Global networking has produced a system of unparalleled value to modern society. Extracting value from this system of information exchange depends on the ability to deploy intelligent endpoint nodes on the network, ranging in scale from supercomputers to wearable systems. The premise of the Internet of Things, popularized as IoT, suggests this trend should continue.
Unfortunately, this proliferation of intelligent endpoints has created an environment unparalleled in the history of information security and risk management. Each endpoint represents a potential failure point with respect to the desired system behavior being subverted to the goals of an aggressor seeking to capture privileged information or disrupt the intended functionality of the endpoint. The global network which synergizes the utility of these endpoints also provides the framework for launching attacks against the endpoints from anywhere in the world, with the added complication of little or no possibility for attributing the origin of the attack.
Since the inception of global networking, the security strategy has been to protect intelligent endpoints by sequestering them from access by the network at large using firewall technology. Simple firewalls have given way to stateful firewalls and intrusion detection and prevention systems which seek to recognize and optionally interdict attempts to subvert the functionality of the protected systems. The effect of these systems has been to produce architectures which are effectively soft targets once the perimeter protection systems have been breached.
To maximize the effect of a compromised system, the focus of malicious actors has been on the development of advanced persistent threat (APT) technologies which seek to introduce long-term behavioral modifications to the endpoint targets. This provides a mechanism which preserves the ability to exfiltrate information from the compromised systems long past the initial breach. This strategy is particularly effective in the firewall model since it allows other ‘soft’ targets in the interior of the protection domain to be attacked and infiltrated without interdiction by the perimeter defense systems.
The response has been to employ additional protection systems which monitor internal network traffic to determine whether illicit behavior is being exhibited by any internal network endpoint. However, if aggressors can evade detection by perimeter systems, it is likely that internal network monitoring will fail as well. Any type of traffic monitoring also faces challenges from steganographic methods which shroud illicit traffic in ever-increasing quantities of legitimate traffic.
Furthermore, an industry movement toward the use of strong encryption may lead to increasingly random data streams which can be used to camouflage illicit network traffic. Major system compromises in recent years in the federal government, entertainment, retail and healthcare industries have demonstrated the ability of attackers to persist information exfiltration attacks for long periods of time without detection. In these attacks, aggressors have exported hundreds of gigabytes of data without being detected by internal or perimeter defense systems.
Maintaining the security of network endpoints has classically involved continually applying updates that patch security vulnerabilities in operating systems and application platforms. This strategy can be unreliable in the face of zero-day exploits, which leverage previously undiscovered software vulnerabilities to implement both the initial compromise and the subsequent persistence of attack systems.
Even with more sophisticated security systems, a primary threat to effective security is the economics of information technology. Vendors seek to appease markets that demand platforms which implement the value proposition of ubiquitous networking but which do not reward attention to the security implications of such systems. Addressing the modern information security challenge demands attention to the economics of security, which can benefit from minimizing cost and complexity on network endpoints. It has been doctrine in the security industry that security and complexity are mutually incompatible. The recent attention to containerization strategies is an attempt to reduce the complexity and attack surface of service-providing endpoints. While such systems provide isolation, they do not provide a means of determining whether the behavior of the encapsulated system is consistent with the intent of the system.