New Complexities in Enterprise IT Call for Context-Aware Security
IT security experts are increasingly highlighting “context awareness” and “situational intelligence” as important new abilities in vulnerability management (VM) for enterprises. Such understanding is nuanced and fluid, involving analyses of “the who, the what, the where, and the how” when it comes to monitoring the use of the organizational network and providing decision-makers with security information that can readily be interpreted and used.
VM vendors are working to incorporate context awareness into their solutions in such areas as firewalls, remote access, device management, privileges and access control, monitoring, logging, auditing, reporting, and incident response. The bring-your-own-device (BYOD) trend means that a VM system must be able to keep an eye on and decipher a great number of personal mobile devices on the network.
The problem for IT staff is knowing what information to focus on. Context awareness allows companies to set priorities around their security threats. At the same time, the system has to provide reporting and alerts to the right decision-makers in usable formats, meaning it has to give responsible parties such as engineers, auditors and managers the information that is important to each of them.
“Companies are drowning in a sea of security data,” said Marc Maiffret, chief technology officer of security vendor BeyondTrust, in an interview with ThomasNet News. “The focus for many years was to collect as much information as possible, with the idea that the more information that you have, the better armed you would be to fight off cyberattacks.”
“Without the proper context and intelligence, this data sits in databases, dumb and without any logic to play a part in your day-to-day operations,” he said. What organizations need to do, Maiffret said, is “to step back from the vacuum cleaner approach” in such areas as malware and vulnerabilities to more refined tactics that are “driven by the need for prioritization of what data is the most important.”
To set priorities, Maiffret suggests that decision-makers ask themselves, “Are you leveraging tools and technologies that can apply context to what vulnerabilities are actually being exploited in the wild, and to prioritize vulnerabilities based on what hackers use to truly break in versus the thousands of other vulnerabilities every year that are never used and truly don't matter?”
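As an added illustration of the prioritization Maiffret describes (example code, not from the article or from BeyondTrust): scan findings are ranked so that anything in a known-exploited feed outranks higher-severity findings that nobody is actually using. The feed, the `VULN-` identifiers and the host names are constructed assumptions.

```python
# Added example (not from the article or any vendor it mentions): rank scan
# findings by exploitation in the wild first, then exposure, then severity.
from dataclasses import dataclass


@dataclass
class Finding:
    vuln_id: str           # identifier as reported by the scanner (placeholder)
    cvss: float            # base severity, 0.0-10.0
    exploited: bool        # listed in a known-exploited feed (assumed to exist)
    internet_facing: bool  # asset reachable from outside the network
    host: str


def priority(f: Finding) -> float:
    """Higher is more urgent. Exploitation in the wild dominates the score;
    external exposure and base severity only break ties within that tier."""
    score = f.cvss
    if f.exploited:
        score += 20.0  # larger than any CVSS value, so exploited items always sort first
    if f.internet_facing:
        score += 5.0
    return score


def prioritize(findings):
    """Return the findings as a work list, most urgent first."""
    return sorted(findings, key=priority, reverse=True)


# Constructed sample findings; the identifiers are placeholders, not real CVEs.
SAMPLE = [
    Finding("VULN-0001", 9.8, False, False, "db-01"),
    Finding("VULN-0002", 7.5, True, True, "web-01"),
    Finding("VULN-0003", 6.1, True, False, "file-02"),
    Finding("VULN-0004", 9.0, False, True, "vpn-01"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{priority(f):5.1f}  {f.vuln_id}  {f.host}")
```

Note that the critical-severity finding on `db-01` drops to the bottom of the list because nothing is exploiting it.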
Context awareness is hard to get right, according to John Parkinson, affiliate partner at Chicago-based Waterstone Management Group, an advisory firm focused on serving the technology sector. Parkinson told ThomasNet News that the concept of “situational awareness” was developed by military psychologists during the 1980s, “analyzing how war fighters reacted to different information feeds depending on where they were and what they were doing.”
Soldiers had to interpret the intelligence quickly and make decisions accordingly. “Sometimes, you had only enough attention span to focus on a very few critical pieces of information. If you got too much, you overloaded and couldn't tell what was important,” Parkinson explained. “What was important depended on ‘context,’ the nuances of your situation.”
Eventually the idea was extended from combat avionics to all kinds of IT systems. But the problem, said Parkinson, is that “it’s tough to build really good context- or situation-aware processes and systems, given that the real world has lots of unanticipated variables and available data is often incomplete or ambiguous.”
Given the prevalence of cybercrime and identity theft, user identity is a central challenge in context awareness. Amy Larsen DeCarlo, principal analyst at Washington, D.C.-based research firm Current Analysis, wrote recently that situational intelligence is now needed because of more fluid “distributed operating environments” in which user identity is more difficult to confirm and manage.
Today, “password and other static controls are no longer sufficient,” according to DeCarlo. Context-aware technologies can “use environmental and other circumstantial data to parse out whether a user should be allowed access or might, in fact, be a real threat.” The same kinds of measures can also be used to assess external threats, such as malware or phishing attacks introduced by websites.
A new generation of firewalls, web security gateways, and intrusion-detection and intrusion-prevention systems that include contextual capabilities is coming onto the market. Contextual information, said DeCarlo, can help validate a user’s identity and manage permissions. “For example,” she wrote, “a context-aware security platform will examine a variety of factors -- from device type and password to the location of the user logging in -- to verify if the login request is genuine or perhaps is being generated by a hacker who has commandeered another user's credentials.”
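The login check DeCarlo describes, written out as an added example (not the article's own, nor any vendor's product): a correct password is only the first gate, and the device, location and time of the request are then scored against what is normal for that user. The user baseline, weights and thresholds are assumptions chosen for illustration.

```python
# Added example (not from the article): a context-aware login decision that
# combines the static credential check with device, location and time signals.
from dataclasses import dataclass


@dataclass
class LoginContext:
    user: str
    password_ok: bool   # result of the static credential check
    device_id: str
    country: str
    hour_utc: int       # 0-23


# Constructed baseline of what is normal for each user (assumption: a real
# system would derive this from historical login records).
BASELINE = {
    "alice": {"devices": {"laptop-a1"}, "countries": {"US"}, "hours": range(7, 20)},
}


def risk_score(ctx: LoginContext) -> int:
    """0 means fully consistent with the user's history; each anomaly adds weight."""
    profile = BASELINE.get(ctx.user)
    if profile is None:
        return 100  # unknown user: treat as maximum risk
    score = 0
    if ctx.device_id not in profile["devices"]:
        score += 40  # never-seen device
    if ctx.country not in profile["countries"]:
        score += 40  # country this user has never logged in from
    if ctx.hour_utc not in profile["hours"]:
        score += 20  # outside the user's usual working hours
    return score


def decide(ctx: LoginContext) -> str:
    """Return 'allow', 'step-up' (require a second factor) or 'deny'."""
    if not ctx.password_ok:
        return "deny"  # the static control already failed; context cannot rescue it
    score = risk_score(ctx)
    if score >= 80:
        return "deny"      # valid password but nothing else fits: treat as commandeered
    if score >= 40:
        return "step-up"   # one strong anomaly: verify with a second factor
    return "allow"
```

The case to notice is the last one below: the password is correct, yet the request is denied because the device and country together look like someone else using the credentials.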
Discussions of context awareness often center around users and their devices, with particular emphasis on mobile devices. Perhaps even more important, though, are the enterprise’s processes around reporting and response, according to Morey Haber, senior director for product management at BeyondTrust.
“You might be able to generate hundreds of reports in your system, but are you sending them to the right people in your organization? Most tools fail to get that,” said Haber, noting that different internal audiences -- IT staff, engineers, managers, auditors -- all have their individual contexts and informational needs.
“It’s not just the display of the data,” Haber stressed. “It’s why you’re displaying it a certain way and to whom. As soon as you start highlighting it for the right person and making it useful, targeting who needs it and in what format -- then you’re making your process context-aware.”
A report this month from Mountain View, Calif.-based research firm Frost & Sullivan spotlighted recent growth in the global VM market and attributed it in part to companies’ recognition of the need for context awareness. Christopher Kissel, network security analyst at Frost & Sullivan, said this growth reflects “the constant drumbeat of internal and external changes companies face in protecting their networked assets.”
Kissel expects this growth will continue “as the nature of cyberattacks change, harvesting smaller businesses and becoming more personalized to penetrate even the most security-conscious organization.”