4. Continuous adaptive risk and trust assessment (CARTA) strategic
approach
4
The intelligent digital mesh and related digital technology platforms and application
architectures create an ever-more-complex world for security. The continuing
evolution of the "hacker industry" and its use of increasingly sophisticated tools
including the same advanced technologies available to enterprises significantly
raise the threat potential.
Relying on perimeter defense and static rule-based security is inadequate and
outdated. This is especially so as organizations exploit more mobile devices, cloud-
based services, and open APIs for customers and partners to create business
ecosystems.
IT leaders must focus on detecting and responding to threats, as well as more
traditional measures, such as blocking, to prevent attacks and other abuses.
Security and risk management leaders must adopt a CARTA strategic approach.
This is vital to securely enable access to digital business initiatives in a world of
5. Continuous adaptive risk and trust assessment (CARTA) strategic
approach
5
Existing security decision making based on
initial one-time block/allow security
assessments for access and protection is
flawed. It leaves organizations open to zero-
day and targeted attacks, credential theft,
and insider threats. Trust (and risk) of digital
business must be dynamic, and assessed
continuously in real time as interactions take
place and additional context is gained. A
CARTA approach embraces the reality that we
can't provide a risk-based answer to security
questions such as access/blocking until: The
request is made, The context is known and The
relative risk and trust scoring of the entity and
its requested behavior are assessed.
6. Managing Risk and Security at the Speed of Digital Business
Recommendations
• Develop a compelling vision for risk and
security management based on establishing
trust and resilience.
• Adapt the strategic objectives of your risk
and security program to encompass the new
realities of digital business.
• Embrace the six principles of trust and
resilience.
• Develop and evolve an adaptive, context-
aware security architecture.
• Implement and manage a formal, process-
based risk and security management
program to support the digital business.
Key Challenges :
• Increasing adoption of digital
business strategies is challenging
conventional approaches to
security and risk management.
• Risk and security programs must
adapt to this new reality or face
being sidelined by the digital
business initiatives, ironically
exposing the enterprise to even
bigger risk.
6
7. The Foundations of Risk and Security in the Digital Business
World
7
The dramatic increase in the number
of elements (e.g., systems, devices,
things, data and dynamic
relationships) exposes scalability
issues with many traditional security
control solutions.
Security is often thought of as a
preventer But security is also an
enabler
8. Vision:
8
It is crucial that the vision is
customized by complementing
the basic ISMS model through
articulating the business,
technology and risk drivers that
are unique to the enterprise.
Within the context of digital
business, it is important to
acknowledge that the digital
business environment comes
with unprecedented risks that
go beyond IT operations,
encompassing the enterprise and
its ecosystem.
Address protect need for assets that IT no longer owns or controls
(e.g., cloud-based services or new mobile-based applications,outsourcing)
Plan for the unprecedented.
( Go beyond the ordinary, imagining responses to unprecedented but
plausible circumstances).
Support a bimodal IT strategy
(Baseline plan & predefined alternative plan)
Increase awareness among stakeholders to build trust and resilience
(People-Centric Security & mandatory training)
Make the people, processes and technology more resilient.
(Must get in early on projects to reduce inconvenience. )
9. Adapt the Strategic Objectives of Your Risk and Security
Program to Encompass the New Realities of Digital Business
9
The digital explosion is reshaping
organizational security and risk management.
The traditional model ascribed to for decades
has been based on the objectives of
confidentiality, integrity and availability (CIA).
However, in the digital business world, the CIA
model isn't enough.
Digital business is pushing the environment for
protecting data and infrastructure into the
physical world, merging functions focused on
data and information with functions that make
actual changes to people and their surrounding
environments.
