One of the toughest problems in information security is addressing advanced intrusions that have bypassed traditional security controls and now reside undetected on enterprise systems. With financially motivated attacks and state-sponsored “advanced persistent threats” both on the rise, intrusions can remain undetectable for extended periods of time.
We have reached a point where our systems must be considered to have been compromised, even if we don’t have a signature to prove it. All workloads are suspect, even if they appear to be healthy.
How do we protect ourselves in such an environment? There are multiple ways (defense in depth) to counter the threat of APTs; however, one important and radically new approach is to systematically reprovision server OS and application workloads from high-assurance repositories and templates. We call this SWR – short for “systematic workload reprovisioning”.
Rather than having to trust every production server, we can reduce the scope of trust to the high-assurance libraries, models, templates and files that are used to periodically reprovision the servers. This reduces the ability of the hacker to maintain their undetected foothold in our systems.
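The following is an added illustration of the SWR control loop described above; it is not code from the original post or from Gartner. It models a high-assurance template repository whose manifest pins a SHA-256 digest for every template, and a rotation pass that rebuilds every workload past its age limit regardless of what health monitoring reports, while refusing to rebuild from a template that no longer matches its pinned digest. The names `TemplateRepository`, `Workload` and `run_swr_cycle` and all timestamps and template contents are constructed for the example.

```python
"""Minimal model of systematic workload reprovisioning (SWR).

Constructed example: the class and function names are hypothetical and the
template contents, digests and timestamps are made-up sample data.
"""
import hashlib
from dataclasses import dataclass


class TemplateRepository:
    """The only component we extend trust to. `manifest` pins the SHA-256 of
    each template at build time; `store` is the content actually served."""

    def __init__(self, templates: dict[str, bytes]):
        self.store = dict(templates)
        self.manifest = {n: hashlib.sha256(c).hexdigest() for n, c in templates.items()}

    def fetch_verified(self, name: str) -> bytes:
        content = self.store[name]
        if hashlib.sha256(content).hexdigest() != self.manifest[name]:
            raise ValueError(f"template {name!r} failed integrity check")
        return content


@dataclass
class Workload:
    name: str
    template: str
    provisioned_at: int      # seconds since epoch (constructed values)
    healthy: bool = True     # what monitoring says; the rotation ignores it
    image_digest: str = ""   # digest of the template the workload was built from


def reprovision_due(w: Workload, now: int, max_age: int) -> bool:
    """Rebuild on age alone: a healthy-looking workload is rotated just like a
    sick one, since an undetected compromise looks healthy by definition."""
    return now - w.provisioned_at >= max_age


def reprovision(w: Workload, repo: TemplateRepository, now: int) -> Workload:
    content = repo.fetch_verified(w.template)  # raises if the source is tampered
    return Workload(w.name, w.template, now, True, hashlib.sha256(content).hexdigest())


def run_swr_cycle(workloads, repo: TemplateRepository, now: int, max_age: int):
    """One rotation pass. Returns (new_workloads, rebuilt, kept, refused)."""
    out, rebuilt, kept, refused = [], [], [], []
    for w in workloads:
        if not reprovision_due(w, now, max_age):
            out.append(w); kept.append(w.name); continue
        try:
            out.append(reprovision(w, repo, now)); rebuilt.append(w.name)
        except ValueError:
            out.append(w); refused.append(w.name)  # keep serving, alert operators
    return out, rebuilt, kept, refused
```

A refused rebuild is the signal worth alerting on: it means the high-assurance source itself no longer matches its manifest, which is exactly the narrow trust boundary SWR is meant to protect.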
I’ve just published two research notes for Gartner clients that detail the SWR strategy. The first explains the concept and the second explores the implications and considerations for information security and operations management where SWR is adopted.
For some curmudgeonly information security and operations professionals, this approach will seem radical. “Take down perfectly good (ostensibly) server workloads? Heresy!”
However, there is a precedent in human physiology. The human immune system faces a similar challenge with cancer — a situation where the instructions within the body’s own workloads (cells) are compromised and cause damage from within. Much like APTs, cancer is not reliably detected by the immune system’s traditional signature-based (antibody) mechanisms or by its adaptive (T cell and B cell) mechanisms.
The human immune system uses apoptosis — programmed cell death — as one of its strategies to counter the advanced and persistent threat of cancer (if apoptosis is inhibited, then cells have a greater chance of becoming cancerous). With apoptosis, all workloads (cells) are autonomically regenerated from a high-assurance set of instructions (DNA) located in the nucleus of the cell or another location within the body, such as the bone marrow for blood cells. Similar to an SWR strategy, apoptosis occurs when cells appear to be damaged, as well as when they appear to be healthy.
Why can’t information security take some lessons from the human immune system? We’ve been dealing with advanced threats for millions of years and routinely deal with threats that have bypassed our perimeter protection mechanisms.
Food for thought.
I’ll be talking about SWR next week at Gartner’s Information Security Summit in Washington DC. I hope to see you there.