The dynamism of risks, driven by the appearance of new threats, the continuous identification of vulnerabilities and the growing adoption of technologies, means that security models in organizations must adapt to continuous change.
Currently, prevention and detection approaches, traditionally used in the field of cybersecurity, must be complemented with new ways of dealing with risks, particularly with prediction and response activities.
This perspective, called adaptive security, considers that it is only a matter of time before systems are compromised, so they must be permanently monitored and remediated, without neglecting the constant work of minimizing risks by reducing their impact or probability of occurrence.
Adaptive security: what is a security architecture?
As in nature, the species that survive are not the strongest, nor the fastest, nor the largest, but those that adapt best to changes; in an environment of dynamic risks, the fittest survive, those who manage to adapt better to the environment.
This idea applied to the field of cybersecurity defines adaptation as a relevant condition when risks change constantly. In this sense, those organizations that best adapt to changes are those that achieve their objectives. Adaptive security considers the implementation of security architectures that adapt to their environment in order to understand behaviors and events that allow them to anticipate threats.
According to this approach, even prevention carried out perfectly is not sufficient on its own, so it is necessary to design an adaptive security infrastructure on the assumption that it will be compromised. Therefore, all systems and devices must be considered potentially compromised, and their behavior must be continually evaluated to determine their risk and trust.
The model, defined by Gartner as the Adaptive Security Architecture, is made up of four phases: prediction, prevention, detection and response; it is based on real-time decision making driven by risk and trust assessments. Among other aims, it seeks to reduce the damage that internal and external threats can cause, minimize losses, and minimize detection and response time when an incident occurs.
Each of the phases defines guidelines within a cycle that starts from implementing, monitoring and adjusting the security posture, according to the information collected.
Prediction: Refers to the ability to anticipate threats and attacks, mainly through intelligence activities (early identification of threats). To carry out this phase, the security posture, the organization's exposure and the assessment of prioritized risks must be defined.
Some considerations in this phase are related to other activities, such as the discovery of cybersecurity trends, and the investigation and identification of incidents that organizations have suffered (at the local, regional or global level). The task is to move from a reactive to a proactive security posture, anticipating threats and attacks.
Prevention: Based on previously collected information, security measures must be implemented or improved, including the acquisition of protection technologies. As in any area of security, the prevention phase aims to prevent attacks.
In this stage the strengthening or isolation of the systems is considered (according to the needs), the application of policies, processes, procedures, and in general, of security controls (technical, administrative or physical) that reduce the probability of occurrence or impact of the identified risks.
Detection: The third phase refers to complementary technologies whose main objective is to identify suspicious or abnormal behavior, as well as to recognize attacks or threats that managed to evade prevention measures.
There are preconditions to consider in this phase. For example, defining what constitutes a security incident, since that definition is what makes containment possible, and containment is another of the strategic points considered at this stage. Aspects such as confirmation and prioritization of risks are also considered.
Response: The last phase refers to incident response, mainly considering remediation, as well as investigation of events and retrospective analysis of what happened. The main purpose is to eradicate the conditions that allowed the risk to materialize. As a result, the necessary actions to correct it must be carried out, which imply changes, as well as lessons learned.
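The four phases above form one loop, so a single worked example is more useful than a fragment per phase. The following is an added illustration written for this page, not code from the article or from Gartner: a small engine that lowers an asset's trust score when threat intelligence says its exposed services are under an active campaign (prediction), gives partial credit for applied controls (prevention), penalizes brute-force bursts and outbound connections to known-bad addresses seen in logs (detection), and chooses isolate/investigate/monitor from the resulting trust, feeding a lesson learned back into the next cycle (response). All asset names, the `203.0.113.5` indicator, the log format `<host> <EVENT> <detail>`, and the scoring weights and thresholds are constructed assumptions.

```python
"""Added example of the predict -> prevent -> detect -> respond cycle.
Illustrative code written for this page, not code from the article or from
Gartner; asset names, indicators, log lines, weights and thresholds are
constructed assumptions."""
from dataclasses import dataclass, field

ISOLATE_BELOW = 40      # trust below this: automatic containment (assumed threshold)
INVESTIGATE_BELOW = 70  # trust below this: analyst review (assumed threshold)


@dataclass
class Asset:
    name: str
    hardened: bool                               # baseline controls applied or not
    exposure: set = field(default_factory=set)   # externally reachable services
    trust: float = 100.0                         # re-evaluated every cycle, never assumed
    findings: list = field(default_factory=list)


class AdaptiveSecurityEngine:
    def __init__(self, assets, threat_intel):
        self.assets = {a.name: a for a in assets}
        self.threat_intel = set(threat_intel)  # known-bad addresses (constructed)
        self.lessons = []                      # feedback from response into the next cycle

    def predict(self, trending_services):
        """Prediction: lower trust for assets exposing services under an active campaign."""
        for a in self.assets.values():
            hit = a.exposure & trending_services
            if hit:
                a.trust -= 10 * len(hit)
                a.findings.append(f"predict: exposed {sorted(hit)} during active campaign")

    def prevent(self):
        """Prevention: applied controls earn back some trust; missing ones are recorded."""
        for a in self.assets.values():
            if a.hardened:
                a.trust = min(100.0, a.trust + 5)
            else:
                a.findings.append("prevent: no hardening baseline applied")

    def detect(self, log_lines):
        """Detection: flag behaviour that evaded prevention.
        Constructed log format: '<host> <EVENT> <detail>'."""
        failed_logins = {}
        for line in log_lines:
            host, kind, detail = line.split(" ", 2)
            a = self.assets.get(host)
            if a is None:
                continue
            if kind == "AUTH_FAIL":
                failed_logins[host] = failed_logins.get(host, 0) + 1
                if failed_logins[host] == 5:       # burst of failures = brute-force pattern
                    a.trust -= 30
                    a.findings.append("detect: brute-force pattern (5 failed logins)")
            elif kind == "CONN_OUT" and detail in self.threat_intel:
                a.trust -= 50
                a.findings.append(f"detect: outbound connection to known-bad {detail}")

    def respond(self):
        """Response: choose an action per asset from its current trust; record lessons."""
        actions = {}
        for a in self.assets.values():
            if a.trust < ISOLATE_BELOW:
                actions[a.name] = "isolate"
            elif a.trust < INVESTIGATE_BELOW:
                actions[a.name] = "investigate"
            else:
                actions[a.name] = "monitor"
            # lesson learned: an isolated asset lacking baseline controls gets them next cycle
            if actions[a.name] == "isolate" and not a.hardened:
                a.hardened = True
                self.lessons.append(f"{a.name}: apply hardening baseline before reconnecting")
        return actions

    def run_cycle(self, trending_services, log_lines):
        self.predict(trending_services)
        self.prevent()
        self.detect(log_lines)
        return self.respond()


def run_demo():
    """Run one cycle over constructed sample data; returns (actions, engine)."""
    assets = [
        Asset("web01", hardened=False, exposure={"http", "rdp"}),
        Asset("db01", hardened=True),
        Asset("ws07", hardened=True, exposure={"rdp"}),
    ]
    engine = AdaptiveSecurityEngine(assets, threat_intel={"203.0.113.5"})  # constructed IoC
    logs = ["web01 AUTH_FAIL user=admin"] * 5 + [
        "web01 CONN_OUT 203.0.113.5",
        "db01 AUTH_FAIL user=root",
    ] + ["ws07 AUTH_FAIL user=alice"] * 5 + ["ws07 CONN_OUT 198.51.100.9"]
    actions = engine.run_cycle(trending_services={"rdp"}, log_lines=logs)
    return actions, engine


if __name__ == "__main__":
    acts, eng = run_demo()
    for name, action in acts.items():
        print(name, action, round(eng.assets[name].trust), eng.assets[name].findings)
    print("lessons:", eng.lessons)
```

Running the demo isolates `web01` (exposed RDP during a campaign, no hardening, a brute-force burst and a connection to the known-bad address), sends `ws07` for investigation (exposed RDP plus a brute-force burst, partly offset by its controls) and leaves `db01` in monitoring. The point the code makes is that trust is never a static label: it starts high for every asset and is recomputed from intelligence, controls and observed behaviour each cycle, and the response phase changes the inputs to the next cycle.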
This security architecture proposal seeks to face current risks, through the constant adjustment of conditions within organizations, based on more and better information, risk and trust assessments. Finally, information security is about making decisions and continually adapting to change.