Four Strategies for Optimizing Your Security Controls in Future Scenarios
G00252630
Published: 30 May 2013
Analyst(s): Andrew Walls
Future threat environments will force security and risk leaders to create new,
adaptive control environments. A structured approach — one that defines,
regularly surveys and improves control effectiveness — will help teams plan
and adapt to the changing landscape.
Key Challenges
■ Traditional enterprise control environments fail to mitigate the impact of current and future attacks against enterprise assets on external endpoints. [1]
■ Increasing conflict and tension between governments, industry cartels and activist associations create conflicting opportunities and threats for corporate security practices. [2]
■ Geographic variations in threats and regulation force distributed organizations to pursue divergent security strategies. [3]
Recommendations
■ Use scenario planning to develop a deep understanding of future threat and opportunity environments (see "Security and Risk Management Scenario Planning, 2020").
■ Structure your control environment to accommodate threat variation and context, particularly for distributed organizations operating in multiple scenario categories.
■ Maintain flexible business, political, industry and customer-centric alliances, and be prepared to comply with overlapping and conflicting security and risk directives from a variety of authorities.
Introduction
As threats and opportunities change, control environments must evolve to satisfy the balance between business and security drivers. Security and risk managers exploring Gartner's Scenario 2020 should:
■ Analyze and identify existing controls.
■ Designate and assign controls of the future.
■ Perform routine assessment of control effectiveness.
■ Use a structured approach offered by Gartner's strategy tool.
Present-day evidence — and those events converging with the Nexus of Forces in mobile, social,
cloud and big data — suggests attack surfaces for the enterprise are growing beyond most
protection technologies and techniques. Scenario planning allows organizations to better
understand future control needs and requirements. With a strategic approach to scenarios, planning
at the control level will help organizations mature in concert with business while minimizing
technology and behavioral risk.
Analysis
A Structured, Strategic Approach to Controls
Security control environments are composed of technological and behavioral controls that are
passive or active in their interaction with threats. The selection of these controls should be driven by
the risk management strategy defined in concert with business leaders (see "Use a Structured
Approach to Communicate Your Security Strategy").
Technological controls compose the bulk of traditional IT security control environments. Firewalls,
data loss prevention tools, intrusion prevention systems (IPSs), anti-malware, network behavior
analysis and the like are all forms of technological controls. Behavioral controls are structured
human behaviors that are intended to respond to and mitigate security threats. Security
administrator actions and security actions made by regular employees or customers are all forms of
behavioral security controls.
An active security control directly mitigates or otherwise affects a threat. A firewall rule that drops
probe packets is a form of an active technological control. An employee confronting a visitor who is
not displaying a security badge is a form of an active behavioral control.
A passive control responds to threat symptoms, but does not directly mitigate or alter the impact of
a threat. A firewall rule that generates log entries in response to probe packets is an example of a
passive technological control. A user notifying the help desk that they received a suspicious email is
a form of a passive behavioral control. Passive controls are usually detection and escalation
mechanisms, but, on their own, do not modify the threat or vulnerability that has been detected.
Control environments typically combine active and passive controls into an integrated mechanism.
For example, an IPS detects symptoms of a security event and:
■ Generates a log event of the detected symptom — passive control
■ Matches the symptoms to an attack pattern or anomaly — passive control
■ Alters the filtering configuration to contain/block the apparent attack/anomaly — active control
In a similar fashion, behavioral controls combine passive and active elements. For example, users
may be instructed to:
■ Recognize the hallmarks of a potential phishing email — passive control
■ Avoid clicking on the URL in the email — active control
■ Delete the email — active control
■ Inform the help desk of the incident — passive control
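The three-step IPS mechanism described above (log the symptom, match it to a pattern, alter the filter) can be seen end to end in a small model. The following Python is an added illustration and not Gartner's code; the log format, the addresses, the port-scan threshold and the block-list representation are constructed for the example. Each step is a separate function so that the passive steps (which only produce information) are visibly distinct from the active step (which changes what the filter does):

```python
"""Passive-to-active control chain over constructed firewall log lines.

Added illustration (not Gartner's code). Models the integrated mechanism
described in the text: (1) log the symptom, (2) match it against an attack
pattern, (3) alter the filtering configuration. Log format, addresses and
threshold are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample firewall log: "<time> <src_ip> <dst_port> <action>"
SAMPLE_LOG = """\
10:00:01 198.51.100.7 22 DROP
10:00:01 198.51.100.7 23 DROP
10:00:02 198.51.100.7 80 DROP
10:00:02 198.51.100.7 443 DROP
10:00:03 198.51.100.7 3389 DROP
10:00:03 203.0.113.5 443 ACCEPT
10:00:04 203.0.113.5 443 ACCEPT
10:00:05 198.51.100.7 8080 DROP
"""

# Constructed: distinct ports probed by one source before it is called a scan
PROBE_PORT_THRESHOLD = 5


@dataclass
class ControlState:
    event_log: list = field(default_factory=list)    # passive: recorded symptoms
    alerts: list = field(default_factory=list)       # passive: pattern matches escalated
    block_list: set = field(default_factory=set)     # active: altered filtering configuration
    ports_by_src: dict = field(default_factory=lambda: defaultdict(set))


def log_symptom(state, line):
    """Passive control: record each dropped probe packet as a log event."""
    ts, src, port, action = line.split()
    if action == "DROP":
        state.event_log.append((ts, src, int(port)))
        state.ports_by_src[src].add(int(port))
    return state


def match_pattern(state, src):
    """Passive control: match logged symptoms to a port-scan pattern.

    Returns True only the first time a source crosses the threshold, so the
    active step is triggered once per source.
    """
    ports = state.ports_by_src[src]
    if len(ports) >= PROBE_PORT_THRESHOLD and src not in state.block_list:
        state.alerts.append(f"port scan from {src}: {sorted(ports)}")
        return True
    return False


def alter_filter(state, src):
    """Active control: change the filtering configuration to contain the source."""
    state.block_list.add(src)
    return state


def run_chain(log_text):
    """Run every line through log -> match -> block and return the final state."""
    state = ControlState()
    for line in log_text.splitlines():
        log_symptom(state, line)
        src = line.split()[1]
        if match_pattern(state, src):
            alter_filter(state, src)
    return state


def would_drop(state, src):
    """What the altered filter now does with further traffic from src."""
    return src in state.block_list


if __name__ == "__main__":
    s = run_chain(SAMPLE_LOG)
    print(len(s.event_log), "logged symptoms;", len(s.alerts), "alert(s);",
          "blocked:", sorted(s.block_list))
```

Note that `log_symptom` and `match_pattern` never change the threat; only `alter_filter` does, which is the distinction the text draws between passive and active controls. The later probe of port 8080 is still logged (the passive control keeps producing information) but raises no second alert, since the active control has already acted on that source.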
These two continua — active/passive and technological/behavioral — form a grid that defines four
control groups (see Figure 1).
Figure 1. Control Matrix

                      Technical Controls      Behavioral Controls
  Active Controls     Search and Destroy      Psy Ops
  Passive Controls    Castles and Moats       Behavior Jujitsu

Source: Gartner (May 2013)
Four control types are created by the intersection of the factors active-passive and technological-behavioral:
Castles and Moats:
■ Traditional active and passive technical controls
■ Isolation via network architecture and access controls
Behavior Jujitsu:
■ Improved security education programs focused on passive (defensive) behavioral controls that detect, record and/or escalate suspected incidents
Search and Destroy:
■ Offensive technical approach to returning fire against a threat agent
■ Passive monitoring of activities of identified adversaries
Psy Ops:
■ Advanced behavioral intervention
Examples of these types of controls might include (see Figure 2):
1. Castles and moats (passive technological control): Firewall rules continuously logging sessions on defined ports and protocols
2. Behavior jujitsu (passive behavioral control): Reporting a suspected security issue to the help desk
3. Search and destroy (active technological control): Responding to a distributed denial of service (DDoS) by performing denial of service against apparent attack sources
4. Psy ops (active behavioral control): Deleting a message posted by a colleague due to noncompliant content
Figure 2. Controls in Action

                Technological      Behavioral
  Active        Disable Login      Confront Tailgaters
  Passive       Event Log          Report Incident

Source: Gartner (May 2013)
Structure Your Control Environment to Accommodate Threat Variation and Context
Active controls are triggered by information generated through passive controls. Active and passive
controls are only effective if appropriate information to trigger the active control is available and if
the active control can affect the relevant threat.
Each of the four scenarios for the future of security creates a unique combination of attack
targets and risk sources. To develop a portfolio of effective controls for each scenario, controls
must be selected on the basis of their ability to generate useful information on threats (passive
controls) and to exert influence directly on the threat source/vector, or limit the impact of the
security/risk (active controls).
For example, in the neighborhood watch scenario (see Note 1):
■ The corporate perimeter firewall fails as a control.
  ■ In this scenario, the targets of attack are the individuals (for example, customers or employees) rather than corporate infrastructure. As a consequence, attacks may not cross the corporate perimeter and be noticed by passive controls within the firewall.
  ■ Since a perimeter firewall can only affect the flow of data across perimeter interfaces, the active controls within the firewall will be unable to directly affect a threat to a remote endpoint.
■ Endpoint protection platform works as a control.
  ■ A distributed endpoint protection platform (EPP) solution enables detection of an attack on the endpoint (passive control).
  ■ If an attack is detected, the EPP solution is capable of alerting security personnel (passive control) and blocking the attack, or minimizing the impact (active controls).
By way of comparison, in the regulated risk scenario (see Note 2):
■ The corporate perimeter firewall works as a control.
  ■ In this scenario, the target of the attack is corporate infrastructure. As a consequence, most attacks will cross the corporate perimeter and be noticed by passive controls within the firewall.
  ■ Since passive controls in a perimeter firewall can detect and escalate an attack to an active control, the active controls within the firewall can act directly on the port/protocol/session being used as an attack vector or can trigger other active controls, such as data loss prevention.
■ Offensive counter-attacks fail as a control.
  ■ The strong regulatory authority of government prohibits counter-attacks, such as an aggressive DDoS, which would be an offensive form of active control.
For each scenario, technological and behavioral controls should be evaluated for applicability and
utility. By evaluating existing controls, gaps in risk mitigation can be identified. These gaps then
form the performance criteria for new controls.
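The evaluation procedure in this section applies two tests to every control in a scenario: a passive control is useful only if the attack path crosses the point where it observes, and an active control only if it can reach the threat and the scenario's regulatory authority permits it. The following Python is an added illustration, not Gartner's code or tool; it encodes those tests and runs a constructed control portfolio against the two scenarios discussed above, producing the gap list that the text says becomes the performance criteria for new controls. The scenario attributes, the control attributes and the "reach" vocabulary (perimeter, endpoint, source) are assumptions made for the example; the only permission rule encoded is the one the text states, that offensive active controls are prohibited under monolithic authority.

```python
"""Scenario-based control evaluation (added illustration, not Gartner's code).

Encodes the two tests the text applies to each control in a scenario:
  * a passive control must be able to observe the attack path;
  * an active control must be able to affect the threat, and must be
    permitted by the scenario's regulatory authority.
Scenario axes, control attributes and the reach vocabulary are constructed
assumptions for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    target: str       # target axis: "enterprise" or "individual"
    authority: str    # authority axis: "monolithic" or "tribal"


@dataclass(frozen=True)
class Control:
    name: str
    kind: str               # "passive" (generates threat information) or "active" (affects the threat)
    reach: frozenset        # points it can observe or act on: "perimeter", "endpoint", "source"
    offensive: bool = False # counter-attack style active control


# Constructed: which points an attack path touches, by primary target.
# Attacks on corporate infrastructure cross the perimeter; attacks on
# individuals reach remote endpoints without crossing it (see Note 1).
ATTACK_PATH = {
    "enterprise": frozenset({"source", "perimeter", "endpoint"}),
    "individual": frozenset({"source", "endpoint"}),
}


def evaluate(control, scenario):
    """Return (works, reason) for one control in one scenario."""
    if not control.reach & ATTACK_PATH[scenario.target]:
        verb = "observe" if control.kind == "passive" else "affect"
        return False, (f"cannot {verb} attacks on {scenario.target} targets "
                       f"from {sorted(control.reach)}")
    if control.offensive and scenario.authority == "monolithic":
        return False, "offensive active controls prohibited under monolithic regulatory authority"
    return True, "applicable"


def control_gaps(controls, scenario):
    """Names of controls that fail in this scenario: the input to new-control selection."""
    return [c.name for c in controls if not evaluate(c, scenario)[0]]


# Constructed scenarios following Notes 1 and 2 of the text
NEIGHBORHOOD_WATCH = Scenario("neighborhood watch", "individual", "tribal")
REGULATED_RISK = Scenario("regulated risk", "enterprise", "monolithic")

# Constructed control portfolio mirroring the examples in the text
PORTFOLIO = [
    Control("perimeter firewall logging", "passive", frozenset({"perimeter"})),
    Control("perimeter firewall blocking", "active", frozenset({"perimeter"})),
    Control("EPP detection", "passive", frozenset({"endpoint"})),
    Control("EPP blocking", "active", frozenset({"endpoint"})),
    Control("DDoS counter-attack", "active", frozenset({"source"}), offensive=True),
]

if __name__ == "__main__":
    for sc in (NEIGHBORHOOD_WATCH, REGULATED_RISK):
        print(sc.name)
        for c in PORTFOLIO:
            ok, why = evaluate(c, sc)
            print(f"  {'works' if ok else 'fails'}: {c.name} ({why})")
        print("  gaps:", control_gaps(PORTFOLIO, sc))
```

Because most enterprises operate in more than one scenario at once, the same evaluator run over every scenario the enterprise occupies shows which controls survive across all of them; those are the ones the later section recommends prioritizing.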
Maintain Flexible Alliances and Be Prepared to Comply With Overlapping and
Conflicting Directives
The vertical axis in the future scenario reflects the continuum of authority that drives security/risk
regulation and standards. At one extreme, a monolithic government (for example, world
government) defines specific performance standards and regulations for all aspects of security and
risk management. These regulations cover the behavior and system operation of enterprises and
individuals. For example, Payment Card Industry Data Security Standard (PCI DSS) mandates
certain enterprise operations, while increasingly popular "three strikes" rules about copyright
infringement restrict personal actions related to copyrighted content.
At the opposite extreme, standards setting and regulation are fragmented across multiple entities,
including industry associations, social communities and criminal cartels (see Figure 3).
Figure 3. Targets and Authority Axes

  Vertical axis: Authority, from Tribal (top) to Monolithic (bottom)
  Horizontal axis: Target, from Enterprise (left) to Individual (right)

                   Enterprise    Individual
  Tribal           2             4
  Monolithic       1             3

See "Security and Risk Management Scenario Planning, 2020"
Source: Gartner (May 2013)
As regulatory authority shifts across this continuum, organizations (and individuals) will need to
maintain multiple alliances to maintain compliance and to influence the direction of future mandates.
For example, enterprises will lobby governmental bodies and participate in industry groups that
generate standards. Enterprises operating in multiple geographic or cultural situations will need to
maintain connections and alliances with the entities that drive regulation and cultural expectations
for enterprise behavior in each context.
The four scenarios describe potential extreme environments produced by the differing aggregation
of regulatory authority and variations in the primary targets for attack. Most enterprises will operate
simultaneously in two or more of the four scenarios. This range of operating conditions will come as
a result of geographic spread (for example, multinational versus domestic only), cultural diversity
and overlapping legal jurisdictions. As a result, most enterprises will require control portfolios that
span two or more of the scenario environments. In anticipation of this requirement, scenario
planning for controls should prioritize those that can operate effectively in more than one scenario.
Due to the ongoing evolution of standards, regulations and regulatory authorities, scenario planning
should be based on the assumption that everything will change. Investing in rigid control structures
— particularly controls that drive the behavior of IT and IT security personnel — reduces the ability
of the enterprise to respond quickly and effectively to changing conditions.
Recommended Reading
Some documents may not be available as part of your current Gartner subscription.
"Security and Risk Management Scenario Planning, 2020"
"Consider a People-Centric Security Strategy"
"User Behavior Can Improve Security, but Only With Development and Practice"
"Use a Structured Approach to Communicate Your Security Strategy"
Evidence
1. The hypercompetitive market for mobile devices drives vendors to innovate at a rapid pace in pursuit of competitive differentiation in the market. This innovation produces market benefits, but can also lead to unanticipated security vulnerabilities. On a regular basis, security vulnerabilities and risks associated with mobile devices are discussed in a variety of media. The citations below are a small collection of some of the more recent events:
■ J. Blagdon, "US Telecoms Oppose Strict Cybersecurity Controls, Get Them Removed From FCC Report," The Verge, 18 March 2013
■ C. Brook, "Malnets to Continue Targeting Mobile Devices in 2013," Threatpost, 12 February 2013
■ F. Eordogh, "How Anonymous Have Become Digital Culture's Protest Heroes," The Guardian, 15 April 2013
2. Public networks have become a conveyance for transborder attacks. Various entities — government-sponsored and otherwise — use the Internet to collect competitive intelligence and to attack corporate, education and government infrastructure. Multiple governments at many levels (such as national, state/province and local) have identified domestic and international information security threats as threats to domestic security. In response, an increasing number of governmental bodies are increasing the regulation of IT management in some industries. In addition, multiple large governments are openly discussing the use of IT to develop and deploy attack mechanisms against adversaries:
■ "Executive Order — Improving Critical Infrastructure Cybersecurity," Office of the White House Press Secretary, 12 February 2013
■ W. Broad, J. Markoff and D. Sanger, "Test on Worm Called Crucial in Iran Nuclear Delay," New York Times, 15 January 2011
■ A. Greenberg, "Evidence Mounts That Chinese Government Hackers Spread Android Malware," Forbes.com, 1 April 2013
3. Most enterprises operate in multiple legal jurisdictions. Each jurisdiction maintains a unique set of regulations and laws that combine national, international and local concerns that pertain to data management, corporate accountability, privacy and so on. Although the applicability of the laws in a particular jurisdiction to a particular enterprise activity is a topic for legal counsel, in general, enterprises must comply with multiple, potentially contradictory regulations:
■ L. Clark, "ICO Commissioner Slams EU Data Protection Directive," Wired, 7 February 2013
■ M. Masnick, "Rep. Gohmert Wants A Law That Allows Victims To Destroy The Computers Of People Who Hacked Them," TechDirt, 19 March 2013
■ A. Greenberg, "A Different Approach To Foiling Hackers? Let Them In, Then Lie To Them," Forbes.com, 5 April 2013
Note 1 An Explanation of Neighborhood Watch From the Security and Risk Management Scenario
Planning, 2020
"The neighborhood watch scenario is essentially anarchy. In this scenario, individuals are
increasingly targeted by attacks, and a decrease in government regulation is reducing the beneficial
impact of governments on the security situation. E-militias will form to protect individuals against
extreme anarcho-hacktivism. Corporate and communal interest groups will construct 'walled
gardens,' and self-organizing protection societies (honest and dishonest) will flourish."
Note 2 An Explanation of Regulated Risk From the Security and Risk Management Scenario
Planning, 2020
"This scenario is close to the operating environment that most organizations work in now.
Enterprises remain the primary target for malicious attacks and increasing regulation attempts to
guide enterprise security and risk management. Governments will use regulation in pursuit of safety
for enterprises and for governmental organizations. All infrastructures become critical and are
regulated accordingly. Enterprises are held responsible for security decisions and actions of
employees. Attacks become acts of war between nation states. The extreme of this scenario is
outright cyberwarfare between governments."
More on This Topic
This is part of an in-depth collection of research. See the collection:
■ Long-Range Planning Guidance for Information Security and Risk Management: Gartner's Security 2020 Scenario
© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This
publication may not be reproduced or distributed in any form without Gartner’s prior written permission. If you are authorized to access
this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained
in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy,
completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This
publication consists of the opinions of Gartner’s research organization and should not be construed as statements of fact. The opinions
expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues,
Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company,
and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of
Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization
without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner
research, see “Guiding Principles on Independence and Objectivity.”