If you are in the business of security, chances are your middle name is “control.” You could call it a behavioral bias, an occupational hazard, or just a tendency for those that are trying to keep some assembly of order in the chaotic world of cyber threats.
Regardless, our world is ultimately about controlling the bad guys. Or, trying to control the bad guys – if this was only possible.
But try we must, and we can certainly cut the possibility of risk down significantly if we put the right controls in place.
Security Controls Battle the Bad Guys
There is a never-ending battle between good and evil in the cyber world and to provide guidance, there are plenty of control sets on the market today. Security controls are safeguards and counteract or minimize security risks relating to digital property. Some examples include the SANS critical controls, ISO/IEC 27002, NIST, and the Cloud Controls Matrix from the Cloud Security Alliance.
All of these can be incredibly useful tools to guide blocked traffic, allowed traffic, and traffic that causes alerts. The more you can automate a control, the better off you will be. For example, if Internet Protocol (IP) 123.45.678.9 generates an alert, then every time a packet from that specific IP address comes across, a block will be executed. This process will continue to repeat at every firewall control point. Think of it like an army of Robocops that carry out consistent rules at various points across the network.
Sounds good, right? Well, the problem is that attackers continue getting smarter and finding new ways to evade these good, but somewhat static controls. Many would say this is because controls are published (by definition), therefore allowing the bad actors to know exactly what they are up against. The smart ones have countermeasures to evade static protections, whether it be to get around anti-virus, trick the Intrusion Prevention System (IPS), or perform brute force through a password sequence.
What we need are stronger controls. And we are starting to see this with the new wave of threat intelligence services that work in tandem with context-based security controls.
Threat Intelligence and Context-based Security Controls Unite
First, there are some great sources for threat intelligence coming from a variety of sources including security companies, the government and the open source community. Researchers are striving to identify new threats and get protection to the masses as quickly as possible. Key to the success is publishing intelligence in a variety of data structures, including STIX, TAXI and other standard industry formats to best describe threats in a way that can be aggregated and understood by others. We are seeing more companies aggregating and sharing this type of data, which is a critical step in the right direction.
Second, we are seeing actionable intelligence by way of automated contextual controls starting to emerge. Gartner analyst Lawrence Pingree covers this space and advocates for intelligence awareness security controls, which is supported by his in-depth research paper: Intelligence Awareness and Adaptive Security Response Will Transform Network Firewall Markets. In this report, the basic idea is to correlate data from various sources, including end points, advanced malware detection, IPS, and firewalls that can then be used as the context to recognize and comprehend threats.
Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly moving in the right direction to enable a more actionable and relevant set of controls.
If you’re a control freak like me, this is all very good news.