A hacker who recently stole U.S. military secrets about combat drones and tried to sell them on the black market apparently accessed the data by searching the Internet for misconfigured Netgear routers and exploiting a 2-year-old known vulnerability involving default login credentials. Clearly, even the military struggles to protect itself from threats and attacks.
The root of this data breach emanates from an old way of thinking about implementing security — one that relies on static risk and vulnerability management. These principles and practices, which are locked in a binary view of the world, are diminishing in effectiveness in the face of a dynamically changing threat landscape. Unlike the old world of black and white, and good and bad, grayness is the new the reality in security.
To deal with this gray zone, organizations need a new approach, one that continuously monitors, assesses, adapts, and responds to risk as needed in real time.
Research firm Gartner has defined this new approach as Continuous Adaptive Risk and Trust Assessment (CARTA). The firm predicts that by 2020, 25% of new digital business initiatives will adopt a strategic CARTA approach, up from fewer than 5% in 2017.
In a nutshell, Gartner sees CARTA as a way for organizations to manage the risks that come with the digital world by deploying security that moves at the speed of digital business.
How to Implement CARTA
Under CARTA, all systems and devices are considered potentially compromised and their behaviors are continuously assessed for risk and trust. Here are the five key components for deploying a CARTA-inspired security model:
The first step in implementing a CARTA-based security program involves gathering and maintaining a comprehensive and up-to-date asset inventory. Without this data, it is virtually impossible to assess risks and apply appropriate defenses. Asset management should be automated so an organization can efficiently keep track of devices — their type, model, location, functions, and configurations — and of software, notably versions, patches, problems, and a history of vulnerabilities.
Without such information, an organization cannot perform basic proactive security measures such as monitoring network activity, taking snapshots of current configurations, and preventing attacks. Asset information can also be used to restore devices and software if an attack occurs.
Strong asset management is only as strong as the process for managing trust relationships between various devices, software, and the people who use them. Accordingly, organizations need to understand, monitor, and manage how devices, software, and people interact on an hourly basis each day.
As trust and risk increases and decreases dynamically based on context and behavior, models of trust and risk should be created that observe patterns over time. If the risk score of a specific device or user gets too high and outweighs the trust (for example, a user who tries to download a massive amount of sensitive data to an unmanaged device), an organization has two choices: reduce the risk score or increase the trust score.
This consists of continuous assessment and prioritization of vulnerabilities for remediation. Because thousands of vulnerabilities are discovered each year, addressing all of them is not achievable. A more effective approach is to focus on the most serious, imminent, and executable threats. For example, remote code executions (RCEs) are among the most toxic threats to an organization. These should receive a high prioritization, especially when evidence from security intelligence feeds indicates a particular RCE vulnerability has been weaponized and is being actively exploited in the wild.
As always, the devil is the details. This has become increasingly important because cybersecurity is now also a concern of the C-suite and boards of directors. Being able to report security metrics in business terms is now a requirement in larger organizations. These metrics are also critical to senior management when they make the case for additional investments in security resources; shoring up cyber defenses requires fact-based evidence of threats, gaps, and risks that can be understood by a nontechnical audience.
This is the core component of any CARTA-based security program. In response to changing security conditions, organizations need to reassess their risk levels each month, certainly each quarter. A best practice is to be proactive and adaptive, leveraging a risk-based strategy to security that adapts to the changing network of devices and applications. In addition, since the network changes far more rapidly than policies and procedures in standard compliance frameworks, a risk-based approach should be implemented on top of frameworks that may change only once a year.
Digital transformation, which is being driven by cloud, mobile, and Internet of Things technologies, is making static approaches to enterprise security irrelevant. Defending a constantly expanding attack surface, which often lacks a perimeter, requires a dynamic and continuous approach to vulnerability and risk assessment, prioritization, and remediation.
CARTA provides a useful road map for implementing a security program that is capable of responding to the volume and velocity of threats and their polymorphic nature.
Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.