Risk based security


Those of us in the world of cybersecurity are facing increasingly dynamic threats from profit-driven and sophisticated cybercriminals. We are now living in a world where attacks are driven, more and more, by well-funded organised crime as well as nation states. Given the trends in strategic technology, has the time come for a more risk-based approach to security?

Writing for Net-Security.org, Bret Hartman, VP and CTO of Cisco Security Business Group, outlines some of the highlights from the whole concept of risk-based security and self-protection. Namely:

“In a digital business world, security cannot be a roadblock that stops all progress.”
“Organisations will increasingly recognise that it is not possible to provide a 100% secured environment.”
“Perimeters and firewalls are no longer enough; every app needs to be self-aware and self-protecting.”

It's hard enough to embrace the reality of the situation as it now is: it is no longer a question of 'if' but 'when' an organisation gets attacked. Both the motives and the persistence of attackers have increased and, furthermore, their knowledge of classic security technologies and applications is becoming more and more sophisticated.

This challenge will only become harder to face as companies become more wedded to cloud computing and the Internet of Things (IoT). With the number of connected devices growing exponentially – expected to exceed 50 billion connected devices by 2020 – getting security right is crucial to companies.

The best place to start is with a security approach that is both threat-centric and operational – focusing on the threat itself rather than an easily circumvented set of standard policies. A good security system must provide broad coverage and rapidly learn and adjust to new attack methods. New platforms, like Intel's, are taking this on board – enabling large-scale event management and custom analytics. Their new Security BI platform stores server event log data and performs big data correlation to detect abnormalities in the system and flag them for review. This enables users to receive fast answers to security questions.

This all recognises the fact that, with so many potential threats, a system can never be 100% safe. By focusing on the threats that can cause the most damage to a business, you can improve “the effectiveness of security controls by expanding the use of automated, dynamic controls to block the most serious threats.” By adopting this approach, it is possible to reduce the complexity and fragmentation that can occur during an attack, while at the same time gaining superior visibility and control – before, during, and after an attack.

The good news is that, even as attackers become more sophisticated in their technique, the technologies necessary for staying ahead are vastly improving. Moves must be made towards a security approach that starts from a foundation of visibility and extensive data collection and builds towards learning through context and correlation.

Big Data and related technologies – from data warehousing to analytics and business intelligence (BI) – are transforming the business world. Big Data is not simply big: Gartner defines it as "high-volume, high-velocity and high variety information assets." Managing these assets to generate the fourth "V" – value – is a challenge. Many excellent solutions are on the market, but they must be matched to specific needs. At GRT Corporation our focus is on providing value to the business customer.


RISK-BASED SECURITY AND SELF-PROTECTION – TECH TRENDS #10

Are you aiming to make your environment 100% secure?

Well — there’s a danger you’re chasing an impossible goal.

In today’s digital business world, the goalposts switch with every trend, development and hacker innovation – the chances of making your security totally and reliably watertight are constantly in flux.

So if you can't be absolutely sure that no one can break through your defences, what can you do?

It’s time to stop focussing exclusively on battling back intruders and disasters and start thinking about what you’ll do if something does break through. In other words: it’s time to start rolling out sophisticated tools to handle risk assessment and mitigation.

And how does that work in the real world?

It means adopting a multi-faceted approach.

As Gartner predicted in a report released in 2014:

“Security-aware application design, dynamic and static application security testing, and runtime application self-protection combined with active context-aware and adaptive access controls are all needed in today’s dangerous digital world.

“This will lead to new models of building security directly into applications. Perimeters and firewalls are no longer enough; every app needs to be self-aware and self-protecting.”

Let’s break it down.

Security-Aware Applications

We live in exciting, innovative times. The rise of X Applications means that home geniuses the world over can experiment with software and application development, adding to a living and ever-evolving catalogue of creation and development.

Trouble is, these aren’t always as secure as they could be. But simple modifications and add-ons can help.

For example, as the NSA explains, when it comes to crowd-sourced, Linux-based innovations, the “vast majority” of X Applications tend to be “unmodified, traditional, security-oblivious” – and even security-aware X Servers have their limitations.

But incorporating window managers can offer the inputs needed to make security decisions that X Servers lack.

These window managers create visual labels to alert the user as to which window has keyboard focus – and can even label these according to their security context. Modifying these can provide “suitable coverage” for Linux users, helping a low-security system to become security-aware.

Dynamic and Static Application Security Testing

Combining these two types of security testing can give essential insights that can’t be offered by relying on just one.

That’s because Static application security testing (SAST) approaches the problem by testing the application from the inside out, whereas Dynamic application security testing (DAST) tests from the outside in, helping you to assess the issues from all directions.

So what does that mean in practice?

SAST delves into an application’s byte code, source code and application binaries to search for vulnerabilities. DAST looks at the application in its running state. It comes at it from different angles – often unexpected and unplanned – to find any points where it might slip up.
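To make the inside-out and outside-in distinction concrete, here is an added example (not from the original article or any vendor tool) that runs a tiny static check and a tiny dynamic check over the same constructed sample code. The sample functions, the single static rule and the lone-quote probe are all assumptions chosen for illustration.

```python
import ast
import sqlite3

# Constructed sample application (hypothetical), scanned as text and then run.
APP_SOURCE = '''
def find_user(conn, name):
    query = "SELECT id FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()

def find_user_fmt(conn, name):
    query = "SELECT id FROM users WHERE name = '{}'".format(name)
    return conn.execute(query).fetchall()

def find_user_bound(conn, name):
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
'''

def sast_scan(source):
    """Inside-out: parse the source, never run it. One simple rule: a SQL
    string literal combined with other values using % or +."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.BinOp)
                    and isinstance(node.op, (ast.Mod, ast.Add))
                    and isinstance(node.left, ast.Constant)
                    and "SELECT" in str(node.left.value).upper()):
                findings.append((func.name, node.lineno))
    return findings

def dast_probe(func):
    """Outside-in: run the code against a scratch database with a lone quote
    as input; a SQL syntax error shows the input reached the SQL parser."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    try:
        func(conn, "'")
    except sqlite3.OperationalError:
        return "flagged"
    return "clean"

def run_both():
    app = {}
    exec(APP_SOURCE, app)  # load the sample so the dynamic pass can call it
    names = ("find_user", "find_user_fmt", "find_user_bound")
    return sast_scan(APP_SOURCE), {n: dast_probe(app[n]) for n in names}
```

The static rule reports only `find_user`, while the dynamic probe also flags `find_user_fmt`, which builds its query in a way the rule does not recognise. Neither pass flags the parameterised `find_user_bound`.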

Runtime Application Self-Protection (RASP)

With RASP, the application monitors itself for malicious behaviour and reconfigures itself automatically in certain situations, without a person having to get involved.

It’s built into the application itself to shield you against real-time attacks, helping the application to defend itself well beyond network or endpoint perimeters. When the security conditions are met, RASP takes over the application and rolls out the necessary protection measures. These might include ending the user’s session, alerting security personnel or causing the application to shut down.

What’s more, by embedding RASP features into the server that the application runs on, these security measures don’t interfere with the application design itself.
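The three responses described above (ending the session, alerting security personnel, shutting the application down) can be sketched as a checkpoint inside the application. This is an added example, not code from the original article or from any RASP product; the class names, the statement allowlist and the shutdown threshold are assumptions.

```python
class RaspViolation(Exception):
    """Raised when the in-application guard blocks a request."""

class SelfProtectingApp:
    # Assumed policy for this sketch: the application only ever issues these
    # parameterised statements, so any other statement text is a violation.
    KNOWN_STATEMENTS = {"SELECT id FROM users WHERE name = ?"}
    SHUTDOWN_AFTER = 3  # assumed threshold before the application stops itself

    def __init__(self, sessions):
        self.sessions = set(sessions)  # active session ids
        self.alerts = []               # stand-in for notifying security staff
        self.violations = 0
        self.running = True

    def run_query(self, sid, statement, params=()):
        """Checkpoint at the database call, inside the application itself."""
        if not self.running:
            raise RaspViolation("application has shut itself down")
        if sid not in self.sessions:
            raise RaspViolation("no active session")
        if statement not in self.KNOWN_STATEMENTS:
            self._respond(sid, statement)
            raise RaspViolation("statement blocked")
        return ("executed", statement, params)  # a real app would query here

    def _respond(self, sid, statement):
        self.violations += 1
        self.sessions.discard(sid)                  # end the user's session
        self.alerts.append({"session": sid, "statement": statement})  # alert
        if self.violations >= self.SHUTDOWN_AFTER:  # repeated hits: shut down
            self.running = False

def demo():
    app = SelfProtectingApp(["s0", "s1", "s2", "s3"])
    good = "SELECT id FROM users WHERE name = ?"
    altered = "SELECT id FROM users"  # constructed: not a statement the app issues
    outcomes = []
    for sid, stmt in [("s0", good), ("s1", altered), ("s1", good),
                      ("s2", altered), ("s3", altered), ("s0", good)]:
        try:
            outcomes.append(app.run_query(sid, stmt, ("alice",))[0])
        except RaspViolation as exc:
            outcomes.append(str(exc))
    return outcomes, len(app.alerts), sorted(app.sessions), app.running
```

In `demo()`, the first request succeeds, each altered statement ends its session and records an alert, and after the third violation the application refuses even the legitimate request from `s0`.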

Introducing these kinds of self-protection measures in your application won’t make you totally invincible – but they’re a big step in the right direction.

Comments

  1. It is a nice article on RISK-BASED SECURITY AND SELF-PROTECTION. Thanks for providing information on Static Application Security Testing SAST and Dynamic application security testing (DAST). Thanks for sharing.
