In the first of a series of guest posts, Kathleen Moriarty of the Center for Internet Security (CIS) examines five vital trends that are guiding the industry toward better information security.
We are on a path that will see information security transformed in the next 5-10 years. There are five trends that will enable us as an industry to improve the overall security posture and reduce the attack surface. There is evidence that we are already moving in that direction with a push for built-in security, but we must be mindful to ensure that management scales.
This post will identify the five trends, discuss the evidence of change, provide examples of architectural patterns that scale, and share a possible future state.
5 Information Security Trends
- Strong Encryption
- Ubiquitous Encryption
- Transport Protocol Stack Evolution
- Data-Centric Security Models
- User Control of Data
Motivation for Changes in Information Security
The trends in play offer an opportunity to pivot in order to reduce the resource demands of current security solutions and architectures. The ability to deploy and scale information security is becoming critical. The motivations for a substantial change include:
- Threat actors are increasingly sophisticated, often motivated by cultural norms and identity
- Every layer of the IP stack, including the physical hardware, is undergoing or has undergone significant change in the past few years
- Encryption is driving security to the endpoint, where hardened systems and detection capabilities aligned to measured risk are increasingly important
Evidence of Information Security Changes
The industry has embraced common practices (the aforementioned trends), and those efforts are already improving the overall cyber security landscape:
- Applications are decoupled from operating systems
- Operating systems are increasingly minimised, reducing the attack surface
- DevOps is pushing us towards reuse of small modules, with DevSecOps baking security in at a granular level
- This decoupling of OS and application, together with the move to micro-services, enables faster remediation because the impact on adjoining applications and services is reduced
- Attestation from a root of trust (RoT) is in use to provide hardware and firmware assurance, and will increasingly be applied up the stack to containers, operating systems, etc., ensuring that code and systems are as expected
- Zero Trust (see NIST SP 800-207) is becoming pervasive, applied at a per module or component basis, where security is built-in. A follow-up blog will discuss the relationship between Zero Trust and the Lockheed Kill Chain with evidence of reduced dwell time for attackers.
Architectural Patterns that Scale
In the midst of change, we as an industry have the opportunity to direct the progression towards architectural deployment and management patterns that scale, reducing the burden on resources. With this focus, we should look for opportunities where a small number of experts can have a large impact as we move security to the endpoint. It’s a unique opportunity, and here are some examples:
- Manufacturer Usage Description (MUD) [RFC8520] enables the manufacturer to set expected behaviour patterns for IoT devices. These can be updated by the small set of experts at the manufacturer and pushed out to all devices of that type and version as needed.
- Remote attestation of firmware at boot and at runtime. Technical controls are established by a small set of experts at the vendor, aligned to NIST SP 800-193 (and in some cases the Trusted Computing Group’s (TCG) Reference Integrity Manifest Information Model) to provide firmware assurance, and are validated on every system using attestation from a root of trust (RoT).
- CIS Benchmarks and CIS Controls are managed by a team of experts and broadly applied across systems and applications. CIS Benchmarks and trusted CIS Controls can be used to prioritise remediation based on informed risk levels as an important step you can take now in this transition to the endpoint.
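The MUD pattern above, as an added example (not from the original post or from CIS): a constructed MUD file (RFC 8520) is turned into the device allow-list a network would enforce, and flows the manufacturer did not declare are flagged; the host names, ACL names and URL are made up.

```python
# Added example (not from the original post): turn a MUD file (RFC 8520) into a
# device allow-list and flag flows the manufacturer did not declare. The MUD
# document, host names and ACL names below are constructed for illustration.

# Constructed, already-parsed MUD file: the sensor may only open TCP/443 to its
# update service; the to-device policy is left out to keep the example short.
MUD_DOC = {
    "ietf-mud:mud": {
        "mud-version": 1,
        "mud-url": "https://example.com/mud/sensor.json",  # placeholder
        "last-update": "2020-01-01T00:00:00+00:00",
        "is-supported": True,
        "from-device-policy": {"access-lists": {
            "access-list": [{"name": "mud-sensor-v4fr"}]}},
    },
    "ietf-access-control-list:acls": {"acl": [{
        "name": "mud-sensor-v4fr", "type": "ipv4-acl-type", "aces": {"ace": [{
            "name": "upd0-frdev",
            "matches": {
                "ipv4": {"ietf-acldns:dst-dnsname": "update.example.com",
                         "protocol": 6},
                "tcp": {"ietf-mud:direction-initiated": "from-device",
                        "destination-port": {"operator": "eq", "port": 443}}},
            "actions": {"forwarding": "accept"}}]}}]},
}

def from_device_aces(mud_doc):
    """Return the ACEs referenced by the MUD from-device policy."""
    mud = mud_doc["ietf-mud:mud"]
    names = {a["name"] for a in mud["from-device-policy"]["access-lists"]["access-list"]}
    acls = mud_doc["ietf-access-control-list:acls"]["acl"]
    return [ace for acl in acls if acl["name"] in names for ace in acl["aces"]["ace"]]

def flow_permitted(mud_doc, dst_name, protocol, dst_port):
    """True if the device-initiated flow matches an 'accept' ACE (default deny)."""
    for ace in from_device_aces(mud_doc):
        ip = ace["matches"].get("ipv4", {})
        l4 = ace["matches"].get("tcp" if protocol == 6 else "udp", {})
        port = l4.get("destination-port", {})
        if (ip.get("ietf-acldns:dst-dnsname") == dst_name
                and ip.get("protocol") == protocol
                and port.get("operator") == "eq" and port.get("port") == dst_port
                and ace["actions"]["forwarding"] == "accept"):
            return True
    return False  # MUD is an allow-list: anything unmatched is unexpected

def unexpected_flows(mud_doc, flows):
    """Flows (dst_name, protocol, dst_port) the manufacturer did not declare."""
    return [f for f in flows if not flow_permitted(mud_doc, *f)]
```

When the manufacturer publishes an updated MUD file, only MUD_DOC changes; the enforcement and detection logic stays the same for every device of that type.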
The Future of Security and Defence
The path and conclusions for this blog were reached through reading all standards published by the IETF over four years, gathering information on the effect of pervasive encryption on operators as documented in RFC8404, and analysis of industry direction and trends. This blog begins a series that will dive deeper, aligned to the goal of motivating adoption of architectural patterns that scale as discussed in Transforming Information Security: Optimizing Five Concurrent Trends to Reduce Resource Drain.
Originally published as a CTO blog post on the CIS website on 19 January.