We tend to think of cyberattacks in medieval terms: attackers swarm the walls that protect the castle, hammering away with zombie servers strung together like a battering ram of old to execute a distributed denial of service (DDoS) attack or ransomware. This still happens. The difference is that it is not just desktop and laptop devices that are vulnerable. There are also thermostats, dishwashers, fire alarms, and even light bulbs, the group of simple devices that, when networked together, comprise what we call the Internet of Things (IoT). Too many of these devices aren't protected. Aruba recently surveyed the market and found 84 percent had experienced a breach in their IoT implementations.

What to do? Rethink security. Instead of building bigger walls, companies need to take a cue from leading security thinkers and implement Active Cyber Defense (ACD), a four-step architecture that emphasizes continuous monitoring to detect and then deal with compromised or malicious users and devices before they do damage.

On the Network, Time Heals No Wounds

Today's targeted attacks are designed to stay "under the radar" by moving in small, circumspect steps over long periods of time, often with legitimate credentials co-opted from a compromised user. "It's no longer a matter of if you'll get breached. It's a matter of when," said my colleague, Art Wong, senior vice president and global general manager of enterprise security services for Hewlett Packard Enterprise.

IT experts have introduced ACD with this more complex and dangerous threat landscape in mind. The goal with ACD is to move from being reactive to proactive in dealing with cyber threats while delivering more comprehensive coverage of a constantly changing IT ecosystem. At its core, ACD defines a four-stage pipeline consisting of sensing, sense making, decision making, and action. The overarching goal is to accelerate the progression through the pipeline and automate the stages as much as possible.
The better the intelligence in sensing, sense making, and decision making, the more confident and timely the resulting action can be.

ACD at Work: 4 Steps to Building Intelligent, Real-Time Threat Response

ACD is a systematic, 360-degree approach to providing security for the digital workplace that aims to close open loops and make the entire networked ecosystem more secure. Here's how it works at each stage:

1. Sensing. If properly monitored, the network can act as a massive sensor. Packets, flows, logs, and more provide raw material that good analytics systems (see below) use to detect anomalies. The more insight into the network those analytics have, the more precise and predictive the response architecture can be.

2. Sense-making. This is where giant strides in cybersecurity technology are being made. A new technology called UEBA (User and Entity Behavior Analytics) uses a combination of supervised and unsupervised machine learning models to find and alert on attacks that have evaded real-time defenses. It is only by seeing, aggregating, and interpreting small changes in behavior that these sorts of low-profile attacks get detected before they do damage.

3. Decision-making. With innovative, AI-based analytics raising precise alerts, it is now possible to codify a set of policies that change user and device access to IT infrastructure based on the type of alert and the entity affected. This can be as simple as a re-authorization or as aggressive as a quarantine or block. Even modest responses buy time for security analysts, who can then use integrated incident investigation to further diagnose the situation and take further steps.

4. Action. Automated, policy-driven action creates the conditions for closed-loop security. The key is integrating the analytics and sense-making UEBA platforms with programmable systems that implement policy automatically and responsibly. When done right, it's the perfect setup for organizations that most need intelligent, proportional, real-time threat response.

The key to Active Cyber Defense is having the right components in position to execute on all four stages, and this usually entails stringing together many different solutions. The promise has rarely, if ever, been delivered by one vendor in a seamlessly integrated solution. With HPE Aruba's acquisition of Niara, with its advanced machine-learning-based UEBA, combined with Aruba's market-leading ClearPass family of Admission Control, Profiling and Policy Management, the visibility, intelligence and proactive security that ACD envisions are now delivered in an integrated solution.
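The four-stage pipeline described above (sensing, sense-making, decision-making, action), as an added example that is not code from the original article or from Aruba, Niara or ClearPass. It runs the stages over a handful of constructed authentication log lines: sensing parses them, a toy per-user behavioral baseline (known devices, source networks and login hours) stands in for a UEBA engine, a policy maps the resulting risk score to a proportional response (re-authenticate, quarantine, block), and the action stage records the strongest response per user without ever downgrading it. The log format, the signal weights and the thresholds are assumptions chosen for illustration, not any vendor's.

```python
"""Toy Active Cyber Defense pipeline: sense -> sense-make -> decide -> act.

Added example; not Aruba/HPE/Niara code. The log format, signal weights and
thresholds below are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
import ipaddress
import re

# Constructed sample authentication logs (hypothetical format). Day 1 is
# trusted history used to learn baselines; day 2 is live traffic to evaluate.
SAMPLE_LOGS = """\
2024-05-01T09:02:11Z auth user=alice src=10.1.4.22 device=laptop-a1 result=ok
2024-05-01T09:15:40Z auth user=alice src=10.1.4.22 device=laptop-a1 result=ok
2024-05-01T09:20:05Z auth user=bob src=10.1.7.9 device=laptop-b7 result=ok
2024-05-01T10:02:33Z auth user=alice src=10.1.4.22 device=laptop-a1 result=ok
2024-05-02T03:14:02Z auth user=alice src=203.0.113.45 device=unknown-7f result=ok
2024-05-02T03:14:30Z auth user=alice src=203.0.113.45 device=unknown-7f result=fail
2024-05-02T03:14:35Z auth user=alice src=203.0.113.45 device=unknown-7f result=fail
2024-05-02T03:14:40Z auth user=alice src=203.0.113.45 device=unknown-7f result=fail
2024-05-02T03:14:45Z auth user=alice src=203.0.113.45 device=unknown-7f result=fail
2024-05-02T09:01:00Z auth user=bob src=10.1.7.9 device=laptop-b7 result=ok
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"device=(?P<device>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    device: str
    ok: bool


# Stage 1: sensing. Turn raw log lines into structured events; lines that do
# not match the expected format are dropped rather than guessed at.
def sense(raw: str) -> list[Event]:
    events = []
    for line in raw.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            user=m["user"], src=m["src"], device=m["device"],
            ok=m["result"] == "ok",
        ))
    return events


# Stage 2: sense-making. A stand-in for UEBA: learn what is normal per user,
# then add up weak signals (new device, new network, odd hour, failure burst).
@dataclass
class Baseline:
    devices: set[str] = field(default_factory=set)
    networks: set[str] = field(default_factory=set)  # /24 prefixes seen
    hours: set[int] = field(default_factory=set)     # login hours seen


def network_of(src: str) -> str:
    return str(ipaddress.ip_network(f"{src}/24", strict=False))


def learn_baselines(history: list[Event]) -> dict[str, Baseline]:
    baselines: dict[str, Baseline] = defaultdict(Baseline)
    for e in history:
        if not e.ok:
            continue  # failed attempts are not "normal" behaviour to learn from
        b = baselines[e.user]
        b.devices.add(e.device)
        b.networks.add(network_of(e.src))
        b.hours.add(e.ts.hour)
    return baselines


def score_events(events: list[Event], baselines: dict[str, Baseline]):
    """Return (event, score, reasons) per event. Weights are illustrative."""
    fail_streak: dict[str, int] = defaultdict(int)
    scored = []
    for e in events:
        b = baselines.get(e.user, Baseline())
        score, reasons = 0, []
        if e.device not in b.devices:
            score += 2; reasons.append("new device")
        if network_of(e.src) not in b.networks:
            score += 2; reasons.append("new source network")
        if e.ts.hour not in b.hours:
            score += 1; reasons.append("unusual hour")
        if e.ok:
            fail_streak[e.user] = 0
        else:
            fail_streak[e.user] += 1
            if fail_streak[e.user] >= 3:
                score += 2; reasons.append(f"{fail_streak[e.user]} consecutive failures")
        scored.append((e, score, reasons))
    return scored


# Stage 3: decision-making. Policy maps risk to a proportional response.
ACTIONS = ["allow", "reauthenticate", "quarantine", "block"]  # escalating order


def decide(score: int) -> str:
    if score >= 6:
        return "block"
    if score >= 4:
        return "quarantine"
    if score >= 1:
        return "reauthenticate"
    return "allow"


# Stage 4: action. Keep the strongest response per user; never downgrade
# within a run, so a later benign-looking event cannot lift a block.
def act(scored) -> dict[str, dict]:
    decisions: dict[str, dict] = {}
    for e, score, reasons in scored:
        action = decide(score)
        current = decisions.get(e.user)
        if current is None or ACTIONS.index(action) > ACTIONS.index(current["action"]):
            decisions[e.user] = {"action": action, "score": score,
                                 "reasons": reasons, "at": e.ts.isoformat()}
    return decisions


def run_pipeline(raw: str, cutoff: datetime) -> dict[str, dict]:
    """Events before `cutoff` train the baselines; events from `cutoff` on are scored."""
    events = sense(raw)
    baselines = learn_baselines([e for e in events if e.ts < cutoff])
    return act(score_events([e for e in events if e.ts >= cutoff], baselines))


if __name__ == "__main__":
    for user, d in run_pipeline(SAMPLE_LOGS, datetime(2024, 5, 2)).items():
        print(f"{user}: {d['action']} (score {d['score']}) {d['reasons']}")
```

In the sample, alice's first off-hours login from an unknown device and network already scores high enough to quarantine, and the run of failed attempts that follows pushes her to a block, while bob's routine login is allowed. The point of the additive scoring is the one the article makes about low-profile attacks: no single signal here is decisive, and the response escalates in proportion to the accumulated evidence rather than waiting for one loud alert.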