Thursday, August 25, 2011

Information Superiority - Winning the Security Battle

The battle for your network is based on the concept of information superiority. Network defenders need to have a clear baseline of their environment to protect it. However, if attackers establish information superiority over a defender, it’s very difficult to protect against (or remove) them.

The idea of information superiority is not in itself entirely new, but it is perhaps a new way of looking at old problems in and around security. One of the fundamental problems that we face when trying to secure any organization is the task of identifying what needs to be defended and the threats to consider when structuring our defenses. In the past this problem has been addressed by defenders employing a number of tools and techniques to develop a map of assets to protect. Once this map was in place a threat model would be developed and defensive tools deployed and configured to provide defense in depth for the organization.

Unfortunately that’s not the way things have worked out in the real world. The methods used by many organizations to discover their assets are largely ad hoc, incomplete, and do not integrate with their security infrastructure. Tools such as network and vulnerability scanners are employed to actively interrogate devices in the organization, and host-based asset management agents are installed to provide telemetry about endpoint state and changes. The reality of today’s cloud-hosted and virtualized IT service cores, mobile users and devices is that real-time discovery needs to be a major component of any mapping system if defenses are to be adjusted in meaningful time frames. Network and endpoint discovery efforts in most organizations are done with whatever tools are at hand and are neither systematic nor, more importantly, performed in real time.

At the most basic level, the knowledge of what’s being protected and what it’s being protected from is necessary in order to deploy and configure many primary components of security infrastructure today. A list of the assets in the environment, their configuration and vulnerabilities, behavioral patterns, data motion and interaction, user access and utilization of resources are all data points that are directly needed by security devices to function properly.

Since networks evolve in real-time, awareness technology has to do discovery in real-time. Information superiority is attained by deploying discovery and awareness infrastructure and then tying it back to defenses in an automated fashion. In working to achieve information superiority, there are critical caveats to bear in mind:
  • It’s OK to use scan technologies but their primary use is for more in-depth interrogation, not primary discovery.
  • Enterprises that have low awareness of their operational environment will have poorly tuned and deployed defenses.
  • Lacking a robust and comprehensive awareness infrastructure leaves you with traditional methods for gaining awareness over your environment, which leaves you very vulnerable to attackers who are able to leverage local information superiority - knowledge of the target environment, vulnerabilities, operations and users.
For all of these reasons, modern defenses need to be structured around a foundation of information superiority. To that end, technologies to develop and maintain information superiority in an environment are the critical foundation that successful defenses should be built upon.
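The loop described above, passive discovery feeding a baseline, the baseline diffed over time, and the result driving both defensive tuning and targeted follow-up scanning, is small enough to sketch in code. The example below is an added illustration written for this post, not Sourcefire or FireSIGHT code. It assumes a passive sensor that emits one-line connection summaries (`timestamp client server port proto`); the flow records, IP addresses and the mapping from observed services to detection rule groups are all constructed for the example.

```python
"""Passive asset inventory -> baseline diff -> defense tuning.

Added illustration, not Sourcefire code. Input records are constructed
connection summaries in the form a passive sensor might emit:
    <epoch_seconds> <client_ip> <server_ip> <server_port> <tcp|udp>
"""
from dataclasses import dataclass, field

# Constructed sample: two observation windows of the same network, a day apart.
BASELINE_FLOWS = """\
1314230400 10.1.1.20 10.1.1.10 445 tcp
1314230405 10.1.1.21 10.1.1.10 445 tcp
1314230410 10.1.1.20 10.1.1.11 80 tcp
1314230412 10.1.1.22 10.1.1.11 80 tcp
1314230420 10.1.1.21 10.1.1.12 53 udp
"""

CURRENT_FLOWS = """\
1314316800 10.1.1.20 10.1.1.10 445 tcp
1314316805 10.1.1.20 10.1.1.11 443 tcp
1314316810 10.1.1.22 10.1.1.11 80 tcp
1314316815 10.1.1.23 10.1.1.30 3306 tcp
1314316820 10.1.1.21 10.1.1.12 53 udp
"""


@dataclass
class Host:
    first_seen: int
    last_seen: int
    services: set = field(default_factory=set)  # {(port, proto)} offered by this host


def parse_flow(line):
    ts, client, server, port, proto = line.split()
    return int(ts), client, server, int(port), proto


def build_inventory(text):
    """Passive discovery: every endpoint seen in traffic becomes an asset;
    the server side of each connection is recorded as offering a service."""
    inv = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, server, port, proto = parse_flow(line)
        for ip in (client, server):
            host = inv.setdefault(ip, Host(ts, ts))
            host.first_seen = min(host.first_seen, ts)
            host.last_seen = max(host.last_seen, ts)
        inv[server].services.add((port, proto))
    return inv


def diff_inventory(old, new):
    """What changed between two observation windows: the basis for acting
    in meaningful time frames rather than on a stale map."""
    new_hosts = sorted(set(new) - set(old))
    gone_hosts = sorted(set(old) - set(new))
    new_services = {}
    for ip in set(new) & set(old):
        added = new[ip].services - old[ip].services
        if added:
            new_services[ip] = sorted(added)
    return {"new_hosts": new_hosts, "gone_hosts": gone_hosts,
            "new_services": new_services}


# Hypothetical mapping from an observed service to the detection rule group
# that is only worth enabling when that service actually exists on the network.
RULE_GROUPS = {
    (445, "tcp"): "smb",
    (80, "tcp"): "http",
    (443, "tcp"): "tls",
    (53, "udp"): "dns",
    (3306, "tcp"): "mysql",
}


def tune_defenses(inv, changes):
    """Tie awareness back to defenses: enable rule groups for services that
    are present, and queue only new or changed assets for in-depth active
    interrogation, so scanning is targeted rather than the primary discovery."""
    present = {svc for host in inv.values() for svc in host.services}
    enable = sorted({RULE_GROUPS[s] for s in present if s in RULE_GROUPS})
    unknown = sorted(s for s in present if s not in RULE_GROUPS)
    scan_queue = sorted(set(changes["new_hosts"]) | set(changes["new_services"]))
    return {"enable_rule_groups": enable, "unclassified_services": unknown,
            "scan_queue": scan_queue}


def run():
    base = build_inventory(BASELINE_FLOWS)
    cur = build_inventory(CURRENT_FLOWS)
    changes = diff_inventory(base, cur)
    return changes, tune_defenses(cur, changes)


if __name__ == "__main__":
    changes, actions = run()
    print(changes)
    print(actions)
```

Run as a script it prints the two new hosts, the new TLS service on 10.1.1.11, the five rule groups the current inventory justifies, and a scan queue containing only the three changed assets. Anything in `unclassified_services` is a service the passive layer saw but the defenses have no rule group for, which is exactly the gap the post describes between awareness and configured protection.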

Information superiority is the foundation on which Sourcefire builds to provide better automation. We pioneered the core technologies that provide information superiority (our FireSIGHT technology - formerly known as RNA/RUA) and we’ll continue to build and integrate more innovative awareness technologies into our solutions. Not only have we built this into our technological foundation for improved network and endpoint protection, but by doing this we have become the foundation for establishing information superiority within customer environments.
