We are blessed to live in interesting times. CISOs today are witnessing unprecedented change within their security programs, the techniques and tooling employed by the adversaries we confront, and the evolution of our security architectures. Historically, security architectures overwhelming focused on point solutions primarily related to network perimeter and endpoint defenses. Too frequently, however, these solutions were functionally isolated from other deployed security and monitoring technologies resulting in siloed security that did not adequately address the whole-of-enterprise and expansive digital risk. Not surprisingly, security teams faced challenges in defining the ‘official’ system of record and shining light on the proverbial security blind spots over their organization’s infrastructure and critical assets.
The advent of security incident and event management (SIEM) capabilities, which portended greater security visibility through the collection, aggregation, and correlation of security logs, changed the dynamic of security teams from not having enough visibility to that of too much noise and not enough signal. Alert fatigue, or worse, orphaned alerts, became the norm. Today’s security architectures are frequently a mix of legacy point solutions with incomplete or inadequately deployed modern responses to the complex threat landscape that most organizations confront.
The result is that too many organizations suffer security incidents and breaches that could have been avoided by a modern security architecture and, by extension, more automated security functions. This dynamic is further challenged by the talent war to attract and retain qualified security analysts, security engineers, and security architects. These highly skilled security practitioners are, in many cases, too frequently doing exceedingly detailed work manually, resulting in higher error rates and burnout of key staff. Manual, siloed defenses simply cannot keep pace with well-resourced and highly automated adversaries operating at network or machine speed. Clearly the status quo is not tenable, and we need to re-think our approach to security architecture.
The security architecture challenge is clearly the fodder of the analyst community. As a case in point, Gartner recommends organizations employ an adaptive security architecture, one that moves from the traditional focus on prevention to more timely detection and response, ultimately incorporating predictive models to understand and thwart adversarial behavior. Gartner’s security analysts expanded on the concept of adaptive security to a new framework, continuous adaptive risk and threat assessment (CARTA). Forrester Research’s notion of Zero Trust architectures, where there is continual validation given a lack of trust for ancillary security services, also implicitly requires greater integration of security components. Collectively, Gartner’s adaptive security architecture and CARTA along with Forrester Research’s zero trust model are predicated on real-time, machine or network speed risk decisions. Essentially, the modern security architecture requires integration between and among components with limited manual intervention to adequately respond to issues that surface.
Modern security architectures must be designed to meet these principles and focus on enhanced integrations between security tools and applications. The concept of security orchestration automation and response (SOAR) – initially focused on incident response practices – has expanded to address more mundane security hygiene functions including automated validations of security configurations and settings. Similarly, modern cloud services such as Amazon Web Services’ (AWS’) Lambda are now being used to ensure that unauthorized changes are timely detected and corrected in an automated fashion. The use of Lambda functions (and functional equivalents in GCP and Azure) can help automate basic security hygiene and configuration activities as well as address incident response to pre-identified conditions – similar to other SOAR tools. These tools become a force multiplier for our security teams, enabling them to address security issues in a more timely and automated fashion.
The advent of deception technologies is also integral to modern security architecture in that deception fundamentally changes the dynamic that the security defender must be right 100% of the time while the adversary only needs to be right once. With well-implemented deception, decoyed network assets, servers, credentials, and other high-fidelity artifacts effectively lay a mind-field to quickly detect and respond to adversaries in the environment. Breach and attack simulation (BAS) tools also support continuous security evaluation and security testing that complements point-in-time security assessments (be they black box or white box penetration tests). We also benefit from enhanced application security and code analyses that include static and dynamic security testing as well as runtime application self-protection (RASP) capabilities. Modern security architectures also benefit from increased understanding of adversarial behavior, notably from the MITRE ATT&CK framework and the insights it provides on the indicators of compromise (IOCs) that certain threat actors and their attacks evidence. Simply stated, as security leaders and practitioners, we have access to highly effective security capabilities if we re-think our security architectures.
Accordingly, the security principles that govern modern security architectures include, but are not limited to, the following:
- Shift left concepts that focus on security by design (effectively incorporating security capabilities earlier in the design and implementation phases of new infrastructure, systems, and applications)
- Enhanced system integration through application programming interfaces (APIs) that enable disparate security tools and applications to work in a more coordinated and automated fashion (think SOAR as a ubiquitous capability)
- Emphasis on detection and response capabilities that proactively hunt for adversarial behavior in our environments (this behavior is not typically evidenced as signatures but rather the illegitimate use of legitimate processes and services such as PowerShell)
- Automation of detailed, error-prone functions that provide guardrails against poor configurations and configuration creep
- Continuous assessment and validation, notably around security configurations to preclude configuration errors from being exploited
- Contextualized and adaptive responses that encompass both an asset’s inherent value and its risk to the organization if it were compromised coupled with the profile of the user and enhanced credential management
- Extensive use of machine learning (notably supervised machine learning) capabilities to detect the proverbial needle in a haystack of other needles
- Deception capabilities that provide high fidelity alerts of adversarial behavior while facilitating incident response training and more effective security monitoring
- Well architected design principles that assume compromise and system and component failure (effectively designing for resilience)
These core principles, coupled with the strong prescriptive guidance from security standards and frameworks, enable more risk resilient security programs and certainly security architectures that facilitate not only enhanced, whole-of-enterprise visibility, but also responses that are high-fidelity and conducted at network speed. Here’s to more resilient security architectures.