The CIAS Model of Cybersecurity
10. Embrace the Six Principles of Trust and Resilience
Principle No. 1: Stop Focusing on Check-Box Compliance, and Shift to Risk-Based Decision
Making -> (BIA)
Principle No. 2: Stop Solely Protecting Infrastructure, and Begin Supporting Business
Outcomes -> (BPM)
Principle No. 3: Stop Being a Defender, and Become a Facilitator (trade offs)
Principle No. 4: Stop Trying to Control Information, and Determine How It Flows ->(BigData)
Principle No. 5: Accept the Limits of Technology and Become People-Centric
Principle No. 6: Stop Trying to Perfectly Protect Your Organization, and Invest in Detection
and Response(that perfect prevention is not achievable)
10
# STOP START
1- Focusing on Check Box Compliance Risk-Based Decision Making
2- Solely Protecting Infrastructure Supporting Business Outcomes
3- Being (Merely) a Defender Facilitating Operations
4- Trying to Control Information Enabling Information Flows
5- Viewing Technology as the End Becoming People-Centric
6- Trying to Perfectly Protect Investing in Detection and Response
11. Develop and Evolve an Adaptive, Context-Aware Security
Architecture
11
Twelve Critical Capabilities of Gartner's Adaptive Security Architecture
12. Implement and Manage a Formal, Process-Based Risk and
Security Management Program to Support the Digital Business
Component Purpose Content/Deliverables
Enterprise Security Charter Executive Mandate •Business Need
•Scope
•Accountability Statement
•Mandate for CISO
•Mandate for Program and Policy
Security Program Framework Terms of Reference/Reference Model •Vision Statement
•ISMS Description
•Principles
•Program Components
•Capabilities/Functions Taxonomy
•Security Architecture Framework
•Policy Framework
Annual Strategy Plan Plan of Action •Target State
•Current State
•Gap Analysis
•Roadmap of Technical, Strategic and BAU Initiatives
Governance Model Implementation of Accountability and Decision
Rights
•Policy Framework
•Steering Committees/Bodies
•Organization Model
•Executive/Assurance Reporting Framework
Process Model Operational/Maturity Improvements; Foundation
for Organization Model
•Process Catalog
•Maturity Model
12
14. Top 10 Technologies for Information Security
Cloud Workload
Protection Platforms
Remote Browser Deception
Endpoint Detection
and Response
Network Traffic
Analysis
Managed Detection
and Response
Microsegmentation
Software-Defined
Perimeters
Cloud Access
Security Brokers
OSS Security
Scanning and
Software
Composition Analysis
for DevSecOps
Container Security
14
15. 1. Cloud Workload Protection Platforms
Modern data centers support workloads that
run in physical machines, virtual machines
(VMs), containers, private cloud infrastructure
and almost always include some workloads
running in one or more public
cloud infrastructure as a service (IaaS)
providers. Hybrid cloud workload protection
platforms (CWPP) provide information
security leaders with an integrated way to
protect these workloads using a single
management console and a single way to
express security policy, regardless of where
the workload runs.
15
16. 2.Remote Browser
Almost all successful attacks originate from the public internet, and browser-based attacks are
the leading source of attacks on users. Information security architects can't stop attacks, but can
contain damage by isolating end-user internet browsing sessions from enterprise endpoints and
networks. By isolating the browsing function, malware is kept off of the end-user's system and
the enterprise has significantly reduced the surface area for attack by shifting the risk of attack
to the server sessions, which can be reset to a known good state on every new browsing
session, tab opened or URL accessed.
16
17. 3. Deception
Deception technologies are defined by the use of deceits, decoys and/or tricks
designed to thwart, or throw off, an attacker's cognitive processes, disrupt an
attacker's automation tools, delay an attacker's activities or detect an attack. By
using deception technology behind the enterprise firewall, enterprises can better
detect attackers that have penetrated their defenses with a high level of
confidence in the events detected. Deception technology implementations now
span multiple layers within the stack, including endpoint, network, application
and data.
17
18. 4. Endpoint Detection and Response
Endpoint detection and response (EDR) solutions augment traditional endpoint preventative controls
such as an antivirus by monitoring endpoints for indications of unusual behavior and activities
indicative of malicious intent.
