
Attacks/Breaches

12/20/2017
10:30 AM
John De Santis
Commentary

Security Worries? Let Policies Automate the Right Thing

By programming 'good' cybersecurity practices, organizations can override bad behavior, reduce risk, and improve the bottom line.

Cybersecurity and morality might seem like two entirely different universes. Yet there's something distinctly moralistic in the narrative that surrounds the security industry. It's a narrative that pits good against evil as starkly as any horror flick or morality play — with an emphasis on the dark side.

The security industry is engaged almost exclusively in the pursuit of the bad thing — the bad actor, the malware, the worm that turns PCs into zombies — and punishing it. All too often the remedy is to kill the bad without enforcing the good. But what if there were a different approach to security — a way to automate doing the right thing? To bring our better angels into the security narrative?

Much of the security industry adheres to this stomp-out-the-bad model, with mixed results. And with so much bad to go around, it's no wonder the cybersecurity market is booming. By one estimate, the market will be worth over $230 billion by 2022, up from nearly $138 billion today. Yet the cost and number of breaches are increasing even faster than security spending. It's what led VMware CEO Pat Gelsinger to tell VMworld 2017 attendees that the security industry has failed its customers — that the prevailing security model is "broken."

In fact, most security breaches and system failures are the result of people not operating systems correctly. They skip a step, or grant themselves a permission to get one task done and then leave that permission standing, so that a bad actor who gets in inherits it. These missteps could be avoided by a security approach that automatically directs, guides, or encourages system operators to do the right thing, or blocks them from doing the wrong thing. It is an enlightened security leader who prioritizes and budgets for this kind of policy enforcement; without active, automated enforcement of policy, the breaches keep coming, costs keep rising, and heads keep rolling.

To draw an analogy from the parenting world, the dominant security model today is the equivalent of raising kids only by punishing them when they do bad. A more effective approach is to encourage kids when they do the right thing — thereby building a decision-making framework in their frontal cortex that will override bad behavior. Similarly, by automating good practices in the security world, the system can override bad behavior, which will lead to a safer environment.

At the risk of stating the obvious, this approach is not based on some naïve denial of the existence of the bad actor, the malware — the dark side. In fact, when recently asked what malware a policy enforcement approach would catch, I responded simply that it doesn't; rather, assume the malware is already present and trying to do something bad. Once that assumption is accepted, you have the opportunity to turn the security model on its head into something far more powerful and resilient to zero-day attacks.

Let's say you want to protect workloads you have running in the cloud. The cloud, of course, is one of the big drivers of the rapid increase in security spending — particularly the increased deployment of cloud-based business applications. It's also a rich source of dark-tinged security narratives, particularly as it pertains to workloads. That's because workloads today can span multiple cloud platforms and are vulnerable to security breaches as they move beyond the boundaries of the data center. In the words of Forrester analyst Andras Cser, manual management of cloud workloads is essentially a death wish. That's what not to do.

But what sort of security policy would constitute doing the right thing in this context? And how could one have a policy that scales? A security policy is simply what you decide a priori is the correct behavior. You might decide to protect workloads by automating the enforcement of security policies based on contextual understanding of the people, data, and infrastructure that access and support the workload, and consistently enforce this across any cloud.

For example, consider a workload running in a bank's cloud data center in Europe that is migrated to a cloud data center outside the EU. Before the move, a bank admin could reach the data inside the workload. After it, policy and regulatory mandates (geofencing requirements for data sovereignty, or GDPR's limits on moving personal data out of the EU) no longer permit a third-party system admin at the new location to obtain the encryption key needed to look inside the workload's private data, even though the workload itself moved successfully. To protect the data from prying eyes, the bank could institute a policy that decides "who can access" based on "where a workload is located." It's the right thing to do, can be automated, and is easily enforceable without manual intervention. The practical caveat is where the check lives: it has to sit at the point where the key is released, not inside the workload, so that a copy of the encrypted disk image is worthless on its own and a change of location changes the decision automatically.
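The location-aware key-release policy described in the two paragraphs above, written out as a small deny-by-default rule engine. This is an added example and not HyTrust's product or any code from the original article; the workload, principal and region records, the `EU_REGIONS` set, the rule names and the in-memory key store are all constructed here for illustration.

```python
"""Release a workload's data-encryption key only when location and identity
policy allow it. Added illustration; everything below is hypothetical."""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional

# Constructed: regions the bank treats as "inside the EU" for sovereignty rules.
EU_REGIONS = frozenset({"eu-west-1", "eu-central-1"})


@dataclass(frozen=True)
class Workload:
    name: str
    region: str          # region the workload is running in right now
    classification: str  # e.g. "pii" (EU personal data) or "public"


@dataclass(frozen=True)
class Principal:
    user: str
    org: str   # "bank" for the bank's own staff, anything else is third party
    role: str  # e.g. "admin", "auditor"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# A rule returns a Decision to settle the request, or None to pass it on.
Rule = Callable[[Workload, Principal], Optional[Decision]]


def deny_third_party_admins(w: Workload, p: Principal) -> Optional[Decision]:
    """A hosting provider's admin never gets the key, wherever the workload is."""
    if p.org != "bank":
        return Decision(False, f"{p.user} belongs to {p.org}, not the bank")
    return None


def eu_pii_stays_in_eu(w: Workload, p: Principal) -> Optional[Decision]:
    """Geofence: PII workloads are only readable while they run in the EU."""
    if w.classification == "pii" and w.region not in EU_REGIONS:
        return Decision(False, f"{w.name} holds PII but runs in {w.region}, outside the EU")
    return None


def allow_bank_admins(w: Workload, p: Principal) -> Optional[Decision]:
    """Only reached once every deny rule has passed."""
    if p.role == "admin":
        return Decision(True, f"{p.user} is a bank admin and {w.name} is in-policy")
    return None


# Order matters: deny rules first, then the single allow rule, then default deny.
RULES: List[Rule] = [deny_third_party_admins, eu_pii_stays_in_eu, allow_bank_admins]


def evaluate(w: Workload, p: Principal, rules: List[Rule] = RULES) -> Decision:
    for rule in rules:
        decision = rule(w, p)
        if decision is not None:
            return decision
    return Decision(False, "no rule matched; default deny")


def release_key(w: Workload, p: Principal, keystore: Dict[str, bytes]) -> bytes:
    """The enforcement point: the key broker consults policy on every request.
    The workload never holds a long-term copy, so moving it moves nothing useful."""
    decision = evaluate(w, p)
    if not decision.allowed:
        raise PermissionError(decision.reason)
    return keystore[w.name]


def migrate(w: Workload, new_region: str) -> Workload:
    """Simulate the cloud moving the workload; the policy sees the new region."""
    return replace(w, region=new_region)


if __name__ == "__main__":
    keystore = {"ledger": b"constructed-wrapped-dek"}   # constructed sample key
    ledger = Workload("ledger", "eu-west-1", "pii")
    alice = Principal("alice", "bank", "admin")
    bob = Principal("bob", "cloud-provider", "admin")

    print("before move:", evaluate(ledger, alice))       # allowed
    print("provider admin:", evaluate(ledger, bob))      # denied
    moved = migrate(ledger, "us-east-1")
    print("after move:", evaluate(moved, alice))         # denied
    try:
        release_key(moved, alice, keystore)
    except PermissionError as e:
        print("key broker refused:", e)
```

The decision is recomputed on every key request rather than cached with the workload, which is what makes the geofence self-enforcing: nobody has to remember to revoke anything when the workload moves, and a principal outside the bank is refused even while the workload is still in Europe.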

That's one way to automate good security practices — and it will certainly give our better angels a stronger voice in the security narrative. 

John De Santis has operated at the bleeding edge of innovation and business transformation for over 30 years, with international and US-based experience at venture-backed technology start-ups as well as large global public companies. Today, he leads HyTrust, whose ...
Comments
JohnTMoran, User Rank: Author, 2/14/2018 | 8:03:25 PM
Re: People are weakest link
That's the key, though; the goal of automation should be to support people, not to replace them. When the goal is to replace them, you are almost always setting yourself up for failure.
Dr.T, User Rank: Ninja, 12/26/2017 | 9:29:54 AM
Re: Visibility tools
"This helps to identify many potential policy errors that may have been committed unintentionally." This makes sense. As we discussed, people are the weakest link; anything we can do to help them will eventually help the environment.
Dr.T, User Rank: Ninja, 12/26/2017 | 9:24:05 AM
Re: Visibility tools
"Visibility tools can help you visualize network and policy flow." That is true. They also need to learn from the network, since the threats would change.
Dr.T, User Rank: Ninja, 12/26/2017 | 9:17:38 AM
Re: Visibility tools
"identify, interpret and act on threats" This requires good intelligence on the automation part; maybe a bot keeps checking and acting on the unknown patterns.
Dr.T, User Rank: Ninja, 12/26/2017 | 9:15:29 AM
Re: Visibility tools
"The reality is that very few IT administrators have an accurate picture of what is actually happening in the network" I would agree with that. In a complex network it would be hard to understand and have visibility into all the security details in the network; that is why automation is a good option.
Dr.T, User Rank: Ninja, 12/26/2017 | 9:12:35 AM
People are weakest link
I like the automation of security policies to support people, since they are the weakest link in the process.
JohnGiordani, User Rank: Apprentice, 12/20/2017 | 11:36:29 AM
Visibility tools
The reality is that very few IT administrators have an accurate picture of what is actually happening in the network and do not have automated tools that can quickly identify, interpret and act on threats. Network visibility tools help security professionals discover things about the network and user behavior that had never been considered before. Visibility tools can help you visualize network and policy flow. They can show how a particular type of traffic currently travels through the network, and what security policies that traffic affects. This helps to identify many potential policy errors that may have been committed unintentionally.