*And why you should use both
We talk a lot about the different technologies and strategies we use to protect our customers every day as a Managed Security Services Provider (MSSP). We've even published a quite informative white-paper that spells out our overall viewpoint (download our free Intelligence in Depth guide here).
I thought it'd be a good idea to get a little more granular and dive into something I've mentioned here on this blog before: positive security controls and negative security controls and why it's important to leverage both for a healthy and active security posture.
Exciting right? So "hold on to your butts," as Samuel L. Jackson once said, because I'm about to drop some knowledge on you...
What is a Positive Security Control?
A positive security control focuses only on allowing the known or whitelisted good (i.e. software, scripts, etc) to to operate in your environment.
"Using a positive security model (Whitelist) you are effectively stating "allow these known good" events, thus implying that anything unknown is bad," said Ray Scholl, Security7's CISO. "This helps eliminate the unknowns (good or bad) from passing and eliminates unanticipated activity."
However, a positive security model isn't all kittens and rainbows as Scholl was quick to point out
"It can become burdensome - a new application or update, additional business requirement, etc. requires amending the list. (It's) more impacting to the user community but more secure (overall)."
What is a Negative Security Control?
A negative security contol focuses on blocking or disallowing the known bad (i.e. malware, viruses, trojans, etc) from operating in your environment while allowing everything else.
"Applying a negative security model (Blacklist) is fine, but now you have to maintain a list, add new signatures, and wonder if you ever have them all covered....the unknown," Scholl said. "The burden of "keeping up" that list is on you and there is, in my opinion, an inevitable gap between discovery, signature, and updating. Less impacting to the user community but less secure.
Why should you use both positive and negative security controls?
Ever heard the old idiom that there can be "too much of a good thing?" That applies to both positive and negative security controls. Using one over the other can hamper or even harm not only your environment but the working efficiency of those who rely on it every day.
For instance, a negative security control might be easy to deploy but it's not necessarily easy to keep up with vast number of threats that are discovered every day.
The opposite can be said for a positive security control. If you're only allowing the "known good" to operate, what are you missing out on or hindering?
This is why combining the two strategies makes sense
"Can we combine these to generate a less burdensome yet solid approach? You are an iPhone/Mac user and you trust an app so you install it." Scholl said, using You still have dials to disable features you may consider undesirable.....or you know your Mac is secure and don't think you can be hacked - yet you cover your camera.....overlapping approaches to minimize user & admin burden and getting the security you desire."
Brian Thomas, Security7's CTO had this to add:
Organizations of any size should focus instead on implementing both type of security control. It's ideal to create a hybrid security control that allows for both whitelisting and blacklisting, that way you've combined the best of both worlds.
Interested in finding out more about how Security7 leverages both positive and negative security controls? Download our free Intelligence in Depth guide here.