
Tech-Tonics Advisors: A Prioritized Risk Approach to Data Security

On January 19, 2016, Tech-Tonics Advisors released a report titled "A Prioritized Risk Approach to Data Security", published on icrunchdatanews.

First, a bit of my own understanding: the report sets out to discuss data security, but it is really describing a methodology for network and information security as a whole. The report makes the following points:

1) We cannot prevent every attack, and we do not have enough resources to protect all of our data assets and systems. On the contrary, the adoption of new technologies brings more attack surface. The situation is getting worse; the traditional "castle and moat" mindset cannot cope with the current situation. We must assume that our network has already been breached, and we need an entirely new approach to security protection.

2) That new approach is "Contain and Respond". It stresses first identifying and ranking the risks to assets, then focusing protection on the highest-priority assets. The method of protection is to build a multilayered, data-centric approach.

3) For threat detection, more intelligence is needed, and in fact more contextual information (context) is needed: gaining visibility into the current security posture through continuous monitoring, and making the whole contain-and-respond process more intelligent. "Intelligent" here means new methods that go beyond traditional signature-based detection, such as correlation analysis, machine learning, advanced behavioral analytics and data visualization (correlations, machine learning engines and advanced behavioral analytics and data visualization).

4) In the SDX era we need an SDP (software-defined perimeter), which is essentially a logical perimeter.

5) People are an important part of security governance; security work must bring people into scope. [This does not refer to security analysts specifically, but to people's participation in security in the broader sense.]

After reading it, you will feel that the approach is broadly similar to Gartner's Adaptive Security Architecture (ASA) [see: Gartner: The Five Characteristics of the Intelligent SOC / Intelligence-Driven SOC].

品覺 of Alibaba translated the article; the translation is reproduced below:

In network security we need to adopt a new strategy, one that puts more weight on strengthening system resilience, that is, the system's ability to withstand attack, rather than single-mindedly emphasizing prevention. For a security team it is more important to rapidly identify a cyberattack and react, minimizing the impact of the attack's risk on the business, than to try to stop every attack from happening. The old "castle and moat" strategy cannot cope with the new threats.

No company can stop every cyberattack, and none has the resources to protect all of its data assets, devices and infrastructure at once. Highly virtualized distributed computing architectures, the spread of cloud applications, and the growing number of users going online from mobile platforms have all erased the traditional network perimeter, offering cybercriminals and malicious insiders new attack surfaces and attack paths. These bad actors exploit all kinds of vulnerabilities to launch more elaborate and unconventional attacks, targeting the privileged users who have access to high-value data assets.

The growth of data containers and microservices, together with the rise of the Internet of Things, has brought a new wave of applications and connected devices, rapidly increasing the amount of data at risk. These trends reduce the effectiveness of traditional network and perimeter security solutions, because those solutions can only block earlier generations of malware.

Advanced persistent threats (APTs) succeed because many companies lack a cohesive security strategy that could prevent or rapidly detect attacks. It has been proven that traditional stateful inspection firewalls, intrusion prevention systems, gateways, antivirus software and anti-spam solutions cannot cope with the current threat environment.

That being so, as APTs expand the targeted threat surface, why do companies keep investing most of their security budget in yesterday's preventive technologies? Isn't finding and rooting out current threats what a security strategy must do?

A strategy focused on "contain and respond"

In this situation, security teams must shift their attention and resources from prevention to strengthening resilience. This requires adopting, as the premise for action, the mindset that their company has already been compromised. This mindset lets them prepare more fully, so they can quickly identify an attack, contain its spread and recover from the damage, keeping the risk to the business to a minimum. A holistic risk prioritization method should be established that takes into account all the digital security risks faced across the company.

A "contain and respond" security strategy starts from a holistic method of risk prioritization. These risks include business interruption, loss of intellectual property, leakage of private data, regulatory violations, damage to physical facilities and personal injury, and reputational damage.

Security teams should not expect to block every threat; instead they should concentrate on defending against the highest-priority risks, namely those most damaging to operations and finances. Once the risks are ranked by importance, a multilayered, data-centric approach is established: build a security perimeter around the data associated with each risk, lock that data down, eliminate the risk posed by privileged users, and provide information that identifies malicious insiders and possibly stolen accounts.

Just as risks are assigned different priorities, the different data assets associated with those risks are assigned different protection and privacy requirements. The data most valuable to attackers (personally identifiable information, intellectual property, customer data and confidential financial information) is also the "crown jewels" that the security team most needs to protect.

Unlike traditional security layering by infrastructure, application, device and user, the prioritized risk approach lets the security team devote more resources and attention to the assets that matter most to the company. This strategy leans toward preemption and intelligence, enabling the security team to better protect the most valuable data assets, respond to and resolve security incidents promptly, and meet GRC (governance, regulatory, compliance) requirements.

It also helps manage the rising costs of security and compliance, including team skills. As more functions are automated, the skill mix should tilt more toward intelligence: threat analysis, validation, and incident response.

Better intelligence is needed

The traditional signature-based defense approach remains a core component of security strategy; it protects against non-targeted malware. But to protect the company's most valuable data assets in virtualized cloud and big data environments, security teams need greater visibility and more intelligence. Specifically, they need to know what data is in such environments, who is authorized to use it, when data is attempting to leave, and how to monitor the data and its users while meeting GRC requirements.

The databases and data warehouses that hold the most valuable data (and the servers that house them) are the primary targets of attackers. As companies increasingly integrate big data with traditional data to gain deeper insight and improve decision outcomes, threats to those data repositories will keep growing, exposing companies to more risk. Much of this data also drives decision processes, whether those decisions are made by people or by machines; if the data is tampered with, the resulting decisions could be disastrous.

Today big data makes up less than 15% of the data most companies use when making decisions, so we recommend including big data within broader data management and data governance programs. Security governance should be linked to the data quality and integration components of those programs. Likewise, securing big data should be part of the broader security strategy rather than a separate big data security strategy, since that could create yet another data silo.

Automated continuous monitoring of network traffic, application-level awareness and user-specific rules provide granularity into activity in the IT environment. Broader, more automated and more intelligent monitoring lets security teams better understand risks and prioritize threats.

Correlation, machine learning engines, advanced behavioral analytics and data visualization build on this granularity to paint a picture of the context that captures the characteristics of users, applications and endpoints. With it, security teams can establish baselines of normal and abnormal activity. Key performance indicators (KPIs) provide real-time visibility into anomalous behavior patterns, helping achieve faster and more accurate incident response.

Software-defined perimeter (SDP) is a relatively new protocol that creates a next-generation access control system for software-defined networking (SDN). A cloud-based SDP controller can establish a logical perimeter around network and application resources; users must first pass authentication before entering this virtual perimeter. Infrastructure and applications remain invisible to potential intruders. The separation of the control plane and the data plane lets security teams build more automated and elaborate security configurations in the cloud and dynamically provision standardized security services.

The better these tools are integrated, the more the kill chain can be automated. Unifying scattered data points gives security teams more actionable intelligence, speeding up incident response and containing risk, and also helps consolidate internal threat intelligence with external services from the cloud and mobile networks.

Automation provides the speed and scale to keep up with new architectures and traffic growth, making security teams more agile and governance more efficient and cheaper; it also helps reduce human error and remediate more effectively.

People are an essential part of digital security governance

Finally, since people are often the common factor in all kinds of risk, they should be included in security strategy, just as they are in effective data governance, disaster recovery and business continuity plans. They can be made aware of their weaknesses, have their vigilance raised, and be encouraged to follow the rules or be penalized for violations.

It is believed that a company's ability to demonstrate stronger security governance than its peers will be seen as a competitive advantage. This includes how the company handles a digital attack. For example, how a company informs customers, regulators and investors that an attack has occurred and what containment measures it is taking or has taken is critical to maintaining security governance and protecting the company's reputation.

Security is everyone's responsibility, yet that responsibility still rests on the shoulders of the security team. Digital security governance should be treated as an enterprise program, just like data governance, disaster recovery and business continuity. But to be truly effective, it must be supported and enforced by senior management and the board. If companies want to achieve their business goals more securely in the future, this is the inevitable path.

The English original follows:

A new approach to security strategy is required – one that is based more on resilience than on prevention. It’s become more important for a security team to quickly identify and respond to an attack to minimize the impact of risks to the business rather than trying to prevent attacks from occurring. The old castle-and-moat strategy simply cannot survive the new threat landscape.

No organization can prevent every cyberattack. And none has the resources to protect all of its data assets, devices and infrastructure uniformly. Highly virtualized distributed computing architectures, cloud-based applications and increasingly mobile users have opened new attack surfaces and vectors for cybercriminals and malicious insiders by erasing the traditional network perimeter. These bad actors exploit vulnerabilities with more sophisticated and innovative attacks that target privileged users who have access to valuable data assets.

The growth of containers and microservices and the emerging Internet of Things (IoT) ushers in a new wave of apps and connected devices, exponentially increasing the amount of data at risk. These trends marginalize the effectiveness of traditional network and perimeter security solutions, which were designed to prevent earlier generations of malware.

Advanced persistent attacks (APTs) succeed because many organizations lack a cohesive security approach that might prevent or rapidly detect an attack. Legacy stateful firewalls, intrusion prevention systems, Web gateways, antivirus software and email anti-spam solutions have proven to be no match for the current threat environment.

So as APTs expand targeted threat surfaces, why do organizations still invest most of their security budget in yesterday’s preventive technologies? Security strategy needs to focus on finding and rooting out these modern threats.

A “Contain and Respond” Strategy

In this environment, security teams need to shift their focus – and resources – from prevention to resilience. This entails accepting that their organization is already compromised. This perspective better prepares them to quickly identify an attack, contain it from spreading, and recover from any losses – minimizing risk exposure for the business. A holistic approach to prioritizing risks takes into account risks across the entire organization.

A “contain and respond” security strategy starts with a holistic approach to prioritizing risks across the organization. These risks include business interruption, intellectual property loss, private data theft, regulatory noncompliance, physical plant and personal injury and reputational damage.

Instead of trying to prevent every threat, security teams target defenses against the highest priority risks – those that can most negatively impact operations and finances. Once risks are prioritized, a multilayered data-centric approach establishes a secure perimeter around the data associated with risks, locks down the data, removes risk from privileged users and provides the information that identifies malicious insiders and possibly compromised accounts.

Just as risks have different priorities, it follows that the different data assets associated with those risks also have different protection and privacy requirements. The data of highest value to attackers – personal identifiable information, intellectual property, customer-specific data and confidential financial information – are also the most valuable “crown jewels” for the security team to protect.

Figure 1. Security, the Data that Underlies Prioritized Risks (figure image not reproduced). Source: Tech-Tonics Advisors

As opposed to conventional security layering by infrastructure, application, device and user, a prioritized risk approach allows the security team to dedicate more resources and attention to the assets that are most important to the organization. This strategy is more proactive and intelligence-based, enabling the security team to better secure the organization’s most valuable data assets, respond to and remediate incidents in a timely fashion and meet GRC (governance, regulatory, compliance) requirements.

It also helps manage escalating security and compliance costs, including team skills. As more functionality is automated, more of the skill set should be skewed towards intelligence – threat analytics, forensics and incident response.

The Need for Greater Intelligence

Traditional signature-based defenses remain a core component of security strategy, protecting against non-targeted malware. But to protect the organization’s most valuable data assets in virtualized, cloud and big data environments, security teams need greater visibility and intelligence. Specifically, they need to know what data is going into these environments, who is authorized to work with this data, when data is attempting to leave and how this data and its users can be monitored while adhering to GRC mandates.

Not surprisingly, the databases and data warehouses that contain the most valuable data – and the servers they reside on – are the primary source of breaches. As organizations increasingly integrate big data with traditional data in their quest to gain deeper insights and improve decision outcomes, threats to these repositories will continue to increase, exposing the organization to more risk. Much of this data also drives decision-making – by both people and machines. If that data were to be tampered with, the resulting decision outcomes could be disastrous.

Since big data represents less than 15% of most organizations’ decision-making inputs today, it’s recommended that big data be part of broader data management and data governance initiatives. As such, security governance should be linked with data quality and integration components of these programs. Similarly, securing big data should be part of a broader security strategy rather than having a separate big data security strategy that potentially creates yet another data silo.

Automated continuous monitoring of network traffic, application-level awareness and user-specific rules provide granularity into activity in the IT environment. Monitoring that is more pervasive, automated and intelligent allows security teams to better understand risks and prioritize threats.

Correlations, machine learning engines and advanced behavioral analytics and data visualization create context based on granularity about users, applications and endpoint characteristics. These allow security teams to establish baselines of normal vs. abnormal activity. Key performance indicators (KPIs) provide real-time visibility into anomalous behavior patterns, driving faster and more accurate incident response.
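The baseline-and-KPI idea in the paragraph above (and in its Chinese rendering earlier on the page) can be made concrete. The following is an added example, not code from Tech-Tonics Advisors or from the report: it builds a per-user baseline (tables touched, active hours, rows read) from a constructed batch of data-warehouse access logs, scores a later monitoring window against that baseline, and derives a few dashboard KPIs from the resulting alerts. The log format, the user, table and row values, and the z-score threshold are all assumptions made up for the demonstration.

```python
"""Behavioral baselines and KPIs over data-access logs.
Added example, not code from Tech-Tonics Advisors or the report. The log
format, the z-score threshold and every log line are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

Z_THRESHOLD = 3.0  # rows-read z-score above which an access is flagged (assumption)

# Constructed baseline period: what "normal" looked like for each user.
BASELINE_LOGS = """
2016-01-04T09:12:00 user=alice table=customers rows=120
2016-01-04T11:40:00 user=alice table=customers rows=95
2016-01-05T10:05:00 user=alice table=orders rows=130
2016-01-05T14:30:00 user=alice table=customers rows=110
2016-01-06T16:20:00 user=alice table=orders rows=105
2016-01-04T08:50:00 user=bob table=payroll rows=40
2016-01-05T09:15:00 user=bob table=payroll rows=35
2016-01-06T13:00:00 user=bob table=payroll rows=45
"""
# Constructed monitoring window to score against those baselines.
NEW_LOGS = """
2016-01-11T10:30:00 user=alice table=customers rows=118
2016-01-11T02:15:00 user=alice table=customers rows=48000
2016-01-11T09:40:00 user=bob table=payroll rows=38
2016-01-11T09:45:00 user=bob table=customers rows=42
2016-01-11T10:00:00 user=carol table=orders rows=20
"""

@dataclass
class Event:
    when: datetime
    user: str
    table: str
    rows: int

@dataclass
class Baseline:
    tables: set        # tables the user touched in the baseline period
    hours: set         # hours of day the user was active
    mean_rows: float   # typical rows read per access
    sigma_rows: float  # spread of rows read, floored at 1.0

def parse_logs(text: str) -> list:
    """Parse the constructed '<iso time> user=.. table=.. rows=..' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        events.append(Event(datetime.fromisoformat(stamp), f["user"], f["table"], int(f["rows"])))
    return events

def build_baselines(events: list) -> dict:
    """Summarize each user's normal tables, active hours and read volume."""
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev.user].append(ev)
    baselines = {}
    for user, evs in per_user.items():
        rows = [e.rows for e in evs]
        baselines[user] = Baseline({e.table for e in evs}, {e.when.hour for e in evs},
                                   mean(rows), max(pstdev(rows), 1.0))
    return baselines

def score_event(ev: Event, baselines: dict) -> list:
    """Reasons an access deviates from its user's baseline (empty means normal)."""
    base = baselines.get(ev.user)
    if base is None:
        return ["no_baseline"]  # identity never seen before: no context, review it
    reasons = []
    if ev.table not in base.tables:
        reasons.append("new_table")
    if ev.when.hour not in base.hours:
        reasons.append("off_hours")
    if (ev.rows - base.mean_rows) / base.sigma_rows > Z_THRESHOLD:
        reasons.append("volume")
    return reasons

def detect(events: list, baselines: dict) -> list:
    """Pair each anomalous event with its reasons; normal events are dropped."""
    scored = ((ev, score_event(ev, baselines)) for ev in events)
    return [(ev, reasons) for ev, reasons in scored if reasons]

def kpis(events: list, alerts: list) -> dict:
    """Indicators for the monitored window, as a SOC dashboard would show them."""
    return {
        "events": len(events),
        "alerts": len(alerts),
        "alert_rate": len(alerts) / len(events) if events else 0.0,
        "by_user": dict(Counter(ev.user for ev, _ in alerts)),
        "by_reason": dict(Counter(r for _, reasons in alerts for r in reasons)),
    }

if __name__ == "__main__":
    base = build_baselines(parse_logs(BASELINE_LOGS))
    window = parse_logs(NEW_LOGS)
    print(kpis(window, detect(window, base)))
```

Three of the five monitored events are flagged: alice reading 48,000 rows at 02:15 (off-hours and volume), bob touching a table outside his history (new_table), and carol, for whom no baseline exists at all. The standard-deviation floor matters: a user with a perfectly flat history would otherwise have a zero sigma and every deviation would divide by zero; the floor keeps the detector usable on short baselines while still catching order-of-magnitude jumps.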

Software-defined perimeter (SDP) is a relatively new protocol that creates a next-generation access control system for the software-defined network (SDN). A cloud-based SDP controller creates a logical boundary around network and application resources, and only grants access to this virtual perimeter after first authenticating user identity by their device and permissions. Infrastructure and apps remain concealed from potential intruders. Separating the control plane from the data plane allows security teams to build more automated and sophisticated security configurations and dynamically provision standardized security services in the cloud.
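The SDP behaviour described above (authenticate identity, device and permissions first; keep infrastructure concealed; separate the control plane from the data plane) is illustrated by the following added example. It is not Tech-Tonics Advisors' code nor any SDP implementation; the user store, device registry, policy table, resource addresses and the HMAC-signed grant format are all constructed for the demonstration. The controller decides and issues a short-lived signed grant; the gateway reveals a resource address only for a grant it can verify; and every failure returns the same answer, so a caller cannot distinguish a missing permission from a nonexistent resource.

```python
"""SDP-style controller and gateway: identity, device and permission are
checked before any resource is revealed.
Added example, not code from Tech-Tonics Advisors or any SDP product. All
registries, secrets, addresses and the grant format are constructed."""
import hashlib
import hmac
import time

# Constructed identity store: per-user shared secret and roles (assumption).
USERS = {
    "alice": {"secret": "alice-demo-secret", "roles": {"analyst"}},
    "bob": {"secret": "bob-demo-secret", "roles": {"finance"}},
}
# Constructed device registry: owner binding and posture result (assumption).
DEVICES = {
    "laptop-01": {"owner": "alice", "compliant": True},
    "laptop-02": {"owner": "bob", "compliant": False},
}
# Constructed policy: role -> resources that role may reach.
POLICY = {
    "analyst": {"warehouse.internal"},
    "finance": {"warehouse.internal", "payroll.internal"},
}
# Constructed data-plane addresses, handed out only against a valid grant.
RESOURCES = {
    "warehouse.internal": "10.0.1.10:5432",
    "payroll.internal": "10.0.1.11:5432",
}
# One answer for every failure (bad secret, bad device, no permission, no
# such resource), so a caller cannot learn which check failed or whether
# the resource exists: the infrastructure stays concealed.
DENIED = "unknown resource"

def _sign(key: bytes, payload: str) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

class Controller:
    """Control plane: evaluates identity, device and policy, issues a grant."""

    def __init__(self, key: bytes, ttl_seconds: int = 60):
        self.key, self.ttl = key, ttl_seconds

    def authorize(self, user: str, secret: str, device: str, resource: str, now: float = None) -> str:
        now = time.time() if now is None else now
        u, d = USERS.get(user), DEVICES.get(device)
        # 1. identity: constant-time compare against the stored secret
        ok = u is not None and hmac.compare_digest(u["secret"], secret)
        # 2. device: registered, bound to this user, and posture-compliant
        ok = ok and d is not None and d["owner"] == user and d["compliant"]
        # 3. permission: at least one of the user's roles covers the resource
        ok = ok and any(resource in POLICY.get(r, set()) for r in u["roles"])
        if not ok or resource not in RESOURCES:
            return DENIED
        payload = f"{user}|{device}|{resource}|{int(now) + self.ttl}"
        return payload + "." + _sign(self.key, payload)

class Gateway:
    """Data plane: reveals an address only for a grant it can verify."""

    def __init__(self, key: bytes):
        self.key = key

    def connect(self, grant: str, resource: str, now: float = None) -> str:
        now = time.time() if now is None else now
        payload, _, sig = grant.rpartition(".")
        if not payload or not hmac.compare_digest(_sign(self.key, payload), sig):
            return DENIED  # unsigned, tampered, or the DENIED string replayed
        _user, _device, granted_for, expiry = payload.split("|")
        if granted_for != resource or now >= int(expiry):
            return DENIED  # grant is for another resource, or has expired
        return RESOURCES.get(resource, DENIED)

if __name__ == "__main__":
    ctl, gw = Controller(b"demo-key"), Gateway(b"demo-key")
    grant = ctl.authorize("alice", "alice-demo-secret", "laptop-01", "warehouse.internal")
    print("data plane:", gw.connect(grant, "warehouse.internal"))
    print("no permission:", ctl.authorize("alice", "alice-demo-secret", "laptop-01", "payroll.internal"))
    print("no such resource:", ctl.authorize("alice", "alice-demo-secret", "laptop-01", "nope.internal"))
```

Run stand-alone, the module prints one successful data-plane connection and then the identical denial for a request that lacks permission and for a resource that does not exist. In a real deployment the shared secret would be replaced by an identity provider and the compliance flag by a device attestation result, but the shape of the decision (identity, device posture, policy, and only then an address) is the point of the example.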

The better these tools are integrated, the more of the kill chain can be automated. Unifying disparate data points provides security teams with more actionable intelligence to speed incident response and contain risk. It also facilitates consolidating internal threat intelligence and external services from the cloud and mobile networks.

Automation provides speed and scale to keep up with new architectures and traffic growth. It improves agility and governance, reduces costs and helps security teams mitigate human error and remediate more effectively.

People are Integral to Security Governance

Finally, because people are usually the common denominator in risks, they should be included in security strategy – as they are in effective data governance and disaster recovery and business continuity initiatives. They can be made aware of their vulnerabilities, trained to be more vigilant and incentivized to adhere to policies or penalized for transgressions.

It’s believed that a company’s ability to demonstrate stronger security governance relative to peers will become viewed as a competitive advantage. This includes how it responds to a breach. How a company informs customers, regulators and investors that an attack has occurred and what they are doing/have done to contain it is critical to maintaining security governance and preserving company reputation.
