Positive Security Controls vs. Negative Security Controls*


June 8, 2018

*And why you should use both

We talk a lot about the different technologies and strategies we use to protect our customers every day as a Managed Security Services Provider (MSSP). We’ve even published a quite informative white paper that spells out our overall viewpoint (download our free Intelligence in Depth guide here).

I thought it’d be a good idea to get a little more granular and dive into something I’ve mentioned here on this blog before: positive security controls and negative security controls, and why it’s important to leverage both for a healthy and active security posture.

Exciting right?

What is a Positive Security Control?

A positive security control allows only the known, whitelisted good (software, scripts, and so on) to run in your environment; anything not on the list is denied by default.

“Using a positive security model (Whitelist) you are effectively stating ‘allow these known good’ events, thus implying that anything unknown is bad,” said Ray Scholl, Security7’s CISO. “This helps eliminate the unknowns (good or bad) from passing and eliminates unanticipated activity.”

However, a positive security model isn’t all kittens and rainbows, as Scholl was quick to point out:

“It can become burdensome – a new application or update, additional business requirement, etc. requires amending the list. (It’s) more impacting to the user community but more secure (overall).”

What is a Negative Security Control?

A negative security control blocks the known bad (malware, viruses, trojans, and so on) from running in your environment and allows everything else by default.

“Applying a negative security model (Blacklist) is fine, but now you have to maintain a list, add new signatures and wonder if you ever have them all covered… the unknown,” Scholl said. “The burden of ‘keeping up’ that list is on you and there is, in my opinion, an inevitable gap between discovery, signature, and updating. Less impact to the user community but is less secure.”

Why should you use both positive and negative security controls?

Ever heard the old idiom that there can be “too much of a good thing”? It applies to both positive and negative security controls. Relying on one to the exclusion of the other can hamper or even harm not only your environment but also the working efficiency of the people who rely on it every day.

For instance, a negative security control might be easy to deploy, but keeping its list current with the vast number of threats discovered every day is not, and anything discovered after the last update passes straight through.

The opposite is true of a positive security control. If you allow only the “known good” to run, what legitimate software or activity are you blocking or hindering, and who maintains the list every time an application changes?

This is why combining the two strategies makes sense:

“Can we combine these to generate a less burdensome yet solid approach? You are an iPhone/Mac user and you trust an app so you install it,” Scholl said, using “You still have dials to disable features you may consider undesirable… or you know your Mac is secure and don’t think you can be hacked – yet you cover your camera… overlapping approaches to minimize user & admin burden and getting the security you desire.”

Brian Thomas, Security7’s CTO had this to add:

“It is not an either-or problem, which is why both positive and negative security models need to be applied in a complementary fashion,” Thomas said. “Wherever possible, a positive security model is preferred, just by definition, but the context and application of that definition is what matters.”

“So let’s take Cylance’s Intelligent Application Whitelisting approach as an example. Cylance looks at roughly a hundred indicators of how an executable is constructed. So if a file meets a certain threshold of these indicators, it is considered ‘safe’.”

Thomas brought up a recent instance in which a piece of software published and digitally signed by Hewlett Packard was actively logging the keystrokes of anyone who installed it.

“It passed these ‘whitelist’ checks. The problem with this particular application is that it logged all user keyboard input as an unintended programming flaw by the developer,” he said. “Because of this programming flaw, it created an inadvertent data disclosure security risk that could be exploited by a savvy attacker.”

“Enter the need for a complementary negative security model. Our EDR product, Cybereason, also evaluates applications and looks for ‘known-bad’ signatures of files that have been identified as having security vulnerabilities. It was Cybereason that detected this particular piece of software as being a security risk through its application of a negative security model.”

“Another example is the Internet’s use of a PKI for ensuring valid encrypted and digitally signed traffic. All systems or browsers include an up-to-date list of Trusted Root and Intermediate CAs (whitelist) as well as a list of Revoked CA certificates (blacklist),” he said. “One without the other would lead to a situation where a client could easily trust an untrusted or compromised source.”

“There are many other examples I can provide, but suffice it to say that each layer (OSI) of a security solution will ideally apply a combination of Positive & Negative Security Models, coupled with intelligent Detection and actionable Response Controls.”

The Takeaway

Rather than picking one, organizations of any size should implement both types of security control. The ideal is a hybrid in which whitelisting sets the default-deny baseline and blacklisting catches the known-bad that still passes the whitelist, so you get the best of both worlds.
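To make that hybrid concrete, here is an added example of an application-control decision that applies both lists. It is my own illustration for this post, not code from Security7, Cylance or Cybereason, and the publisher name, file paths and file contents are constructed stand-ins. The “audio driver” models the signed-but-keylogging case Thomas describes: its publisher is trusted, so the whitelist alone lets it run, but its hash is on the known-bad list, so the blacklist stops it. The unsigned dropper shows the opposite gap: the blacklist alone has never seen it and lets it run. Real agents key on code-signing certificates and file hashes in much the same way; the policy engine here is deliberately minimal.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Executable is what an application-control agent knows about a binary before
// deciding whether it may run. Bodies below are short constructed byte strings
// standing in for real file contents.
type Executable struct {
	Path   string
	Signer string // publisher from the code-signing certificate; "" when unsigned
	Body   []byte
}

// Mode selects which control is applied so the gap each leaves on its own can
// be compared with the combined policy.
type Mode int

const (
	AllowlistOnly Mode = iota // positive control alone
	BlocklistOnly             // negative control alone
	Both                      // negative check first, then positive default-deny
)

type Decision struct {
	Allowed bool
	Reason  string
}

// Policy carries the positive list (publishers we have decided to trust) and
// the negative list (SHA-256 of files known to be bad).
type Policy struct {
	TrustedSigners map[string]bool
	KnownBad       map[string]string // sha256 hex -> why it is blocked
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Evaluate returns the verdict for e under mode m.
func (p Policy) Evaluate(e Executable, m Mode) Decision {
	h := sha256Hex(e.Body)
	if m != AllowlistOnly {
		if why, bad := p.KnownBad[h]; bad {
			return Decision{false, "blocklist hit: " + why}
		}
	}
	if m == BlocklistOnly {
		// Negative control alone: anything not yet on the list runs.
		return Decision{true, "not on blocklist; allowed by default"}
	}
	if e.Signer != "" && p.TrustedSigners[e.Signer] {
		return Decision{true, "allowlist: signed by trusted publisher " + e.Signer}
	}
	return Decision{false, "default deny: unsigned or untrusted publisher"}
}

// Constructed sample data (not real files). The driver is validly signed by a
// trusted vendor yet has been found to log keystrokes, so its hash was added
// to the negative list after the fact.
var (
	driverBody  = []byte("CONSTRUCTED: vendor audio driver build with leftover keystroke logging")
	dropperBody = []byte("CONSTRUCTED: never-before-seen unsigned dropper")
	toolBody    = []byte("CONSTRUCTED: vendor diagnostics tool")
)

func SamplePolicy() Policy {
	return Policy{
		TrustedSigners: map[string]bool{"Example Hardware Vendor Inc.": true},
		KnownBad: map[string]string{
			sha256Hex(driverBody): "signed driver found to log all keyboard input",
		},
	}
}

func SampleExecutables() []Executable {
	return []Executable{
		{"C:\\Program Files\\Vendor\\audiodrv.exe", "Example Hardware Vendor Inc.", driverBody},
		{"C:\\Users\\Public\\dropper.exe", "", dropperBody},
		{"C:\\Program Files\\Vendor\\diag.exe", "Example Hardware Vendor Inc.", toolBody},
	}
}

func main() {
	p := SamplePolicy()
	for _, m := range []Mode{AllowlistOnly, BlocklistOnly, Both} {
		for _, e := range SampleExecutables() {
			d := p.Evaluate(e, m)
			fmt.Printf("mode=%d %-40s allowed=%-5v %s\n", m, e.Path, d.Allowed, d.Reason)
		}
	}
}
```

The order of the checks matters: the negative list is consulted first so that a trusted signature can never override a known-bad verdict, and the positive list then supplies the default-deny for everything the blacklist has not seen. Swap the order and the signed driver runs again.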

Interested in finding out more about how Security7 leverages both positive and negative security controls? Download our free Intelligence in Depth guide here.

Carl Keyser is the Content Manager at Integris.
