Visibility as Foundation for a New Security Model

Defining a “Security 1.0” model is not difficult: It includes the familiar safeguards found in every modern enterprise, including firewalls, anti-virus software, perimeter networks, data leakage protection, and so on. The goals of this 1.0 approach have been ambitious, focusing on prevention of attacks. The corresponding implementation, however, has not worked: The offense is far ahead of the defense.

Speaking this week at the Gigamon Cybersecurity Forum in Washington, Shehzad Merchant, CTO of Gigamon, argued for an improved model – one called “Security 2.0.” Motivation for this model includes addressing the acceleration of technology innovation and dealing with the fact that advanced persistent attacks have become democratized. Anyone today can rent or buy advanced attacks.

Merchant’s model includes four pillars: The first involves Prevention using the familiar set of safeguards found in Security 1.0. The second involves Detection, which allows for the building of context using data collection and machine-learning-based analysis. The third involves Prediction, which allows for triangulation of intent using artificial intelligence and cognitive solutions. Finally, the fourth pillar involves Containment, where proper remediation and security action are taken to reduce risk.

For these pillars to work, Merchant recommends use of an underlying security delivery platform to support visibility into real-time enterprise activity. This might seem obvious, but the velocity of change in technology can make visibility a formidable goal. “Processing an Ethernet frame on a 10 Gbps network,” Merchant explained, “requires that multiple security decisions be made in the time it takes - several nanoseconds - for light to travel just a few feet.”

The Gigamon CTO explained that the GigaSECURE Security Delivery Platform was created to feed metadata, rich intelligence, and full information capture into the pillars of the Security 2.0 model. The platform was designed to breathe context into the Prevention-Detection-Prediction-Containment cycle, because without situational awareness, the wrong security decision might be made – which can bode poorly for that Ethernet frame mentioned above.

Certainly, there are significant technical and operational challenges associated with the practical deployment of real-time security protections along the lines of the Gigamon offer. Enterprise networks are typically a tangled mess of legacy, existing, and new components, so any clean, rational 2.0 model based on a set of logical pillars must still be carefully tailored to fit the specifics of a local environment. (If only every enterprise could be a greenfield.)

Nevertheless, the shift from 1.0 prevention to 2.0 situationally aware protection using an underlying data analytic framework seems sensible. Even in truly complex environments where this might seem quite challenging, the effort to adjust your local cyber security methodology toward this proposed Security 2.0 model seems to have great upside potential with little downside risk.

Let me know what you think.