Adding Context to Policy
When defining policy in security tools there are often two primary camps individuals fall into; false positive or false negative based policy creation and tuning. Each school of thought has its advantages and disadvantages and many times security professionals become polarized into one group or the other. As next generation technologies enter the market and cyber threat intelligence (CTI) begins to become a staple in the industry, a new school of context-based policy thinking has emerged. To comprehend how to leverage context-based policy, knowledge of traditional false positive and false negative policy creation and tuning is needed. Based on an understanding of these models, we can explore how to leverage context and CTI to move to a mature context-based policy.
False Positive-Based Policy
When defining policy to eliminate false positives, the concept is that by generating fewer events, the events become more actionable and can be more readily mitigated through blocking. This school of thought has existed for many years. Through a highly refined blocking policy, this approach is less likely to impact end users and services. Heightened operational overhead is incurred as the ability to effectively keep these policies updated and provide coverage on the ever-changing risk landscape requires constant tuning. Additionally, this policy type leads to the generation of false negatives where a security event may not be triggered or blocked if the policy lacked comprehensiveness.
False Negative-Based Policy
Recognizing these problems, some individuals began to move towards a false negative policy model. This can generate an abundance of events that require analysts to manually remove false positives or rely on the correlation from a security information and event management (SIEM) solution to determine if the event is actionable. Additionally, usage of this policy type can also impact users and services through indiscriminate blocking. This approach has inflated storage, events per second (EPS) and created a heightened artificial reliance on SIEM. While I am not advocating for the exclusion of SIEM in a security program, it should not serve as a compensation for a tool’s inability to perform in the context of an organization’s environment.
As next generation firewall and intrusion detection and prevention technologies have begun to displace traditional devices, we have the ability to add context to policy. By adding context to events we can move towards a model that reduces false positives and improves blocking through an understanding of the event as it relates to external factors.
Utilizing context aware policies and blocking decisions allows for external data sets such as user identity, role, operating system and patch level to directly influence decisions. This may be done in an automated fashion using next generation toolsets or through manual processes tied to legacy technologies.
CTI can provide awareness to the threats and trends that are currently facing an organization’s industry. This process enables intelligence leading to context; factors targeting your industry can be acknowledged and influence the policy defined in tools. Combining intelligent policy decisions with correlation allows your organization to positioning itself to bring contextual awareness to your security program and make sense of the noise.
As organizations become aware of the changes in the security landscape, the opportunity to improve on the traditional policy models is highlighted. More data, more traffic and higher user experience expectations require contextual policies. Inclusion of these policies can occur through utilization of next generation and cyber threat intelligence technologies. By utilizing these technologies, organizations can reduce operations, risk and impact to users and services.