Adaptive security is a cybersecurity model made up of four phases, prediction, prevention, detection, and response. The process was developed in response to the de-centralization of IT ecosystems to accommodate hybrid working environments and the porting of systems to the cloud.
The perimeter that once defined a network no longer exists. Organizations are leveraging cloud technology and shifting towards hybrid work environments. The de-centralization of IT ecosystems is becoming increasingly difficult to defend. Effective perimeter security acted as a shield or armor from outside attacks, but as the surface area of networks continues to grow, so too does the attack area. This means that there are more ways for attackers to get into your network. Security professionals need to bolster their armor and add an immune system to their network. Adaptive security provides a framework to develop that immune system.
Breaking down adaptive security into its four major components, Prediction, the first component is used to assess risks and develop plans to defend against threats. To effectively plan a defense strategy, organizations need to be up to date with the current security trends. Proactive data collection and analysis is an integral part of the prediction process. Red Sky Alliance collects and maintains a number of datasets including botnet tracking, breach data, dark web data, keylogger data, malicious emails, sinkhole data, and more. Data is important, however without analysis data is not intelligence. Analysts can use this data to identify security trends and guide decision makers on how to best implement controls to protect their information.
The Prevention phase of the Adaptive security framework is organization specific. Some prevention techniques that work for one industry might not transfer as well to another industry. Conducting a risk analysis should help provide decision makers with the information they need to prioritize security systems. Some principles are universally accepted including the principle of least privilege and zero trust network access. Limiting a user’s ability to access information to only what they need minimizes the likelihood of an attacker compromising a privileged account. The zero-trust methodology assumes that a breach is inevitable or already occurred. Zero-trust requires an aggressive approach to monitoring, management, and defense. Zero-trust also assumes that all resource requests and traffic may be malicious, or that systems have already been compromise. There is always an assumed risk when letting people access your network, in practice, the right user, should be using the right device, and the right application. By monitoring how people, devices, and data are behaving and intervene if actions look malicious detection is simplified. Security practitioners can protect their organizations assets.
The third phase of the adaptive security model is Detection. Zero-trust can play an important role in the detection phase especially if aggressive monitoring techniques are used to identify malicious behavior. While organizations are monitoring their systems, Red Sky Alliance can provide breach data collected from leaks on the deep and dark web. This data can help identify breaches that went undetected so your organization can take the appropriate responsive actions. Our breach data collections include raw data from database breaches scraped from both dark web and public breach disclosures. Our breach data frequently includes email and password combinations and, in some cases, other Personally Identifiable Information (PII).
The Response phase is the final stage of the adaptive security model. Once a security event or incident is detected an organization’s security team must take action. This usually follows an incident response plan and a forensic investigation. Collecting evidence is a key part of the forensic investigation. Organizations can use Red Sky Alliance breach data and threat data collections to confirm suspected incidents and take corrective actions. Red Sky Alliance’s Threat Recon data includes Indicators of Compromise (IoCs), Yara rules, and Snort rules used to identify malicious activity. The corrective actions could include improvements to the organization’s security methodology, changing technical controls, or changing policies.
The post incident review is often overlooked as an organization returns to normal operations. This is a critical step in which security professionals reflect on the response process, and in adaptive security this should include improvements to each phase of the methodology. Using hindsight to determine more effective processes for prediction, prevention, detection, and response can help an organization maintain a sound security posture against increasingly advanced threat actors targeting enterprises. Using tools like the Cyber Threat Analysis Center (CTAC), RedPane, and RedXray, by Red Sky Alliance provides data that organizations can use to improve their adaptive security processes.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs. com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings