Can You Stop What You can’t See?


A few years ago, when APT became a thing, there was a pretty big realization that the lack of context-awareness and visibility into the activities and behaviours that take place in the network is a problem. In the article “No More Cyber Maginot Lines: We Need to Hunt Down Hackers Before They Strike“, Nate Fick says,

“Attackers work hard to be stealthy—it’s in their DNA. An invisible attacker is a successful attacker.”

He elaborates further that defenders involved in threat hunting, a recent and growing enterprise security activity, must also be stealthy so that adversaries can’t spot and bypass them. Threat hunting has evolved because of past and current difficulties in stopping threats from entering and executing in the network. For a good overview of the kinds of activities adversaries engage in and the tools they use to perform them, check out “Savvy Hackers Don’t Need Malware“.

We also know there’s a need for better alignment of security with the business. This may be something that is easier said than done. One reason is that ITsec doesn’t really map itself very well to all of the little “business unit” bubbles of the enterprise.

Here’s my theory on the reason why.

There is a disconnect between business security rules, which are based on human organization and activities and expressed in the language of business trust relationships, and the object-oriented world of IT, which keys primarily on files and directories.

The article “Context-aware security: Big benefits for networks, but no shortcuts” seems to concur about the impact of this:

“In the era of advanced persistent threats (APTs) and other targeted attacks, a network security strategy that doesn’t adapt its policies according to this kind of information about identity, behavior, applications, devices and data has holes in its defence.”

It calls context-awareness “network security nirvana” because,

“Context helps you separate the signal from the noise.”

The idea seems self-explanatory at a basic level, but the article suggests a definition.

“Despite having no standard definition of context-aware security, the industry generally agrees on this: It’s a mechanism for applying granular, dynamic security policies based on a real-time analysis of supplemental information about identity, location, behavior, applications, devices, data and more.”

There’s a problem, though:

“… as the need for greater context grows and the technology to enable it marches forward, efforts to implement a context-based approach often stall due to operational challenges.”

In that article, Mike Rothman informs us,

“Traditional approaches to network security haven’t kept up with the need for such analysis.”

“I think the idea of [contextual awareness] remains strong and very effective because just having a generic set of network security policies isn’t overly helpful… You’ve got a lot of complicated factors that make the old ways we used to do network security … not really sufficient for what we need to do today to [combat] the kind of adversaries we’re dealing with.”

“If you have a hard time with typical, traditional ports and protocols policies, you’re going to have a really hard time with application policies or anything based upon identity.”


User Context-awareness

Paul Carugati, from Motorola Solutions, informs us that,

“I need to have an understanding of who the user is, where they’re <users> coming in from, where they’re <users> trying to go and what application they’re <users> using.”

I put the <users> in for emphasis, but it sure looks like he’s saying there’s a need for a user-centric level of visibility to defend the enterprise, don’t you think?

Carugati adds,

“These are all of the different points on the connect-the-dots page. I need all of these dots together to help me start painting the picture,… One or two of these dots isn’t going to give me enough information to be able to take a step back and see what the [big] picture looks like.”

Doesn’t it seem that hitting the correct balance between enabling business activity and users, and minimizing business risks, would be an easier chore if fine-grained context-awareness and visibility into user activities were possible? Healthcare is the poster child for what happens when this is done poorly, according to Cory Doctorow’s excellent (and strongly recommended) article, “Healthcare workers prioritize helping people over information security (disaster ensues)“.

What’s obviously needed is some dot-connecting assistance.

User-centric security provides context-awareness

KSE user-centric security provides more dots, a lot more dots, for protecting against both the insider threat and the external attacker posing as one. Other things can add context as well, of course, but user-centric security contributes needed context, especially when dealing with the insider threat. As what has become a classic infosec cartoon reminds us, current network security controls are not adequate for detecting unauthorized behaviours by regular users.

Trustifier designed the KSE model and framework specifically to address this problem. KSE has a fundamental capability to define and map relationships between the users and groups of the business and the files, directories, networks and systems they use while performing activities. This is a unique design feature that enables security owners to formulate security rules in human (users/groups/roles) terms, using the trust language of the business.

“KSE design enables alignment of the security rules and enforceable controls over user privilege and use of system resources and data, with the goals, objectives, and activities of the business.”

KSE is an authorization engine which utilizes context for setting the “rules of engagement” for managing operational privileges in a user-centric manner. Layers of authorization rules can be tailored on a per-user basis to define, set and enforce operational privilege boundaries based on assigned user roles and tasks. With additional context to define business-related behaviours and the boundaries for them, rule and policy creation becomes more intuitive and tailorable, and more effective rules can result. Visibility into network behaviours is improved, since layers of per-user authorization rules extend beyond initial user access to data assets to what users can do with those assets.

Layered authorization rules that map to user activities can act as indicators of attempted unauthorized behaviours. A stealthy adversary will never know whether any move he attempts will flag a security officer in real time. At the first sign of anything suspicious, KSE’s user-centric, immutable auditing capability allows one to zero in on someone’s suspicious behaviours in minutes. It also prevents those stealthy adversaries or insider threats from tampering with the logs to cover their tracks.

KSE is a reference monitor

These days, most people are aware of the insider threat. The recommended security mechanism to combat abuse of authorized privileges is the reference monitor: an authorization engine that facilitates creation and enforcement of per-user security rules, as described in the previous paragraph. Unfortunately, commercial systems lack this important control, and hence insider attack has proven very difficult to prevent. It’s also very common for external adversaries to steal insider or administrative credentials. If proper internal controls meant an authorized user could not abuse his privileges, do you think an external attacker who had hijacked his credentials would be able to fare any better?

It’s necessary to add these internal controls to your systems by implementing KSE. You can learn more about it in this post, here. The reference monitor denies the unauthorized behaviours it detects in real time, working as part of a strong trusted computing base. Because KSE enables one to set rules to either allow or deny access on an intuitive per-user basis, it is the preferred control for setting and enforcing need-to-access and need-to-know rules when combined with KSE’s labelled security (MLS) capability.
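To make the reference-monitor idea from the last two sections concrete, here is an added illustrative example; it is not KSE’s code and not how Trustifier implements it. Rules are written in role terms over directory prefixes and govern the operation rather than just access, a simple MLS clearance check enforces need-to-know, and every decision is written to a hash-chained audit log whose verify() fails if an entry is altered. All users, labels, rules and paths are constructed sample data.

```python
import hashlib, json

# Constructed sample data (not KSE's own format): users described in business
# terms (roles) plus an MLS clearance; resources labelled by directory prefix.
USERS = {"alice": {"roles": {"finance"}, "clearance": 2},
         "bob": {"roles": {"eng"}, "clearance": 1}}
LABELS = {"/finance/": 2, "/eng/": 1, "/public/": 0}
# Layered rules, first match wins; they govern the operation, not just access.
RULES = [{"role": "finance", "prefix": "/finance/", "ops": {"read", "write"}},
         {"role": "eng", "prefix": "/eng/", "ops": {"read", "write", "exec"}},
         {"role": "*", "prefix": "/public/", "ops": {"read"}}]

def _digest(prev, record):
    return hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()

class AuditLog:
    """Append-only log; each entry commits to the previous hash, so tampering breaks verify()."""
    def __init__(self):
        self.entries = []
    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"record": record, "prev": prev, "hash": _digest(prev, record)})
    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or _digest(prev, e["record"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True

class ReferenceMonitor:
    """Mediates every (user, operation, path) request and records the decision."""
    def __init__(self, users, labels, rules, log):
        self.users, self.labels, self.rules, self.log = users, labels, rules, log
    def check(self, user, op, path):
        u = self.users.get(user)
        label = max((lvl for p, lvl in self.labels.items() if path.startswith(p)), default=0)
        rule = next((r for r in self.rules if u and (r["role"] == "*" or r["role"] in u["roles"])
                     and path.startswith(r["prefix"])), None)
        if u is None:
            reason = "unknown user"
        elif label > u["clearance"]:          # MLS need-to-know: no read-up
            reason = "label exceeds clearance"
        elif rule is None:
            reason = "no matching rule"        # default deny
        elif op not in rule["ops"]:
            reason = "operation not granted"   # worth flagging in real time
        else:
            reason = "rule match"
        allowed = reason == "rule match"
        self.log.append({"user": user, "op": op, "path": path,
                         "decision": "allow" if allowed else "deny", "reason": reason})
        return allowed
```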

Don’t forget TUX AI

Mike Rothman also makes this point;

“You actually have to have the real context at that very moment, and that’s a dynamic thing,” he says. “You can build a scenario where you’re always kind of behind in developing and implementing those policies because business is changing faster than you can evolve your policies.”

He’s right, of course, and KSE user-centric security facilitates security management in this regard. What’s more, TUX AI, which will deliver the next evolution of KSE, will update its security protections going forward in real time, dynamically and continuously, from the moment you request a security measure. If you haven’t seen the TUX AI tour yet, it’s found on the Trustifier start page, here.

I’ve put forward a case that user-centric security adds the context-awareness and visibility needed to ward off both the insider threat and the external adversaries that pose as them. It also facilitates a close mapping of security protections to user and business activities, so that one can optimize protection without impeding business tasks and activities. Perhaps a little more of this up front will mean a little less need for threat hunting to become the “next frontier” moving forward. As always, you can learn more about KSE on our Web site and in previous posts.




Can you stop what you can’t see? Is this the answer?



Recommended Reading

No More Cyber Maginot Lines: We Need to Hunt Down Hackers Before They Strike

Savvy Hackers Don’t Need Malware

Healthcare workers prioritize helping people over information security (disaster ensues)

Context-aware security: Big benefits for networks, but no shortcuts