The 9 Box of Controls

American military leader General George Marshall once said, “The only way human beings can win a war is to prevent it.” As Secretary of Defense and the only US Army General to ever win a Nobel Peace Prize, his commitment to peace was born of his direct knowledge of the awful costs and consequences of war.

As information security professionals, we are the first line of defense in the war against cyberattack. We need agile defenses that quickly and continuously adapt to meet new demands. Attackers are constantly adapting, and so defenders need to continually update their defenses in order to stay ahead of the curve rather than behind it.

But rapidly evolving threats are only part of the challenge. We also need to continually adapt to a fast-changing technology landscape. As we consider our future as information risk and security groups, it’s abundantly clear that we need to radically change our approach to defense in order to face the challenges ahead, and to support what I call our Protect to Enable mission.

One emerging issue in recent years has been the well-documented fact that the antivirus (AV) industry has not kept pace with the attackers. Because paid security measures often fail to prevent harm, many companies default to a Detect and Respond approach as their primary method of dealing with cyberattack, believing this to be the only option available to them. This means they may expose themselves and their organizations to ongoing high risks and higher long-term costs, since they are reactively responding to attacks that have already breached the organization’s defenses. This tactic of continually repairing breaches, rather than taking measures to preemptively detect and block the enemy before they have a chance to strike, both strengthens the attackers and weakens the target companies.

Moving Beyond the Detect and Respond Model

When investigating our security controls, we need to consider whether our existing control architecture improves or impedes business agility and velocity. It’s important to recognize that controls can place a “drag coefficient” on the business that implements those controls. If controls hinder users in any way, they can stifle business velocity and innovation. Users react to this control friction by circumventing the controls whenever possible; as a result, the controls may actually introduce new risks, as well as incurring added costs. In today’s interconnected business systems, an attacker just needs to breach one endpoint to infiltrate an entire network, making this a particularly risky ‘end-user’ issue. Companies employing traditional AV products may face this issue on a daily or even hourly basis.

In order to move forward beyond the Detect and Respond model, we will need an agile security architecture that quickly and automatically learns and adapts to all new challenges as they emerge. A learning system is harder to defeat because it can more quickly predict - and thus prevent - new attacks. The current pace of technological change is so rapid that we cannot possibly predict all the future challenges we may face, and the manual or semi-manual processes employed by traditional AV vendors may not be anywhere near enough to keep up with this pace.

In essence, we need solutions that can learn to manage, and protect us from, what we don’t know. The right control architecture will enable the flexibility that helps businesses move more fluidly, allowing companies to rapidly adopt new technologies and emerging usage models, while continuing to provide dependable security in an ever-evolving threat landscape.

Introducing the 9 Box of Controls

I recently returned from over a week of travel where I was speaking almost daily with business leaders, IT professionals and security professionals. I was speaking on the topics of information risk, controls, and leadership. At the RSA 2016 conference, I also spoke at a session moderated by Evan Wheeler, Executive Director of Operational Risk Management at DTCC. One of the things I explained in that discussion is where the industry is for the most part anchored in its control focus, vs. where all of our organizations need controls.

Let me explain my perspective on controls. My perspective is rooted in my experiences as a business leader and in my many years in Finance, including my role as a Profit and Loss Manager for a billion dollar business unit in the late 90s. It is a control philosophy that I have carried forward in my roles in Security, but one that I believe is lacking in the industry.

An important aspect of this perspective is the concept of control friction. I’ve developed a simple framework called the 9 Box of Controls, which takes the issue of control friction into account when assessing the value as well as the impact of any control, including information security.

I believe that the 9 Box of Controls includes some novel thinking that may be valuable to many organizations facing these universal risk challenges. My conversations with peers at other companies have validated this view. Many of them are now using the 9 Box to drive not only tactical, but also strategic discussions in their organizations around where they are spending their resources today, and where they should be headed long term.

Any future security architecture we implement must provide better prevention, and it must also be more flexible, dynamic, and more granular than traditional enterprise security models. A new architecture also needs to greatly improve threat management. As new attacks appear, we need a security system that is able to recognize good from bad in milliseconds, so that it can stop the bad and allow the good. For any attack that gets past these preventive controls, we need to be able to learn as much as we possibly can without compromising the user’s computing performance or privacy. This information enables us to investigate exactly what occurred, so we can take immediate action to mitigate the risk whilst also learning how to prevent similar attacks in the future.

A control architecture should assume that attempts at compromise are inevitable—but we should also understand that it is possible to achieve real prevention for 99% or more of risks that could occur, including that of malicious code and zero-day attacks caused by mutated malware. Should a piece of malicious code attempt to execute, we can then instantly apply artificial intelligence and machine learning to analyze the features of files, executables, and binaries to stop the code dead in its tracks before it has a chance to harm the environment. For the remaining attacks—representing less than 1% of malware—we need to focus heavily on survivability.

Types of Security Controls

There are three primary types of security controls: prevention, detection and response.

  • Prevention occurs when an action or control prevents an infection or cyberattack, stopping it in its tracks before it affects users or the environment.
  • Detection means identifying the presence of something malicious that has already entered the environment.
  • Response is a reaction to the discovery of a piece of malicious code, attempting to remove it after it has already affected the user.

From a risk perspective, prevention focuses on minimizing vulnerability and the potential for harm, while detection and response focus on minimizing damage. When you are focused on minimizing damage, the main variables to turn the reactive risk dials are a) time to detect and b) time to contain.

There are also three primary approaches one can take to implement a control: automated, semi-automated, and manual.

  • Automated control occurs entirely through machines.
  • Semi-automated control involves some level of human intervention.
  • Manual controls are managed entirely by hand.

The combinations of these control types and automation levels comprise the cells of the 9 Box, as shown in the figure below. Risk increases as we move from prevention, to detection, to response. Cost increases as we move from automated to semi-automated to manual controls.

A Note on Control Friction

However, there is a third dimension to the 9 Box: control friction. As we know, friction is the force that causes a moving object to slow down when it comes into contact with another object. Similarly, controls can impose a “drag coefficient” on business velocity—they can slow the user or a business process (just think of the groan issued by PC users when they switch on their machine to complete an urgent task, only to find it indisposed for the next half hour due to an automated Windows Update).

However, friction is not a fundamental, immutable force like gravity or electromagnetism. Instead, we have the ability to determine exactly how much control friction we apply. Apply too much control friction, and business users may choose to circumvent IT security controls. This adds cost: IT is no longer managing the technology employees are using, so data and business silos are created, and the organization loses its volume purchasing power. It also adds risk: because the security team lacks visibility into the technology being used, it cannot prevent compromises, detection is difficult, and in many cases, response after the fact becomes the only option.

If a business adheres to high-friction controls, the long-term effect can be the generation of systemic business risk. High-friction controls can hinder business velocity; the organization can lose time to market and the ability to innovate, and over the long term it may even lose market leadership. 
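
One way to put the 9 Box to work on a control inventory, as an added example that is not part of the original article: each control is placed in a cell by type and automation level, spend is totalled per cell, and high-friction controls are listed. The inventory, spend figures, three-step friction scale and function names are constructed for illustration; the grid is drawn with automated prevention in the lower left, matching where the article's closing section places it.

```python
from collections import defaultdict

TYPES = ["prevention", "detection", "response"]         # risk rises left to right
AUTOMATION = ["automated", "semi-automated", "manual"]  # cost rises bottom to top
FRICTION = ["low", "medium", "high"]                    # assumed scale, not from the article

# Constructed inventory: (control, type, automation, friction, annual spend in arbitrary units)
INVENTORY = [
    ("endpoint execution blocking", "prevention", "automated", "low", 120),
    ("application allowlisting", "prevention", "automated", "high", 80),
    ("SIEM alert triage", "detection", "semi-automated", "medium", 300),
    ("threat hunting", "detection", "manual", "low", 150),
    ("incident response retainer", "response", "manual", "medium", 250),
    ("automated host isolation", "response", "automated", "medium", 100),
]

def place(inventory):
    """Group controls into 9 Box cells keyed by (type, automation)."""
    cells = defaultdict(list)
    for name, ctype, auto, friction, spend in inventory:
        if ctype not in TYPES or auto not in AUTOMATION or friction not in FRICTION:
            raise ValueError(f"unclassifiable control: {name}")
        cells[(ctype, auto)].append((name, friction, spend))
    return cells

def spend_share(cells):
    """Fraction of total spend that falls in each occupied cell."""
    total = sum(s for items in cells.values() for _, _, s in items)
    return {cell: sum(s for _, _, s in items) / total for cell, items in cells.items()}

def high_friction(cells):
    """Controls that users are most likely to circumvent."""
    return sorted(n for items in cells.values() for n, f, _ in items if f == "high")

def target_share(cells):
    """Share of spend on automated prevention that is also low friction."""
    total = sum(s for items in cells.values() for _, _, s in items)
    hits = cells.get(("prevention", "automated"), [])
    return sum(s for _, f, s in hits if f == "low") / total

def render(cells):
    """Text grid: manual on the top row, automated on the bottom, prevention on the left."""
    share = spend_share(cells)
    lines = [" " * 16 + "".join(f"{t:>12}" for t in TYPES)]
    for auto in reversed(AUTOMATION):
        lines.append(f"{auto:<16}" + "".join(f"{share.get((t, auto), 0.0):>12.0%}" for t in TYPES))
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(place(INVENTORY)))
```

The gap between the automated-prevention cell's share and `target_share` is spend on prevention that carries high friction, which is the trade-off the friction dimension is meant to expose.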


Thinking Outside the “Magic Quadrant”

When you look at the 9 Box of Controls and wander the floor of the RSA Conference, you gain a new perspective on the industry’s dynamics and the economics that fuel the status quo. For instance, why is the industry focused in the upper right of the 9 Box? Why do so many security professionals consider the upper right quadrant to be the “magic quadrant”?

The conclusion I am forced to draw is that the industry profits from the insecurity of computing, so most players have no real economic incentive to fundamentally solve the problem and deliver true prevention. Alternatively, you have some solutions that offer a level of automated prevention through shrinking the attack surface, but they do so at such a high degree of control friction that other costs and risks occur.

So where is the real magic quadrant for information security? In my view, it is not the upper right but the exact opposite - the lower left. If we implement automated controls with a low degree of control friction that prevent risk all around, we are delivering exactly what the AV industry so sorely needs - solutions that Protect to Enable people, data, and the business.

Malcolm Harkins
Global Chief Information Security Officer, Cylance