Gartner: An adaptive security architecture for managing advanced targeted attacks
Most enterprises concentrate their security effort on blocking: a strategy built on prevention (such as anti-virus) and control (such as firewalls) that is meant to keep threats out. That covers only the top-right quadrant of the four-part diagram below.
Perfect prevention, however, is not possible (see "Prevention Is Futile in 2020: Protect Information via Pervasive Monitoring and Collective Intelligence"). Advanced targeted attacks easily bypass traditional firewalls and the prevention mechanisms built on blacklists and whitelists.
Every organization should now assume that it is in a state of continuous compromise. Yet enterprises cling to the belief that 100% prevention can work, and so they over-rely on traditional prevention mechanisms.
As a result, when the inevitable breach occurs, most enterprises have only limited detection and response capability; the "dwell time" of the attacker is therefore long and the losses larger.
Figure 1: The four stages of the adaptive security architecture (predict -> prevent -> detect -> respond)
In practice, prevention, detection, response and prediction should all be brought to bear against every kind of attack, advanced or not. More important, these are not isolated, fixed functions: they should operate as an integrated whole that shares intelligence, and for advanced threats the adaptive system should continuously improve its protection.
Key capabilities of the adaptive security architecture
1. "Prevent" refers to the set of policies, products and processes that can be used to stop an attack. The key goal of this part is to raise the bar for attackers by reducing the attack surface, and to block attack actions before they cause impact.
2. "Detect" is used to find attacks that have slipped past the preventive layer. The key goal here is to reduce the "dwell time" of the threat and the other damage it may cause. Detection capability is critical because the enterprise should assume that it is already under attack.
3. "Respond" covers efficient investigation of, and remediation for, the issues uncovered by detection (or by an external service), in order to provide forensic evidence and attack-source analysis and to generate new preventive measures that avoid a recurrence.
4. "Predict" lets the security system learn from external monitoring of attacker activity, proactively anticipate new kinds of attack against the existing systems and information, and prioritize and locate vulnerabilities. This information is fed back to the prevention and detection functions, closing the loop.
As a framework, the adaptive security architecture helps the enterprise classify its existing and future security investments and judge whether they are balanced. Don't let the noise of the "star" security start-ups currently on the market dictate security spending; organizations need to assess where their current security investment and capabilities are lacking and decide accordingly. The adaptive architecture can also help enterprises screen and evaluate security vendors. A vendor that provides several of these security capabilities is, without doubt, strategically preferable to one that provides only a single capability.
Security is a continuous process
In an era of sustained attack, enterprises need to make a fundamental shift in security thinking, from "incident response" to "continuous response". The former holds that attacks are occasional, one-off incidents; the latter holds that attacks are uninterrupted, that attackers' efforts to penetrate systems and obtain information can never be completely blocked, and that systems must be assumed to be under attack at all times. With this understanding, the need for continuous monitoring becomes clear (see Figure 2).
Figure 2. The adaptive security architecture requires continuous monitoring
Continuous monitoring and analytics are the core of the adaptive security architecture
As Figure 2 shows, to deal with advanced attacks and achieve truly adaptive, risk-based response, the core of a next-generation security program must be continuous, pervasive monitoring and visibility that is constantly analyzed for signs of compromise. This produces large amounts of data. Unless appropriate analytics (supplemented by external resources such as context, threat intelligence and community information to improve accuracy) are used to extract high-value, actionable insight, big data is just noise. A variety of analytical methods can be applied to this data, including heuristics, statistics, reasoning, modeling, machine learning, cluster analysis and Bayesian modeling.
We believe that in the future all effective security protection platforms will, in addition to the traditional security information and event management (SIEM) system, embed domain-specific analytics as a core competence.
Enterprise monitoring should become proactive and should cover as many layers of the IT stack as possible, including network activity, the endpoint layer, the system layer, the user interaction layer and the application transaction layer.
Visibility should include both enterprise devices and employees' personal devices, and should extend across the enterprise data center and external cloud services. Future protection must not only go deep into the control layer; it should also include monitoring and visibility (see Figure 3).
Figure 3. Continuous monitoring across all technical layers
Compared with the data a traditional SIEM system can effectively monitor, the data produced by continuous monitoring of all entities and layers is far larger in volume, higher in velocity and more varied.
This is one of the reasons Gartner research believes big data will drive the next generation of security solutions (see "Information Security Is Becoming a Big Data Analytics Problem"). Another reason is that, by 2020, 40% of enterprises will establish a "security data warehouse" to store monitoring data for retrospective analysis.
Once this data has been stored and analyzed for a period of time, and enriched with context, external threat intelligence and community intelligence, a model of "normal" can be established; the analytics can then be used to distinguish behavior that deviates from that normal pattern.
With this technical support the capability will gradually become mainstream, and we believe the adaptive security architecture will become mainstream too, delivered as a platform that integrates a large number of components and provides an easy-to-use embedded analytics engine.
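The baseline-and-deviation idea in the paragraph above, as an added example that is not part of the original article or of any Gartner material: it builds a per-host baseline of "normal" daily outbound volume from constructed historical records, scores the current day's observations in standard deviations from that baseline, and uses a hypothetical context input (host role) to give bursty roles more headroom. The host names, byte counts, roles and thresholds are all assumptions made for the example; note how an entity with no history cannot be judged against "normal" and is reported separately.

```python
"""Added example: a per-host baseline of 'normal' from historical monitoring
data, with deviation scoring. Constructed data, not real telemetry."""
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: daily outbound bytes per host, "YYYY-MM-DD host bytes".
HISTORY = """\
2015-03-01 ws-17 1200000
2015-03-02 ws-17 1350000
2015-03-03 ws-17 1280000
2015-03-04 ws-17 1220000
2015-03-05 ws-17 1400000
2015-03-06 ws-17 1300000
2015-03-07 ws-17 1250000
2015-03-01 db-02 50000000
2015-03-02 db-02 52000000
2015-03-03 db-02 49000000
2015-03-04 db-02 51000000
2015-03-05 db-02 50000000
2015-03-06 db-02 53000000
2015-03-07 db-02 48000000
2015-03-01 backup-01 10000000
2015-03-02 backup-01 80000000
2015-03-03 backup-01 15000000
2015-03-04 backup-01 70000000
2015-03-05 backup-01 12000000
2015-03-01 kiosk-1 1000
2015-03-02 kiosk-1 1000
2015-03-03 kiosk-1 1000
"""

# Constructed observations for the day under analysis.
TODAY = """\
2015-03-08 ws-17 40000000
2015-03-08 db-02 52000000
2015-03-08 backup-01 150000000
2015-03-08 kiosk-1 1000
2015-03-08 ws-99 3000000
"""

# Hypothetical context input (assumed values): a host's role decides how far
# it may deviate before an alert is raised; bursty roles get more headroom.
HOST_ROLE = {"db-02": "database", "backup-01": "backup"}
ROLE_THRESHOLD = {"backup": 6.0}
DEFAULT_THRESHOLD = 3.0
MIN_SAMPLES = 3          # do not trust a baseline built from fewer days


def parse(text):
    """Yield (date, host, bytes_out) from the line format above."""
    for line in text.splitlines():
        if line.strip():
            day, host, value = line.split()
            yield day, host, int(value)


def build_baseline(history_text):
    """Per-host (mean, population std-dev, sample count) of daily bytes."""
    samples = defaultdict(list)
    for _, host, value in parse(history_text):
        samples[host].append(value)
    return {h: (mean(v), pstdev(v), len(v))
            for h, v in samples.items() if len(v) >= MIN_SAMPLES}


def zscore(value, mu, sigma):
    """Distance from the baseline in standard deviations; a flat baseline
    (sigma 0) means any change at all is infinitely unusual."""
    if sigma == 0.0:
        return 0.0 if value == mu else math.inf
    return (value - mu) / sigma


def detect(history_text, today_text):
    """Return (alerts, no_baseline). Hosts never seen before cannot be
    compared with 'normal' and are listed separately for triage."""
    baseline = build_baseline(history_text)
    alerts, no_baseline = [], []
    for day, host, value in parse(today_text):
        if host not in baseline:
            no_baseline.append(host)
            continue
        mu, sigma, n = baseline[host]
        z = zscore(value, mu, sigma)
        limit = ROLE_THRESHOLD.get(HOST_ROLE.get(host), DEFAULT_THRESHOLD)
        if abs(z) > limit:
            alerts.append({"date": day, "host": host, "observed": value,
                           "baseline_mean": round(mu),
                           "z": z if math.isinf(z) else round(z, 1),
                           "samples": n})
    return alerts, no_baseline


if __name__ == "__main__":
    found, unknown = detect(HISTORY, TODAY)
    for a in found:
        print(f"ALERT {a['host']}: {a['observed']} bytes vs mean "
              f"{a['baseline_mean']} (z={a['z']}, n={a['samples']})")
    print("no baseline yet:", unknown)
```

Run as a script it reports ws-17 (a workstation suddenly sending tens of megabytes) and lists ws-99 as having no baseline; backup-01 is well above three standard deviations but inside the wider limit its role allows, which is exactly the kind of context that keeps a statistical detector from drowning analysts in false positives.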
The six key inputs to the adaptive security architecture
Before we describe the 12 capabilities of the adaptive security architecture, note that six key inputs are also an inseparable part of the architecture and need to be weighed in security selection decisions (see Figure 4).
Policy: defines and describes the organization's various requirements, including system configuration, patching requirements, which network activity is allowed and which should be blocked, anti-virus scanning frequency, sensitive data protection, incident response, and so on. These policies often derive from internal guidance and from external influences such as regulatory requirements. A policy-driven enterprise security platform can proactively prevent and respond to advanced threats.
Context: information based on current conditions (such as location, time and vulnerability state) that lets context-aware systems improve the accuracy of security decisions with additional information. Context is critical for identifying attacks that evade traditional security mechanisms, and for identifying significant deviations from normal behavior without generating a large number of false positives.
Community intelligence: to cope better with advanced threats, information should be aggregated, analyzed and shared through cloud-based communities; ideally there should also be the ability to aggregate and analyze information by industry and region. This "crowdsourced" intelligence raises the overall level of protection for all participants; for example, community intelligence can answer questions such as "Who else is seeing what we are seeing? Has anyone else seen this application/URL/IP address before? Has one of our peers developed a new method of detecting an advanced threat that can be shared with others?"
A better community therefore lets enterprises share best practices, knowledge and skills, and the community's scale benefits from the network effect. Some communities are self-organized, such as the FS-ISAC; some are government-funded, such as the United States Computer Emergency Readiness Team (US-CERT); others are partner and developer ecosystems created by security vendors around their platforms.
Threat intelligence: at its core, threat intelligence is a trusted, high-value feed of dangerous sources, such as IP addresses, domains, URLs, files and applications. Advanced threat intelligence services should, however, also provide enterprises with intelligence about the attackers and organizations targeting them (see "Technology Overview for Security Threat Intelligence Services"), and the service provider should also give guidance that helps the enterprise defend specifically against those attacks. More and more threat intelligence is now delivered in machine-readable form, so that it can be integrated directly into network, web, email and vulnerability security platforms (see "Technology Overview for Machine-Readable Threat Intelligence").
Vulnerability analysis: provides the enterprise with analysis of the weaknesses in the devices, systems, applications and interfaces it uses. Besides known vulnerabilities, the analysis also covers unknown vulnerabilities in the enterprise's own custom applications and in third-party applications, which can be found by actively testing the applications, their libraries and their interfaces.
Vendor labs: most vendors supply the latest security information to support their own protection platforms, for example protection against newly discovered threats, and updates to blacklists and whitelists, rules and patterns.
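How machine-readable intelligence is consumed in practice, as an added example (not code from the article or from any threat intelligence vendor): a small JSON feed of indicators (an IP address, domains, a file hash) is indexed by type, indicators past their validity date are dropped, and the index is matched against constructed DNS and proxy log lines. The feed layout is assumed for the example (it is not a real vendor format or the STIX schema); addresses use reserved documentation ranges, the domains use the reserved .example TLD and the hash is constructed. The domain matcher also catches subdomains of a listed domain, which a plain set lookup would miss.

```python
"""Added example: matching a machine-readable indicator feed against proxy
and DNS logs. The feed layout and all values are constructed."""
import json
from datetime import date

AS_OF = date(2015, 3, 8)      # the day the logs were produced
HASH = "a3f1" + "0" * 60      # constructed SHA-256, not a real sample

# Constructed feed in a simple JSON layout assumed for this example (not a
# real vendor format and not the STIX schema).
FEED = json.dumps([
    {"type": "ipv4", "value": "198.51.100.23", "confidence": 90,
     "valid_until": "2015-12-31", "source": "vendor-lab"},
    {"type": "domain", "value": "update-check.example", "confidence": 70,
     "valid_until": "2015-12-31", "source": "community"},
    {"type": "sha256", "value": HASH, "confidence": 95,
     "valid_until": "2015-12-31", "source": "vendor-lab"},
    {"type": "domain", "value": "old-c2.example", "confidence": 80,
     "valid_until": "2014-06-30", "source": "community"},   # already expired
])

# Constructed log lines. dns:   "ts dns client queried-name"
#                        proxy: "ts proxy client dest-ip path sha256-or-dash"
LOGS = f"""\
2015-03-08T09:01:00 dns ws-17 cdn.update-check.example.
2015-03-08T09:01:02 proxy ws-17 198.51.100.23 /payload.bin {HASH}
2015-03-08T09:05:00 dns db-02 time.example.
2015-03-08T09:07:00 dns ws-22 old-c2.example.
2015-03-08T09:09:00 proxy ws-22 203.0.113.9 /index.html -
"""


def load_indicators(feed_json, as_of):
    """Index indicators by type and lower-cased value, dropping any whose
    valid_until date has passed so stale intelligence cannot raise alerts."""
    index = {}
    for ind in json.loads(feed_json):
        if date.fromisoformat(ind["valid_until"]) < as_of:
            continue
        index.setdefault(ind["type"], {})[ind["value"].lower()] = ind
    return index


def domain_matches(name, domains):
    """Return the indicator for name or for any parent domain of it
    (cdn.update-check.example matches update-check.example). Trailing dots
    and case from DNS logs are normalised; the bare TLD is never tried."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        hit = domains.get(".".join(labels[i:]))
        if hit:
            return hit
    return None


def scan(feed_json, log_text, as_of):
    """Return one alert per (log line, matched indicator)."""
    index = load_indicators(feed_json, as_of)
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, kind, client = parts[:3]
        hits = []
        if kind == "dns":
            hit = domain_matches(parts[3], index.get("domain", {}))
            hits += [hit] if hit else []
        elif kind == "proxy":
            dest_ip, digest = parts[3], parts[5]
            hit = index.get("ipv4", {}).get(dest_ip)
            hits += [hit] if hit else []
            if digest != "-":
                hit = index.get("sha256", {}).get(digest.lower())
                hits += [hit] if hit else []
        for hit in hits:
            alerts.append({"ts": ts, "client": client, "type": hit["type"],
                           "value": hit["value"],
                           "confidence": hit["confidence"],
                           "source": hit["source"]})
    return alerts


if __name__ == "__main__":
    for a in scan(FEED, LOGS, AS_OF):
        print(f"{a['ts']} {a['client']} matched {a['type']} {a['value']} "
              f"(confidence {a['confidence']}, from {a['source']})")
```

Three alerts come out, all for ws-17 (a subdomain of a listed domain, a listed IP address and a listed file hash); ws-22's lookup of the expired indicator produces nothing. Carrying confidence and source through to the alert is what lets the prioritization stage later weigh a vendor-lab hash differently from a low-confidence community domain.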
The 12 key capabilities of the adaptive security protection process
To achieve a comprehensive adaptive security architecture that can block, prevent, detect and respond to attacks, we believe the following 12 specific capabilities are necessary (see Figure 5).
Below is a brief introduction to the 12 capabilities, starting from the upper-right quadrant and proceeding clockwise. Note that the order does not indicate importance; all of them are equally important for full protection.
; Harden and isolate systems: the initial capability in any information security architecture is the set of techniques used to reduce the attack surface and to limit an attacker's ability to reach systems, find vulnerabilities and execute malicious code.
Whether applied at the network firewall (which permits access only to certain ports/capabilities) or in application-layer control (which permits only certain applications to execute; see "How to Effectively Deploy Application Control"), the traditional "default deny" model (whitelisting) is an effective capability; encrypting data can also be regarded as a whitelisting and hardening method at the information-system layer.
; Vulnerability and patch management: the capability to identify and close vulnerabilities; patch management also falls under this heading. Combining endpoint isolation with sandboxing technology to proactively limit the interactions between networks, systems, processes and applications is another approach (see "Technology Overview for Virtualization and Containment Systems for Advanced Attacks").
; Divert attackers: simply put, this capability aims to remove the asymmetric time advantage attackers hold over defenders. It uses a variety of techniques (such as creating fake systems, vulnerabilities and information) to make it hard for the attacker to locate the real core systems and exploitable vulnerabilities, and to hide or obfuscate system interfaces and information.
For example, Mykonos (acquired by Juniper Networks) can create a vulnerability-free image of the application layer and then present an active honeypot target; Unisys Stealth can hide network systems; and the CSG Invotas solution integrates a rich variety of diversion techniques. Although security by obscurity cannot fundamentally solve the problem, this approach is still regarded as one layer of a defense-in-depth strategy.
; Prevent incidents: this category covers a variety of mature prevention methods that stop attackers from gaining unauthorized entry, including the traditional forms of blacklist/whitelist-based anti-malware scanning and network- and host-based intrusion prevention systems. "Behavior" adds another layer here; for example, to prevent communication with command-and-control servers, intelligence on known malicious services published by third parties can be integrated into network, network-management or host-based controls.
; Detect incidents: some attackers will inevitably bypass the traditional blocking and prevention mechanisms, so the most important thing then is to detect the intrusion in the shortest possible time, minimizing the damage done and the sensitive information leaked.
Many techniques are available here, but most depend on the core analytics capability of the adaptive protection system applied to the data gathered by continuous monitoring: detecting deviations from normal network and endpoint behavior, detecting outbound connections to known malicious entities, or detecting sequences of events and behavioral signatures that point to a potential attack.
A core capability of the adaptive security architecture is this continuous, close monitoring together with analysis of observations that conflict with the historical data, so that security operations analysts can identify anomalies. Beyond that, building a continuously staffed security operations center with skilled security operations analysts is increasingly becoming a core enterprise function.
; Confirm and prioritize risk: once a potential problem is detected, the signs of attack must be validated by correlating them across different entities. For example, a threat first observed by a network-based sandbox (the processes, behaviors and registry entries seen in the sandbox environment) is then compared with what is actually happening on the endpoint.
The ability to correlate this information between the network and the endpoint was one of the main reasons for FireEye's recent acquisition of Mandiant. Based on internal and external context (such as the user, the user's role, the sensitivity of the information being processed and the business value of the asset), the events are assessed by risk and reported to the enterprise; with visualization, security operations analysts can then concentrate on the highest-priority, highest-risk problems.
; Contain incidents: once an incident has been identified, confirmed and prioritized, this category's job is to quickly isolate the infected systems and accounts and prevent them from affecting other systems. Common containment capabilities include endpoint isolation, account lockout, network-layer isolation and termination of system processes, and immediately applying the same measures on other systems to stop the same malware or the same access from spreading.
; Investigate/forensics: once the infected systems and accounts have been quarantined, the full course of the incident is reconstructed through retrospective analysis of the data gathered by continuous monitoring, and the root cause and every gap are resolved. How did the attacker gain a foothold? Was it an unknown vulnerability or an unpatched one? Which file or executable carried the attack? How many systems were affected? Which information? In some cases the enterprise may want to know more about the attacker's origin and motivation: was it state-sponsored, and if so, by which country? Historical monitoring data is needed to answer such questions in detail. Network flow data alone may not be sufficient for a full investigation (again, this requires full monitoring at the system level) and advanced analysis tools are needed as well. Also, when a vendor's lab or research team releases a new signature/rule/model, the historical data must be re-run against it to determine whether the enterprise was also a target, or whether an attack is still going undetected.
; Change design/model: to prevent new attacks or re-infection, some policies and controls need to change, for example closing vulnerabilities, shutting down network ports, upgrading signatures, modifying system configuration or user privileges, changing user training, or strengthening information-protection options (such as encryption).
More advanced platforms can also automatically generate new signatures/rules/models to deal with the latest advanced attacks discovered, that is, "customized protection". Before the new rules are integrated, however, they must first be tested against the historical data from continuous monitoring, with simulated attacks injected, to measure the false positive and false negative rates.
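The backtest the paragraph above calls for, and the re-run of historical data against a new rule described under investigation/forensics, as one added example (not code from the article or from any vendor platform): two drafts of a candidate rule are replayed over constructed, labelled process-start history in which four rows stand in for simulated attacks, a confusion matrix gives the false positive and false negative rates, and an assumed acceptance budget decides whether each draft may be integrated. Process names, parents, command lines (placeholders, not real payloads) and the budget figures are all assumptions for the example.

```python
"""Added example: backtesting candidate detection rules against labelled
historical events before integration. Events are constructed; the 'attack'
rows stand in for simulated attacks injected into the history."""

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}

# Constructed process-start history: process, parent, command line, and the
# analyst's label. Command lines are placeholders, not real payloads.
EVENTS = [
    {"process": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe Get-Process", "label": "benign"},
    {"process": "powershell.exe", "parent": "sccm-agent.exe",
     "cmdline": "powershell.exe -File inventory.ps1", "label": "benign"},
    {"process": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe -NoProfile Get-ChildItem", "label": "benign"},
    {"process": "chrome.exe", "parent": "explorer.exe",
     "cmdline": "chrome.exe", "label": "benign"},
    {"process": "outlook.exe", "parent": "explorer.exe",
     "cmdline": "outlook.exe", "label": "benign"},
    {"process": "winword.exe", "parent": "outlook.exe",
     "cmdline": "winword.exe invoice.docx", "label": "benign"},
    {"process": "svchost.exe", "parent": "services.exe",
     "cmdline": "svchost.exe -k netsvcs", "label": "benign"},
    {"process": "cmd.exe", "parent": "explorer.exe",
     "cmdline": "cmd.exe", "label": "benign"},
    # simulated attacks injected into the history
    {"process": "powershell.exe", "parent": "winword.exe",
     "cmdline": "powershell.exe -enc PLACEHOLDER", "label": "attack"},
    {"process": "powershell.exe", "parent": "outlook.exe",
     "cmdline": "powershell.exe -w hidden -enc PLACEHOLDER", "label": "attack"},
    {"process": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe -enc PLACEHOLDER", "label": "attack"},
    {"process": "mshta.exe", "parent": "winword.exe",
     "cmdline": "mshta.exe PLACEHOLDER", "label": "attack"},
]

# Assumed acceptance budget for a new rule: at most 5% false positives and
# at most half of the simulated attacks missed.
BUDGET = {"fpr": 0.05, "fnr": 0.5}


def rule_v1(event):
    """First draft: every PowerShell start is suspicious."""
    return event["process"] == "powershell.exe"


def rule_v2(event):
    """Refined draft: PowerShell with an encoded command line, or PowerShell
    spawned by an Office document/mail process."""
    return event["process"] == "powershell.exe" and (
        "-enc" in event["cmdline"].lower()
        or event["parent"] in OFFICE_PARENTS)


def backtest(rule, events):
    """Confusion counts plus false-positive and false-negative rates."""
    tp = fp = fn = tn = 0
    for e in events:
        hit, attack = rule(e), e["label"] == "attack"
        if hit and attack:
            tp += 1
        elif hit:
            fp += 1
        elif attack:
            fn += 1
        else:
            tn += 1
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "fpr": fp / (fp + tn) if fp + tn else 0.0,
            "fnr": fn / (fn + tp) if fn + tp else 0.0}


def acceptable(metrics, budget):
    """A rule may be integrated only if both rates are within budget."""
    return metrics["fpr"] <= budget["fpr"] and metrics["fnr"] <= budget["fnr"]


if __name__ == "__main__":
    for name, rule in (("v1", rule_v1), ("v2", rule_v2)):
        m = backtest(rule, EVENTS)
        verdict = "accept" if acceptable(m, BUDGET) else "reject"
        print(f"{name}: fpr={m['fpr']:.2f} fnr={m['fnr']:.2f} "
              f"(tp={m['tp']} fp={m['fp']} fn={m['fn']} tn={m['tn']}) "
              f"-> {verdict}")
```

The first draft flags three legitimate administrative PowerShell runs and is rejected; the refined draft clears the false-positive budget but still misses the simulated mshta.exe attack, which the backtest surfaces as a known gap rather than something discovered after the rule is in production.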
; Remediate/improve: once the model changes have been decided, the improvements are implemented. Using emerging security orchestration systems, some response policy changes can be pushed automatically to policy enforcement points such as firewalls, intrusion prevention systems (IPSs), application control systems or anti-malware products.
Although some emerging security orchestration systems are designed to automate these improvements, at this early stage enterprises still prefer to have security specialists, network security specialists or endpoint support staff implement the changes.
; Baseline systems: systems change constantly; new systems (such as mobile devices and cloud services) are continually introduced; user accounts are added and retired; new vulnerabilities are continually disclosed; new applications are deployed; and adapting to new threats has become the norm. The enterprise must therefore continually re-baseline and mine its endpoints, server systems, cloud services, vulnerabilities, relationships and typical interfaces.
; Predict attacks: this field is at the forefront and increasingly important. By detecting attacker intent, watching attacker marketplaces and bulletin boards, tracking attackers' interest in the enterprise's vertical industry, and weighing the sensitivity of the information categories being protected, this capability proactively predicts future attacks and targets so that the enterprise can adjust its protection strategy in advance.
For example, if the collected intelligence indicates that a specific application and OS are more likely to be attacked, the enterprise can proactively deploy application firewall protection, strengthen authentication, or proactively block certain types of access.
; Proactive exposure analysis: as internal and external information is collected, the enterprise's assets and exposure need to be assessed in order to predict threats, and enterprise policy and controls may need to be adjusted at the same time.
For example, when a new cloud service is about to be purchased, what are the likely risks? Does it need supplementary controls such as encryption? The risk of a new application