Positive vs. Negative Security Models: A Different Way to Look at Endpoint Security
BY RENE KOLGA, CISSP
When we think about cybersecurity, inevitably we end up talking about fighting the “badness” — malicious hackers, malware, cybercriminal syndicates and malevolent nation-state actors. Whether with signatures, heuristics or machine learning models, we attempt to identify and block that “badness.” Today that approach is unable to achieve anywhere close to 100 percent efficacy, largely because the amount of “badness” is practically infinite.
However, the legitimate (i.e., “good”) set of applications or behaviors is finite, and that makes it possible to achieve high levels of protection using a Positive Security model. This is very much in line with the zero-trust trend that was so visible at this year’s RSA Conference. The term was coined by Forrester in 2010, and the approach is most closely associated with Google’s BeyondCorp initiative, begun in 2011 and traditionally applied to access control. In general, it means “default deny”: everything is blocked until proven trustworthy. This may sound extremely time-consuming (and traditional application whitelisting often is), but it does not have to be. Moreover, it should never be one model or the other; a balance between Positive and Negative Security models is the key to protecting endpoints regardless of the attack vector or type of attack.
‘Badness’ comes in many forms
Bad actors constantly come up with new attack vectors, new malware variants and new exploits. The most difficult to detect are zero-day attacks, for which no patch is yet available. According to the RAND Corporation, zero-day exploits and their underlying vulnerabilities have an average life expectancy of 6.9 years. In other words, roughly 2,520 days typically pass between an exploit developer discovering a vulnerability and its public disclosure and patch availability. Thus, even if you have your patch management processes under control (along with employee training), you are likely still vulnerable.
The CPU in nearly every laptop, desktop, server, cloud environment and smartphone was theoretically affected. No one could have predicted this.
We need to accept that “badness” comes in unexpected forms and is unpredictable, and that an effective cybersecurity system balances the Negative and Positive Security models.
| | Negative Security model | Positive Security model |
|---|---|---|
| How does it work? | Defines what is “bad” and allows everything else | Defines what is “good” and rejects everything else |
| Examples | AV, HIPS, NGAV, DLP | Firewall, Whitelisting/App Control |
| Advantage | Easy to manage | Stronger security |
| Limitation | Limited protection against new attacks | Can be hard to manage |
Negative Security model
A Negative Security model attempts to identify “badness,” block it and let everything else in. This model is used in most endpoint and some network security products, such as antivirus (AV), host intrusion prevention systems (HIPS), next-generation antivirus (NGAV), endpoint detection and response (EDR), user and entity behavior analytics (UEBA), data loss prevention (DLP) and others. These products rely on signatures of previous attacks, known exploit techniques (heap spray, buffer overflow, ROP, process hollowing, etc.), common malicious behaviors (such as modifying Run or RunOnce registry entries), deviation from baseline behavior, machine learning-based static file analysis trained on malware samples, and so on.
Advantages of Negative Security model-based products include relatively low maintenance. The product needs to be deployed and, in most cases, is kept up to date automatically with the latest lists of “badness” provided by the vendor. Exceptions are EDR and UEBA: the former relies largely on manual threat hunting, and the latter needs extensive integration with multiple internal systems (e.g., AD, SIEM, HR) along with extensive customization. In general, products like AV have been around for decades and are well understood by security professionals. They provide a needed base level of protection and are necessary to demonstrate compliance with myriad laws, regulations and industry standards such as PCI DSS.
Positive Security model
A Positive Security model does the exact opposite of the Negative model. It focuses on the list of “goodness” and blocks everything else. This can be a list of known good applications, behavior, ports, etc. For decades, a primary example of a Positive Security model application was the firewall. On the endpoint side, application whitelisting or application control leveraged this model with some success. Additional approaches, such as mapping known good operating system behavior at the system call level (a.k.a. OS-centric Positive Security), are also available.
The benefit of this model is its strong, threat-agnostic protection. It is generally understood that the list of good applications or behaviors is significantly smaller than the list of possible attack vectors, vulnerabilities and malware.
It is estimated that up to one million new malware samples are generated daily. There are only a few million legitimate software products in the world, and a very small subset of them is in use at a particular organization at any given time. The trick is in defining and managing that list, even though it is the smaller one. This management overhead has been a weakness of traditional Positive Security approaches like whitelisting/app control, along with their inability to protect organizations from file-less malware and from vulnerabilities in approved applications.
Figure 2 Comparison of “good” vs. “bad.”
Creating security synergy between the two models
In cybersecurity there are no magic bullets, and you cannot win against infinite odds. According to AV-Test.org, about 120 million new malware samples were recorded in 2017 alone. Even a 99.9 percent detection rate would leave 120,000 undetected threats.
You can reduce those odds through a solid security strategy. A layered approach with multiple different technologies working together is required. It is important to remember that just layering technologies using the same security model only results in a “shallow” defense in depth. It is like adding another lock on the door while leaving the window open.
To achieve true defense in depth, layers of protection of different types using different security models are essential. This is where Negative and Positive Security models working together can provide an organization with security synergy.
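To make the two models and their synergy concrete, here is an added example (not code from the article or its author): a toy endpoint policy engine that runs the same process-launch events through a Negative model (block known bad), a Positive model (allow known good) and both layered together. All hashes, paths, command lines and events are constructed for illustration; real products draw on far more signals than the three rules shown here.

```python
"""Added example, not from the original article: Negative vs. Positive vs.
layered verdicts on constructed process-launch events."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LaunchEvent:
    """One process-launch event as an endpoint agent might report it."""
    path: str                    # executable path, lower-cased for matching
    sha256: str                  # file hash; placeholder values, not real samples
    parent: str                  # parent process path
    cmdline: str = ""            # full command line
    registry_writes: tuple = ()  # registry keys written right after launch


# Constructed 64-hex-char stand-ins for real digests.
H_KNOWN_BAD = "1" * 64    # a sample the vendor has already signatured
H_NEW_BAD = "2" * 64      # a freshly repacked variant nobody has seen yet
H_WINWORD = "3" * 64      # approved word processor
H_POWERSHELL = "4" * 64   # approved shell, also a living-off-the-land favourite

WINWORD = r"c:\program files\microsoft office\root\office16\winword.exe"
POWERSHELL = r"c:\windows\system32\windowspowershell\v1.0\powershell.exe"
EXPLORER = r"c:\windows\explorer.exe"

# ---- Negative model: enumerate badness, allow the rest -------------------
BAD_HASHES = {H_KNOWN_BAD: "Trojan.Generic"}      # hypothetical signature list
PERSISTENCE_KEYS = (                               # behaviour-rule inputs
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runonce",
)


def negative_verdict(ev: LaunchEvent):
    """Block only when a known signature or a known-bad behaviour matches."""
    reasons = []
    if ev.sha256 in BAD_HASHES:
        reasons.append("signature:" + BAD_HASHES[ev.sha256])
    if any(k.lower().startswith(PERSISTENCE_KEYS) for k in ev.registry_writes):
        reasons.append("behavior:Run/RunOnce persistence")
    if "-encodedcommand" in ev.cmdline.lower():
        reasons.append("behavior:encoded PowerShell command line")
    return ("block" if reasons else "allow", reasons)


# ---- Positive model: enumerate goodness, block the rest ------------------
ALLOW_LIST = {H_WINWORD: WINWORD, H_POWERSHELL: POWERSHELL}  # hash -> expected path


def positive_verdict(ev: LaunchEvent):
    """Allow only an approved binary running from its approved location."""
    if ALLOW_LIST.get(ev.sha256) == ev.path.lower():
        return ("allow", [])
    return ("block", ["not on allowlist"])


# ---- Layering: each model may veto independently --------------------------
def layered_verdict(ev: LaunchEvent):
    """A launch proceeds only if neither model objects."""
    _, n_why = negative_verdict(ev)
    _, p_why = positive_verdict(ev)
    reasons = n_why + p_why
    return ("block" if reasons else "allow", reasons)


SCENARIOS = {
    "known malware": LaunchEvent(r"c:\users\alice\downloads\invoice.exe", H_KNOWN_BAD, EXPLORER),
    "new malware variant": LaunchEvent(r"c:\users\alice\downloads\invoice.exe", H_NEW_BAD, EXPLORER),
    "approved app": LaunchEvent(WINWORD, H_WINWORD, EXPLORER),
    # File-less abuse of an approved binary: Word spawns PowerShell with an
    # encoded command that installs a Run-key entry. The allowlist sees an
    # approved hash and path and lets it through; the behaviour rules catch it.
    "approved app abused": LaunchEvent(
        POWERSHELL, H_POWERSHELL, WINWORD,
        cmdline="powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA",
        registry_writes=(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",),
    ),
}


def evaluate_all():
    """Return {scenario: (negative, positive, layered)} decisions."""
    return {
        name: (negative_verdict(ev)[0], positive_verdict(ev)[0], layered_verdict(ev)[0])
        for name, ev in SCENARIOS.items()
    }


if __name__ == "__main__":
    print(f"{'scenario':<22}{'negative':<10}{'positive':<10}layered")
    for name, (neg, pos, both) in evaluate_all().items():
        print(f"{name:<22}{neg:<10}{pos:<10}{both}")
```

The second scenario is the Negative model's blind spot (an unknown hash with no noisy behavior passes) and the fourth is the Positive model's (an approved binary doing something malicious passes); each is caught by the other layer. The caveat the article's "no magic bullets" point implies also shows up here: a vulnerability exploited inside winword.exe that produces no observable side effect looks exactly like the "approved app" event and passes both layers, which is why patching and the other controls remain necessary.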
Rene Kolga, CISSP, heads product management for a company in Silicon Valley.