Comparing the use of threat intelligence feeds with API access to cloud security services and the use of local scanning engines
Two well-known security frameworks, Forrester’s Zero-trust and Gartner’s CARTA, help end users improve their cyber-security posture. How can security vendors support their customers’ plans to implement Zero-trust and continuous risk assessment?
“Cyberthreats are prolific and continuously adapting — we are in a cyber arms race where combatants have a broad threat surface to play with and no shortage of tactics to do damage.” – Forrester’s introduction to Zero trust.
Traditional perimeter-based network security models no longer work. They ignore threats and compromised assets inside the network and forget the employees who work outside. Inside the network we see APTs moving laterally, and users susceptible to multiple threats such as phishing and compromised browser extensions. Beyond the perimeter lie all the employees who now work from home: In a post-pandemic world, we must accept that we will probably see more high-value knowledge workers outside than inside.
Although Zero trust at first sounds simpler than other security frameworks, it is no less demanding and just as effective. Zero trust embodies a complete strategy ranging from mindset, through damage limitation strategies (micro-segmentation) to risk assessment.
Continuous Adaptive Risk and Trust Assessment (CARTA) is part of Gartner’s Adaptive Security Architecture. The starting premise is that security should always begin with Zero-trust. From that initial position, access to data should be based on context (i.e., the user, their device), and continuous monitoring should take place to understand the risk. Ultimately, access becomes adaptive, varying with context.
Both Zero-trust and CARTA share several common attributes. Among these are the need to identify threats and the requirement for ongoing risk assessment.
Because threats evolve, a one-time security assessment for malware (within files or websites) is a flawed approach. Both the Zero-trust and CARTA frameworks promote continuous assessment for risk. But to enable this, security detection systems must be efficient and effective. These systems must respond to the volume, velocity, and complexity of threats in (near) real-time.
Numerous technologies help address these challenges. Volume (and scale) are addressed by leveraging both cloud technology and machine learning. Velocity can be addressed by using local scan technologies that immediately identify malware, supported by advanced malware detection within a cloud infrastructure. And complexity is addressed by threat intelligence and API access to the most advanced and in-depth analysis technologies such as cloud sandboxing.
However, few cyber-security companies build the complete suite of technologies needed to address the wide variety of challenges faced by their customers. Simply put, no one vendor can solve the problems of volume, velocity, or complexity of threats without partnership. All choose to partner with one or more OEMs to license technology and intelligence. To learn more, consider reading Gartner’s ‘5 best practice steps for selecting a security technology OEM’.
Technology licensing reduces time to market. It helps address a scarcity of engineering talent and limits the risks associated with in-house development. Importantly, it enables quick access to proven and mature technologies. These include advanced local scanning, systems to improve firewalls, IDP systems, web gateways, email gateways, UTM and EDR/EPP. It also extends to advanced threat detection systems that develop detailed knowledge about specific threats such as threat persistence, domains, IP, and C&C.
These technologies address the issues of scale and complexity, improve detection, and reduce false positives.
Both Zero-trust and CARTA rely on risk and threat identification happening quickly. Consequently, to prevent damage and data compromise, anti-malware systems need to work in near real-time.
Endpoint protection or malware intercept on a network appliance will identify and block malicious code. It prevents malware from infiltrating and infecting a network or its devices at the point of ingress, in real-time. However, the variety, volume, and complexity of threats mean that the detection technology must encompass the most comprehensive array of threats in the most efficient way. It must also have little impact on the performance of the device.
If real-time detection is delivered locally, enhanced detection (for zero-day or recently changed artifacts) comes from the cloud. Within a cloud security service, machine learning, sandboxing, data correlation, and behavioral analysis engines support local detection. A cloud security service’s near-real-time assessment capability is at the heart of continuous assessment for risk and trust and is how threat intelligence is developed.
What was safe today may not necessarily be safe tomorrow. Enterprises understand this. Consequently, they are investigating opportunities to improve their ability to predict, prevent, detect, and respond to changes in the threat landscape. Threat intelligence delivers over-the-horizon visibility into the details of emerging or changing malware, compromised domains, or URLs. It is the platform upon which continuous assessment of files and content can be based.
Threat intelligence is accessed via a continuous threat feed or on-demand through an API. This intelligence comes in many forms (technical, tactical, operational and strategic). However, it is often the simplest forms (file or domain reputation, classification, categorization, static, dynamic and infection intelligence) that are the most valuable. They are also the most immediately accessible through machine-to-machine interfaces, as machine-readable threat intelligence (MRTI).
Both Zero-trust and CARTA enable better information security decisions, where “better” means more accurate, faster, and adaptive security decisions. Cybersecurity vendors should aspire to align with both frameworks’ intent to allow end-users to proactively minimize the time to detect threats and adapt to the changing threat landscape. One way to achieve this is through licensing technology. You can find out more at oem.avira.com.