I’m a big car nut so I wondered if there are any parallels between the evolution of cars and IT security. Seven years after the first automobile was produced by Karl Benz in 1886, electronic security started when the wireless telegraph, the first network, was hacked.
While both technologies were born in similar eras, their paths quickly diverged. Automobiles evolved at a fast pace because consumers and government demanded improvements. Performance increased, costs decreased, and safety got a lot better.
In contrast, security’s progression was largely motivated by risk – prevention of attacks, detection of current attacks, and remediation of past attacks. Security was always weighed against the perceived cost of the risk. In other words, you didn’t want to spend more on security than the attacks cost you. Comfort was completely alien to security until recently.
Today, security has changed. Rather than simply thinking about detection of attacks, organizations are now beginning to focus on how users will interact with security measures. This is what I call Positive Security – the ability to build security into products in a way that benefits users so that users are protected from intrusion.
How did negative security models work?
The old model of security focused on the risk and the cost of security strategies, without considering how they would affect users. In fact, it was a commonly-held belief that the worse the user experience, the better the security. This led to hatred and circumvention of security protocols.
The current model of security continued to favor strategies that mitigate risk and satisfy regulatory compliance, while giving a nod to improving the user experience. Senior management and business unit leaders increasingly felt that security shouldn't hinder business goals, so a secure user experience needed to support innovation and accelerate business development. Those demands made incident response and many other security processes more proactive.
Planning for business as a User Experience (UX) is now a must. As employees use their own devices, businesses create their own custom apps, and cloud services replace physical infrastructure, companies benefit from shifting capital expenditures to operational costs. Considering all these developments, a new security model is needed to replace obstructionist security models with positive ones.
How do you prioritize secure business innovation?
The most important implication of Positive Security is that it puts the user experience front and center. This means that secure business innovation must dynamically balance both risk and cost. Positive Security impacts organizations at all levels.
For senior business unit leaders, security must contribute to revenues, profits, customer satisfaction, employee productivity, compliance, and business innovation.
For IT leadership, security needs to be able to predict the seriousness and urgency of potential threats, prioritize mitigation strategies, analyze the negative impact of fixes and patches on production, and suggest courses of action.
To support end-users and customers, security solutions need to monitor users’ behaviors, transactions, and interactions in near real-time to avoid accidental, mischievous, or malicious activities. Actions can be manually or automatically invoked so that security managers can disable access, step up authentication, or invoke detailed tracking for further analysis. In some cases, "normal behavior" over a long period of time might even cause systems to step down authentication and other security measures to improve the user experience.
What #PositiveSecurity solutions already exist?
As listed below, many current security technologies fall into the positive category. Therefore, evolving towards #PositiveSecurity does not require the rip-and-replace upgrades of older solutions. Threat Intelligence and Analytics, however, are a new and key distinction, as explained in the next section.
Endpoint (IoT, Mobile, and systems). Repels attacks on PC, mobile, and IoT devices. Password Management supplies robust and unique passwords for every application.
APT (Advanced Persistent Threat) Defense. Detects and blocks attacks based on previously unknown vulnerabilities.
Security SaaS (Software as a Service). Improves security knowledge, shifts security budgets from capital to operational, and reduces the need to install software on devices, servers, and networks.
MSSP (Managed Security Service Providers). Customized service that improves (or replaces) IT management expertise and often takes over support for older software and hardware.
MFA (Multi-Factor Authentication) with biometrics. Reduces or eliminates need to memorize complex passwords, reduces risk, and provides regulatory compliance.
PAM (Privileged Access Management). Reduces insider attacks, streamlines IT administration, and complies with regulations.
Threat Intelligence and Analytics. Threat intelligence enhances security by focusing vulnerability management on imminent threats that pose a high risk to critical data, applications and infrastructure. This enables customers to predict attacks and proactively deal with current attacks that may have gone unnoticed.
UBA (User Behavior Analysis). External hijacking of insider accounts and internal threats are often foreshadowed by anomalous user behavior (e.g., repeated attempts to log onto privileged accounts, sudden large uploads to previously unknown IP addresses, etc.). UBA can proactively alert, trigger detailed monitoring, and possibly block further suspicious activity.
NGFW (Next Generation Firewall). While the ability to consolidate many diverse security applications on a single physical or virtual platform is cost-effective, the real benefit from true NGFW is the aggregation and analysis of all these network, application, data, and user alerts. In combination with Threat Intelligence, this can block attacks, reduce discovery time for current threats, and speed incident response and remediation for ongoing attacks.
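The monitoring loop described earlier (disable access, step up authentication, invoke detailed tracking, or step down after sustained normal behavior) and the two UBA signals named above can be sketched as a small policy. This is an added example, not code from the article or any product; the thresholds, event fields, action names, and the mapping of signals to responses are all assumptions.

```python
# Thresholds and action names are illustrative assumptions, not from the article.
PRIV_FAIL_LIMIT = 3            # failed privileged logons that raise a signal
UPLOAD_LIMIT = 500_000_000     # bytes sent to a destination never seen before
STEP_DOWN_DAYS = 90            # signal-free days before authentication relaxes

def signals_for(events, known_ips):
    """Return the UBA signals raised by one user's events."""
    found = set()
    fails = sum(1 for e in events if e["type"] == "priv_logon" and not e["ok"])
    if fails >= PRIV_FAIL_LIMIT:
        found.add("priv_logon_failures")
    if any(e["type"] == "upload" and e["bytes"] >= UPLOAD_LIMIT
           and e["dst"] not in known_ips for e in events):
        found.add("large_upload_unknown_ip")
    return found

def decide(signals, clean_days):
    """Map signals to a response: disable, track, step up, or step down."""
    if len(signals) >= 2:
        return "disable_access"
    if "large_upload_unknown_ip" in signals:
        return "detailed_tracking"
    if "priv_logon_failures" in signals:
        return "step_up_auth"
    return "step_down_auth" if clean_days >= STEP_DOWN_DAYS else "no_change"

def evaluate(log, known_ips, clean_days):
    """Group events per user and return {user: action}."""
    per_user = {u: [] for u in clean_days}
    for e in log:
        per_user.setdefault(e["user"], []).append(e)
    return {u: decide(signals_for(ev, known_ips.get(u, set())), clean_days.get(u, 0))
            for u, ev in per_user.items()}

# Constructed sample data (documentation-range IPs, invented users).
LOG = (
    [{"user": "alice", "type": "priv_logon", "ok": False}] * 3
    + [{"user": "bob", "type": "upload", "bytes": 2_000_000_000, "dst": "203.0.113.9"}]
    + [{"user": "carol", "type": "priv_logon", "ok": False}] * 4
    + [{"user": "carol", "type": "upload", "bytes": 900_000_000, "dst": "203.0.113.9"}]
    + [{"user": "erin", "type": "upload", "bytes": 900_000_000, "dst": "198.51.100.7"}]
)
KNOWN_IPS = {"erin": {"198.51.100.7"}}
CLEAN_DAYS = {"alice": 200, "dave": 120, "erin": 10}

if __name__ == "__main__":
    for user, action in sorted(evaluate(LOG, KNOWN_IPS, CLEAN_DAYS).items()):
        print(user, action)
```

Note that a current signal always outranks a long clean history: alice has 200 signal-free days on record but is still stepped up, so step-down cannot be used to mask fresh anomalies.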
What really separates #PositiveSecurity solutions from negative ones?
The predictive capabilities of threat intelligence and analytics enhance current security technologies’ ability to see early Indicators of Attack (IoA) around the world and take preemptive and prescriptive measures to reduce an enterprise's vulnerability. Using machine learning and artificial intelligence, #PositiveSecurity systems alert on Indicators of Compromise (IoC) based on anomalous deviations from normal patterns. Moving from reactive to proactive to predictive is one crucial driver towards #PositiveSecurity. The other crucial driver towards #PositiveSecurity solutions is for both IT and stakeholders to embrace #PositiveSecurity’s core collaboration between UX, risk, and cost.
What would happen if cybersecurity was a positive, instead of a negative?
In an ideal world where security actually improves business operations, consumers would shop for the best deals without worrying about website reputation, credit card theft, stolen passwords, and identity theft. Employees could access company applications and data from anywhere in the world, on any device, across any network quickly and securely. Businesses could efficiently, cost-effectively, and selectively make services, applications, and data freely available to employees, customers, prospects, suppliers, resellers, contractors, and regulators without performance penalties, costly integration, or disruption of production processes. Consumers and businesses could continuously optimize IoT processes, systems, and analysis without fear of hijacked devices, theft of analytics, or management disruption.
#PositiveSecurity solutions are the cornerstone of our approach at Pixel Security Research. We specialize in analyzing technologies that proactively solve corporate and consumer problems while balancing user experience with risk and cost. You can find out more about what we can offer your company on our Services page.