Nearly 10 years ago, a number of security professionals presented a new approach to cybersecurity called “adaptive security.” Gartner, SANS, and Sun Microsystems began highlighting adaptive security, which was envisioned as a new way to protect businesses as the traditional network perimeter became less relevant. Enterprises were beginning to adopt cloud services, software-defined infrastructure and mobile computing, resulting in applications and data being exposed to a dynamic, evolving set of threats. These trends required security to be automated and capable of changing on demand based on context to improve security decisions.
Today Gartner continues to emphasize adaptive security as a top strategic technology trend for enterprises. Enterprises face sophisticated cyber-attacks that force them to play constant defense using a patchwork of security tools.
Adaptive security addresses these challenges without relying on traditional blocking and prevention measures and is now able to leverage exciting advancements in application architecture, data instrumentation, and advanced analytics. Here are three innovations enabling the new model for enterprise security:
Microservices and containers unlock security automation and scalability
Adaptive security requires that threat visibility, detection, and prevention continuously change and scale at the speed of applications being protected. Nowadays applications are continuously launched, moved, or destroyed using automated release pipelines, APIs, and cloud platforms, resulting in rapidly changing attack surfaces. Existing security tools and manual workflows cannot keep up, leaving enterprise assets susceptible to attack.
New application architectures now enable the automation and scalability that adaptive security requires. Microservices can deliver security components that interface programmatically, eliminating fragmented silos throughout the security stack. Security tools can leverage container technologies such as Docker, Kubernetes, and Mesosphere DCOS for delivering services that are scalable, portable, and orchestrated alongside the applications they protect. Containers also provide a basis for higher fidelity threat discovery.
Since applications running in containers are designed to be minimalistic and immutable and to perform very specific functions, deviations from their expected behavior stand out clearly, which makes malicious activity easier to discover.
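A small illustration of that idea, added here as an example and not taken from the article: each single-purpose container gets a baseline of the binaries it is expected to execute and the ports it is expected to reach, and any event outside that baseline is flagged. The baseline, the container names and the event records are all constructed for the example; a real collector (auditd, BPF or similar) would supply the events.

```python
"""Flag deviations from a minimal container's expected behaviour (added example)."""

# Constructed baseline: a single-purpose container should run only a fixed set of
# binaries and open connections only to a fixed set of ports.
BASELINE = {
    "web-frontend": {"execs": {"/usr/sbin/nginx"}, "ports": {443}},
    "order-api": {"execs": {"/usr/local/bin/order-api"}, "ports": {5432}},
}

# Constructed exec/connect events, in the shape a host-level collector might emit
# once each record has been attributed to the container it came from.
SAMPLE_EVENTS = [
    {"container": "web-frontend", "type": "exec", "path": "/usr/sbin/nginx"},
    {"container": "order-api", "type": "connect", "port": 5432},
    {"container": "web-frontend", "type": "exec", "path": "/bin/sh"},
    {"container": "web-frontend", "type": "exec", "path": "/usr/bin/curl"},
    {"container": "order-api", "type": "connect", "port": 6667},
    {"container": "unknown-job", "type": "exec", "path": "/bin/true"},
]


def find_deviations(events, baseline=BASELINE):
    """Return (container, reason) pairs for every event outside the baseline.

    A container with no baseline at all is itself a finding: an immutable,
    pre-declared fleet should not contain workloads nobody has profiled.
    """
    findings = []
    for ev in events:
        profile = baseline.get(ev["container"])
        if profile is None:
            findings.append((ev["container"], "no baseline for container"))
            continue
        if ev["type"] == "exec" and ev["path"] not in profile["execs"]:
            findings.append((ev["container"], f"unexpected exec {ev['path']}"))
        elif ev["type"] == "connect" and ev["port"] not in profile["ports"]:
            findings.append((ev["container"], f"unexpected outbound port {ev['port']}"))
    return findings


def deviations_by_container(events, baseline=BASELINE):
    """Count findings per container so the noisiest workload surfaces first."""
    counts = {}
    for container, _reason in find_deviations(events, baseline):
        counts[container] = counts.get(container, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for container, reason in find_deviations(SAMPLE_EVENTS):
        print(f"{container}: {reason}")
```

Because the baseline is tied to an immutable image rather than a host, it can be shipped and updated through the same release pipeline that deploys the container.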
Data instrumentation delivers better security context
Adaptive security is designed to enable precise security decisions based on the context in which applications and users operate: time of day, location, data sensitivity, and so on. Rather than relying on rigid blocking methods such as network segmentation rules and signature-based detection, adaptive security acts on data captured through continuous monitoring of network traffic, application activity, user behavior, endpoint states, and other relevant datasets to gain as much context as possible.
Several innovations in data instrumentation and processing now allow enterprises to obtain the level of context that adaptive security needs. Interfaces are readily available to capture data that serves as an actionable “source of truth.” Examples include auditd and the Berkeley Packet Filter, both supported in the Linux kernel, and tools such as osquery that have been contributed to the open source community.
Recently cloud providers like AWS have announced new distributed tracing services. In parallel, numerous frameworks such as Spark, Flink, and Kafka have emerged to rapidly process large volumes of data.
Advanced analytics and machine learning enhance detection capabilities
Highly scalable applications, coupled with comprehensive instrumentation, generate data velocities that surpass what security operators can analyze. Adaptive security relies on automated analysis with effective detection to generate actionable insight for security operators.
After infiltrating systems, attackers are increasingly conducting extended reconnaissance before executing exploits, effectively blending in while biding their time. Security systems must be able to pinpoint the indicators that underlie this malicious dwell time.
Recent breakthroughs in machine learning can help spot these attack precursors more effectively. Machine learning enhances pattern recognition, classification, and decisions about what constitutes an actual threat. For example, drive-by cyber-attacks can execute payloads, exfiltrate data, and kill applications within seconds, leaving only minimal traces behind for security teams to investigate.
Machine learning can quickly detect this activity as it progresses and help preempt completion of the attack by leveraging techniques such as neural network algorithms and deep learning. Machine learning should not be viewed as a panacea for existing security challenges, but it has a valuable role in augmenting existing security tools.
Today every enterprise is defending against cyber-attacks that easily bypass the existing blocking and prevention-based defenses they have relied on for too long. When adaptive security was first proposed almost ten years ago, it was a forward-looking vision for how cybersecurity technology would evolve. In the years since, the industry has made steady progress towards that vision. The future of cybersecurity has arrived.