Kathleen Moriarty

Transforming Information Security to Secure Businesses

In the first of a series of guest posts, Kathleen Moriarty of the Center for Internet Security (CIS) examines five vital trends that are guiding the industry toward better information security.

We are on a path that will see information security transformed in the next 5-10 years. There are five trends that will enable us as an industry to improve the overall security posture and reduce the attack surface. There is evidence that we are already moving in that direction with a push for built-in security, but we must be mindful to ensure that management scales.

This post will identify the five trends, discuss the evidence of change, provide examples of architectural patterns that scale, and share a possible future state.

5 Information Security Trends

  1. Strong Encryption
  2. Ubiquitous Encryption
  3. Transport Protocol Stack Evolution
  4. Data-Centric Security Models
  5. User Control of Data

Motivation for Changes in Information Security

The trends in play offer an opportunity to pivot in order to reduce the resource demands of current security solutions and architectures. The ability to deploy and scale information security is becoming critical. The motivations for a substantial change include:

  • Threat actors are increasingly sophisticated, often motivated by cultural norms and identity
  • Every layer of the IP stack, including the physical hardware, is or has undergone significant change in the past few years
  • Encryption is driving security to the endpoint, where hardened systems and detection capabilities aligned to measured risk are increasingly important

Evidence of Information Security Changes

The industry embraced common practices (the aforementioned trends) and those efforts are already making improvements to the overall cyber security landscape:

  • Applications are decoupled from operating systems
  • Operating systems are increasingly minimised, reducing the attack surface
  • DevOps is pushing us towards reuse of small modules, with DevSecOps baking security in at a granular level
  • This decoupling of OS and application, together with the move to micro-services, enables faster remediation, as the impact on adjoining applications and services is reduced
  • Attestation from a root of trust (RoT) is in use to provide hardware and firmware assurance, and will increasingly be applied up the stack to containers, operating systems, etc., ensuring the code and system are as expected
  • Zero Trust (see NIST SP 800-207) is becoming pervasive, applied on a per-module or per-component basis, where security is built in. A follow-up blog will discuss the relationship between Zero Trust and the Lockheed Kill Chain, with evidence of reduced dwell time for attackers.

Architectural Patterns that Scale

In the midst of change, we as an industry have the opportunity to direct the progression in a way that reduces the burden on resources, shifting towards architectural deployment and management patterns that scale. With this focus, we should be looking for opportunities where a small number of experts can produce a large impact as we move to the endpoint. It’s a unique opportunity, and here are some examples:

  • Manufacturer Usage Description (MUD) [RFC8520] enables the manufacturer to set expected behaviour patterns for IoT devices. These can be updated by the small set of experts at the manufacturer and pushed out to all devices of that type and version as needed.
  • Remote attestation of firmware at boot and at runtime. Technical controls are established by a small set of experts at the vendor, aligned to NIST SP 800-193 (and in some cases the Trusted Computing Group's (TCG) Reference Integrity Manifest Information Model) to provide firmware assurance, and are validated using attestation from a root of trust (RoT) on every system.
  • CIS Benchmarks and CIS Controls are managed by a team of experts and broadly applied across systems and applications. CIS Benchmarks and trusted CIS Controls can be used to prioritise remediation based on informed risk levels as an important step you can take now in this transition to the endpoint.
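To make the MUD pattern concrete, here is an added example (not code from this post, from CIS, or from any manufacturer) that reads a MUD file laid out in the RFC 8520 style, flattens it into the device's expected-behaviour allow-list, evaluates candidate flows against that list, and checks whether a cached copy has outlived its cache-validity. The MUD document, its hostnames, and the default-deny treatment of flows no ACE describes are assumptions of the example, as are the simplified match fields (one DNS name and one port per ACE).

```python
import json
from datetime import datetime, timedelta

# Constructed MUD file in the RFC 8520 layout: a thermostat that may only send HTTPS to its
# vendor API and NTP to a time server, and may only receive the return HTTPS traffic.
MUD_FILE = json.dumps({
    "ietf-mud:mud": {
        "mud-version": 1,
        "mud-url": "https://example.test/mud/thermostat-v1.json",
        "last-update": "2021-01-19T12:00:00+00:00",
        "cache-validity": 48,  # hours a MUD manager may keep this file before re-fetching
        "is-supported": True,
        "from-device-policy": {"access-lists": {"access-list": [{"name": "mud-from-dev"}]}},
        "to-device-policy": {"access-lists": {"access-list": [{"name": "mud-to-dev"}]}},
    },
    "ietf-access-control-list:acls": {"acl": [
        {"name": "mud-from-dev", "type": "ipv4-acl-type", "aces": {"ace": [
            {"name": "cloud-https",
             "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "api.example.test", "protocol": 6},
                         "tcp": {"ietf-mud:direction-initiated": "from-device",
                                 "destination-port": {"operator": "eq", "port": 443}}},
             "actions": {"forwarding": "accept"}},
            {"name": "ntp-out",
             "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "time.example.test", "protocol": 17},
                         "udp": {"destination-port": {"operator": "eq", "port": 123}}},
             "actions": {"forwarding": "accept"}},
        ]}},
        {"name": "mud-to-dev", "type": "ipv4-acl-type", "aces": {"ace": [
            {"name": "cloud-https-return",
             "matches": {"ipv4": {"ietf-acldns:src-dnsname": "api.example.test", "protocol": 6},
                         "tcp": {"ietf-mud:direction-initiated": "from-device",
                                 "source-port": {"operator": "eq", "port": 443}}},
             "actions": {"forwarding": "accept"}},
        ]}},
    ]},
})


def _ace_to_rule(direction, ace):
    """Flatten one ACE into the fields the evaluator matches on."""
    matches = ace["matches"]
    ip = matches.get("ipv4") or matches.get("ipv6") or {}
    l4 = matches.get("tcp") or matches.get("udp") or {}
    # From-device rules say where the device may send; to-device rules say who may
    # reach it, so the relevant host and port are the destination or the source.
    host_key = "ietf-acldns:dst-dnsname" if direction == "from-device" else "ietf-acldns:src-dnsname"
    port_key = "destination-port" if direction == "from-device" else "source-port"
    return {"direction": direction, "name": ace["name"],
            "protocol": ip.get("protocol"), "host": ip.get(host_key),
            "port": l4.get(port_key, {}).get("port"),
            "action": ace["actions"]["forwarding"]}


def parse_mud(text):
    """Return the file's metadata plus a flat rule list, in the order the ACLs appear."""
    doc = json.loads(text)
    mud = doc["ietf-mud:mud"]
    acls = {a["name"]: a for a in doc["ietf-access-control-list:acls"]["acl"]}
    rules = []
    for direction, policy in (("from-device", "from-device-policy"),
                              ("to-device", "to-device-policy")):
        for ref in mud[policy]["access-lists"]["access-list"]:
            acl = acls[ref["name"]]  # KeyError here: the file references an ACL it never defines
            rules.extend(_ace_to_rule(direction, ace) for ace in acl["aces"]["ace"])
    return {"mud_url": mud["mud-url"], "last_update": mud["last-update"],
            "cache_validity_hours": mud["cache-validity"], "rules": rules}


def needs_refresh(mud, fetched_at_iso, now_iso):
    """True once a cached copy is older than cache-validity allows (ISO 8601 timestamps)."""
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(fetched_at_iso)
    return age >= timedelta(hours=mud["cache_validity_hours"])


def decide(mud, direction, protocol, host, port):
    """First matching ACE wins; a flow no ACE describes is dropped (assumed default deny)."""
    for rule in mud["rules"]:
        if rule["direction"] != direction:
            continue
        if rule["protocol"] is not None and rule["protocol"] != protocol:
            continue
        if rule["host"] is not None and rule["host"] != host:
            continue
        if rule["port"] is not None and rule["port"] != port:
            continue
        return rule["action"]
    return "drop"


if __name__ == "__main__":
    policy = parse_mud(MUD_FILE)
    for flow in [("from-device", 6, "api.example.test", 443),
                 ("from-device", 6, "other.example.test", 443),
                 ("to-device", 6, "api.example.test", 22)]:
        print(flow, "->", decide(policy, *flow))
    print("refresh needed:", needs_refresh(policy, "2021-01-19T12:00:00+00:00",
                                           "2021-01-22T00:00:00+00:00"))
```

The point of the pattern is visible in the shape of the data: the manufacturer's experts maintain the one file, and every deployment derives its per-device allow-list from it, so a change to expected behaviour is a republish and a re-fetch rather than a hand edit on each network. The refresh check matters because a MUD manager that keeps enforcing a stale copy will block a legitimately updated device or keep allowing a flow the manufacturer has since removed.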

The Future of Security and Defence

The path and conclusions for this blog were reached through reading all standards published in the IETF over four years, gathering information on the effect of pervasive encryption on operators as documented in RFC8404, and analysis of industry direction and trends. This blog begins a series that will dive deeper, aligned to the goal of motivating adoption of architectural patterns that scale as discussed in Transforming Information Security: Optimizing Five Concurrent Trends to Reduce Resource Drain.

Originally published as a CTO blog post on the CIS website on 19 January.

About the author

Kathleen Moriarty, technology strategist and board advisor, helping companies lead through disruption. Adjunct Professor at Georgetown SCS, also offering two corporate courses on Security Architecture and Architecture for the SMB Market. Formerly, as the Chief Technology Officer of the Center for Internet Security, Kathleen defined and led the technology strategy, integrating emerging technologies. Prior to CIS, Kathleen held a range of positions over 13 years at Dell Technologies, including Security Innovations Principal in the Dell Technologies Office of the CTO and Global Lead Security Architect for the EMC Office of the CTO, working on ecosystems, standards, risk management and strategy. In her early days with RSA/EMC, she led consulting engagements interfacing with hundreds of organisations on security and risk management, gaining valuable insights and managing risk to business needs. During her tenure in the Dell EMC Office of the CTO, Kathleen had the honor of being appointed and serving two terms as the Internet Engineering Task Force (IETF) Security Area Director and as a member of the Internet Engineering Steering Group from March 2014-2018. Named in CyberSecurity Ventures' Top 100 Women Fighting Cybercrime. She is a 2020 Tropaia Award Winner, Outstanding Faculty, Georgetown SCS. Keynote speaker, podcast guest, frequent blogger bridging a translation gap for technical content, conference committee member, and quoted in publications such as CNBC and Wired. Kathleen has over twenty-five years of experience driving positive outcomes across Information Technology Leadership, short- and long-term IT Strategy and Vision, Information Security, Risk Management, Incident Handling, Project Management, Large Teams, Process Improvement, and Operations Management in multiple roles with MIT Lincoln Laboratory, Hudson Williams, FactSet Research Systems, and PSINet.
Kathleen holds a Master of Science Degree in Computer Science from Rensselaer Polytechnic Institute, as well as a Bachelor of Science Degree in Mathematics from Siena College.

Published Work: Transforming Information Security: Optimizing Five Concurrent Trends to Reduce Resource Drain, July 2020.