Security model

Hi members, from several members I have received PM post with questions on the model I some times mentioned.

Start quote:

I'm looking at the security model you posted at https://www.wilderssecurity.com/showthread.php?t=155098

I did some digging and I found Gartner's "The Nine Styles of Host-Based Intrusion Prevention" which is similar to what you posted. Very interesting reading btw plus follow up pieces "Host-Based Intrusion Prevention: Myths and Realities" and "Understanding Strengths and Weaknesses of Host-Based Intrusion Prevention Styles" .

However, theirs is a simple 3x3 matrix with slightly different terminology. So my question is, is the model you posted an adaptation by yourself or did you get it from somewhere else?

END Quote

Yesterday I spoke to a former colleque who is the service delivery manager of a large IT company (of which security is one of the competence lines) of which I used to work for.

So I asked him these questions.

Yes the model we (the company) uses is a combo of Gartner, Forrester Research and Butler Group. Basically there are 4 levels. When in future more threats evolve, we (the company) will add levels more levels by looking at the OSI communication layer model and the flow events of infections in the real world.

1. Network (=source at communication level)
In the OSI layered communinucation model the process level comes after (is of a higher class) than the network level. In all OS/Network combo's my colleque known data first flows through the network stack before entering the process stack. Therefore network is the first point of defence.

2. Threat gates (=source/origin at device and application level)
A PC or network client has several means of adding external code/new programs/data to the client or PC. This is generalised to threat gates (some being devices other means of communication/protocols or applications), like Floppy drive, USB stick, CD/DVD Rom, Floppy, P2P, Messaging, Chat, E-mail, Internet browser, etc.
In practice security management aimed at the Network and Threat gates combined with general hardening proved to be very robust and effective. Network protection is a no brainer, Threat gates are more easy to manage in business networks (less effort) against higher flexibility and more user friendliness than other additional means. Also threat gates management fit best in the traditional way of looking at security, first there is access, then authentification and policy allocation based on role and rights of the user.

I did mention in my first post threat gates 'OS intrusion'. My colleque explains it better. Threat gate entry security management focusses on the preventing sustainable changes in the OS and Network which go beyond the right of a predefined role (for instance a 'limited' user). In simple terms a threat gate defense (Sandbox) should prevent changes of startup entries in the registry and installation of drivers, without explicit okay of an administrator.

3. Execution level (are all possible triggers from all possible origin)
The proper term should be execution level. This also includes temporary changes in the code execution environment (like process modification or startup of unknown applications). In terms of defense scope this is much more complex, because it also includes temporary changes and includes all every other trigger/origine of malicious code. A drive by infection with some sort of key logger might not survive a re-boot or logoff - login between two user sessions, it still is a danger to security.

4. Data level (the target of the attack, access to confident data, changing/overriding data which represent value)
Explained correctly

 

Edit:

Some spicy statements (of my collque):

A highly knowledgable and skilled user
1. Does not run with admin rights
2. Uses a proper firewall and AV
3. Might add IDS Snort or Proxy filter to drop and uses a web browser which does not has straight connections with the OS (IE weaknesses are the remainders of a failed Microsoft trick to make the browser part of the OS).

A high knowledgable/average skilled user
1. Does browse the Internet with admin rights
2. Therefore needs additional protection (having more knowledge than skills), basically has two choices.

The easy route = 95% protection at 5% of the effort = seamless sandbox or 15% of the effort sandbox + virtualization.

The hard way = aim for 99% protection with 120% or 25% effort: use a classical HIPS (determine the whitelist yourself) or use a smart HIPS (with experts black and whitelist intelligence in the application) like
- KIS7 (AV + FW + PDM) [ I have no experience with it]
- Online Armour 2 + AV [white and black list]
- PrevX3 = PrevX2 with a good AV combined [white and blacklist plus community sharing]

A security digi-literate better wait for anti-malware to get smart, examples are:
- A2 Malware (behavior blocking plus blacklist = A-okay)
- Spyware Doctor + CyberHawk (wait and see)
- Norton + Primary Response SafeConnect (wait and see)

 

Hello,
How would you like people to respond to your post? A similar model? Evaluate your model?
Cheers,
Mrk

 

Mrkvonic,

No some other members checked the Gartner model and noticed some differences. I by chance met a former colleque and asked him about this model. I corrected some of my 'free' interpretation that is all.

I realise it is just a correction/edit and a bit boring, that is why I posted some of my colleques statements.

When you have ideas/models yiu want to share go ahead.

K

 

I think both of those approaches to this thread, namely evaluating the initial model and coming up with other ones, would expand the scope of this thread in a manner that might prove informative and helpful to many, especially if members such as your self contribute.