On January 19, 2016, Tech-Tonics Advisors published a report titled "A Prioritized Risk Approach to Data Security" on icrunchdatanews.
First, a bit of my own reading of it: the piece sets out to talk about data security, but it is really describing a methodology for network and information security as a whole. The report makes roughly the following points:
1) We cannot prevent every attack, and we do not have the resources to protect every data asset and system. On the contrary, every new technology we adopt adds attack surface. The situation is getting worse, the traditional "castle and moat" approach can no longer cope, we must assume our network has already been breached, and we need a new way of thinking about defense.
2) That new way of thinking is "contain and respond". It starts by identifying and ranking the risks to our assets, then concentrates protection on the highest-priority assets, using a multilayered, data-centric approach.
3) For threat detection we need more intelligence, and above all more context. Continuous monitoring gives visibility into the current security state and makes the whole contain-and-respond process more intelligent. "Intelligent" here means methods that go beyond traditional signature-based detection, such as correlation, machine learning engines, advanced behavioral analytics and data visualization.
4) In the SDX (software-defined everything) era we need an SDP (software-defined perimeter), which is essentially a logical perimeter.
5) People are an essential part of security governance; any security program must treat people as one of its objects. [This is not specifically about security analysts, but about how people in the broader sense participate in security.]
Having read it, you will find the thinking broadly similar to Gartner's Adaptive Security Architecture (ASA) [see: Gartner: five characteristics of the intelligent SOC / intelligence-driven SOC].
品觉 of Alibaba translated the report into Chinese for the original post.
The English original:
A new approach to security strategy is required, one that is based more on resilience than on prevention. It's become more important for a security team to quickly identify and respond to an attack to minimize the impact of risks to the business rather than trying to prevent attacks from occurring. The old castle-and-moat strategy simply cannot survive the new threat landscape.
No organization can prevent every cyberattack. And none has the resources to protect all of its data assets, devices and infrastructure uniformly. Highly virtualized distributed computing architectures, cloud-based applications and increasingly mobile users have opened new attack surfaces and vectors for cybercriminals and malicious insiders by erasing the traditional network perimeter. These bad actors exploit vulnerabilities with more sophisticated and innovative attacks that target privileged users who have access to valuable data assets.
The growth of containers and microservices and the emerging Internet of Things (IoT) ushers in a new wave of apps and connected devices and exponentially increases the amount of data at risk. These trends marginalize the effectiveness of traditional network and perimeter security solutions, which were designed to prevent earlier generations of malware.
Advanced persistent threats (APTs) succeed because many organizations lack a cohesive security approach that might prevent or rapidly detect an attack. Legacy stateful firewalls, intrusion prevention systems, Web gateways, antivirus software and email anti-spam solutions have proven to be no match for the current threat environment.
So as APTs expand targeted threat surfaces, why do organizations still invest most of their security budget in yesterday’s preventive technologies? Security strategy needs to focus on finding and rooting out these modern threats.
In this environment, security teams need to shift their focus, and their resources, from prevention to resilience. This entails accepting that their organization is already compromised. This perspective better prepares them to quickly identify an attack, contain it from spreading, and recover from any losses, minimizing risk exposure for the business. A holistic approach to prioritizing risks takes into account risks across the entire organization.
A “contain and respond” security strategy starts with a holistic approach to prioritizing risks across the organization. These risks include business interruption, intellectual property loss, private data theft, regulatory noncompliance, physical plant and personal injury and reputational damage.
Instead of trying to prevent every threat, security teams target defenses against the highest priority risks, those that can most negatively impact operations and finances. Once risks are prioritized, a multilayered data-centric approach establishes a secure perimeter around the data associated with those risks, locks down the data, removes risk from privileged users and provides the information that identifies malicious insiders and possibly compromised accounts.
Just as risks have different priorities, it follows that the different data assets associated with those risks also have different protection and privacy requirements. The data of highest value to attackers (personally identifiable information, intellectual property, customer-specific data and confidential financial information) is also the most valuable set of "crown jewels" for the security team to protect.
As opposed to conventional security layering by infrastructure, application, device and user, a prioritized risk approach allows the security team to dedicate more resources and attention to the assets that are most important to the organization. This strategy is more proactive and intelligence-based, enabling the security team to better secure the organization’s most valuable data assets, respond to and remediate incidents in a timely fashion and meet GRC (governance, regulatory, compliance) requirements.
It also helps manage escalating security and compliance costs, including team skills. As more functionality is automated, more of the skill set should be skewed towards intelligence: threat analytics, forensics and incident response.
Traditional signature-based defenses remain a core component of security strategy, protecting against non-targeted malware. But to protect the organization’s most valuable data assets in virtualized, cloud and big data environments, security teams need greater visibility and intelligence. Specifically, they need to know what data is going into these environments, who is authorized to work with this data, when data is attempting to leave and how this data and its users can be monitored while adhering to GRC mandates.
Not surprisingly, the databases and data warehouses that contain the most valuable data, and the servers they reside on, are the primary source of breaches. As organizations increasingly integrate big data with traditional data in their quest to gain deeper insights and improve decision outcomes, threats to these repositories will continue to increase, exposing the organization to more risk. Much of this data also drives decision-making, by both people and machines. If that data were to be tampered with, the resulting decision outcomes could be disastrous.
Since big data represents less than 15% of most organizations’ decision-making inputs today, it’s recommended that big data be part of broader data management and data governance initiatives. As such, security governance should be linked with data quality and integration components of these programs. Similarly, securing big data should be part of a broader security strategy rather than having a separate big data security strategy that potentially creates yet another data silo.
Automated continuous monitoring of network traffic, application-level awareness and user-specific rules provide granularity into activity in the IT environment. Monitoring that is more pervasive, automated and intelligent allows security teams to better understand risks and prioritize threats.
Correlations, machine learning engines and advanced behavioral analytics and data visualization create context based on granularity about users, applications and endpoint characteristics. These allow security teams to establish baselines of normal vs. abnormal activity. Key performance indicators (KPIs) provide real-time visibility into anomalous behavior patterns, driving faster and more accurate incident response.
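The baselining step described above, as an added example that is not code from the report: a per-user baseline (usual source hosts, working hours and rows read per query) is built from a constructed training window of database-access log lines, and later events are scored against it. Events whose score crosses a threshold are the anomalies a KPI view would surface, and a burst of them on one account is the "possibly compromised account" signal the report wants. The log format, user names, hosts and thresholds are all assumptions for the demo.

```python
"""Per-user behavioral baseline over constructed access-log lines.

Added example (not from the report). Builds a baseline of "normal" for each
user from a training window, then scores new events against it.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample log (hypothetical format):
# timestamp  user  source_host  table  rows_read
BASELINE_LOG = """\
2016-01-04T09:12:03 alice ws-alice-01 customers 120
2016-01-04T10:45:30 alice ws-alice-01 customers 95
2016-01-05T09:30:12 alice ws-alice-01 orders 210
2016-01-05T14:02:41 alice ws-alice-01 customers 140
2016-01-06T11:15:00 alice ws-alice-01 orders 180
2016-01-04T08:55:10 bob ws-bob-07 orders 400
2016-01-05T09:10:45 bob ws-bob-07 orders 380
2016-01-06T10:20:05 bob ws-bob-07 inventory 450
"""

# Constructed events to score: alice's second line is a bulk read of the
# customers table at 03:12 from a build server she has never used.
NEW_EVENTS = """\
2016-01-07T10:05:00 alice ws-alice-01 customers 130
2016-01-07T03:12:44 alice build-srv-22 customers 250000
2016-01-07T09:40:00 bob ws-bob-07 orders 410
"""


def parse(text):
    """Turn the whitespace-separated log lines into dicts."""
    events = []
    for line in text.splitlines():
        ts, user, host, table, rows = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "table": table, "rows": int(rows)})
    return events


def build_baseline(events):
    """Summarise each user's normal hosts, hours and row volume."""
    per_user = defaultdict(lambda: {"hosts": set(), "hours": set(), "rows": []})
    for e in events:
        b = per_user[e["user"]]
        b["hosts"].add(e["host"])
        b["hours"].add(e["ts"].hour)
        b["rows"].append(e["rows"])
    baseline = {}
    for user, b in per_user.items():
        mean = statistics.mean(b["rows"])
        stdev = statistics.pstdev(b["rows"]) or 1.0  # constant series: avoid /0
        baseline[user] = {"hosts": b["hosts"], "hours": b["hours"],
                          "mean": mean, "stdev": stdev}
    return baseline


def score_event(event, baseline):
    """Return (score, reasons); each kind of deviation adds to the score."""
    b = baseline.get(event["user"])
    if b is None:
        return 3, ["user has no baseline"]
    score, reasons = 0, []
    if event["host"] not in b["hosts"]:
        score += 2
        reasons.append(f"new source host {event['host']}")
    hour = event["ts"].hour
    # Tolerate one hour either side of any hour seen in the baseline.
    if all(abs(hour - h) > 1 for h in b["hours"]):
        score += 1
        reasons.append(f"unusual hour {hour:02d}:00")
    z = (event["rows"] - b["mean"]) / b["stdev"]
    if z > 3:
        score += 2
        reasons.append(f"row volume z-score {z:.1f}")
    return score, reasons


def find_anomalies(baseline_text, new_text, threshold=2):
    """Score every new event; return those at or above the threshold."""
    baseline = build_baseline(parse(baseline_text))
    alerts = []
    for e in parse(new_text):
        score, reasons = score_event(e, baseline)
        if score >= threshold:
            alerts.append((e["user"], e["ts"].isoformat(), score, reasons))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(BASELINE_LOG, NEW_EVENTS):
        print(alert)
```

Only the 03:12 bulk read is flagged (new host, unusual hour and a row count far outside alice's distribution, score 5); the ordinary daytime queries score 0. In production the baseline is rebuilt on a rolling window so that slowly changing habits do not accumulate as noise, and the per-user score is what the KPI panel trends over time.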
Software-defined perimeter (SDP) is a relatively new protocol that creates a next-generation access control system for the software-defined network (SDN). A cloud-based SDP controller creates a logical boundary around network and application resources, and only grants access to this virtual perimeter after first authenticating user identity by their device and permissions. Infrastructure and apps remain concealed from potential intruders. Separating the control plane from the data plane allows security teams to build more automated and sophisticated security configurations and dynamically provision standardized security services in the cloud.
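One way to make "authenticate first, then the resource becomes reachable" concrete, as an added example that is neither the report's code nor that of any SDP product: a single-packet-authorization (SPA) gate, the mechanism SDP accepting hosts commonly use, modeled in Python. The gateway answers nothing unless a packet carries a valid HMAC from an enrolled user and device, is fresh, has not been replayed, and names a resource that user is entitled to; only then is a per-client allow rule opened. The enrolled users, device keys, resource names, IPs and the 30-second freshness window are constructed for the demo.

```python
"""SDP-style gate with single-packet authorization (SPA).

Added example (not from the report or any SDP implementation). Models the
accepting host: it stays dark and silently drops anything that fails a check.
"""
import hashlib
import hmac
import json

# Constructed enrollment data that a controller would distribute to gateways.
ENROLLED = {
    # (user, device_id) -> per-device HMAC key
    ("alice", "laptop-a1"): b"alice-laptop-key-0001",
    ("bob", "laptop-b7"): b"bob-laptop-key-0007",
}
ENTITLEMENTS = {
    "alice": {"crm-db:5432", "wiki:443"},
    "bob": {"wiki:443"},
}
MAX_SKEW = 30  # seconds a packet remains valid


def _mac(key, body):
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_spa_packet(user, device_id, resource, src_ip, ts, nonce, key):
    """Client side: one self-contained authorization message, body.mac"""
    fields = {"user": user, "device": device_id, "resource": resource,
              "src_ip": src_ip, "ts": ts, "nonce": nonce}
    body = json.dumps(fields, sort_keys=True).encode()
    return body + b"." + _mac(key, body).encode()


class SpaGateway:
    """Accepting host. Every failure returns ("drop", reason); the real
    gateway would send nothing at all, so the resource stays invisible."""

    def __init__(self):
        self.seen_nonces = set()
        self.allow_rules = set()  # (src_ip, resource) pairs opened so far

    def handle(self, packet, now):
        try:
            body, tag = packet.rsplit(b".", 1)  # hex MAC contains no dots
            fields = json.loads(body)
            key = ENROLLED[(fields["user"], fields["device"])]
            ts = int(fields["ts"])
        except (ValueError, KeyError, TypeError):
            return ("drop", "unknown client or malformed")
        # MAC first, so unauthenticated traffic cannot burn nonces or learn
        # anything from ordering of the later checks.
        if not hmac.compare_digest(_mac(key, body), tag.decode()):
            return ("drop", "bad mac")
        if abs(now - ts) > MAX_SKEW:
            return ("drop", "stale")
        if fields["nonce"] in self.seen_nonces:
            return ("drop", "replay")
        self.seen_nonces.add(fields["nonce"])
        if fields["resource"] not in ENTITLEMENTS.get(fields["user"], set()):
            return ("drop", "not entitled")
        self.allow_rules.add((fields["src_ip"], fields["resource"]))
        return ("allow", fields["resource"])

    def is_open(self, src_ip, resource):
        return (src_ip, resource) in self.allow_rules


if __name__ == "__main__":
    gw, now = SpaGateway(), 1453200000
    pkt = build_spa_packet("alice", "laptop-a1", "crm-db:5432", "10.0.0.5",
                           now, "n1", ENROLLED[("alice", "laptop-a1")])
    print(gw.handle(pkt, now + 5))   # allow
    print(gw.handle(pkt, now + 6))   # replayed packet is dropped
```

The order of checks is the security-relevant part: the MAC is verified before the timestamp, nonce or entitlement, so an unauthenticated sender cannot consume nonces or distinguish "stale" from "unknown". In a real deployment the allow rule would be a firewall entry scoped to the client address and port with a short lifetime, and the keys would be issued and rotated by the controller rather than held in a dict.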
The better these tools are integrated, the more of the kill chain can be automated. Unifying disparate data points provides security teams with more actionable intelligence to speed incident response and contain risk. It also facilitates consolidating internal threat intelligence and external services from the cloud and mobile networks.
Automation provides speed and scale to keep up with new architectures and traffic growth. It improves agility and governance, reduces costs and helps security teams mitigate human error and remediate more effectively.
Finally, because people are usually the common denominator in risks, they should be included in security strategy, as they are in effective data governance and disaster recovery and business continuity initiatives. They can be made aware of their vulnerabilities, trained to be more vigilant and incentivized to adhere to policies or penalized for transgressions.
It’s believed that a company’s ability to demonstrate stronger security governance relative to peers will become viewed as a competitive advantage. This includes how it responds to a breach. How a company informs customers, regulators and investors that an attack has occurred and what they are doing/have done to contain it is critical to maintaining security governance and preserving company reputation.
Security is everyone’s business; yet, responsibility still rests with the security team. Security governance should be considered as much a business initiative as data governance or disaster recovery and business continuity. But to be truly effective, it must be endorsed and practiced by senior management and board members. That is the only way common business objectives can be achieved more securely.