Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/12/2018
10:30 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

'CARTA': A New Tool in the Breach Prevention Toolbox

Gartner's continuous adaptive risk and trust assessment for averting a data breach addresses the shortcomings of static security programs.

A hacker who recently stole U.S. military secrets about combat drones and tried to sell them on the black market apparently accessed the data by searching the Internet for misconfigured Netgear routers and exploiting a 2-year-old known vulnerability involving default login credentials. Clearly, even the military struggles to protect itself from threats and attacks.

The root of this data breach emanates from an old way of thinking about implementing security — one that relies on static risk and vulnerability management. These principles and practices, which are locked in a binary view of the world, are diminishing in effectiveness in the face of a dynamically changing threat landscape. Unlike the old world of black and white, and good and bad, grayness is the new the reality in security.

To deal with this gray zone, organizations need a new approach, one that continuously monitors, assesses, adapts, and responds to risk as needed in real time.

Research firm Gartner has defined this new approach as Continuous Adaptive Risk and Trust Assessment (CARTA). The firm predicts that by 2020, 25% of new digital business initiatives will adopt a strategic CARTA approach, up from fewer than 5% in 2017.

In a nutshell, Gartner sees CARTA as a way for organizations to manage the risks that come with the digital world by deploying security that moves at the speed of digital business.

How to Implement CARTA
Under CARTA, all systems and devices are considered potentially compromised and their behaviors are continuously assessed for risk and trust. Here are the five key components for deploying a CARTA-inspired security model:

Asset Discovery
The first step in implementing a CARTA-based security program involves gathering and maintaining a comprehensive and up-to-date asset inventory. Without this data, it is virtually impossible to assess risks and apply appropriate defenses. Asset management should be automated so an organization can efficiently keep track of devices — their type, model, location, functions, and configurations — and of software, notably versions, patches, problems, and a history of vulnerabilities.

Without such information, an organization cannot perform basic proactive security measures such as monitoring network activity, taking snapshots of current configurations, and preventing attacks. Asset information can also be used to restore devices and software if an attack occurs.

Trust Relationships
Strong asset management is only as strong as the process for managing trust relationships between various devices, software, and the people who use them. Accordingly, organizations need to understand, monitor, and manage how devices, software, and people interact on an hourly basis each day.

As trust and risk increases and decreases dynamically based on context and behavior, models of trust and risk should be created that observe patterns over time. If the risk score of a specific device or user gets too high and outweighs the trust (for example, a user who tries to download a massive amount of sensitive data to an unmanaged device), an organization has two choices: reduce the risk score or increase the trust score.

Vulnerability Assessment
This consists of continuous assessment and prioritization of vulnerabilities for remediation. Because thousands of vulnerabilities are discovered each year, addressing all of them is not achievable. A more effective approach is to focus on the most serious, imminent, and executable threats. For example, remote code executions (RCEs) are among the most toxic threats to an organization. These should receive a high prioritization, especially when evidence from security intelligence feeds indicates a particular RCE vulnerability has been weaponized and is being actively exploited in the wild.

Metrics
As always, the devil is the details. This has become increasingly important because cybersecurity is now also a concern of the C-suite and boards of directors. Being able to report security metrics in business terms is now a requirement in larger organizations. These metrics are also critical to senior management when they make the case for additional investments in security resources; shoring up cyber defenses requires fact-based evidence of threats, gaps, and risks that can be understood by a nontechnical audience.

Adaptability
This is the core component of any CARTA-based security program. In response to changing security conditions, organizations need to reassess their risk levels each month, certainly each quarter. A best practice is to be proactive and adaptive, leveraging a risk-based strategy to security that adapts to the changing network of devices and applications. In addition, since the network changes far more rapidly than policies and procedures in standard compliance frameworks, a risk-based approach should be implemented on top of frameworks that may change only once a year.

Digital transformation, which is being driven by cloud, mobile, and Internet of Things technologies, is making static approaches to enterprise security irrelevant. Defending a constantly expanding attack surface, which often lacks a perimeter, requires a dynamic and continuous approach to vulnerability and risk assessment, prioritization, and remediation.

CARTA provides a useful road map for implementing a security program that is capable of responding to the volume and velocity of threats and their polymorphic nature.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Christopher Acton is vice president of security services and customer success for RiskSense, a provider of vulnerability prioritization and management software. He is a security researcher and expert in web application, infrastructure and system security. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/1/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Well I dont run on MacOS, so I need to take extra precautions"
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13759
PUBLISHED: 2020-06-02
rust-vmm vm-memory before 0.1.1 and 0.2.x before 0.2.1 allows attackers to cause a denial of service (loss of IP networking) because read_obj and write_obj do not properly access memory. This affects aarch64 (with musl or glibc) and x86_64 (with musl).
CVE-2020-7662
PUBLISHED: 2020-06-02
websocket-extensions npm module prior to 1.0.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other characte...
CVE-2020-7663
PUBLISHED: 2020-06-02
websocket-extensions ruby module prior to 0.1.5 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other charact...
CVE-2020-12017
PUBLISHED: 2020-06-02
GE Grid Solutions Reason RT Clocks, RT430, RT431, and RT434, all firmware versions prior to 08A05. The device’s vulnerability in the web application could allow multiple unauthenticated attacks that could cause serious impact. The vulnerability may allow an unauthenticated attacke...
CVE-2018-18623
PUBLISHED: 2020-06-02
Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.