
Adding Context to Policy

April 14, 2015

When defining policy in security tools, individuals tend to fall into one of two camps: policy creation and tuning that minimizes false positives, or policy creation and tuning that minimizes false negatives. Each school of thought has its advantages and disadvantages, and security professionals often become polarized into one group or the other. As next-generation technologies enter the market and cyber threat intelligence (CTI) becomes a staple in the industry, a third school of context-based policy thinking has emerged. To understand how to leverage context-based policy, one first needs to understand traditional false positive and false negative policy creation and tuning. With those models understood, we can explore how to leverage context and CTI to move to a mature context-based policy.

False Positive-Based Policy

When defining policy to eliminate false positives, the premise is that generating fewer events makes each event more actionable and more readily mitigated through blocking. This school of thought has existed for many years. Because the blocking policy is highly refined, this approach is less likely to impact end users and services. The cost is operational overhead: keeping these policies updated and maintaining coverage of an ever-changing risk landscape requires constant tuning. This policy type also produces false negatives, since a security event may go undetected or unblocked wherever the policy lacks coverage.

False Negative-Based Policy

Recognizing these problems, some practitioners moved towards a false negative policy model, tuning for coverage rather than precision. This can generate an abundance of events that require analysts to manually weed out false positives, or that rely on correlation in a security information and event management (SIEM) solution to determine whether an event is actionable. Usage of this policy type can also impact users and services through indiscriminate blocking. The approach inflates storage and events per second (EPS) requirements and creates an artificial reliance on SIEM. I am not advocating for excluding SIEM from a security program, but it should not compensate for a tool’s inability to perform in the context of an organization’s environment.

Adding Context

As next-generation firewall and intrusion detection and prevention technologies displace traditional devices, we gain the ability to add context to policy. By adding context to events we can move towards a model that reduces false positives and improves blocking through an understanding of the event as it relates to external factors: who the user is, what the target is running, and whether the activity matches threats currently aimed at the organization.

Context-aware policies and blocking decisions allow external data sets such as user identity, role, operating system and patch level to directly influence the decision. For example, an exploit signature for a flaw that the target host has already patched need not raise a high-priority alert, while the same signature against an unpatched host used by a targeted role warrants blocking. This may be done automatically with next-generation toolsets or through manual processes tied to legacy technologies.

CTI provides awareness of the threats and trends currently facing an organization’s industry. That intelligence becomes context: the actors, indicators and targets relevant to your industry can be acknowledged and can shape the policy defined in tools. Combining intelligent policy decisions with correlation positions your organization to bring contextual awareness to your security program and make sense of the noise.
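The following is an added example, not code from the original post or from any vendor product. It models the disposition logic described in the two paragraphs above: the same intrusion-prevention signature is suppressed, logged, alerted on or blocked depending on asset context (operating system, patch level), identity context (the role of the user on the host) and CTI (source indicators and targeted roles active against the organization's sector). The inventory, intelligence feed, signature fields and patch-level numbers are all constructed for illustration, and the field names are assumptions rather than any product's schema.

```python
"""Context-aware disposition of IPS events (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    ip: str
    os: str            # operating system family, from the asset inventory
    patch_level: int   # constructed monotonically increasing patch level
    user_role: str     # role of the logged-on user, from the identity source


@dataclass(frozen=True)
class Event:
    sig_id: int
    name: str
    src_ip: str
    dst_ip: str
    target_os: Optional[str] = None  # OS the exploit applies to, if OS-specific
    fixed_in: Optional[int] = None   # patch level at which the flaw is closed


@dataclass(frozen=True)
class Intel:
    hostile_ips: FrozenSet[str]     # indicators currently active against our sector
    targeted_roles: FrozenSet[str]  # user roles current campaigns are going after


# Constructed asset inventory keyed by IP (assumption: one user per host).
INVENTORY: Dict[str, Asset] = {
    "10.0.1.10": Asset("10.0.1.10", "windows", patch_level=12, user_role="finance"),
    "10.0.1.20": Asset("10.0.1.20", "linux", patch_level=30, user_role="developer"),
    "10.0.1.30": Asset("10.0.1.30", "windows", patch_level=45, user_role="helpdesk"),
}

# Constructed CTI: one hostile source and one targeted role.
INTEL = Intel(hostile_ips=frozenset({"203.0.113.7"}), targeted_roles=frozenset({"finance"}))


def disposition(ev: Event, inventory: Dict[str, Asset] = INVENTORY,
                intel: Intel = INTEL) -> Tuple[str, List[str]]:
    """Return (action, reasons) for one event.

    Actions: 'suppress' (cannot apply), 'log' (record only), 'alert' (analyst
    review), 'block' (inline prevention). Context is used first to rule events
    out, then to escalate those that remain.
    """
    asset = inventory.get(ev.dst_ip)
    hostile = ev.src_ip in intel.hostile_ips
    reasons: List[str] = []

    if asset is not None:
        # Asset context: the exploit cannot apply to a different OS, and a
        # host at or above the fix level is not exposed to the flaw.
        if ev.target_os and asset.os != ev.target_os:
            return "suppress", [f"signature targets {ev.target_os}, host runs {asset.os}"]
        if ev.fixed_in is not None and asset.patch_level >= ev.fixed_in:
            return "log", [f"patch level {asset.patch_level} closes flaw fixed in {ev.fixed_in}"]
        exposed = ev.fixed_in is not None          # known flaw, host below fix level
        targeted_role = asset.user_role in intel.targeted_roles
        if exposed:
            reasons.append(f"host patch level {asset.patch_level} is below fix {ev.fixed_in}")
        if targeted_role:
            reasons.append(f"role '{asset.user_role}' is currently targeted per CTI")
    else:
        # No inventory record: nothing can rule the event out, so treat as exposed.
        exposed, targeted_role = True, False
        reasons.append("destination not in inventory; exposure cannot be ruled out")

    if hostile:
        reasons.append(f"source {ev.src_ip} is an active indicator for our sector")

    # Escalation: intelligence plus a corroborating local factor justifies blocking;
    # any single factor justifies an alert; a bare signature match is only logged.
    if hostile and (exposed or targeted_role):
        return "block", reasons
    if hostile or exposed or targeted_role:
        return "alert", reasons
    return "log", reasons or ["signature matched, no corroborating context"]


def dispositions(events: List[Event]) -> List[str]:
    """Actions for a batch of events, in order."""
    return [disposition(ev)[0] for ev in events]


# Constructed sample events: the same signature (2001) lands three different ways.
EVENTS = [
    Event(2001, "smb-rce-exploit", "203.0.113.7", "10.0.1.10", target_os="windows", fixed_in=20),
    Event(2001, "smb-rce-exploit", "203.0.113.7", "10.0.1.20", target_os="windows", fixed_in=20),
    Event(2001, "smb-rce-exploit", "198.51.100.5", "10.0.1.30", target_os="windows", fixed_in=20),
    Event(3002, "generic-scan", "198.51.100.5", "10.0.1.30"),
    Event(3002, "generic-scan", "203.0.113.7", "10.0.9.9"),
    Event(3003, "office-macro-download", "198.51.100.9", "10.0.1.10", target_os="windows"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        action, why = disposition(ev)
        print(f"sig {ev.sig_id} {ev.src_ip} -> {ev.dst_ip}: {action:8s} {'; '.join(why)}")
```

Run as a script to see each event with the reasons behind its disposition. The ordering matters: asset context is applied first to eliminate events that cannot be true positives (wrong OS, already patched), which is where the false-positive camp's volume reduction comes from, and CTI is then used to escalate what remains rather than to generate more events. A host missing from the inventory is deliberately treated as exposed, so an incomplete inventory degrades towards more alerts rather than silent misses.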

Moving Forward

As organizations become aware of changes in the security landscape, the opportunity to improve on the traditional policy models becomes clear. More data, more traffic and higher user experience expectations require contextual policies. These policies can be introduced through next-generation and cyber threat intelligence technologies. By utilizing them, organizations can reduce operational overhead, risk and impact to users and services.
