Bringing Security into a Positive Light - Security Park
(26/10/2007)

Information security managers have always had a healthy fear of the unknown threat. But over the last two years that fear has developed into a paranoia, an obsession that keeps them up at night sweating over thoughts of malware that may be slipping past their traditional anti-malware defenses without a blip on the radar. They spend all of their time trying to find better ways to block the threats, and yet most of their efforts end in futility anyway.

This is because the threats keep multiplying. The past several years have brought a wave of unending zero-day attacks designed specifically to silently steal information.
Organisations are not getting back-up from their traditional vendors, because these security companies are drowning in the flood of malware issued by crooks who are specifically programming malware to evade blacklist signatures.

Antivirus vendors have admitted as much to the media. “We're losing this game with computer criminals,” Eugene Kaspersky, the founder of Kaspersky Labs, said in a December 2006 interview. “There are just too many criminals active on the Internet underground.”

His thoughts were echoed by Mikko Hypponen, F-Secure’s director of anti-virus research, who in March was quoted by MSNBC as saying, “It’s getting harder and harder for us just to keep up with the amount of new malware coming in. Right now on a typical day we receive more than two a minute. There are thousands every day. The increase in three years has been tenfold.”

Compounding the near-constant barrage by the criminals is the fact that rogue users are increasingly opening up the enterprise to countless more risks by introducing applications and technologies with exploitable flaws. One big example is the proliferation of social networking sites whose users have become low-hanging fruit to attackers. Personal applications such as peer-to-peer file sharing applications expose enterprises to software licensing and copyright violations. The same goes for the unfettered use of removable storage devices, which brings the added risk of data leakage.

Sleepless security managers are left spinning their wheels in response to all of this, trying to reduce risks by responding to this attack here, that new exposure there. But this negative security model is just spinning them into a spiral of reactivity. IT resources are drained while security plays catch-up and never quite catches up.

“When a zero-day comes, you're behind the eight ball if you’re just relying on reactive defenses,” says Charles Kolodgy of IDC.

The numbers prove this to be true. Even though 99 percent of all enterprises had antivirus installed by 2005, 62 percent still suffered from an infection.

Clearly, the model is flawed. Analysts like Kolodgy believe that the only way organisations today will crawl from under the weight of unknown threats to their systems is to change the way they practice security. They must shift from the negative to the Positive Security Model.

Allowing the Known Good

The principle of positive security is simple. Rather than chasing every risk and threat in the environment with blocks and denials, the positive security practitioner blocks everything by default. Only the known good applications are allowed to run.
The unknown threat loses its power when it is blocked from systems automatically.

“If you're proactive you don't need to worry about what new thing is going to pop up tomorrow because you've already dealt with it,” Kolodgy says. “There isn't a gotcha.”
Network managers are already familiar with this positive approach—they’ve been practicing it with firewalls for years.

“In network security there is no question that a default-deny scheme is the best policy,” says William Bell, director of security at ECSuite.com. “The funny thing is that when you take that into the systems protection arena many people have failed to apply that same policy.”

Progressive security practitioners like Bell agree that traditional systems protections such as antivirus and anti-malware are too reactive to rely on alone.

Hackers and other malcontents can easily take advantage of the fact that these outmoded technologies must know about a particular type of attack before they can protect against it. This is the reactive approach’s Achilles heel, one that is being assaulted daily by malicious “boutique” attacks designed specifically to evade traditional defenses by sneaking in with new and unknown approaches.

“My philosophy is that our security should be able to stay ahead of emerging threats rather than just reacting to them,” Bell says.

He uses Lumension Sanctuary to build a positive security approach at ECSuite.com that allows systems to run only applications and devices that are approved, updated and configured correctly. Bell also uses PatchLink Update to rapidly test and deploy patches, and he uses PatchLink Developer Kit to code his own patches. This is especially useful when a critical vulnerability is discovered for which a patch has yet to be released.

“We believe in defense in diversity,” Bell says. “Sanctuary is our security blanket against any possible zero-day attacks, but on top of that, patching is the best way to eliminate vulnerabilities. This multi-layered approach helps us identify and remove vulnerabilities while maintaining a consistent baseline of security.”

Not only does such a comprehensive line of defense protect against unknown attacks, it also cuts off other risks such as data leakage through unauthorised devices or illegal downloading to corporate endpoints through peer-to-peer networking applications.

“This positive stance keeps our digital assets safe from both internal and external threats,” Bell says. “In large organisations, it may take a month to roll out every necessary patch. With PatchLink Update and Sanctuary in place, I can rapidly deploy patches—including those I script myself—with the insurance of ‘big brother’ protecting our patch cycle.”

Five Steps to Positive Security

So what does it take to enact a Positive Security Model? Experience has shown that there are distinct steps on the path to being proactive.

Organisations must first understand what they’re up against. They must learn what is running on their systems and why. Some unconventional applications may have been installed by users to address critical business needs. Others are just there to satisfy users’ personal whims. Either way, these applications might be posing previously-unknown risk to the organisation.

In the past this discovery process has been a seemingly impossible task, but the development of automated tools such as Lumension's line of whitelisting, vulnerability and patch management tools has eased this pain point. Automation can take care of the heavy lifting required to shed light on system contents. From there, it is up to administrators to assess which applications and devices are crucial to core business practices and which are frivolous or too risky to run.

At this point, the organisation will need to focus its efforts on one of the most critical elements of positive security: the policy. A sound policy will set the baseline “known good” for an organisation.

The endpoint policy statements developed in this step should not imitate the broad IT “shelfware” policies of old. They should be systematic, actionable rules. They might ban the use of personal applications or limit the use of removable storage to certain times of day.
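The default-deny model from "Allowing the Known Good" and the actionable policy rules described in this step, reduced to a small policy evaluator. This is an added illustration, not code from the article or from any Lumension product; the approved builds, their hashes, the 08:00-17:59 removable-storage window and the endpoint events are all constructed for the example.

```python
import hashlib
from datetime import datetime

# Constructed "known good" list, name -> SHA-256 of the approved build. Hashes come
# from constructed sample bytes so this runs offline; a real list hashes the binaries.
APPROVED_BUILDS = {
    "winword.exe": b"constructed winword build 12.0",
    "notepad.exe": b"constructed notepad build 6.0",
}
ALLOWLIST = {n: hashlib.sha256(b).hexdigest() for n, b in APPROVED_BUILDS.items()}
USB_ALLOWED_HOURS = range(8, 18)  # assumed policy window: 08:00-17:59

def decide_execution(name, file_bytes):
    """Default deny: run only if listed AND the bytes hash to the approved build."""
    approved = ALLOWLIST.get(name)
    if approved is None:
        return ("DENY", "not on the known-good list")
    if hashlib.sha256(file_bytes).hexdigest() != approved:
        # Same name, different bytes: a replaced or tampered binary is still unknown.
        return ("DENY", "hash does not match the approved build")
    return ("ALLOW", "known good")

def decide_removable_storage(when):
    """Device rule from the policy step: removable storage only in permitted hours."""
    if when.hour in USB_ALLOWED_HOURS:
        return ("ALLOW", "within permitted hours")
    return ("DENY", "removable storage outside permitted hours")

# Constructed endpoint events: (kind, subject, payload)
SAMPLE_EVENTS = [
    ("exec", "winword.exe", APPROVED_BUILDS["winword.exe"]),
    ("exec", "p2pclient.exe", b"constructed unknown installer"),
    ("exec", "notepad.exe", b"constructed notepad with patched bytes"),
    ("usb", "E:", datetime(2007, 10, 26, 3, 15)),
    ("usb", "E:", datetime(2007, 10, 26, 10, 30)),
]

def evaluate_events(events):
    """Apply the policy to each event; anything the policy does not name is denied."""
    results = []
    for kind, subject, payload in events:
        verdict = ("DENY", "event type not covered by policy")
        if kind == "exec":
            verdict = decide_execution(subject, payload)
        elif kind == "usb":
            verdict = decide_removable_storage(payload)
        results.append((subject,) + verdict)
    return results
```

Note that the tampered notepad.exe is denied even though its name is on the list: the hash, not the filename, is the "known good".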

Many IT security professionals have avoided developing such detailed rule sets in the past because there was no easy way to enforce them.