18
19. 5.Network Traffic Analysis
Network traffic analysis (NTA)
solutions monitor network traffic,
flows, connections and objects for
behaviors indicative of malicious
intent. Enterprises looking for a
network-based approach to
identify advanced attacks that
have bypassed perimeter security
should consider NTA as a way to
help identify, manage and triage 19
20. 6. Microsegmentation
Once attackers have gained a foothold in
enterprise systems, they typically can move
unimpeded laterally ("east/west") to other
systems. Microsegmentation is the process of
implementing isolation and segmentation for
security purposes within the virtual data
center. Like bulkheads in a submarine,
microsegmentation helps to limit the damage
from a breach when it occurs.
Microsegmentation has been used to describe
mostly the east-west or lateral communication
between servers in the same tier or zone, but
it has evolved to be used now for most of
communication in virtual data centers. 20
21. 7. Software-Defined Perimeters
A software-defined perimeter (SDP)
defines a logical set of disparate,
network-connected participants within a
secure computing enclave. The
resources are typically hidden from public
discovery, and access is restricted via a
trust broker to the specified participants
of the enclave, removing the assets from
public visibility and reducing the surface
area for attack.
21
22. 8.Cloud Access Security Brokers
Cloud access security brokers (CASBs) address gaps in security resulting from the significant
increase in cloud service and mobile usage. CASBs provide information security professionals
with a single point of control over multiple cloud service concurrently, for any user or device. The
continued and growing significance of SaaS, combined with persistent concerns about security,
privacy and compliance, continues to increase the urgency for control and visibility of cloud
services.
22
23. 9. OSS Security Scanning & SW Composition Analysis for
DevSecOps
Information security architects must be able to automatically incorporate security controls without
manual configuration throughout a DevSecOps cycle in a way that is as transparent as possible
to DevOps teams and doesn't impede DevOps agility, but fulfills legal and regulatory compliance
requirements as well as manages risk. Security controls must be capable of automation within
DevOps toolchains in order to enable this objective. Software composition analysis (SCA) tools
specifically analyze the source code, modules, frameworks and libraries that a developer is
using to identify and inventory OSS components and to identify any known security
vulnerabilities or licensing issues before the application is released into production.
23
25. 10. Container Security
Containers use a shared operating system
(OS) model. An attack on a vulnerability in
the host OS could lead to a compromise of
all containers. Containers are not inherently
unsecure, but they are being deployed in an
unsecure manner by developers, with little or
no involvement from security teams and little
guidance from security architects. Traditional
network and host-based security solutions
are blind to containers. Container security
solutions protect the entire life cycle of
containers from creation into production and
most of the container security solutions
provide preproduction scanning combined
with runtime monitoring and protection.
25
26. Secure IIOT & enterprise IOT
IOT implementation best practice
26
27. IOT Security
2
Security Accidents
Examples
Security
Requirement
October 21, 2016, DDoS attack to Dyn’s
Managed DNS infrastructure.
In 2014, remote code execution vulnerability, affected
more than 150000 Webcam devices, because of weak
password.
Secure Booting Access Control Anti-DDoS
Device
Authentication
Secure
Software
Updates and
Patches
28. Forwarding layer (Data plan)
App layer
Business Application
Business Application
Business Application
Control
layer
SDN Controller
SDN Controller
29. Forwarding layer (Data plan)
App layer
Business Application
Business Application
Business Application
Control
layer
SDN Controller
SDN Controller
30. Forwarding layer (Data plan)
App layer
Business Application
Business Application
Business Application
Control
layer
SDN Controller
SDN Controller
31. Forwarding layer (Data plan)
App layer
Business Application
Business Application
Business Application
Control
layer
SDN Controller
SDN Controller
32. DDoS Attack Scenarios in SDN
Scenario 1: The controller
can be the target for the
attack.
Scenario 2: The system
resources of the controller
can be the target for
attackers.
Scenario 3: Switch
memory can be the target
for attackers.
Scenario 4: A link between
switches can also be the
target.
