Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/12/2018
10:30 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

'CARTA': A New Tool in the Breach Prevention Toolbox

Gartner's continuous adaptive risk and trust assessment for averting a data breach addresses the shortcomings of static security programs.

A hacker who recently stole U.S. military secrets about combat drones and tried to sell them on the black market apparently accessed the data by searching the Internet for misconfigured Netgear routers and exploiting a 2-year-old known vulnerability involving default login credentials. Clearly, even the military struggles to protect itself from threats and attacks.

The root of this data breach emanates from an old way of thinking about implementing security — one that relies on static risk and vulnerability management. These principles and practices, which are locked in a binary view of the world, are diminishing in effectiveness in the face of a dynamically changing threat landscape. Unlike the old world of black and white, and good and bad, grayness is the new the reality in security.

To deal with this gray zone, organizations need a new approach, one that continuously monitors, assesses, adapts, and responds to risk as needed in real time.

Research firm Gartner has defined this new approach as Continuous Adaptive Risk and Trust Assessment (CARTA). The firm predicts that by 2020, 25% of new digital business initiatives will adopt a strategic CARTA approach, up from fewer than 5% in 2017.

In a nutshell, Gartner sees CARTA as a way for organizations to manage the risks that come with the digital world by deploying security that moves at the speed of digital business.

How to Implement CARTA
Under CARTA, all systems and devices are considered potentially compromised and their behaviors are continuously assessed for risk and trust. Here are the five key components for deploying a CARTA-inspired security model:

Asset Discovery
The first step in implementing a CARTA-based security program involves gathering and maintaining a comprehensive and up-to-date asset inventory. Without this data, it is virtually impossible to assess risks and apply appropriate defenses. Asset management should be automated so an organization can efficiently keep track of devices — their type, model, location, functions, and configurations — and of software, notably versions, patches, problems, and a history of vulnerabilities.

Without such information, an organization cannot perform basic proactive security measures such as monitoring network activity, taking snapshots of current configurations, and preventing attacks. Asset information can also be used to restore devices and software if an attack occurs.

Trust Relationships
Strong asset management is only as strong as the process for managing trust relationships between various devices, software, and the people who use them. Accordingly, organizations need to understand, monitor, and manage how devices, software, and people interact on an hourly basis each day.

As trust and risk increases and decreases dynamically based on context and behavior, models of trust and risk should be created that observe patterns over time. If the risk score of a specific device or user gets too high and outweighs the trust (for example, a user who tries to download a massive amount of sensitive data to an unmanaged device), an organization has two choices: reduce the risk score or increase the trust score.

Vulnerability Assessment
This consists of continuous assessment and prioritization of vulnerabilities for remediation. Because thousands of vulnerabilities are discovered each year, addressing all of them is not achievable. A more effective approach is to focus on the most serious, imminent, and executable threats. For example, remote code executions (RCEs) are among the most toxic threats to an organization. These should receive a high prioritization, especially when evidence from security intelligence feeds indicates a particular RCE vulnerability has been weaponized and is being actively exploited in the wild.

Metrics
As always, the devil is the details. This has become increasingly important because cybersecurity is now also a concern of the C-suite and boards of directors. Being able to report security metrics in business terms is now a requirement in larger organizations. These metrics are also critical to senior management when they make the case for additional investments in security resources; shoring up cyber defenses requires fact-based evidence of threats, gaps, and risks that can be understood by a nontechnical audience.

Adaptability
This is the core component of any CARTA-based security program. In response to changing security conditions, organizations need to reassess their risk levels each month, certainly each quarter. A best practice is to be proactive and adaptive, leveraging a risk-based strategy to security that adapts to the changing network of devices and applications. In addition, since the network changes far more rapidly than policies and procedures in standard compliance frameworks, a risk-based approach should be implemented on top of frameworks that may change only once a year.

Digital transformation, which is being driven by cloud, mobile, and Internet of Things technologies, is making static approaches to enterprise security irrelevant. Defending a constantly expanding attack surface, which often lacks a perimeter, requires a dynamic and continuous approach to vulnerability and risk assessment, prioritization, and remediation.

CARTA provides a useful road map for implementing a security program that is capable of responding to the volume and velocity of threats and their polymorphic nature.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Christopher Acton is vice president of security services and customer success for RiskSense, a provider of vulnerability prioritization and management software. He is a security researcher and expert in web application, infrastructure and system security. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12868
PUBLISHED: 2019-06-18
app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization.
CVE-2019-12865
PUBLISHED: 2019-06-17
In radare2 through 3.5.1, cmd_mount in libr/core/cmd_mount.c has a double free for the ms command.
CVE-2017-10720
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it as the Wi-Fi name. This application is installed o...
CVE-2017-10721
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the device has Telnet functionality enabled by default. This device acts as an Endoscope camera that allows its users to use it in various industrial systems and settings, car ga...
CVE-2017-10722
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it as the Wi-Fi password. This application is install...