You can’t secure what you don’t know. This is a fundamental security concept. Yet, in today’s world where nearly every aspect of our lives depends on mobile, web-based, and SaaS applications, it’s a principle that overlooked at best and violated at worst.
What does it mean to truly know the asset you’re trying to protect? It means having an intimate understanding of that asset, whether it’s a building, a human being, a network, or an application. That involves identifying “known bad”—the known threats and attacks that have already occurred—and balancing that with “known good”—the asset’s normal, expected habits, characteristics, and behavior.
This seems like a logical, almost obvious approach to take, yet, security solutions have not always worked this way. Most have been based on a negative security model, focusing only on known bad, and the limitations of these solutions have become apparent over the years. This has led to the perception of security as a prohibitor rather than an enabler, and to security solutions as a whole being viewed very negatively.
One problem with such solutions is that known bad events can only be identified and protected against after the fact. Think about when police or news media publicize a description of a bank robber—they can only do that after the bank has already been robbed. By then, the robber has had time to adopt a new disguise and modus operandi. The same can be said of many types of cyber attacks. By the time organizations have the knowledge and insight to deal with the current threat landscape, hackers have already moved on to identify and exploit other vulnerabilities.
Even so, for many years, the so-called bandage- or wrapper-based approach to security persisted. It was considered “good enough” because it provided a reasonable level of network or perimeter security for most organizations.
So, what’s changed? Why isn’t this approach good enough anymore?
Our world has become infinitely more complex. We’ve entered the age of the “webification” of applications. According to Netcraft, a decade ago there were nearly 50 million web applications; today there are nearly 1 billion. Imagine how many there will be in another 10 years. Today’s objects of attack are the mobile, web-based, and SaaS applications we so heavily depend on, not just the network.
Complicating this fact is that applications no longer reside within a tidy enterprise network perimeter, making a wrapper-based security model less effective and practical. This is not to say that protecting the network perimeter is unimportant, it’s just not adequate anymore.
Security solutions need to match the level of sophistication we’re dealing with today by understanding the fundamental nature, purpose, and characteristics of an application. They need to know how an application should look, behave, respond, and react. More to the point, however, they must be able to strike a balance between the known bad and the known good. So, rather than being an afterthought, they must be fundamentally involved in every aspect of the application flow, from the client all the way to the app server, wherever it resides. These characteristics are what define an intrinsic security solution.
The U.S. Secret Service can help illustrate this point. It’s their job to keep the President safe when he travels to an event, not by just watching out for bad guys—that would be a purely negative approach—but by also operating proactively. Well in advance of the event, they know every detail of the venue, they vet local organizers, and coordinate with local law enforcement. The route the President will travel and his exact arrival and departure times will be kept secret. Freeways will be shut down, and airspace will be restricted.
These are all examples of positive security measures the Secret Service takes, using the known good to their advantage. Ultimately, they balance known good with known bad to develop the most comprehensive and effective security strategy.
Enterprise security professionals would do well to follow the same principle. Whether the asset being protected is a human being or a critical business application, the goal of an intrinsic security system is essentially the same: to minimize risk, do no harm, and ensure the asset is able to function according to its purpose and design.
And that’s precisely why negative-based security solutions are falling short today: they aren’t able to protect applications in this way. With little to no knowledge of an application itself or its expected behavior, protocols, error codes, and more, it’s impossible for these systems to adequately evaluate and analyze threats.
What’s worse, such solutions can’t protect “surgically.” They don’t provide the visibility and knowledge required to apply protection precisely where it’s needed. Instead, they must apply known bad across a very broad spectrum, making them highly inefficient and diminishing their effectiveness.
In a simpler, less complex world, a negative-based approach to security might have been adequate. Clearly, it’s not enough anymore to add faster, bigger layers of security—in effect, more wrappers—that are ignorant of the applications they’re protecting. The intricacies of today’s Internet, networks, and applications today compel security professionals to adopt a radically different mindset so they can effectively secure what they do know. By embracing intrinsic security solutions, they gain intimate knowledge and control over applications and the underlying data, enabling them to ensure their privacy, integrity, and confidentiality.
By Preston Hogue, Director of Security Marketing Architecture, F5 Networks
BIO: Preston Hogue is the Director of Security Marketing Architecture at F5 Networks and serves as a worldwide security evangelist for the company. Previously, he was a Security Product Manager at F5, specializing in network security Governance, Risk, and Compliance (GRC). He joined F5 in 2010 as a Security Architect and was responsible for designing F5’s current Information Security Management System (ISMS). Preston has a proven track record building out Information Security Management Systems with Security Service Oriented Architectures (SSOA), enabling enhanced integration, automation, and simplified management. Before joining F5, he was Director of information Security at social media provider Demand Media where he built out the information security team and the company’s ISMS, which included PCI, SOX, OFAC, DDoS, and DMCA programs. Preston’s career began 18 years ago when he served as a security analyst performing operational security (OPSEC) audits for the U.S. Air Force. He currently holds CISSP, CISA, CISM, and CRISC security and professional certifications.