Risk

11/12/2018
10:30 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

'CARTA': A New Tool in the Breach Prevention Toolbox

Gartner's continuous adaptive risk and trust assessment for averting a data breach addresses the shortcomings of static security programs.

A hacker who recently stole U.S. military secrets about combat drones and tried to sell them on the black market apparently accessed the data by searching the Internet for misconfigured Netgear routers and exploiting a 2-year-old known vulnerability involving default login credentials. Clearly, even the military struggles to protect itself from threats and attacks.

The root of this data breach emanates from an old way of thinking about implementing security — one that relies on static risk and vulnerability management. These principles and practices, which are locked in a binary view of the world, are diminishing in effectiveness in the face of a dynamically changing threat landscape. Unlike the old world of black and white, and good and bad, grayness is the new the reality in security.

To deal with this gray zone, organizations need a new approach, one that continuously monitors, assesses, adapts, and responds to risk as needed in real time.

Research firm Gartner has defined this new approach as Continuous Adaptive Risk and Trust Assessment (CARTA). The firm predicts that by 2020, 25% of new digital business initiatives will adopt a strategic CARTA approach, up from fewer than 5% in 2017.

In a nutshell, Gartner sees CARTA as a way for organizations to manage the risks that come with the digital world by deploying security that moves at the speed of digital business.

How to Implement CARTA
Under CARTA, all systems and devices are considered potentially compromised and their behaviors are continuously assessed for risk and trust. Here are the five key components for deploying a CARTA-inspired security model:

Asset Discovery
The first step in implementing a CARTA-based security program involves gathering and maintaining a comprehensive and up-to-date asset inventory. Without this data, it is virtually impossible to assess risks and apply appropriate defenses. Asset management should be automated so an organization can efficiently keep track of devices — their type, model, location, functions, and configurations — and of software, notably versions, patches, problems, and a history of vulnerabilities.

Without such information, an organization cannot perform basic proactive security measures such as monitoring network activity, taking snapshots of current configurations, and preventing attacks. Asset information can also be used to restore devices and software if an attack occurs.

Trust Relationships
Strong asset management is only as strong as the process for managing trust relationships between various devices, software, and the people who use them. Accordingly, organizations need to understand, monitor, and manage how devices, software, and people interact on an hourly basis each day.

As trust and risk increases and decreases dynamically based on context and behavior, models of trust and risk should be created that observe patterns over time. If the risk score of a specific device or user gets too high and outweighs the trust (for example, a user who tries to download a massive amount of sensitive data to an unmanaged device), an organization has two choices: reduce the risk score or increase the trust score.

Vulnerability Assessment
This consists of continuous assessment and prioritization of vulnerabilities for remediation. Because thousands of vulnerabilities are discovered each year, addressing all of them is not achievable. A more effective approach is to focus on the most serious, imminent, and executable threats. For example, remote code executions (RCEs) are among the most toxic threats to an organization. These should receive a high prioritization, especially when evidence from security intelligence feeds indicates a particular RCE vulnerability has been weaponized and is being actively exploited in the wild.

Metrics
As always, the devil is the details. This has become increasingly important because cybersecurity is now also a concern of the C-suite and boards of directors. Being able to report security metrics in business terms is now a requirement in larger organizations. These metrics are also critical to senior management when they make the case for additional investments in security resources; shoring up cyber defenses requires fact-based evidence of threats, gaps, and risks that can be understood by a nontechnical audience.

Adaptability
This is the core component of any CARTA-based security program. In response to changing security conditions, organizations need to reassess their risk levels each month, certainly each quarter. A best practice is to be proactive and adaptive, leveraging a risk-based strategy to security that adapts to the changing network of devices and applications. In addition, since the network changes far more rapidly than policies and procedures in standard compliance frameworks, a risk-based approach should be implemented on top of frameworks that may change only once a year.

Digital transformation, which is being driven by cloud, mobile, and Internet of Things technologies, is making static approaches to enterprise security irrelevant. Defending a constantly expanding attack surface, which often lacks a perimeter, requires a dynamic and continuous approach to vulnerability and risk assessment, prioritization, and remediation.

CARTA provides a useful road map for implementing a security program that is capable of responding to the volume and velocity of threats and their polymorphic nature.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Christopher Acton is vice president of security services and customer success for RiskSense, a provider of vulnerability prioritization and management software. He is a security researcher and expert in web application, infrastructure and system security. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Devastating Cyberattack on Email Provider Destroys 18 Years of Data
Jai Vijayan, Freelance writer,  2/12/2019
Up to 100,000 Reported Affected in Landmark White Data Breach
Kelly Sheridan, Staff Editor, Dark Reading,  2/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8354
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow.
CVE-2019-8355
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c.
CVE-2019-8356
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that it can lead to write access outside of the statically declared array, aka a stack-based buffer overflow.
CVE-2019-8357
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.
CVE-2013-2516
PUBLISHED: 2019-02-15
Vulnerability in FileUtils v0.7, Ruby Gem Fileutils <= v0.7 Command Injection vulnerability in user supplied url variable that is passed to the shell.