Model-driven security: using unconventional controls to stay ahead of threats

We need to get out of our own way in terms of how we think about and implement security, while enlisting analytics and data science as our allies.

Whether you’re a newly minted or battle-hardened CISO, the environment you’re chartered with protecting is likely full of what I call conventional controls.

These mechanisms provide the foundation for demonstrating due diligence to regulators, auditors, security assessors and stakeholders. They are often based on established frameworks oriented on the alignment of business and IT practices for meeting the requirements of specific standards such as ISO 27001, NIST 800-53, etc.

While conventional control frameworks are a necessary requirement, they are not sufficient to avoid major security breaches. The threat landscape is evolving too quickly. Threat actors respond to changes in controls, invest in new ways to bypass them and share information in criminal forums, seeking blind spots they can capitalize on.

Therefore, building business resiliency requires adaptability, speed and agility in cyber security controls. These ‘unconventional controls’, as they have been labelled by Aetna CISO Jim Routh, are designed and tailored to meet a range of emerging threats. Unconventional controls are a byproduct of intensive research into threat actor tactics using multiple sources of security intelligence and sector-based information sharing and analysis centers (ISACs).

These unconventional controls have given rise to a new framework called Model-Driven Security, which places greater emphasis on addressing risk rather than compliance, using threat intelligence and analytics.

As more adjustments are made to controls, resiliency improves, thereby increasing the degree of difficulty for threat actors to compromise the enterprise. This willingness, by forward thinking CISOs, to experiment with unconventional controls, that are not part of established risk frameworks, has been precipitated by the velocity of the changes in the tactics used by adversaries.

Model-driven security has emerged primarily because unconventional controls have evolved due to advances in automation and machine learning that amplify their effectiveness. When an organization adopts unconventional controls to supplement conventional controls, they are implementing model-driven security. This approach also helps enterprises move at the speed of their online consumers by reducing security “friction."

For example, one of the earliest use cases for model-driven security is access control, where the viability of traditional authentication methods and passwords are nearing obsolescence. To keep pace with hacker innovation and an expanding threat plane (the cloud and mobile, among others), continuous behavioral-based authentication is increasingly being used as an unconventional control by early adopters.

Powered by risk-based security analytics, behavioral authentication can improve the end user experience by doing away with passwords while increasing security. This continuous authentication model makes in-the-moment decisions about a users’ confirmed identity before allowing the session or requested action to continue. Authentication is no longer a singular event, but an engaged process that persists throughout the user’s experience in the environment.

Using this model, an organization can monitor access and activity in real time to capture and feed properties such as how a person holds their phone, device configuration or apps used most frequently, into a risk engine. As described in the Wall Street Journal, machine learning analytics can create an individual risk score for each user. When actions deviate significantly from each user’s baseline normal behavior, the risk score is increased. When risk thresholds are exceeded the app may restrict access to certain functions or request another form of authentication before allowing the user to proceed.

Model-driven security and unconventional controls are being born out of the need for organizations to move at, or near, the speed of their adversaries.  This requires the use of industry frameworks, conventional controls, and finally, unconventional controls.

This sea change, moving beyond compliance-based to risk-based security programs, is essential to ensure resiliency in today’s constantly evolving world of cyber threats. Since hackers will continue to innovate, with no prospect of abatement, our approach to security must be able to maintain parity with their techniques.

The only way to provide frontline security controls at this level of speed (close to real time) is through models. More and more of our existing security controls will ultimately be driven by analytical models that improve with more data and can be adjusted as threat actors shift their tactics. Criminals and nation states are using models to crack security controls, so enterprises need to use the same approach to adapt their protection measures.

This shift in traditional IT security concepts and practices is rooted in the use and understanding of data science, which is now becoming a required skill set for cyber security and audit professionals.

The new objective is to achieve higher levels of enterprise resiliency and in-the-moment security. To do this, we need to get out of our own way in terms of how we think about and implement security, while enlisting analytics and data science as our allies. The use of model-driven security and unconventional controls represents a new take on traditional approaches to cyber defense and is our best hope for getting in front of new threats instead of playing catch up.

Copyright © 2018 IDG Communications, Inc.

Subscribe today! Get the best in cybersecurity, delivered to your inbox.