As a United States Marine, one of the sayings burned into the fabric of my soul is “Stay positive, Marine.” In boot camp this was “Stay positive, recruit,” and you would hear it repeatedly. On a mildly irritating day, to have someone suddenly yell “stay positive” lands almost like an insult. Now magnify it by hearing it on your worst day, day after day. One might imagine you would grow to hate it. I did not. I have found it to come up regularly in life, and especially in a life in cybersecurity. The days get long. The journey of change in an organization seems endless, and let’s face it, there is never a “done” in this career. There will always be a new threat, there will always be a user who clicks, and there will always be blind spots for attackers to hide in. Staying positive is something I have adopted as a mindset, and thank you to all my brother and sister Marines for imparting this lesson. So, what does all of this have to do with a positive security model?
In cybersecurity, it is easy to become pessimistic. It is easy to become jaded. After all, if you follow any cyber news, it seems as if, regardless of the time and effort we have spent to make a safer digital society, we fail over and over again. Organizations fail to invest, prioritize, and create a culture of security. Nation-states fail to curb cyber-criminal and nation-state hacking activities. Vendors fail to protect their source code. Employees fail and click, and the circle of cyber goes round and round. This is the easy path. The path of pessimism.
I prefer the harder path. The path of optimism and positivity.
I am lucky: I often meet with teams winning daily. In a lot of these cases, these wins can’t be publicly spoken about. These wins can’t be shared outside of NDA meetings or dark-cornered meetings at DEF CON or Black Hat, where the unwritten rule of “what happens in Vegas stays in Vegas” applies, or more correctly, what gets said in Vegas stays there. I am optimistic for several reasons. I am optimistic that the people of cyber are driving massive amounts of change at all levels: from Jen Easterly and the great work CISA has been doing, to the everyday analysts triaging alerts and tickets, to the threat hunters looking for evil lurking in their systems. We are sharing more than ever. We are rallying to the right frameworks and tools. Just look at the impact MITRE ATT&CK has had on the industry. I am optimistic about tools and platforms that are providing more value than ever. I have been in this industry for 25 years, and trust me, it used to feel like we were swinging against the world with both hands tied behind our backs. Gone are the days when cybersecurity isn’t in the mainstream news. Gone are the days when boards aren’t concerned about it. Gone are the days when consumers are blissfully unaware that their data is constantly at risk. We have made massive amounts of progress.
Staying on the topic of remaining positive, I want to address positive security models and their impact on winning teams. Let’s start by defining what a positive security model for a workload is.
What is a Positive Security Model?
A positive security model works by allowing only known-good binaries to run on a workload. Essentially, it states that these binaries or publishers are trusted based on what is already known about the environment. This eliminates the need to maintain a list of things that someone has declared “known to be evil.” Most workload protection platforms operate on a negative model. This has advantages, but also disadvantages that attackers still take advantage of: that new piece of custom ransomware or the latest wiper may evade or bypass a negative model, because nobody has seen it yet. A well-tuned positive security model will be well positioned to defend against that attack time and time again. I think positive security models take more effort to implement. You must understand the environment and how users interact with applications. I will argue time and time again that this time is well spent and pays massive dividends year after year for organizations managing this model.
Governments and the financial sector across the globe are implementing positive security via VMware’s Application Control. Critical infrastructure is seeing immense value in it. It is part of PCI-DSS.
So why aren’t you more positive about your program?
Key Benefits of a Positive Security Model
- Stop unwanted malicious applications from executing
- Ensure Continual Compliance
- Gain Trust
- Stop malware, ransomware, and next-gen attacks
- Eliminate unplanned downtime of critical systems
- Consolidate endpoint agents
- Prevent unwanted changes to system configuration
- Meet IT risk and audit controls across major regulatory mandates
- Increase efficiency of IT resources with streamlined IT audit processes
- Protect legacy systems running on unsupported operating systems
Gaining control over the applications on workloads and endpoints allows teams to spend less time chasing false positives, increases trust, and protects legacy operating systems. Application Control customers know their environment and understand the baseline of activity. This allows them to know normal and find evil faster.
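To make the difference between the two models concrete, here is an added example (my own illustration, not VMware Application Control’s code or policy format). It learns an allowlist from a constructed “clean system” inventory, as the baseline idea above describes, and then runs the same execution requests through a positive model and a negative model. The paths, publisher names and byte strings standing in for executables are all made up; a real product would take the hash and signer from the file on disk.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for executables: the byte strings replace real file
# contents so the hashes are reproducible offline. Paths and publisher names
# are made up for this example.
CLEAN_BASELINE: Dict[str, Tuple[bytes, Optional[str]]] = {
    "C:/Windows/System32/notepad.exe": (b"notepad-build-1", "Microsoft Windows"),
    "C:/Program Files/ExampleVendor/app.exe": (b"app-build-1", "Example Vendor Inc"),
    "C:/Legacy/billing.exe": (b"billing-2004", None),  # unsigned legacy binary
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class ExecRequest:
    path: str
    content: bytes
    publisher: Optional[str]  # signer name from a verified signature, None if unsigned


class PositiveModel:
    """Allowlist: only hashes or publishers learned from a trusted baseline may run."""

    def __init__(self) -> None:
        self.trusted_hashes: set = set()
        self.trusted_publishers: set = set()

    def learn_baseline(self, inventory: Dict[str, Tuple[bytes, Optional[str]]]) -> None:
        # Inventory captured from a known-clean system: hash every binary, and
        # trust the publisher of every signed one so legitimate updates still run.
        for content, publisher in inventory.values():
            self.trusted_hashes.add(sha256_hex(content))
            if publisher:
                self.trusted_publishers.add(publisher)

    def decide(self, req: ExecRequest) -> Tuple[str, str]:
        if sha256_hex(req.content) in self.trusted_hashes:
            return "allow", "hash in baseline"
        if req.publisher and req.publisher in self.trusted_publishers:
            return "allow", "signed by trusted publisher"
        return "deny", "not in baseline"  # default deny: unknown means no


class NegativeModel:
    """Blocklist: everything runs unless its hash is already known bad."""

    def __init__(self, bad_hashes: List[str]) -> None:
        self.bad_hashes = set(bad_hashes)

    def decide(self, req: ExecRequest) -> Tuple[str, str]:
        if sha256_hex(req.content) in self.bad_hashes:
            return "deny", "hash on blocklist"
        return "allow", "not known bad"  # default allow: unknown means yes


def evaluate(requests: List[ExecRequest], positive: PositiveModel,
             negative: NegativeModel) -> List[Tuple[str, str, str]]:
    """Return (path, positive verdict, negative verdict) for each request."""
    return [(r.path, positive.decide(r)[0], negative.decide(r)[0]) for r in requests]


def demo() -> List[Tuple[str, str, str]]:
    positive = PositiveModel()
    positive.learn_baseline(CLEAN_BASELINE)
    # The blocklist only knows the one sample somebody has already seen.
    negative = NegativeModel([sha256_hex(b"ransomware-sample-seen-before")])
    requests = [ExecRequest(p, c, pub) for p, (c, pub) in CLEAN_BASELINE.items()] + [
        # signed update from a publisher already in the baseline
        ExecRequest("C:/Program Files/ExampleVendor/app.exe", b"app-build-2", "Example Vendor Inc"),
        # the sample the blocklist knows about
        ExecRequest("C:/Users/bob/Downloads/invoice.exe", b"ransomware-sample-seen-before", None),
        # a variant nobody has a signature for yet
        ExecRequest("C:/Users/bob/Downloads/invoice(1).exe", b"ransomware-never-seen", None),
        # the unsigned legacy binary, but its contents were modified on disk
        ExecRequest("C:/Legacy/billing.exe", b"billing-2004-modified", None),
    ]
    return evaluate(requests, positive, negative)


if __name__ == "__main__":
    for path, pos, neg in demo():
        print(f"{path:45s} positive={pos:5s} negative={neg}")
```

The last two requests are the point of the article: the never-seen variant and the tampered legacy binary both sail through the blocklist, because it can only deny what someone has already catalogued, while the allowlist denies them without anyone having to know they were bad. The cost shows up in the baseline step: the allowlist is only as good as your understanding of what legitimately runs in the environment.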
Every single time I meet with a customer who is running application control, they tell me how they are winning with it. They tell me how it allows them to sleep at night. They tell me how, when everyone else is scrambling to combat the latest zero-day, they can approach their leadership and organizations with a higher degree of confidence and certainty. No security model is perfect, and certainly no technology is; however, taking a positive approach to your security program will give you peace of mind that you don’t have today.