Adaptive Security Architecture
A brief sneak preview on IT World’s solitary Security Guard for Tomorrow
Employee #: 2336558
Data Engineering Practices
Before we begin…
A cyber-assault on JP Morgan Chase, the United States' biggest bank, compromised more than 76 million account-holding customers and 7 million small businesses. It was one of the biggest intrusions that has ever happened: this largest bank in the country holds not only clients' personal details but, beyond that, what we call sensitive data, for example credit card details.
Security threats like this harm the way computer systems perform and operate. In other words, they attack a system, a network and much more without a person's knowledge. Conventional systems, however, make use of anti-virus software, DMZs and firewalls to shield organizations from breaches. Yet with the ever-changing nature of technology, hackers advance well ahead of us and drill down new ways to hack our systems, so that traditional systems fail to protect against advanced threats.
Before we begin, let's familiarize ourselves with the various attacks that hackers have used to harm our systems.
TYPES OF ATTACKS
Zero-day attacks
These attacks are usually encountered in applications and sit in the equipment, unknown to the users. Hackers access users' data and exploit it by attacking anonymously. Many times our systems seem to run normally, but the harm is already done by the time the vendor realizes that the system is under attack. For instance, Sony became one of the victims of a zero-day attack in which all its corporate information, top executives' e-mails, sensitive data and many other business plans were made public.
Whaling
This type of attack mainly targets the top-most executives in an organization, such as a CEO. The attacker usually disguises himself and tricks the officials, mostly through an e-mail or a web page that masquerades as authentic and crucial. For instance, in early 2016 Snapchat, a social-media application, became a victim of a whaling attack. A senior executive was tricked by a hacker who claimed to be the CEO, and revealed employee payroll information. This was immediately reported to the FBI.
Spear-phishing
This also comes in the form of an e-mail that seems to come from a person you know, but doesn't; in other words, it is an e-mail spoof. It comes from the same kind of hackers who aim to access your credit card, bank account details and other financial information on your PC. Netflix, one of the most actively watched online services, also fell prey to a spear-phishing attack in 2017. Users were targeted with e-mails telling them that their accounts had been disabled and asking them to update their payment information.
Now it would be a good time to look at our traditional (or currently used) security models!
TRADITIONAL SECURITY MODELS
Traditional security models prevent and block attacks from hackers, viruses or other malware. They are not integrated properly. Why? Because they focus only on blocking and preventing attacks.
They don't provide adequate protection against advanced attacks, which makes them a less intelligent approach.
So, what are its key challenges?
As mentioned, they primarily focus on prevention-only techniques. With the growing mobile workforce, systems and information can be accessed from anywhere at any time. Hence the more threats there are, the greater the cost invested in prevention-only technologies: as threats become more powerful, we invest more in prevention-only technologies, but this does not meet the current need. Doing this only blocks the threats from attacking, and there is a chance that they come back later with a greater impact.
This results in limited visibility for detecting advanced threats; in effect it provides only incident response, which is the wrong mindset.
Traditional security models use IDS/IPS (signature-based and behavior-based detection), DMZs and firewalls.
Owning a standalone Intrusion Detection / Prevention System (IDS/IPS) is not going to help us avert ever-changing styles of attack. This is because a standalone IDS/IPS lacks the context to distinguish between an event and a non-event. Context is also required to adapt to the various changes taking place in enterprise networks.
IMPACT OF TRADITIONAL MODEL
As we have seen, JP Morgan Chase was one of the victims of security breaches; Verizon is yet another company, investigating over 80,000 breaches every day. With network environments and technologies changing day to day, adopting the traditional model is not recommended. As the figure indicates, when a breach occurs, certain advanced malware bypasses the firewall of the traditional model. Hence malware, once injected, sits for hours, days, months, sometimes years, and takes away all the sensitive information before we realize, detect and remediate, leading to breaches.
Based on these observations we offer the following recommendations, which help build a new model to thwart these advanced attacks:
Choose ‘Continuous Response’ over ‘Incident Response’
Spend less on prevention techniques and invest more in detection, response and predictive analysis
Develop a security operation that supports continuous monitoring
Favor context-aware protection platforms from vendors that provide and integrate detection, response, prediction and protection capabilities
A continuous threat-protection process
Continuous monitoring of all IT stacks
Adopt the topic of this white paper -> adopt Adaptive Security Architecture!!
So… With that (a big) introduction, let’s begin our trip into ASA!!
ADAPTIVE SECURITY ARCHITECTURE
Traditional systems fail to protect an organization's data from advanced threats because they don't monitor continuously, and they are poorly integrated. Adaptive Security Architecture brings a dynamic change to IT security practice. The mind-set of exiting 'incident response' and implementing 'continuous response' is the change this concept brings, making it difficult for hackers to penetrate systems.
ADAPTIVE SECURITY ARCHITECTURE, a flexible measure for protecting an organization's data, is said to have four elements: Predict, Prevent, Detect and Respond. These work intelligently by integrating with each other, thus providing complete protection from advanced attacks.
ASA thereby counters attacks and reduces the impact and magnitude of potential threats. This model is designed to counter these issues:
Viruses and other attacks spread faster than defensive responses can be developed.
It should work intelligently as an integrated, adaptive system for complete protection against advanced threats. This provides visibility.
Adaptive Security Architecture provides a real-time evaluation of users by continuously monitoring, waiting to detect attacks and prevent them then and there. Next, it focuses on filtering issues by priority level, followed by stopping a widespread attack. It also helps make the target of an attack smaller and slows the rate of attack. It responds to an attack quickly and preserves the correctness of the data the attack intended to compromise.
WHY SHOULD ORGANIZATIONS ADOPT ASA?
Prevention only fails
Advanced attacks are more dangerous and prevention only techniques cannot deal with them.
This brings in context-aware security
A good platform to boost security decisions
Traditional monitoring practices are becoming inadequate. But why? Here's the reason:
Opting for "continuous response" over "incident response"
Continuous monitoring is expected, including of the IT stacks
Most organizations have many blind spots when implementing incident-response techniques
Modern machine learning and big data concepts are required for continuous monitoring
Counters future security threats
PREFERENCE TOWARDS CONTINUOUS RESPONSE OVER INCIDENT RESPONSE
Continuous response is preferred because systems are monitored continuously to detect advanced threats. We know that relentless attacks affect organizations in a variety of ways, requiring constant analysis of IT systems and network IT stacks, which enables a truly adaptive, risk-based response to advanced attacks.
BIG Data and ASA
BIG DATA is the next-generation cyber-security solution. ASA uses context-aware intelligence, which in turn uses big-data concepts. Big data is the only choice for cutting down incident response. It handles a larger volume, velocity and variety of data than traditional systems can effectively monitor, and it uncovers hidden patterns, correlations and other insights. The ability to work faster and more efficiently gives an organization a competitive edge it didn't have before.
Protecting an organization's network and its security is essential. Holding on to traditional models that provide anti-virus software and a firewall is not going to help, as they provide incident response rather than continuous response.
So, what's the role of big data in ASA? The answer is predictive analysis. What does predictive analysis do, and how does it benefit us? It takes historical data and analyzes it with machine-learning algorithms to predict future outcomes. Some of the most common applications of predictive analysis include fraud detection, risk, operations and marketing.
Metadata gives us an approach to more adaptive system security. By gathering and assembling the system's raw data, a baseline can be established, providing a means to identify breaches, take prompt active and passive defensive measures, and meet audit obligations, if any.
In the real world, devices trigger a lot of alerts. With such massive data volumes and the velocity of the data streams, this problem may even multiply. Big data technologies, however, allow fast processing and analytics of different types of data, which in turn can be used to provide, for instance, real-time anomaly detection based on scalable security analytics.
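To make the baseline idea of the last two paragraphs (and the continuous re-baselining and behavioral irregularities mentioned later in this paper) concrete, here is an added example that is not code from the white paper: it builds a per-user behavioral baseline from constructed login events, scores new events against it, and re-baselines by folding in only the events judged benign. The event format (user, hour of day, country) and the z-score threshold are assumptions.

```python
"""Per-user behavioural baseline, anomaly scoring and continuous re-baselining.
Added example, not code from the white paper; the event format (user, hour of
day, country) and the z-score threshold are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed login history; not real data.
HISTORY = [
    ("alice", 9, "US"), ("alice", 10, "US"), ("alice", 9, "US"),
    ("alice", 11, "US"), ("alice", 8, "US"), ("alice", 10, "US"),
    ("bob", 22, "DE"), ("bob", 23, "DE"), ("bob", 21, "DE"), ("bob", 22, "DE"),
]

def build_baseline(events):
    """Baseline per user: mean and std-dev of login hour plus the countries seen."""
    hours, countries = defaultdict(list), defaultdict(set)
    for user, hour, country in events:
        hours[user].append(hour)
        countries[user].add(country)
    return {u: {"mean": mean(h), "sd": pstdev(h), "countries": countries[u]}
            for u, h in hours.items()}

def score_event(baseline, event, z_limit=2.0):
    """Reasons this event deviates from the user's baseline (empty list = benign)."""
    user, hour, country = event
    prof = baseline.get(user)
    if prof is None:
        return ["unknown user"]
    sd = prof["sd"] or 1.0                 # constant history: assume 1 hour of spread
    reasons = []
    if abs(hour - prof["mean"]) / sd > z_limit:
        reasons.append("unusual hour")
    if country not in prof["countries"]:
        reasons.append("new country")
    return reasons

def rebaseline(history, new_events, z_limit=2.0):
    """Fold benign new events into history (continuous re-baselining) and return
    the refreshed baseline plus the events held back for analyst review."""
    baseline = build_baseline(history)
    flagged = []
    for event in new_events:
        reasons = score_event(baseline, event, z_limit)
        if reasons:
            flagged.append((event, reasons))   # anomalies never pollute the baseline
        else:
            history.append(event)
    return build_baseline(history), flagged

BASELINE = build_baseline(HISTORY)
```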
Data itself, structured and unstructured, is one source of risk that may cause damage. Big data provides smart decision-making and a cost-effective measure to detect fraudulent behavior before it affects the organization.
Big data lets you detect cyber threats faster and gives you the security analytics you need to act quickly. Security Information and Event Management (SIEM) analyzes and correlates the data from every event across your IT environment, prioritizes the events according to compliance and business risk, and presents the results in a customizable dashboard. This gives complete protection for your users, data and applications.
Firstly, it is essential to protect your organization against never-ending cyber threats. To do this, visibility is the solution: it is necessary to gain visibility into user- and entity-based threats by identifying irregularities in their behavioral patterns. It does not stop there; the ASA mitigates the threats by lowering the risk and impact of cyber-attacks.
Secondly, hosts infected with malware, bots or other unknown threats must be detected and identified, for example when they try to contact command-and-control servers or exfiltrate data. DNS Malware Analytics pulls malware data out of DNS logs to detect breaches before damage is done.
Unmonitored applications leave holes in your defenses that adversaries can exploit. Eliminate your application blind spots and get clear visibility into your applications by leveraging security analytics.
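As an added illustration of mining DNS logs for infected hosts (example code written for this page, not the DNS Malware Analytics product), the following flags clients whose lookups resemble malware domain generation: many failed (NXDOMAIN) lookups of random-looking names. The log format, the sample lines and the thresholds are assumptions.

```python
"""DNS-log analytics: flag clients whose lookups resemble DGA malware traffic.
Added example, not the white paper's code nor the DNS Malware Analytics product;
the log format and thresholds are assumptions."""
import math
from collections import Counter, defaultdict

# Constructed log lines "<epoch> <client_ip> <qname> <rcode>"; not a real capture.
DNS_LOG = """\
1700000000 10.0.0.5 www.example.com NOERROR
1700000010 10.0.0.5 mail.example.com NOERROR
1700000000 10.0.0.9 xk3j9qzv7p.net NXDOMAIN
1700000001 10.0.0.9 q8v2lm0tyr.com NXDOMAIN
1700000002 10.0.0.9 zz91pqo3wd.org NXDOMAIN
1700000003 10.0.0.9 a7bq2k9xlm.info NXDOMAIN
1700000004 10.0.0.9 p0o9i8u7y6.biz NOERROR
"""

def shannon_entropy(label):
    """Bits of entropy per character; random-looking DGA labels score high."""
    counts, n = Counter(label), len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def parse_dns_log(text):
    """Parse the constructed format into (client, second-level label, rcode) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines instead of crashing
        _ts, client, qname, rcode = parts
        labels = qname.rstrip(".").split(".")
        records.append((client, labels[-2] if len(labels) > 1 else labels[0], rcode))
    return records

def host_profiles(records):
    """Per-client query count, NXDOMAIN ratio and mean entropy of queried labels."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "entropy": 0.0})
    for client, sld, rcode in records:
        s = stats[client]
        s["queries"] += 1
        s["nxdomain"] += rcode == "NXDOMAIN"
        s["entropy"] += shannon_entropy(sld)
    return {c: {"queries": s["queries"], "nx_ratio": s["nxdomain"] / s["queries"],
                "mean_entropy": s["entropy"] / s["queries"]} for c, s in stats.items()}

def flag_hosts(profiles, min_queries=5, nx_ratio=0.5, entropy=3.0):
    """Clients exceeding every threshold, highest NXDOMAIN ratio first."""
    hits = [c for c, p in profiles.items() if p["queries"] >= min_queries
            and p["nx_ratio"] >= nx_ratio and p["mean_entropy"] >= entropy]
    return sorted(hits, key=lambda c: -profiles[c]["nx_ratio"])
```

A quiet client with a few failed lookups of normal names stays below the thresholds; only the client with sustained, high-entropy NXDOMAIN traffic is surfaced for investigation.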
SECURE DECISION MAKING
We know that big data helps in secure decision-making. How? Look at this figure.
Context: Context-aware intelligence is executed to improve security.
Vulnerability Insight: Provides insight into vulnerabilities, obtained through testing.
Policy: The organization's requirements for preventing and responding to advanced attacks.
Vendor Labs: Provide information feeds to support their protective solutions.
Community Intelligence: Required to protect information, and to collect, analyze and share information.
Threat Intelligence: Collects, compares and analyzes data about threats from the multiple sources required to safeguard the data. Additionally, it helps us drill down into the full information about a threat.
Building Blocks of ADAPTIVE SECURITY ARCHITECTURE:
The adaptive security architecture comprises four building blocks: prevent, detect, respond and predict. Each has three functional blocks, for a total of 12 elements.
Prevent
Minimize the attack surface by combining techniques to prevent attacks. This also describes a set of policies and processes to prevent infiltration of the environment, done by finding the vulnerabilities that malware would use to attack. Incidents are also prevented using threat intelligence. All known, unknown and advanced threats are prevented using multiple protection layers, through endpoint isolation and "sandboxing techniques", thus limiting the interaction of each IT stack with the others.
Sandboxing techniques create an isolated environment for running applications that could present a security risk. Endpoint isolation isolates at-risk endpoints in order to run an investigation and resolve issues, e.g., Bromium Endpoint Isolation.
We waste the hacker's time and create false information, systems and vulnerabilities to divert attackers. This makes it difficult for hackers to penetrate the systems.
Network/host-based IPS, behavior characteristics (signature-based) applied to third-party communication, and signature-based anti-malware scanning help prevent incidents.
Detect
Its major goal is to reduce the time to detect threats. It detects incidents, preventing potential damage from becoming actual damage, and implements continuous monitoring and security-operations analytics to identify anomalies.
It confirms and prioritizes risks based on incident detection, i.e., once an incident is detected, it is prioritized based on risk.
It contains incidents by isolating the compromised system or account from accessing other systems, for example by account lockout, network-level isolation or killing a system process. This results in better performance and efficiency.
Respond
It performs a drill-down and remediates issues discovered by detective activities. It improves the risk posture and investigates, with forensics, by providing root-cause analysis, forensic insights and preventative measures to avoid future incidents. Advanced analytic tools are used to answer questions based on these root causes.
Design/model change: done by modifying policies and controls, testing the changes against historical data before implementation.
Remediate/make change: if the test is successful, implement the changes or (optionally) automate them.
Predict
Analyze and respond: this provides feedback into the prevention and detection capabilities, forming a closed loop. It provides a baseline of systems by continuously re-baselining and discovering devices across all IT stacks.
Predict attacks: based on the investigation, the enterprise anticipates attacks and targets, and adjusts its security protection strategies to compensate.
Proactive exposure analysis: based on the analysis, determines what risks are possible for the applications being discovered, and adjusts policies and controls accordingly.
Today, cyber-security practices are not only on IT teams' to-do lists but also on CEOs' and company boards' priority lists. It will be interesting to see whether 2016 is touted as the year of a fundamental shift in how companies change their IT security practices. This change must be adopted urgently before other major cyber threats adversely impact enterprise business.
So… Let’s adopt ASA before being adaptive to vulnerabilities
The increasing complexity of digital business and the economy, combined with an emerging and well-established "hacker industry", significantly intensifies an organization's threat surface. The first couple of paragraphs of this white paper will have strongly elucidated this. The reader will also have had a reality check that relying on perimeter defense and rule-based security is inadequate, just inadequate, especially as organizations exploit more cloud-based services and open APIs for customers and partners to integrate with their systems. IT professionals and top executives must focus on detecting and responding to threats, and also bring in more traditional blocking measures to prevent attacks. Application software used for self-protection, together with user and entity behavior analytics, will help fulfill the adaptive security architecture. In short, let us conform to Stephen Covey's first effective habit of the 7 habits –