One of the things I enjoy about my role at Forcepoint is how it sometimes gives me the time and space to just lean back, listen, and think about how folks are experiencing the current security landscape.
Last month I took the opportunity to do just that at the Gartner Security and Risk Management Summit in National Harbor, MD. Not a behemoth of a conference like RSA or Black Hat, the Gartner event is smaller, more intimate, and provides attendees with a pretty thoughtful set of talks from both Gartner analysts and practitioners. It’s a nice gathering, and, as is typical, it set me thinking a bit.
Over the last few years Gartner has – correctly, in my opinion – started to lean into concepts like risk management and adaptability in the face of threats. That chord was struck firmly during the opening of the conference, where the idea of Continuous Adaptive Risk and Trust Assessment was described. That’s a mouthful, so we’re left with a new acronym: CARTA. While it’s not a particularly catchy term, the ideas within it resonate well with how we believe practitioners need to think about security.
As I see it, one of the primary drivers for CARTA is that it has become increasingly difficult to decide with certainty whether an event is good or bad. For example, consider a file that is being downloaded by a user. We scan that file at the gateway, and then have to make a decision: assuming the file isn’t disallowed by policy, is it good (in which case let it in!) or bad? The problem is, many times we just don’t know with absolute certainty.
It’s hard to immediately grasp why we don’t – or more correctly, can’t – always know. At the scientific level, it’s a well-known result that you can’t make a perfect malware scanner. Pragmatically, though, the answer is simpler: while we can mark certain things as known-bad, it’s hard to handle everything else. Even a file we know is good may contain a previously-unknown vulnerability that can be exploited.
There are at least two ways to deal with that uncertainty. First, you can try to build a better mousetrap – to keep whittling away at the edge cases we’re not sure about. This is time well spent, but it’s also an impossible fight to win in the long term. Second – and in my take, this is the CARTA idea – you pragmatically do the best you can, but continually assess the risk the system faces and the trust you have in the different entities it is made up of; you then adapt to those new conditions, doing the right thing at the right time. Security becomes fluid rather than static (i.e., continuous and adaptive), and the attacker has to figure out how to find their way through a moving maze.
All that is just one example – the ideas within CARTA can be applied across the security space, including less technical areas such as governance.
Looking around the room while the Gartner analysts introduced CARTA, it was interesting to gauge the reaction. For many, the ideas clearly resonated; people were engaged, listening carefully in a packed house. That, to me, is a very positive sign, because in security, perfect truly is the enemy of good, and this more pragmatic, adaptive approach is the way forward. While we wish we could mitigate all risk, to do business successfully is to embrace and control risk. Attackers morph continuously to maximize their efficacy; to combat that shape-shifting adversary, we must also adapt, continually protecting our most exposed assets with much more granularity than the blunt instruments of “Deny” and “Allow.” Instead, I believe that CARTA imagines a set of mitigations that sit in between, helping to mitigate the risk while still allowing the access. That’s certainly in line with how Forcepoint thinks about security, and many features in our products already reflect that.
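To make the file-download example and the "mitigations in between" idea concrete, here is a small added illustration in Python. It is not Forcepoint product code and not Gartner's model; the verdict categories, the trust and exposure scores, the risk formula and every threshold are constructed for this example. The point it shows is the shape of the approach: a scanner verdict of "unknown" is not forced into Deny or Allow, the response is picked from a graduated set based on current trust in the requester and how exposed the target asset is, and trust is re-assessed from what the file actually does after it is let in, so the same request gets a different answer as conditions change.

```python
"""
Illustrative CARTA-style gateway decision (constructed example, not product code).

A download event carries a scanner verdict, the entity requesting it, and a
rough exposure score for the destination asset. Instead of a binary gate,
the policy maps a continuous risk score onto graduated mitigations, and the
trust placed in the entity is updated from observed behaviour afterwards.
"""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    KNOWN_BAD = "known_bad"
    KNOWN_GOOD = "known_good"
    UNKNOWN = "unknown"          # the case a binary allow/deny gate handles badly


class Action(Enum):
    BLOCK = "block"              # the blunt "Deny"
    ISOLATE = "allow_isolated"   # let it in, but open it in an isolated session/sandbox
    MONITOR = "allow_monitored"  # let it in with extra telemetry and a re-check window
    ALLOW = "allow"              # the blunt "Allow"


@dataclass
class Entity:
    """Trust we currently place in a user or device; re-assessed continuously."""
    name: str
    trust: float = 0.5           # 0.0 (no trust) .. 1.0 (full trust); constructed scale
    history: list = field(default_factory=list)

    def observe(self, benign: bool) -> float:
        # Asymmetric on purpose: trust is earned slowly and lost quickly.
        step = 0.05 if benign else -0.40
        self.trust = min(1.0, max(0.0, self.trust + step))
        self.history.append((benign, round(self.trust, 2)))
        return self.trust


@dataclass
class Event:
    entity: Entity
    verdict: Verdict
    asset_exposure: float        # 0.0 (throwaway lab VM) .. 1.0 (crown-jewel host)


def risk_score(event: Event) -> float:
    """Residual uncertainty from the scanner, scaled up by asset exposure and
    discounted by trust in the requester. Weights are constructed for this demo."""
    uncertainty = {
        Verdict.KNOWN_BAD: 1.0,
        Verdict.UNKNOWN: 0.6,
        Verdict.KNOWN_GOOD: 0.1,  # even a known-good file may carry an unknown bug
    }[event.verdict]
    return uncertainty * (0.3 + 0.7 * event.asset_exposure) * (1.0 - 0.6 * event.entity.trust)


def decide(event: Event) -> Action:
    """Map the continuous risk score onto a graduated response."""
    if event.verdict is Verdict.KNOWN_BAD:
        return Action.BLOCK      # known-bad stays a hard deny regardless of trust
    score = risk_score(event)
    if score >= 0.35:
        return Action.ISOLATE
    if score >= 0.20:
        return Action.MONITOR
    return Action.ALLOW


def run_scenario() -> list:
    """Same user, same asset, unknown files each time; only the trust changes."""
    alice = Entity("alice")      # constructed user, starts at neutral trust 0.5
    asset = 0.5                  # constructed mid-exposure asset
    outcomes = []

    # 1. First unknown download: let it in, but with monitoring.
    outcomes.append(decide(Event(alice, Verdict.UNKNOWN, asset)))
    # Telemetry from that monitored session shows the file misbehaving: trust drops fast.
    alice.observe(benign=False)
    # 2. Next unknown download from the same user lands in the tighter mitigation.
    outcomes.append(decide(Event(alice, Verdict.UNKNOWN, asset)))
    # 3. Fifteen benign sessions later, trust has been rebuilt and the request is simply allowed.
    for _ in range(15):
        alice.observe(benign=True)
    outcomes.append(decide(Event(alice, Verdict.UNKNOWN, asset)))
    return outcomes


if __name__ == "__main__":
    for action in run_scenario():
        print(action.value)
```

The design choice worth noticing is that nothing in the "unknown" path ever has to be settled as good or bad: the decision is a function of risk and trust as they stand right now, and the feedback loop (here a crude asymmetric trust update) is what makes it continuous rather than a one-shot verdict.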
Of course, this being security, the glass is never going to be all full. Adaptation – autonomous or not – opens up a new type of attack surface, and we need to think hard about the implications of that. However, while this is a hard problem, it’s not the only one. As of right now, defenders (and I mean ALL of us here, not just Forcepoint or other vendors) still don’t follow best practices reliably even though they know what they are. If that’s a challenge, backing into this more complex CARTA mindset is going to be difficult for the average company, though the model does anticipate this by focusing on risk and the idea of handling the worst problem first. To get there, we’re going to have to change our mental models. That’s hard, but by no means impossible. Most importantly, I believe that the payoff is worth it.
And on that positive note, I’ll lean back again, and sit, and think again. Despite the rough seas we’ve been in for a while, I’m optimistic.