Resilience - The New Cybersecurity Focus

As computer systems and networks have evolved and become more complex with requirements to support myriad devices, so has security software designed to protect them.

The first generation of security products focused on protecting endpoints and stand-alone systems. Techniques such as Trusted Computing, Access Control Lists and cryptography were used to restrict access and thwart intruders. Second generation products followed shortly thereafter to provide protection within networks. Most commercially available products currently fall into this category.

From our experience, we contend that it is virtually impossible to thwart all potential intruders. First, the signature of the intruder is often not known, as in “zero day” attacks. Second, intruders often have the capability of changing their signatures, thereby making themselves difficult to defend against. And finally, with the existence of the internet and requirements to support many different types of devices, bulletproof software to protect this complex ecosystem from any kind of attack is virtually impossible to create.

Consequently, security thinking has evolved toward designing systems that take more active measures to protect against attacks, and that emerge relatively unscathed even when they have been penetrated by intruders. These are the goals of Third and Fourth generation security products.

Cyber Resilience refers to “an entity's ability to continuously deliver the intended outcome despite adverse cyber events”. Different products attain this goal in different ways and to different degrees, but all have one feature in common: their emphasis on perimeter defense to keep “the bad guys” out. Many products, typically third generation, use sophisticated methods to provide Moving Target Defense. These techniques enable the target system to present dynamic attack surfaces, i.e., to continually change how it appears to potential attackers in order to deceive and thwart them. Some products complement this capability with “honeypot” defenses, where attackers are lured into traps and alarms are triggered. A few products extend the dynamic attack surface paradigm and seek to minimize damage by deceiving attackers even after a system has been penetrated.

The SCIT approach, on the other hand, seeks to provide true Resilience by relying on a different truism: as described above, we believe all systems are vulnerable. Consequently, the goal of SCIT is to ensure that a system operates successfully even if its perimeter defenses have been penetrated. It does this by employing a continual rotation strategy in which processing shifts to a new, pristine server at pre-selected rotation intervals, thus removing any malware that may have compromised the server. This limits the dwell time that malware may be resident on a server. Since hackers require time to navigate through their target system, this strategy ensures that intrusions are disrupted, thus limiting the damage. Further, servers taken offline are analyzed, and alarms are triggered when malware is detected.
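To make the rotation mechanics concrete, here is an added toy simulation; it is not SCIT's own code. It assumes a single active server drawn from a pool of pristine images, a fixed rotation interval, and offline analysis that always recognises a foothold (the `compromise` events are constructed test input). The point it shows is that an implant's dwell time can never exceed one rotation interval, regardless of its signature.

```python
from collections import deque


class ScitRotation:
    """Toy SCIT-style rotation: one server serves traffic while the rest
    wait in a pristine pool; every `interval` seconds the active server is
    retired, analysed offline, restored from a clean image and re-pooled."""

    def __init__(self, names, interval):
        self.interval = float(interval)       # assumed: fixed rotation interval (seconds)
        self.pristine = deque(names)          # servers restored to a known-good image
        self.active = self.pristine.popleft()
        self.active_since = 0.0
        self.taint = {}                       # server -> time a foothold landed (constructed)
        self.alerts = []                      # (server, dwell_time) raised by offline analysis

    def compromise(self, t):
        """Constructed event: an intruder gains a foothold on the active server at time t."""
        self.taint.setdefault(self.active, float(t))

    def advance(self, t):
        """Move the clock to t, performing every rotation that falls due before t."""
        while self.active_since + self.interval <= t:
            self._rotate(self.active_since + self.interval)

    def _rotate(self, now):
        retired = self.active
        if retired in self.taint:
            # offline analysis finds the implant; dwell time = removal - landing
            self.alerts.append((retired, now - self.taint.pop(retired)))
        # restoring from the clean image wipes any implant; server returns to the pool
        self.pristine.append(retired)
        self.active = self.pristine.popleft()
        self.active_since = now

    def max_dwell(self):
        """Upper bound on how long any implant can live: one rotation interval."""
        return self.interval


def demo():
    # Constructed scenario: three servers, 60 s rotation, foothold at t=10 s.
    rot = ScitRotation(["web-1", "web-2", "web-3"], interval=60)
    rot.compromise(10)
    rot.advance(200)
    return rot


if __name__ == "__main__":
    r = demo()
    print("active:", r.active, "alerts:", r.alerts, "bound:", r.max_dwell())
```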

Key benefits of this approach are:

  • Prior knowledge of the signature of the malware is not required. SCIT is effective across ALL malware/attacks.
  • SCIT does not replace other perimeter defense strategies. Rather, it complements them and makes the target system more Resilient.
  • The emergence of cloud computing and virtualization makes SCIT a cost-effective solution.

Tathagata D. ("TD") Goswami, Ph.D.

Patent Advisor at Winston & Strawn LLP

6 years

The concept of a moving defense strategy is awesome!

Dan Waggoner

Enterprise Security Architect at PepsiCo

6 years

So looking at this and the point I see is doing X to stop Y, you have defined how you are going to protect against a threat. When I taught staff how to do penetration testing I always said "Remember two things. 1. Know the rules 2. Don't follow the rules". Meaning if a client says they are going to do X then you don't attack using Y because that is what they want, instead you attack by doing K. It doesn't matter what you do as soon as it is known . . . hackers (both malicious and non-malicious) try to figure out a way around it or to turn it into an advantage. What I feared was the IT department that was laughing at everything I tried, they knew their network, they monitored it and they knew when something odd was happening. Sadly in over 20+ years of doing pentesting this only happened a few times. Could this be a good tool, of course, but it is just a tool. Hopefully, for those that use it, it is integrated into their overall strategy/plan.

Brian Moore

Global Technology & Operations Leader

6 years

Great article.

Mark W.

Security is a matter of engineering, not compliance. Co-author NIST SP 800-160 Volume 1.

7 years

More confusion of security and cybersecurity, but in a new domain. Just as the words “security” and “cybersecurity” are not interchangeable words, neither are “resilience” and “cyber resilience”. To grow the discipline, one thing we need to get better with is the syntax.

More articles by Arun Sood
