How can you defend against attacks that leverage automation and are outpacing alerting mechanisms and manual-access controls?
Consider this: Ann arrives at headquarters with an iPad in hand and taps the Outlook icon to start the workweek. The security systems you deployed recognize Ann as an engineering manager who should get access not only to the company’s mail systems but to its development servers. A potential red flag: the device is not her company-issued PC. But this bring-your-own-device (BYOD) dilemma is no problem in your world.
Ann is redirected to remediation servers you’ve set up that will automatically scan her iPad for viruses and malware. Once it’s deemed clean, instructions are automatically sent to your network firewalls to grant Ann access. In a matter of seconds, Ann is perusing functional specifications on the company’s engineering servers. Later, she spends a few minutes catching up with friends and downloads an app she simply “must check out.”
That’s when Ann’s connectivity is disrupted. She’s redirected to a Web page on your remediation systems that informs her the app she recently downloaded has embedded malware. She is given detailed instructions on how to clean up her iPad and get back on the network.
Meanwhile, you are at a company offsite discussing how to capture the cost savings of moving the company from managed to employee-owned devices.
This is not a fantasy world. This is the reality for many firms that understand the benefits of collaborative and automated security. They have implemented technologies based on open architectures in order to make this scenario their everyday world. The evolution and aim of this kind of open architecture – and what it means for the future of network security – is the focus of this discussion.
Some time ago, the Trusted Computing Group (TCG), an international standards body, formed the Trusted Network Connect (TNC) subgroup with the goal of providing endpoint security and integrity. That collaboration produced an open architecture for multi-vendor interoperability among end-user devices, vendors’ security products and security policies. Interoperability of this kind promised better endpoint security through broad sharing of security information.
IF-MAP, the Interface for Metadata Access Points, is the TNC protocol that makes this kind of information sharing among security devices possible. Each security device acts as a MAP client that publishes, searches and subscribes to metadata held on a Metadata Access Point (MAP) server, over a TLS-protected connection.
The notion behind IF-MAP is simple yet powerful: real-time information sharing among security devices makes higher security possible. If every security device in the network – end-user agents, firewalls, sensors, telemetry devices, vulnerability scanners and logging systems – can publish what it knows in a common protocol, then a comprehensive security picture can be stored on a central MAP server and queried by any device that needs it. That picture links identifiers (a user identity, a device, an IP address, the access request that ties them together) with metadata such as who authenticated as whom, what role they hold, what posture a device reported and what events a sensor observed about it. Two caveats follow directly: the MAP server becomes a high-value target, so every client must authenticate to it, and a spoofed or careless publisher poisons the picture that everything downstream acts on.
Security vendors can then focus on leveraging this central store to build tools and management systems that automate security decision-making. The same store gives significant, if not total, visibility into the security posture of any network, whether dispersed, centralized, virtualized or in the cloud.
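The following in-memory model, added here as an illustration and not code from the article or from TCG, replays the Ann scenario from the opening of the article over an IF-MAP-style publish/search/subscribe exchange. Real IF-MAP is SOAP over TLS between MAP clients and a MAP server; this folds the three operations into Python calls so the correlation logic is visible. Identifier kinds and metadata names follow the TNC IF-MAP Metadata for Network Security vocabulary; the client names (`pdp`, `remediation`, `sensor`, `flow-controller`), the policy in `decide()` and the sample session data are assumptions made for the example.

```python
"""Toy in-memory model of IF-MAP-style publish/search/subscribe.
Added example, not code from the article or from TCG: real IF-MAP is SOAP over
TLS to a MAP server; this folds it into Python calls so the correlation logic is
visible. Identifier kinds and metadata names follow the TNC IF-MAP Metadata for
Network Security vocabulary; the clients, policy and data here are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Identifier:
    kind: str   # "access-request", "identity", "device", "ip-address", ...
    value: str


@dataclass
class Metadata:
    name: str        # "authenticated-as", "role", "access-request-ip", "event", ...
    attrs: dict
    publisher: str   # which MAP client published it


class MapServer:
    """Metadata hangs off one identifier or off a link between two of them."""

    def __init__(self):
        self.links = defaultdict(list)    # frozenset of 1-2 Identifiers -> [Metadata]
        self.subs = {}                    # (client, sub name) -> (start, max_depth)
        self.pending = defaultdict(list)  # client -> results waiting for poll()

    def publish_update(self, publisher, a, b=None, name="", **attrs):
        key = frozenset([a] if b is None else [a, b])
        self.links[key].append(Metadata(name, attrs, publisher))
        self._notify(key)

    def search(self, start, max_depth=2):
        """Breadth-first walk from `start`, at most `max_depth` links out."""
        seen_ids, seen_links, result = {start}, set(), []
        queue = deque([(start, 0)])
        while queue:
            node, depth = queue.popleft()
            for key, mds in self.links.items():
                if node not in key or key in seen_links:
                    continue
                seen_links.add(key)
                result.extend((key, md) for md in mds)
                if depth < max_depth:
                    for other in key - {node}:
                        if other not in seen_ids:
                            seen_ids.add(other)
                            queue.append((other, depth + 1))
        return result

    def subscribe(self, client, sub_name, start, max_depth=2):
        self.subs[(client, sub_name)] = (start, max_depth)

    def _notify(self, changed_key):
        # A subscriber learns of a publish that lands inside its search result.
        for (client, sub_name), (start, depth) in self.subs.items():
            if any(key == changed_key for key, _ in self.search(start, depth)):
                self.pending[client].append((sub_name, self.links[changed_key][-1]))

    def poll(self, client):
        results, self.pending[client] = self.pending[client], []
        return results


def decide(server, access_request):
    """Policy a flow controller applies to everything reachable from one session."""
    role, ip, critical = None, None, []
    for key, md in server.search(access_request, max_depth=2):
        if md.name == "role":
            role = md.attrs["role"]
        elif md.name == "access-request-ip":
            ip = next(i.value for i in key if i.kind == "ip-address")
        elif md.name == "event" and md.attrs.get("significance") == "critical":
            critical.append(md.attrs["event"])
    if critical:                    # a critical sensor event overrides any role
        return {"action": "quarantine", "ip": ip, "reason": critical}
    if role == "engineering-manager":
        return {"action": "allow", "ip": ip, "acl": ["mail", "dev-servers"]}
    return {"action": "deny", "ip": ip, "acl": []}


def run_scenario():
    """Replays the Ann story; returns the flow controller's decisions in order."""
    server = MapServer()
    ar = Identifier("access-request", "ar-0001")    # constructed sample session
    ann, ipad = Identifier("identity", "ann"), Identifier("device", "ipad-ann")
    ip = Identifier("ip-address", "10.0.5.23")
    server.subscribe("flow-controller", "ann-session", ar)
    server.publish_update("pdp", ar, ann, name="authenticated-as")
    server.publish_update("pdp", ar, ann, name="role", role="engineering-manager")
    server.publish_update("pdp", ar, ip, name="access-request-ip")
    server.publish_update("pdp", ar, ipad, name="access-request-device")
    server.publish_update("remediation", ar, ipad, name="device-attribute", attr="av-clean")
    decisions = [decide(server, ar)["action"]]      # Ann is let in
    # Later a sensor flags the downloaded app. It never talks to the firewall:
    # it publishes, the subscription delivers, and the policy above decides.
    server.publish_update("sensor", ip, name="event", event="malware-detected",
                          significance="critical")
    for _, md in server.poll("flow-controller"):
        if md.name == "event":
            decisions.append(decide(server, ar)["action"])
    return decisions
```

The point the model makes is that no device in the chain addresses another directly. The sensor knows nothing about firewalls; it publishes an `event` on the IP address, the flow controller's subscription rooted at Ann's access request picks it up because the IP is one link away, and the policy re-evaluates the whole reachable graph rather than a single alert. That is also where the trust boundary sits: `decide()` believes every `publisher` equally, so in a real deployment the MAP server's client authentication and the policy's weighting of publishers are what keep a rogue "sensor" from quarantining whoever it likes.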
You may be asking whether anyone has adopted this standard and how far vendors have gone in building IF-MAP-based architectures. A number of TNC-certified products are available today, and the list is growing.
The scenario described at the beginning of this article is achievable with generally-available solutions, but the march toward full security automation does not stop there. The journey leads to systems collaborating to detect, disrupt, mitigate and even retaliate within seconds of an attack. This kind of automation does not live in the distant future; it begins now.
By deploying a broad set of IF-MAP-compliant, interoperable technologies and management systems, you will be able to act on a shared, actionable picture of the network rather than on isolated alerts.
Security automation no longer has to mean false positives and disrupted business. Note that nothing in the Ann scenario blocks outright: each automated step redirects to a remediation page the user can act on, and that reversibility is what makes an automated response safe to run when the input is wrong. A new generation of threats and attackers is leveraging automation and outpacing alerting mechanisms and manual access controls. The efficient protections of today and the foreseeable future will be built on automation-based architectures.
The sooner, the better.