Transforming Information Security to Secure Businesses

By: Kathleen M. Moriarty, CIS Chief Technology Officer

We are on a path that will see information security transformed in the next 5-10 years. There are five trends that will enable us as an industry to improve the overall security posture and reduce the surface attack space. There is evidence that we are already moving in that direction with a push for built-in security, but we must be mindful to ensure management scales.

This blog will identify the five trends, discuss the evidence of change, provide examples of architectural patterns that scale, and share a possible future state.

5 Information Security Trends

1. Strong Encryption
2. Ubiquitous Encryption
3. Transport Protocol Stack Evolution
4. Data-Centric Security Models
5. User Control of Data

Motivation for Changes in Information Security

The trends in play offer an opportunity to pivot in order to reduce the resource demands of current security solutions and architectures. The ability to deploy and scale information security is becoming critical. The motivations for a substantial change include:

• Threat actors are increasingly sophisticated, often motivated by cultural norms and identity
• Every layer of the IP stack, including the physical hardware, is or has undergone significant change in the past few years
• Encryption is driving security to the endpoint, where hardened systems and detection capabilities aligned to measured risk is increasingly important

Evidence of Information Security Changes

The industry embraced common practices (the aforementioned trends) and those efforts are already making improvements to the overall cyber security landscape:

• Applications are decoupled from operating systems
• Operating systems are increasingly minimized, reducing the surface attack space
• DevOps is pushing us towards reuse of small modules, with DevSecOps baking security in at a granular level
• This decoupling of the OS, application, and move to micro-services enables faster remediation as the impact to adjoining applications and services is reduced
• Attestation from a root of trust (RoT) is in use to provide hardware and firmware assurance, and will increasingly be applied up the stack to containers, operating systems, etc. ensuring code and system are as expected
• Zero Trust (see NIST SP 800-207) is becoming pervasive, applied at a per module or component basis, where security is built-in. A follow-up blog will discuss the relationship between Zero Trust and the Lockheed Kill Chain with evidence of reduced dwell time for attackers.

Architectural Patterns that Scale

In the midst of change, we as an industry have the opportunity to direct the progression in a way that reduces the burden on resources in shifting towards architectural deployment and management patterns that scale. With this focus, we should be looking for opportunities to use a small number of experts that results in a large impact where possible as we move to the endpoint. It’s a unique opportunity and here are some examples:

• Manufacturer Usage Description (MUD) [RFC8520] enables the manufacturer to set expected behavior patterns for IoT devices. These can be updated by the small set of experts at the manufacturer and pushed out to all devices of that type and version as needed.
• Remote attestation at boot and runtime of firmware. Technical controls are established by a small set of experts at the vendor aligned to NIST SP 800-193 to provide firmware assurance, and in some cases the Trusted Computing Groups (TCG) Reference Integrity Manifest Information Model and validated using attestation from a root of trust (RoT) on every system.
• CIS Benchmarks and CIS Controls are managed by a team of experts and broadly applied across systems and applications. CIS Benchmarks and trusted CIS Controls can be used to prioritize remediation based on informed risk levels as an important step you can take now in this transition to the endpoint.

The Future of Security and Defense

The path and conclusions for this blog were reached through reading all standards published for four years in the IETF, gathering information on the “Effect of Pervasive Encryption on Operators” as documented in RFC8404, and analysis on industry direction and trends. This blog begins a series that will dive deeper aligned to the goal of motivating adoption of architectural patterns that scale as discussed in, “Transforming Information Security: Optimizing Five Concurrent Trends to Reduce Resource Drain”.

Kathleen Moriarty
Chief Technology Officer

Kathleen Moriarty, Chief Technology Officer, Center for Internet Security has over two decades of experience. Formerly as the Security Innovations Principal in Dell Technologies Office of the CTO, Kathleen worked on ecosystems, standards, and strategy. During her tenure in the Dell EMC Office of the CTO, Kathleen had the honor of being appointed and serving two terms as the Internet Engineering Task Force (IETF) Security Area Director and as a member of the Internet Engineering Steering Group from March 2014-2018. Named in CyberSecurity Ventures, Top 100 Women Fighting Cybercrime. She is a 2020 Tropaia Award Winner, Outstanding Faculty, Georgetown SCS.