Thursday, February 16, 2012

Agile Security

Up until this past year, I had never included any marketing materials in my slides.  It never seemed to fit in with a technical presentation, even though I always believed in the Sourcefire product line's ability to defend our customers in the face of a rapidly changing landscape.  Having open source solutions, backed by the VRT's ability to convert real-world intelligence into new detection, while still giving the customer the option to build their own custom detection is a powerful combination.  But now our company has come up with a corporate vision and marketing message that speaks directly to how successful organizations approach security and I am really impressed.

We call it "Agile Security" and it basically describes a security cycle that is critical to keeping network defense up-to-date in a changing threat environment. It recognizes that static defenses simply can't stand up to the realities of today's security environment and that the ability to monitor dynamic networks is just the first step in a successful security stance. It also is an excellent description of how the VRT approaches converting its streams of intelligence into protection for our customers.

The concepts of Agile Security are broken up into four essential elements. The first is "See", meaning that you can't protect yourself if you don't have a current understanding of what it is you're trying to defend. With the encroachment into the network by consumer electronics in the form of smart phones, tablets and laptops, along with the rapid turnover of technology in today's corporate environment, this can be difficult. Organizations can use active techniques (scanning) or passive techniques (inferring hosts, operating systems and services from observed traffic) for tracking changes in network topology as well as new devices as they come online, but whatever the approach, it is critical to know what you're defending right now.

The second element of Agile Security is "Learn", which focuses on gathering information about the vulnerabilities, exploits and malware that threaten your environment. This is where you leverage your understanding of your network to map known threats to vulnerable targets within it. For example, Android malware is an evolving threat. Do your users connect their smart phones to your network, making this malware a threat to you? This is also where you cycle information gained by your incident response teams back in for evaluation by your security development teams. Have you found new malware on your network? How did it get there? What is it trying to do? Where did your defenses fail? This information leads to the next phase of Agile Security, "Adapt".
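The "See" and "Learn" phases above can be shown in a few lines of code. The following is an added example, not Sourcefire or VRT code: it builds a host inventory from constructed passive observations (the record layout is an assumption, not any real sensor's output), reports new hosts and version changes as they appear, and then maps a constructed list of hypothetical threats onto the hosts whose product versions fall in the affected range.

```python
"""Passive asset tracking ("See") and threat-to-asset mapping ("Learn").

Added illustration, not Sourcefire/VRT code. The observation records,
the threat list and their formats are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed passive observations as a sensor might infer them from
# traffic (banners, User-Agent strings, etc.): timestamp, ip, mac, product, version.
OBSERVATIONS = [
    ("2012-02-14T08:00", "10.0.1.10", "00:11:22:33:44:01", "apache", "2.2.3"),
    ("2012-02-14T08:05", "10.0.1.20", "00:11:22:33:44:02", "openssh", "5.3"),
    ("2012-02-15T09:00", "10.0.1.10", "00:11:22:33:44:01", "apache", "2.2.22"),  # upgraded
    ("2012-02-15T09:30", "10.0.1.55", "aa:bb:cc:dd:ee:01", "android_browser", "2.3"),  # new device
]

# Constructed threat intelligence: product, first and last affected version
# (inclusive), and a hypothetical name. These are not real advisories.
THREATS = [
    ("apache", "2.2.0", "2.2.21", "hypothetical-apache-issue"),
    ("android_browser", "2.0", "2.3", "hypothetical-android-malware"),
]


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '2.2.22' into (2, 2, 22) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Asset:
    ip: str
    mac: str
    first_seen: str
    last_seen: str
    products: Dict[str, str] = field(default_factory=dict)  # product -> version


def build_inventory(observations) -> Tuple[Dict[str, Asset], List[str]]:
    """Replay observations in time order; return the inventory and the change events.

    Events are the 'See' output a defender cares about: hosts that were not
    there before, hosts whose MAC changed, and software versions that changed.
    """
    inventory: Dict[str, Asset] = {}
    events: List[str] = []
    for ts, ip, mac, product, version in sorted(observations):
        asset = inventory.get(ip)
        if asset is None:
            asset = Asset(ip=ip, mac=mac, first_seen=ts, last_seen=ts)
            inventory[ip] = asset
            events.append(f"{ts} new host {ip} ({mac}) running {product} {version}")
        else:
            if asset.mac != mac:
                events.append(f"{ts} host {ip} MAC changed {asset.mac} -> {mac}")
                asset.mac = mac
            old = asset.products.get(product)
            if old is None:
                events.append(f"{ts} {ip} now runs {product} {version}")
            elif old != version:
                events.append(f"{ts} {ip} {product} version {old} -> {version}")
        asset.products[product] = version
        asset.last_seen = ts
    return inventory, events


def map_threats(inventory: Dict[str, Asset], threats) -> List[Tuple[str, str, str, str]]:
    """'Learn': return (ip, product, version, threat) for every host in an affected range.

    Only the version currently in the inventory is checked, so a host that
    was upgraded out of the affected range no longer appears.
    """
    hits = []
    for ip, asset in sorted(inventory.items()):
        for product, version in asset.products.items():
            for t_product, low, high, name in threats:
                if product == t_product and version_key(low) <= version_key(version) <= version_key(high):
                    hits.append((ip, product, version, name))
    return hits


if __name__ == "__main__":
    inv, evts = build_inventory(OBSERVATIONS)
    for line in evts:
        print(line)
    for hit in map_threats(inv, THREATS):
        print("exposed:", hit)
```

Note that the Apache host is observed twice: its earlier version would have matched the hypothetical range, but the inventory reflects the later, upgraded version, so it is not reported. That is the point of keeping the "See" picture current before mapping threats onto it.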

"Adapt" is the phase where you convert your intelligence into an actionable defense. In some cases this is automatic, such as when the VRT releases a new rule or when the FireAMP system seamlessly adds detection to its cloud-based malware solution. Other times the situation is unique to your enterprise and detection can be added with custom Snort rules or ClamAV signatures. Sometimes the answer isn't in anti-virus or IDS systems at all. Perhaps the answer is a traditional firewall rule, application control or even a change to existing policies and procedures. Whatever the question, this is the phase where you develop the correct answer for your environment.

The final phase is "Act", where the solutions developed in the "Adapt" phase are incorporated into your security stance. Often this happens automatically, as your Snort and Sourcefire 3D sensors are updated with new detection content or when ClamAV and FireAMP receive new signature updates. Updates may also be custom signatures and rules created by your own organization. Sometimes changes to your security stance must follow the policies of your environment. For example, you may be subject to change control before making firewall changes, or QA checks prior to deploying custom detection. However it happens, this is when you bring your new defenses online. From here you monitor how your network and your adversaries react to your changes, and the cycle starts again at "See".

Normally I don't pay a lot of attention to marketing. For the most part I'm heads down fighting day-to-day issues along with others on the VRT to get our new protections to our customers. But when someone lays out exactly how many of our customers deal with issues and maps our product lines to this approach, I think it's worth looking at. For more information about Agile Security, you can go here:

http://www.sourcefire.com/agile-security.

I know, that's two nice posts in a row. No doubt I'll be angry about something next time.