longer permit a third-party system admin to access an encryption key to look inside private workload data, even though the workload was successfully moved to the new location. To protect the data from prying eyes, the bank could institute a policy delineating "who can access" based on "where a workload is located." It's the right thing to do, it can be automated, and it is easily enforceable without manual intervention.
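As an added illustration (not the author's or HyTrust's code), the geofencing rule above expressed as policy-as-code in Python: the data-encryption key is released only while the workload sits inside its data-sovereignty region and the requester is the data owner's administrator, so the same request is allowed before the migration and denied after it with no policy edit. The region names, roles, user names and workload are constructed for the example.

```python
from dataclasses import dataclass, replace

# Constructed jurisdiction map: which cloud regions count as "inside the EU".
JURISDICTIONS = {"EU": {"eu-west-1", "eu-central-1"}}

@dataclass(frozen=True)
class Workload:
    name: str
    region: str       # region the workload is currently running in
    sovereignty: str  # jurisdiction its data must not leave, e.g. "EU"

@dataclass(frozen=True)
class Principal:
    user: str
    role: str          # "bank-admin" or "third-party-admin" (constructed)
    organisation: str  # "bank" (the data owner) or "cloud-provider"

def in_jurisdiction(region: str, jurisdiction: str) -> bool:
    """True if the region lies inside the required jurisdiction."""
    return region in JURISDICTIONS.get(jurisdiction, set())

def key_release_decision(p: Principal, w: Workload) -> tuple[bool, str]:
    """Default-deny decision on releasing the workload's data-encryption key.
    Evaluated against live context (where the workload is, who asks), so a
    migration flips the outcome without anyone editing the policy. Returns
    (allowed, reason) so every decision can be written to an audit log."""
    # Rule 1: geofence. Once the workload leaves its sovereignty boundary the
    # data stays sealed for everyone, including admins of the new host.
    if not in_jurisdiction(w.region, w.sovereignty):
        return False, f"{w.name} runs in {w.region}, outside {w.sovereignty}"
    # Rule 2: least privilege. Only the data owner's administrators hold a
    # key entitlement; the cloud provider's admins never do.
    if p.organisation == "bank" and p.role == "bank-admin":
        return True, f"{p.user} is a data-owner administrator"
    return False, f"{p.user} ({p.organisation}/{p.role}) has no key entitlement"

def migration_trace(p: Principal, w: Workload, new_region: str) -> list[tuple]:
    """Same request before and after a move; returns rows for the audit log."""
    moved = replace(w, region=new_region)
    return [(w.region, *key_release_decision(p, w)),
            (moved.region, *key_release_decision(p, moved))]

if __name__ == "__main__":  # bank admin, workload migrated out of the EU
    for row in migration_trace(Principal("alice", "bank-admin", "bank"),
                               Workload("ledger-db", "eu-central-1", "EU"), "us-east-1"):
        print(row)
```

Run stand-alone it prints two audit rows: the key is released while the workload is in eu-central-1 and withheld once the same workload shows up in us-east-1.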

That's one way to automate good security practices — and it will certainly give our better angels a stronger voice in the security narrative. 

John De Santis has operated at the bleeding edge of innovation and business transformation for over 30 years -- with international and US-based experience at venture-backed technology start-ups as well as large global public companies. Today, he leads HyTrust, whose ...
Comments
JohnTMoran, User Rank: Author
2/14/2018 | 8:03:25 PM
Re: People are weakest link
That's the key though; the goal of automation should be to support people, not to replace them. When the goal is to replace them, you are almost always setting yourself up for failure.

Dr.T, User Rank: Ninja
12/26/2017 | 9:29:54 AM
Re: Visibility tools
"This helps to identify many potential policy errors that may have been committed unintentionally." This makes sense. As we discussed, people are the weakest link; anything we can do to help them will eventually help the environment.

Dr.T, User Rank: Ninja
12/26/2017 | 9:24:05 AM
Re: Visibility tools
"Visibility tools can help you visualize network and policy flow." That is true. They also need to learn from the network since the threats would change.

Dr.T, User Rank: Ninja
12/26/2017 | 9:17:38 AM
Re: Visibility tools
"identify, interpret and act on threats" This requires good intelligence on the automation part; maybe a bot that keeps checking and acting on the unknown patterns.

Dr.T, User Rank: Ninja
12/26/2017 | 9:15:29 AM
Re: Visibility tools
"The reality is that very few IT administrators have an accurate picture of what is actually happening in the network" I would agree with that. In a complex network it would be hard to understand and have visibility into all the security details in the network, and that is why automation is a good option.

Dr.T, User Rank: Ninja
12/26/2017 | 9:12:35 AM
People are weakest link
I like the automation of security policies to support people since they are the weakest link in the process.

JohnGiordani, User Rank: Apprentice
12/20/2017 | 11:36:29 AM
Visibility tools
The reality is that very few IT administrators have an accurate picture of what is actually happening in the network and do not have automated tools that can quickly identify, interpret and act on threats. Network visibility tools help security professionals discover things about the network and user behavior that had never been considered before. Visibility tools can help you visualize network and policy flow. They can show how a particular type of traffic currently travels through the network, and what security policies that traffic affects. This helps to identify many potential policy errors that may have been committed unintentionally.