One of the toughest problems in information security is addressing advanced intrusions that have bypassed traditional security controls and now reside undetected on enterprise systems. With financially motivated attacks and state-sponsored “advanced persistent threats” both on the rise, intrusions can remain undetectable for extended periods of time.
We have reached a point where our systems must be considered to have been compromised, even if we don’t have a signature to prove it. All workloads are suspect, even if they appear to be healthy.
How do we protect ourselves in such an environment? There are multiple ways (defense in depth) to counter the threat of APTs; however, one important and radically new approach is to systematically reprovision server OS and application workloads from high-assurance repositories and templates. We call this SWR – short for “systematic workload reprovisioning”.
Rather than having to trust every production server, we can reduce the scope of trust to the high-assurance libraries, models, templates and files that are used to periodically reprovision the servers. This reduces the ability of the hacker to maintain their undetected foothold in our systems.
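A minimal sketch of the scheduling decision behind SWR, added here as an illustration and not taken from the Gartner research notes: workloads are rebuilt on age even when they look healthy, and a rebuild is allowed only from a template whose SHA-256 digest matches a pinned value. All names, the sample fleet, and the seven-day maximum age are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Workload:
    name: str
    template: str             # key into the template repository
    provisioned_at: datetime
    healthy: bool             # monitoring verdict; never a reason to skip rotation

def plan_reprovisioning(workloads, repository, pinned, max_age, now):
    """Return (due, blocked) workload names, oldest first.

    due: rebuild now from a template whose SHA-256 matches the pinned digest.
    blocked: rebuild is needed but the template failed verification.
    """
    due, blocked = [], []
    for w in sorted(workloads, key=lambda w: w.provisioned_at):
        # Unhealthy workloads are rebuilt at once; healthy ones when max_age expires.
        if w.healthy and now - w.provisioned_at < max_age:
            continue
        data, want = repository.get(w.template), pinned.get(w.template)
        ok = data is not None and want is not None and hmac.compare_digest(
            hashlib.sha256(data).hexdigest(), want)
        (due if ok else blocked).append(w.name)
    return due, blocked

# Constructed sample data (hypothetical names, contents and dates).
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)
PINNED = {"web": hashlib.sha256(b"web-template-v1").hexdigest(),
          "db": hashlib.sha256(b"db-template-v1").hexdigest()}
REPOSITORY = {"web": b"web-template-v1",
              "db": b"db-template-v1 (modified after pinning)"}
FLEET = [
    Workload("web-01", "web", NOW - timedelta(days=30), healthy=True),
    Workload("web-02", "web", NOW - timedelta(days=2), healthy=True),
    Workload("db-01", "db", NOW - timedelta(days=1), healthy=False),
]

def demo():
    return plan_reprovisioning(FLEET, REPOSITORY, PINNED, timedelta(days=7), NOW)

if __name__ == "__main__":
    due, blocked = demo()
    print("reprovision:", due)
    print("blocked (template digest mismatch):", blocked)
```

The blocked list is the case that matters most: if the template repository itself cannot be verified, reprovisioning from it would spread the problem instead of removing it.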
I’ve just published two research notes for Gartner clients that detail the SWR strategy. The first explains the concept and the second explores the implications and considerations for information security and operations management where SWR is adopted.
For some curmudgeonly information security and operations professionals, this approach will seem radical. “Take down perfectly good (ostensibly) server workloads? Heresy!”
However, there is a precedent in human physiology. The human immune system has a similar challenge with cancer — a situation where the instructions within the body’s own workloads (cells) are compromised and cause damage from within. Much like APTs, cancer isn’t detectable by the human immune system using its traditional signature-based (antibody) and adaptive (T cell and B cell) mechanisms.
The human immune system uses apoptosis — programmed cell death — as one of its strategies to counter the advanced and persistent threat of cancer (if apoptosis is inhibited, then cells have a greater chance of becoming cancerous). With apoptosis, all workloads (cells) are autonomically regenerated from a high-assurance set of instructions (DNA) located in the nucleus of the cell or another location within the body, such as the bone marrow for blood cells. Similar to an SWR strategy, apoptosis occurs when cells appear to be damaged, as well as when they appear to be healthy.
Why can’t information security take some lessons from the human immune system? We’ve been dealing with advanced threats for millions of years and routinely deal with threats that have bypassed our perimeter protection mechanisms.
Food for thought.
I’ll be talking about SWR next week at Gartner’s Information Security Summit in Washington DC. I hope to see you there.