Controlling The Big 7Controlling The Big 7
With limited resources, funding, and expertise, focusing on protecting the Big 7 applications will enable security professionals to reduce a large portion of their attack surface
July 7, 2013
I'm fascinated with more effective prioritization of security team activities. It's logical that given the constraints security folks face daily, figuring out how to maximize the impact of any activity is an important place to spend time. As legendary investor Warren Buffett has indicated, his most important responsibility is to effectively allocate the capital of Berkshire Hathaway. Your job is to most effectively allocate the resources, funding, and expertise of your security team.
As I discussed in my last Vulns and Threats post, understanding attack paths is one means of prioritizing your efforts. Reducing your applicable attack surface by locking down devices and aggressively segmenting networks is another way to control risk. You can also reduce attack surface by specifically protecting the select few applications frequently targeted by attackers. I call these the Big 7.
These are the applications that everyone has and uses every day -- you know, the apps that you cannot lock down or otherwise control. The ones that if they don't work, your employees cannot do their jobs. As such, they make the best targets for attackers since you can't just turn them off or lock them down. I'm talking about the browser, Java, Acrobat Reader, and Microsoft Office (Outlook, Word, Excel, PowerPoint). If you can control those applications, then you can probably eliminate a significant portion of the attacks that compromise your machines.
So how do you protect these applications? By granularly profiling them to understand how the applications interact with the device and then watching for activities that don't fit the profile. Does that sound familiar? Of course it does: It's how HIPS (host intrusion prevention) was supposed to work. The problem was that old HIPS tried to cover too much of the opening system (basically, everything) and, as a result, threw a bunch of false positives. Customers got pissed and stopped using it.
By focusing efforts specifically on the Big 7, it's a manageable task to build and maintain those profiles. You can tune the rules to find and block anomalous behavior in those applications and stop malicious activity. Conceptually, if you could prevent the Big 7 from being compromised and ensure that even when your employees do stupid things (and they will) it won't result in a pwned device -- that dramatically reduces your attack surface.
Notice I said "conceptually" above because the controls that implement these concepts are still maturing. It's complicated and requires significant ongoing research to keep the application profiles current. You need to pay attention to user experience and walk the tightrope between protecting the users from themselves and breaking their applications. Finally, these tools need better enterprise management, reporting, and policy capabilities to scale to protect thousands of users and devices. None of these issues are showstoppers; rather, they indicate the early stage of development for a promising technology.
These capabilities are being implemented in a number of different ways. Whether it's another "agent" that runs on the device watching for those non-normal behaviors, a microvisor that isolates processes within the operating systems, or an application isolation technology that runs the applications in protected enclaves, the approach is the same. These new defenses focus much of their efforts on the Big 7, and this will have a big impact on how devices are protected during the next few years.
Mike Rothman is President of Securosis and author of The Pragmatic CSO
About the Author(s)
You May Also Like
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023
How to Deploy Zero Trust for Remote Workforce Security
What Ransomware Groups Look for in Enterprise Victims
How to Use Threat Intelligence to Mitigate Third-Party Risk
Concerns Mount Over Ransomware, Zero-Day Bugs, and AI-Enabled Malware
Securing the Remote Worker: How to Mitigate Off-Site Cyberattacks
9 Traits You Need to Succeed as a Cybersecurity Leader
The Ultimate Guide to the CISSP
Quantifying the Gap Between Perceived Security and Comprehensive MITRE ATT&CK Coverage
The Evolving Ransomware Threat: What Business Leaders Should Know About Data Leakage
Managed Security and the 3rd Party Cyber Risk Opportunity Whitepaper