Scenario 5: A legal user
under a switch can be the
victim of an attacker (e.g.,
a server in a cloud-
computing environment).
34. Hardware authentication
The inadequacies of usernames and passwords are well known. Clearly, a more secure
form of authentication is needed. One method is to bake authentication into a user's
hardware .
35. Stronger authentication
3
USB Key SMS Code
OneKey
Confirmation OTP Token
Fingerprint Palmprint Iris Face
Keyboard Pressing Mouse moving track Handwriting Finger Pressing
Advantages
(1)Portable
(2)Secure
(3)Stable
(4)Unique
(5)Universal
(6)Convenient
(7)Collective
(8)Acceptable
Web API for “Human ontology
authentication” ?
37. Cipher Lock
Combination locks that use buttons that must be pushed in
the proper sequence to open the door
Can be programmed to allow only the code of certain
individuals to be valid on specific dates and times
Cipher locks also keep a record of when the door was
opened and by which code
Cipher locks are typically connected to a networked
computer system
Can be monitored and controlled from one central location
38. Cipher Lock Disadvantages
Basic models can cost several hundred dollars while advanced models can be
even more expensive
Users must be careful to conceal which buttons they push to avoid someone
seeing or photographing the combination
39. Tailgate Sensor
Uses infrared beams that are aimed across a doorway
Can detect if a second person walks through the beam array
immediately behind (“tailgates”) the first person
Without presenting credentials
41. Physical Tokens
Objects to identify users
ID Badge
The most common types of physical tokens
ID badges originally were visually screened by security
guards
Today, ID badges can be fitted with tiny radio frequency
identification (RFID) tags
Can be read by an RFID transceiver as the user walks
through the door with the badge in her pocket
43. Mantrap
Before entering a secure area, a person must enter the
mantrap
A small room like an elevator
If their ID is not valid, they are trapped there until the police
arrive
Mantraps are used at high-security areas where only
authorized persons are allowed to enter
Such as sensitive data processing areas, cash handling areas,
critical research labs, security control rooms, and automated airline
passenger entry portals
45. Video Surveillance
Closed circuit television (CCTV)
Using video cameras to transmit a signal to a specific and limited set of receivers
Some CCTV cameras are fixed in a single position pointed at a door or a hallway
Other cameras resemble a small dome and allow the security technician to move the
camera 360 degrees for a full panoramic view
46. Physical Access Log
A record or list of individuals who entered a secure area, the time that
they entered, and the time they left the area
Can also identify if unauthorized personnel have accessed a secure
area
Physical access logs originally were paper documents
Today, door access systems and physical tokens can generate
electronic log documents
51. Procedures: detailed specifications for how something should be done
— Can be either standards or guidelines
— Segregation of duties: two people are required to complete sensitive tasks
– No individual can do damage
– Procedures
— Request/authorization control
– Limit the number of people who may make requests on sensitive matters
– Allow even fewer to be able to authorize requests
– Authorizer must never be the requester
— Mandatory vacations to uncover schemes that require constant maintenance
— Job rotation to uncover schemes that require constant maintenance 51
52. – Procedures: detailed descriptions of what should be done
– Processes: less detailed specifications of what actions should be taken
— Necessary in managerial and professional business function
— Baselines: checklists of what should be done but not the process or procedures for doing
them
— Best practices: most appropriate actions in other companies
— Recommended practices: normative guidance
— Accountability
– Owner of resource is accountable
– Implementing the policy can be delegated to a trustee, but accountability cannot be
delegated
– Codes of ethics
52
54. Visit us at
www.internetsociety.org
Follow us
@internetsociety
Galerie Jean-Malbuisson 15,
CH-1204 Geneva,
Switzerland.
+41 22 807 1444
1775 Wiehle Avenue,
Suite 201, Reston, VA
20190-5108 USA.
+1 703 439 2120
Thank you.
Amer A. Haa’a
IT researcher
A.Hazaa@coe-ye.com
54
