Infrastructure Security Research Agenda 2011—Part 1: Positivity

By Mike Rothman

Ah yes, it’s that time of year. Time for predictions and pontification and soothsaying and all sorts of other year-end comedy. As I told the crowd at SecTOR, basically everyone is making sh*t up. Sure, some have somewhat educated opinions, but at the end of the day nobody knows what will kill us in 2011. Except for the certainty that it will be something. We just don’t know what that something will be.

As the Securosis plumber, I cover infrastructure topics, which really means network and endpoint security, as well as some security management stuff. It’s a lot of ground to cover. So I’ll be dribbling out my research agenda in 4-5 posts over the next week. The idea here is to get feedback on these positions and refine them. As you’ll see, all of our blog series (which eventually become white papers) originate from the germs of these concepts. So don’t be bashful. Tell us what you think – good, bad, and ugly.

Before I get started, in order for my simple mind to grasp the entirety of securing the infrastructure, I’ve broken the topics up into buckets I’ll call ingress and egress.

  • Ingress is protecting your critical stuff from the bad folks out there. Now that the perimeter is mostly a myth, I’m not making an insider/outsider distinction here. Network security (and some other stuff) fits into this area.
  • Egress is working to protect your devices from bad stuff. This involves protecting the endpoints and mobile devices, with device-resident solutions, as well as gateways and cloud services aimed at protection.

Ingress Positivity

I’m going to start off with my big thought, and for a guy who has always skewed toward ‘half-empty’, this is progress. For most of its existence, security has used a negative security model, where we look for bad things – usually using signatures or profiles of known bad behavior. That model is broken. Big time. We’ll see like 25+ million new malware samples this year. We can’t possibly look for all of them (constantly), so we have to change the game. We have to embrace the positive.

That’s right, positivity is about embracing a positive security model anywhere we can. This means defining a set of acceptable behaviors and blocking everything else. Sounds simple, but it’s not. Positivity breaks things. Done wrong, it’ll break your applications and your user experience. It’ll keep your help desk busy and make you a pariah in the lunch room. But it’s probably your only chance of turning the tide against many of these new attacks.

This isn’t a new concept. A lot of folks have implemented default deny on their perimeters, and that’s a good thing. Application white listing on the endpoint has been around for a while, and achieved some success in specific use cases. But there are lots of other places we need to defend, so let’s list them out.

  1. Perimeter Gateway: We discussed this in the Enterprise Firewall paper, but there is a lot more to be said, including how to implement positivity on the EFW or UTM without getting fired. We also need to look critically at the future of IDS/IPS, given that it is really the manifestation of a negative security model, and there is significant overlap with the firewall moving forward.
  2. Web Application Firewall (WAF): The WAF needs to be more about a positive security model (right now it’s mostly negative), so our research will focus on how to leverage WAF for maximum effect. Again, there is significant risk of breaking applications if the WAF rules are wrong. We will also examine current efforts to do the first level of WAF in the cloud.
  3. The Return of HIPS: HIPS got a bad rap because it was associated with signatures (given its unfortunate name), but that’s not how it works. It’s basically a white listing approach for app servers. Our research here will focus on how to deploy HIPS without breaking applications, and working through the inevitable political issues of trying to work with other IT ops teams for deployment, given how much they enjoy it when the security team starts mucking around with their things.
  4. Database Positivity: One feature of current Database Activity Monitoring products is the ability to block queries/commands that violate policy. We will delve into how this works, how to do it safely, and how layering positivity at different layers of the infrastructure can provide better security than we’ve been able to achieve previously.
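To make the positive-versus-negative distinction concrete for the WAF item above (the same pattern applies to the firewall, HIPS and DAM cases), here is an added example, not code from the original post or from any Securosis research. It puts a toy signature-based (negative) check next to a toy allow-list (positive) policy for a hypothetical `/search` endpoint and shows the two behaviours the post describes: the positive model blocks input that no signature knows about, and it also blocks a perfectly legitimate new parameter the policy was never told about. The `enforce` flag and the log-only rollout mode are my assumptions about how a practitioner would stage such a policy, not a feature of any named product; all signatures, patterns and requests are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# --- Negative model: block only what matches a known-bad signature ---
# Constructed signature list; real products carry far more, and still miss novel input.
BAD_SIGNATURES = [
    re.compile(r"(?i)union\s+select"),
    re.compile(r"(?i)<script"),
    re.compile(r"\.\./"),
]


def negative_model(params: Dict[str, str]) -> Optional[str]:
    """Return a reason to block, or None to allow. Anything unmatched passes by default."""
    for name, value in params.items():
        for sig in BAD_SIGNATURES:
            if sig.search(value):
                return f"signature match on {name!r}: {sig.pattern}"
    return None


# --- Positive model: allow only what the policy defines, block everything else ---
@dataclass
class PositivePolicy:
    allowed: Dict[str, "re.Pattern[str]"]     # parameter name -> pattern the whole value must match
    enforce: bool = True                      # False = log-only mode during rollout (assumed practice)
    log: List[str] = field(default_factory=list)

    def check(self, params: Dict[str, str]) -> Optional[str]:
        """Return a reason to block, or None to allow. Violations are logged either way."""
        reasons = []
        for name, value in params.items():
            pat = self.allowed.get(name)
            if pat is None:
                reasons.append(f"unknown parameter {name!r}")
            elif not pat.fullmatch(value):
                reasons.append(f"{name!r}={value!r} outside allowed pattern")
        if reasons:
            self.log.extend(reasons)
            return "; ".join(reasons) if self.enforce else None
        return None


def example_policy(enforce: bool = True) -> PositivePolicy:
    # Constructed policy for a hypothetical /search endpoint: two parameters, fixed shapes.
    return PositivePolicy(
        allowed={
            "id": re.compile(r"[0-9]{1,10}"),
            "q": re.compile(r"[A-Za-z0-9 ]{0,64}"),
        },
        enforce=enforce,
    )


def compare(params: Dict[str, str], enforce: bool = True) -> Dict[str, Optional[str]]:
    """Run one request through both models and return each verdict (None = allowed)."""
    return {
        "negative": negative_model(params),
        "positive": example_policy(enforce).check(params),
    }


if __name__ == "__main__":
    # Constructed requests covering the cases discussed in the post.
    cases = {
        "known attack":        {"id": "1 UNION SELECT 1"},   # both models block
        "novel bad input":     {"id": "42 OR 1=1"},          # only the positive model blocks
        "legit new parameter": {"id": "42", "sort": "asc"},  # positive model breaks the app
        "normal request":      {"id": "42", "q": "router firmware"},
    }
    for label, params in cases.items():
        print(f"{label:22s} enforce: {compare(params)}")
    print(f"{'legit new parameter':22s} log-only: {compare(cases['legit new parameter'], enforce=False)}")
```

The "legit new parameter" case is the one that gets people fired: the application team adds a `sort` parameter, the allow-list was never updated, and the positive policy blocks every request that uses it. Running the policy in log-only mode first, and reviewing `log` before flipping `enforce`, is the usual way to find those gaps before they become outages.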

Notice I didn’t mention application white listing specifically here, because we are focused on ingress. Application white listing will be a key topic when I talk about egress later this week.

To be clear, the path to my definition of positivity is long and arduous. It won’t be easy and it won’t be widespread in 2011, but we need to start moving in that direction now – using technologies such as DAM, HIPS, and application aware firewalls. The old model doesn’t work. It’s time for a new one. Stop surrounding yourself with negativity. Embrace the positive and give yourself a chance.

I’m looking forward to your comments. Don’t be bashful.


@ds - I don’t underestimate the difficulty of deploying a positivity-based model at all. In fact, I know most organizations will fail (if they even try) because of the reasons you state. I didn’t connect the dots before, but I’ve been calling for a move for security professionals to become business savvy for years (that’s what the P-CSO is all about), and this is just another manifestation.

But as @Lubinski points out, the alternative is not very good. Status quo (even if we control it) isn’t working and I’d posit (and I doubt most would argue) that a negative security structure will never work. Not given what we know about how attacks happen.

Just because it’s hard, doesn’t mean we shouldn’t do it. And I’m not interpreting your point (@ds) as anything more than the reality that many practitioners won’t be capable of making the jump. Just as many IT professionals couldn’t make the jump from mainframes to open systems in the 90’s. Those that did, profited handsomely. Those that didn’t milked consulting contracts until June of 2000 and then became irrelevant.

We’ll likely see the same thing. In 10 years, the wave of security professionals won’t think a positive security model is novel, it’s just the way things are done. And the folks that can’t make that jump will become extinct.

And yes, I’ll be working my ass off over the next decade to make this into a self-fulfilling prophecy. Not only to stroke my substantial ego, but also because I believe it’s the right thing to do.

Thanks for the comments guys.

By Mike Rothman

This will be a long and arduous road to go down but I believe we have no choice. You are already starting to see technologies that leverage this type of positive thinking but its widespread use in areas of security are few and far between, for now.

I agree with ds by stating that we will need to redefine our career path to be more suited towards the business end rather than the technical end. I believe a good ratio would be 70% business and 30% technical on a good day. This is inevitable I believe.

Security does not come without compromise; it is the usability and security see-saw all over again. Things are changing, #$@# or get off the pot.

By Lubinski

Your post ignores the reasons behind the choices we’ve made and the impact of changing those choices. I believe we use a blacklist approach because we can generally gather all the criteria to implement it independently. By this I mean that we can research current threats and attack types, analyze them for patterns, and build and deploy tools to detect those patterns. All technology, right in the wheelhouse of the vast majority of people in the business.

Take the white list approach and you redefine our career requirements, and in doing so you exclude the bulk of the practitioners. I don

By ds