A Public Sector Communications eMagazine

November 18, 2005 • Volume 3 • Number 12

 


Viewpoints from the 2005 Federal Information Assurance Conference By Senior Editor Robert Green 

 

Coming Soon: Next-Generation Security


By Robert Green, Senior Editor
 

If we were to examine any single security control in a major agency system, the likelihood that it would be performing effectively would be quite high. Indeed, if that examination were repeated across the entire portfolio of specific controls, effective performance would again likely dominate the survey.

 

To the extent that they perform as advertised, properly implemented and managed anti-virus systems, firewalls, spam blockers, encryption, access control mechanisms, IPS and IDS, patches, trouble ticketing processes and other tools add layers of security that otherwise could not be achieved.

 

Still, systems get hacked, penetrated, defaced, or corrupted for their bandwidth or their value to blackhats as “bots.” They do so in part because effective Information Assurance and IT security is increasingly understood to be something more than the sum of the parts installed.


New Tools, New Concepts
 

New tools and new concepts are beginning to emerge that aim to close the gap between the deployment of controls and the achievement of effective IA. One of the more interesting of these ideas is advocated in recent guidance from the Gartner Group that, in effect, recommends that agencies adopt the same levels of integration across their security components as they have for operational IT in the Enterprise Architecture (and now Information Sharing) era.

 

Mitchell Ashley, CTO of StillSecure, an IT security specialist company that partners with DHS, DOD and other security-focused agencies, told the FIAC 2005 conference about the Gartner guidance, which he believes will lead agencies to “a next-generation in security integration.”

 

Adaptive Security Architecture

To date, Ashley said, security integration has tended to occur piecemeal and as part of limited “gap engineering” efforts that might be conducted merely in one sector of a system. Tools that performed specific, vertical tasks are now bundled either by vendors or system operators but often remain performing in vertical or task-specific sectors of networks. Full security integration as detailed by Gartner calls for what Ashley called “an adaptive security architecture” in which controls are not so much plugged in or operated separately as they are “orchestrated.”

 

Gartner details five levels of interoperability that might be chronicled, but few if any organizations have yet achieved the top level, Ashley said. To date, the adaptive technologies needed have been supplanted by the human resources side of the equation, often within organizations in which security is a Balkanized task spread across elements that might not communicate, much less interoperate.

 

“Too much of the security effort today is invested in a person trying to look at as much data as he or she can with little automated help when it comes time to make judgments,” Ashley said during a recent interview. Just the ability to watch attacks as they occur with an eye on vulnerabilities can tax a CISO or sys-admin, he told FIAC. In today’s paradigm, the staff might be aided by APIs that allow import and export of data, but the Gartner model goes beyond that limitation to create processes “that can take control of specific actions based on the circumstances and the feeds it is getting from all of your components.”

 

The general idea as encompassed by Gartner is not new and might be seen as kin to the enterprise security integration model advocated over the last five years or so by OMB, GAO, Customs and other sectors of government. The difference today, Ashley said, is that toolsets and processes are more readily implemented that can turn each component of a security deployment into a willing provider of threat information directly to the other components in an automated information-sharing schema, and the components can then coordinate actions too.

 

“Effective adaptive technologies will work within the situation you have, not cause you to re-organize just so you can use a tool,” Ashley told FIAC 2005.

For more details on the benefits of integrated security, visit: http://www.stillsecure.com/library/white_papers.php


Robert Green can be reached at RobertGreen@PubSector.com.  
