Kees1958
July 1st, 2007, 05:10 AM
Hi members, from several members I have received PM posts with questions on the model I sometimes mentioned.
Start quote:
I'm looking at the security model you posted at http://www.wilderssecurity.com/showthread.php?t=155098
I did some digging and I found Gartner's "The Nine Styles of Host-Based Intrusion Prevention" which is similar to what you posted. Very interesting reading btw, plus follow-up pieces "Host-Based Intrusion Prevention: Myths and Realities" and "Understanding Strengths and Weaknesses of Host-Based Intrusion Prevention Styles".
However, theirs is a simple 3x3 matrix with slightly different terminology. So my question is, is the model you posted an adaptation by yourself or did you get it from somewhere else?
END Quote
Yesterday I spoke to a former colleague who is the service delivery manager of a large IT company (of which security is one of the competence lines) which I used to work for.
So I asked him these questions.
Yes, the model we (the company) use is a combo of Gartner, Forrester Research and Butler Group. Basically there are 4 levels. When in future more threats evolve, we (the company) will add more levels by looking at the OSI communication layer model and the flow of infection events in the real world.
1. Network (=source at communication level)
In the OSI layered communication model the process level comes after (is of a higher class than) the network level. In all OS/network combos my colleague knows, data first flows through the network stack before entering the process stack. Therefore the network is the first point of defence.
2. Threat gates (=source/origin at device and application level)
A PC or network client has several means of adding external code/new programs/data to the client or PC. This is generalised to threat gates (some being devices, others means of communication/protocols or applications), like floppy drive, USB stick, CD/DVD-ROM, P2P, messaging, chat, e-mail, Internet browser, etc.
In practice, security management aimed at the network and threat gates, combined with general hardening, proved to be very robust and effective. Network protection is a no-brainer; threat gates are easier to manage in business networks (less effort) against higher flexibility and more user-friendliness than other additional means. Also, threat gate management fits best in the traditional way of looking at security: first there is access, then authentication and policy allocation based on the role and rights of the user.
I did mention in my first post threat gates as 'OS intrusion'. My colleague explains it better. Threat gate entry security management focuses on preventing sustainable changes in the OS and network which go beyond the rights of a predefined role (for instance a 'limited' user). In simple terms, a threat gate defence (sandbox) should prevent changes to startup entries in the registry and installation of drivers without the explicit okay of an administrator.
3. Execution level (all possible triggers from all possible origins)
The proper term should be execution level. This also includes temporary changes in the code execution environment (like process modification or startup of unknown applications). In terms of defence scope this is much more complex, because it also includes temporary changes and includes every other trigger/origin of malicious code. A drive-by infection with some sort of key logger might not survive a reboot or a logoff/login between two user sessions, but it still is a danger to security.
4. Data level (the target of the attack: access to confidential data, changing/overriding data which represents value)
Explained correctly