LINEARSTACK
March 23, 2023

When to Leverage the Negative vs Positive Security Model

Ransomware is a threat all organisations face however, it is preventable. Read what you can do to prevent

Conceptions of Security

Deciding if the organisation should consider positive or negative security starts with the business objectives.

Is the organisation planning one or several business transformations in the next few years?

Will the organisation plan to migrate workloads across all platforms, including the cloud, SaaS, and containers, along with on-premise location?

Regardless of the platform to help support the digital transformation strategy, the organisation can expect application attacks, complex attack patterns, and data exfiltration breaches before, during, and after the enablement of the new digital platform.

As part of the business transformation strategy, will the organisation standardise on specific applications or allow for more open source and DevOps CI/CD agile development?

The answers to these questions will give the organisation a foundation of choice between a positive or negative or maybe even a hybrid security model choice.

What is a positive security model?

A positive security model is defined basically as a whitelisting method of security protection. The initial security focuses on blocking or denying everything coming through the various security adaptive controls, including the web application firewall (WAF)

Only permitted traffic defined with the WAF rules is allowed through.

Critical analysis is required when enabling this model. Understanding app security vulnerabilities embedded within legitimate traffic is challenging for any model. The deny-all policy is a vital piece of the positive model. Most often, legitimate traffic becomes blocked by the users with this model.

By denying everything through access control lists(ACLs), SecOps and DevOps, in turn, can enable port and protocol access based on the need of the application and user connectivity, not beforehand. This security method is far more secure than the negative model because unless the traffic is defined as safe, the connection and application requests are dropped at the border router and firewall. Unknown attacks are more likely to block under this model.

What is a negative security model?

Contrary to the positive security model, the negative security policy model focuses on the permit-all idea. The model allows undefined network traffic to pass through the adaptive security layer. The positive security model uses the opposing model users block instead of whitelisting. By using blacklisting, the negative model focuses on blocking ports and protocols after they have been deemed a security risk, not before. As SecOps and DevOps teams discover a security breach or maybe through pen-testing, they have identified a vulnerability. The team will leverage ACLs and rule sets on the WAF to block the traffic.

Implications of choosing which model is best

Choosing which security model could have immediate or long-term security implications or short-term positive impacts on protecting the organisation from an unknown zero-day attack. Here is an excellent analog to consider when selecting between the positive and negative security model:

When organisations enable an artificial intelligence engine to process data into workable segments to feed into machine learning models. What if the AL and ML were misconfigured? The output trends and data analytics seem to align with the business objectives. How should the organisation correct the issue? Is there an issue to update, to begin with?

Understanding the implications of managing a false positive and a false-negative security condition is challenging for any SecOps team. Reducing the workload to investigate false positives starts with the initial configuration of the adaptive control along with ongoing tuning of the various security rules. Legacy firewalls and security routers often became unmanageable after one year because the ACL list grew into thousands of lines.

The reciprocal is also true. Devices with minimal security adaptive controls tend to lead to more security breaches, causing many organisations to shut down their systems with very little attack analytics to capture the event.

The positive security model often leads to more false positives due to the "deny-any" strategy. However, the positive model is considered more secure for the organisation requiring extensive ongoing management to stop external attacks. The negative security model tends to promote more false negatives reports, requiring more resources to react to the increases in cybersecurity attacks due to fewer security rules.

Know which model makes the most sense

Positive security will be ideal if the organisation plans to release several application changes using Agile CI/CD DevOps deployment. Integrating into the DevOps model, code changes along with WAF rule set adjustments can be made within the same sprint. The negative security model will be ideal if the organisation plans to push for rapid deployment and frequent maintenance releases in shorter change control windows.

Role of a Managed Security Service provider(MSSP)

Once the organisation decides what model it will enable, an MSSP is a valued partner to assist with this decision. Organisations allowing a hybrid model (a mix of positive and negative models) require extensive and qualified resources to help with this enablement. MSSPs' expertise in creating WAF rules, analysing application traffic for other clients, and accessing a global team of cybersecurity experts gives an organisation immediate value in this security journey.

Ongoing monitoring support for the application security stack is the labor-intensive positive security and the reactionary resources needed to support the negative model. It falls squarely on the expertise of the MSSP provider.

The provider can automate this process by having an MSSP manage the positive and negative security model by monitoring and adjusting the WAF and security rules based on application changes and usage. The client can better utilise their internal resources on more strategic cyber security projects and priorities.

Linearstack industry expertise -  MSSP services

LinearStack is a New Zealand-owned and operated specialised cyber security services company with a global footprint.  The core focus of our business is to accelerate our customer’s cyber security operations with the help of our cyber defence services. We offer a range of managed and professional services to accomplish this goal for our customers. We are a true 24x7eyes-on-glass and hands-on-keyboard operation.

 

We augment our client’s teams by acting as a true an extension of their team empowering our clients to prioritise their cyber security strategy and customers while we protect their business from cyber threats 24x7. This is a transition we manage smoothly through tried &tested, robust, and well-defined processes.

Our Technology and Architecture Implementation services are designed for organisations that need security frameworks tailored to their existing IT infrastructure and organisational goals.

●      Good with complexity – we find solutions for the most challenging operations.

●      Positioning – we position the right technology in the right network segment to get maximum visibility into your network.

●      Better ROI from your existing technology – we identify under-utilised or overlooked features.

An expanded cyber security capability.

Our Managed Security Services are designed for organisations needing to significantly boost their cybersecurity capability. You want to save staffing costs while gaining instant and ongoing access to best-in-class expertise.

24x7 Cyber Vigilance

We monitor & protect your network and endpoints from threats 24x7, even when your employees are working remotely.

Culture

We’re 100% privately held, grown with a family mindset. When working with clients, we’re well integrated within their teams and act as an extension of their operations. Augmenting existing teams is a transition we manage smoothly, empowering our customers to prioritize cybersecurity strategy while we protect their business from cyber threats 24x7.

We believe maintaining thriving IT systems and assuring data protection are fundamental needs that all businesses deserve.

Contact Us

Want to know more about what we have to offer? We'd love to hear from you.

Get in touch with us today:

Phone: 0800 008 795

Email: info@linearstack.co.nz

Website: https://linearstack.co.nz   

Blogs

Start Reading

Our latest blogs and news are here for you

Extended Detection and Response (XDR)

XDR - What it is and how it speeds up cyber threat detection, investigation and response
Read More

Exploring MITRE ATT&CK for Threat Detection

A brief introduction to the MITRE ATT&CK Framework and how to get started using it
Read More

Difference between SANS & NIST IR Frameworks

NIST IR & SANS are key frameworks used in the data security industry – Do you know the similarities and differences?
Read More
Are you experiencing a security issue? Call us now.