Today I want to share my thoughts about a recurring discussion we as security professionals often have: where to focus our efforts. One camp says “continuous monitoring is the new prevention”, implying that they have already failed to protect their information resources and that the main focus should therefore be on detecting and remediating attacks rather than on actual prevention.

Another camp (“moat & castle”) says that we need to build high-assurance systems that provably prevent certain attacks. Others again say that none of this works and that we need to focus on “compliance-driven security”, a nice term for paper-shuffling to meet some “best” practices (irrespective of whether they provide actual protection) in order to “save their a**” (that is, their personal a**). Yet others say that none of this works and that we should just pay for cyber insurance. Yet others just buy random, expensive big-vendor products to “save their a**” (“nobody gets fired for buying …” etc.). There are many more views, illustrating that the industry today really has little to offer in terms of real protection.

One of the main problems is that nobody really has reliable, comprehensive risk metrics for most/all attack vectors (i.e. nobody knows reliably how big which risks really are), and no comprehensive mitigation metrics for most/all security products and measures (i.e. nobody knows reliably how much a given product/measure actually reduces which risks exactly). So the industry is really selling a lot of “maybes” to maybe solve a lot of “maybe” problems; the only reliable number is the cost of security. The ongoing major hacks we read about illustrate that things are pretty ineffective overall.

I want to offer an alternative middle-ground viewpoint today that I feel would often help: we should focus on impact control rather than only on the either/or choice between detecting/mitigating and protecting (we should do these too). In other words, why not assume that your defenses will be hacked, and then figure out ways to ensure that the impact of compromises is limited? For example, if credentials get stolen (the recent US IRS hack is one such example), then the hacker acts as an authorized individual. Therefore, impact should be controlled for any activities of insiders and outsiders (irrespective of whether they are known to be malicious or benign).

The fine-grained access control and model-driven security discussed on this blog for years have really always been about exactly that: minimize users’ access to information resources based on fine-grained, contextual access policies, so that the impact of both accidental and malicious compromise remains limited. In the example of the abovementioned IRS hack, why did the stolen credential need access to so many records? In the Wikileaks case, why did Manning need access to so much information?

In other words, impact can be controlled by implementing reliable (true!) least privilege access control, so that only the minimum necessary information can be accessed. And I am not talking about least privilege in the “poor man’s solution” of privileged account management. I am talking about fine-grained, contextual access policies. This will usually require complex access control systems such as Attribute-Based Access Control (ABAC), which comes with the cost of being unwieldy and complex. Model-Driven Security (MDS), as discussed on this blog for years, helps make ABAC manageable, even in dynamically changing IT landscapes (e.g. SOA, M2M, IIoT etc.). (By the way, our OpenPMF product helps implement ABAC with MDS.)
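As an added illustration (not code from this post or from OpenPMF), here is a small Python policy check comparing the blast radius of one stolen credential under a coarse role-based rule and under a contextual ABAC rule; the record set, the attribute names (caseworker, office, hour) and the business-hours window are all constructed for the example.

```python
# Added example: compares how many records a single stolen credential can reach
# under a coarse role rule versus a contextual ABAC rule. All data, attribute
# names and the business-hours window are constructed for this illustration.
from dataclasses import dataclass

# Constructed sample data: taxpayer records, each assigned to one caseworker
# and held by one office.
RECORDS = [
    {"id": f"r{i}", "office": "east" if i % 2 else "west", "caseworker": f"cw{i % 3}"}
    for i in range(12)
]


@dataclass
class Request:
    user: str      # subject attribute: identity asserted by the credential
    office: str    # subject attribute: the user's home office
    action: str    # requested action
    record: dict   # resource attributes of the record being requested
    hour: int      # environment attribute: local hour of day (0-23)


def coarse_policy(req: Request) -> bool:
    """Role-based rule: any authenticated staff member may read any record."""
    return req.action == "read"


def abac_policy(req: Request) -> bool:
    """Contextual rule: read only records assigned to you, held by your own
    office, and only during business hours (08:00-17:59)."""
    return (
        req.action == "read"
        and req.record["caseworker"] == req.user
        and req.record["office"] == req.office
        and 8 <= req.hour < 18
    )


def reachable_records(policy, user: str, office: str, hour: int) -> list:
    """IDs a credential for `user` could read at `hour`: its blast radius."""
    return [r["id"] for r in RECORDS if policy(Request(user, office, "read", r, hour))]


if __name__ == "__main__":
    # Credential of caseworker cw1 (east office) stolen and used at 03:00 and 10:00.
    for name, policy in (("coarse", coarse_policy), ("abac", abac_policy)):
        print(name, "03:00 ->", reachable_records(policy, "cw1", "east", 3))
        print(name, "10:00 ->", reachable_records(policy, "cw1", "east", 10))
```

Under the coarse rule the stolen credential reaches all twelve records at any hour; under the contextual rule it reaches nothing outside business hours and only the two records assigned to that caseworker in that office during them.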

Please spread the word that we also need to control impact, rather than just (1) putting up defenses, after which, once compromised, much or everything can be stolen; and (2) monitoring for compromises and hopefully mitigating before it is too late. (1)+(2) alone are clearly failing.