November 12, 2014
Advanced Security – Part 1: Evolving Security from Business Barrier to Enabler
Organizations are increasingly concerned that historical industry best-practices are being stressed by the acceleration of new malware and the increasing reports of compromise via stealthy targeted attacks.
Attackers are laser-focused, leveraging indirect and multi-pronged exploits to steal data or wreak havoc.
“This is fundamentally due to cybercriminals doing their homework on organizations and waging a fierce, persistent campaign to find any possible way to get a foothold in the organization.” – JD Sherry, VP, Trend Micro
The insider threat has largely morphed into phishing attacks, which can leverage multiple internal security weaknesses and vulnerabilities to traverse the network and exfiltrate data or intellectual property undetected.
At the same time the attack surface is broad, since security is horizontal and increasingly distributed: it spans many threat vectors across all extended business functions and essential services, throughout the whole multi-location information technology and building infrastructure. Chances are that when the infrastructure was originally deployed it was secure, clean, and well organized. But as weeks, months, and even years pass, tactical changes in technology and the IT environment accumulate, weakening the security posture and opening it up to attack.
The result is that the security infrastructure becomes much more complex and fragmented, making it harder to protect. Attackers don’t discriminate and will take advantage of any gap in protection to reach their end goal. The bad guys continually evolve and innovate. All potential threat vectors need to be holistically examined and addressed across the extended enterprise. Without a proactive but practical security strategy and vital life-cycle management processes in place, the system will inevitably become vulnerable and fail.
Addressing Multi-Dimensional Threats
The terms “advanced persistent threat” (APT) and “defense in depth” have been completely overhyped in the press and are distracting organizations from the very real problem of managing targeted attacks in a rational and balanced fashion.
Many organizations lack a complete understanding of defense in depth, which limits budget and can lead to revenue-impacting events. Many well-intended vendors seeking to position their solutions confuse the concept of defense in depth even further.
Defense in depth requires a strategic security approach that is adaptive, establishes business-driven rules, and leverages people, process and systems harmoniously. Integration is vital: defense in depth only works as a holistic security management system, not as a collection of isolated controls.
Enabling Business by Integrating Policy, People, Process and Technology
The Advanced Security series of blogs takes a multi-pronged approach to addressing this increasing threat and its associated challenges. It establishes a practical core foundation that supports a clearer definition of defense in depth, and discusses the advanced security best practices and continuous improvement processes needed.
Evolving From Business Barrier to Enabler
How do organizations cut through the hype, filter out the noise of fear, uncertainty and doubt (FUD), and deal with real and present threats? How do organizations develop an affordable, practical and defensible security posture that supports the business within the available budget and resources, and enables it to grow competitively while managing risk and protecting critical assets? How do organizations develop a continuous cycle to consolidate, integrate and organize mission-critical infrastructure into a sustainable core, while still enabling healthy chaos (innovation and rapid deployment) at the edge?
The secret to success in security is typically simplicity: a well-designed and organized infrastructure that provides the appropriate layers of controls while giving users a consistent, policy-managed experience regardless of location, network transport or device. The challenge is in achieving and maintaining that goal.
“Security is a business enabler: you can drive faster with good brakes.” – Nigel Willson
Security done right is a business enabler that dramatically reduces total cost of ownership (TCO) and provides a tangible return on security investment (ROSI). Replacing IT complexity and fragmentation with an adaptive, modular and flexible architecture enables agility and improves your competitive edge, so the business can refocus quickly as new opportunities emerge.
Back to Basic Security Principles
The primary purpose of creating a security architecture is to ensure that business strategy and IT security are aligned. As such, the security architecture allows traceability from the business strategy down to the underlying technology. However, many IT organizations have moved away from formal security architecture governance in favor of rapid deployment cycles and tactical changes, which over time risk diverging into complexity and fragmentation, with unresolved security exceptions. As previously stated, complexity not only leads to insecurity and an increasing potential for human error, but also to an increased cost of operations.
A Blueprint to Evolve, Become Agile, Multi-functional, and Competitive
A security architecture is a design document describing the security components that will protect the enterprise, and the ways they relate to and interact with each other. It represents a strategic planning horizon and a guide that defines the desired state of an organization’s infrastructure. The architecture sets the context for planning, design, and implementation. It enables a company to evolve and to become agile, multi-functional, and competitive, allowing the seamless adoption of new capabilities and applications into a common infrastructure. Security architecture also facilitates budgeting for security solutions and personnel.
In summary, the security architecture provides:
- A way to evaluate applicability of new technologies, products, and services
- A framework for technology decision-making
- A macro view of IT systems and components, from the security perspective
- A statement of direction for IT
- A way to reduce and manage risk in the most cost-effective manner
- A way to facilitate compatibility and easier administration of systems
- A blueprint for future network growth
- A way to create and document consensus
- A methodology to force consideration of all design factors
- A guide for the creation of an enabling infrastructure for unforeseen new applications
Adaptive Security Architecture Lifecycle
The security architecture is used as a baseline for consensus and direction, but it must be a living document, actively maintained and capable of being updated. This process allows the security architecture to adapt and stay agile in support of the needs of the business. It evolves and sets future objectives.
System technology and users, the data and information in the systems, the risks associated with the system, business drivers, and security requirements are ever-changing. Many types of changes affect security: technological developments (whether adopted by the system owner or available for use by others); connection to external networks; a change in the value or use of information; or the emergence of a new threat. Creating an adaptive, modular architecture leads to agility and flexibility as the organization grows.
Reference Design Architecture: Security Transformation
At the same time, using the architecture to develop an annual plan sets the stage for the projects that need to occur that year, and the improvements begin to converge towards, and track with, the architecture. Finally, with proactive asset, risk, and policy management and infrastructure improvements, the security-risk profile is also managed, resulting in risk reduction. In this manner, the security architecture not only drives the IT and network infrastructure direction, but also makes it possible to illustrate tangible results, winning continued support for the program.
In Advanced Security – Part 2 we will further develop the theme of building a core foundation using architecture and design principles, define a defensible security posture based on defense in depth, and discuss advanced security best practices.
Nige the Security Guy Bio
Nigel is a Chief Security Architect with 30 years of international experience in Security Operations, Management, Research, Development and Security Services. He started his career as an assembler programmer contracted by the US DoD to develop secure operating systems that provided multi-level security and precluded covert channels. Nigel is a passionate evangelist who loves working with organizations to share thought leadership and practical strategy to help defend against advanced targeted threats.
Thanks for your Interest!
Nige the Security Guy.