Gartner’s CARTA (Continuous Adaptive Risk and Trust Assessment), which sets out their vision for security, is increasingly being adopted by several enterprises. Recently Gartner also called out CARTA strategic approach in the top 10 security projects for 2019. CARTA, being a strategic approach, covers a whole gamut of areas and multiple security products from endpoints, devices, IoT, procurement, etc. contribute to different parts of CARTA.
A couple of years back, Gartner introduced CARTA (Continuous Adaptive Risk and Trust Assessment) – a strategic approach to information security. With workloads increasingly moving to the cloud, access is made from multiple devices and locations outside office boundaries, one-time gates are no longer sufficient and must change to be adaptive and context-aware.
The CARTA approach suggests that both Risk (threat/attack) and Trust (access by entities) should not be made as a one-time gate of good/ bad, allow/disallow but instead, be continuously evaluated and actions taken in a dynamic, adaptive manner based on various factors like device, risk, asset value, incidents, behavior, analysis, etc. This strategy is applicable to Ops (production), Build (development), and Planning (business owners).
In this document, we talk about CARTA as it applies to Web Application Security and Indusface, applicable more to threat assessment and mitigation and not as much to trust. For this aspect, CARTA sets out a cycle of Predict – Prevent – Detect – Respond which resonates with the Detect-Protect-Monitor approach that Indusface provides.
Anticipate Threats & Exposure. (Detect)
Indusface Web Application Scanner automatically scans applications for vulnerabilities. Customers that need deeper business logic scanning will use our premium pen testing service.
Prevent Attacks (Protect)
Indusface WAF implements the Protect part and prevents attacks. The highly tuned advanced rule set is in block mode right from the start. Premium (custom) rules will be written and applied depending on specific customer scenarios.
Incident/breach (Protect, Monitor)
Indusface tools and teams will analyze and Monitor events to detect indicators of attempted attack and take appropriate action including automated response, alerting, and getting security experts involved.
Remediate, analyze incidents (Detect, Protect, Monitor)
Raw and analyzed logs are stored so post facto analysis can be done by internal and customer teams. Internally, detection, prevention rules are adjusted, customized and new targeted rules written as needed in response to incidents.
Integrated WAS and WAF
Vulnerabilities found by scanning have additional information associated with them that explains whether there is protection out of the box, additional rules must be applied, or a premium custom rule should be requested. Known vulnerabilities are tracked closely though they are mitigated by WAF – an attempt to attack is always interesting. Similarly, areas of the web application that are accessed in the real world but not yet scanned will be prioritized for scanning the next time a scan is performed.
Data pipeline
Without data there is no analysis and timely data is required for a quick response. Indusface has built a high volume, high-speed data pipeline so that security and non-security events rapidly get to the backend for analysis. This augments the longer-term storage of raw data that can be used for post facto analysis by customers if needed.
Analytics, AI, ML, automation
“Use analytics, AI, automation, and orchestration to speed the time to detect and respond — and to scale our limited resources”
This has always been our philosophy. We use our years of experience with numerous web applications to drive what to automate like manual pen test cases -> automated scanning and automated rule generation. With the data pipeline, now we are adding more analytics and AI so our teams can focus on and prioritize security issues and incidents. This is the only scalable way to handle the sheer volume of data that is generated/collected.
Adaptive protection
Allow more decisions than a simple block / allow e.g. CAPTCHA, throttle, alert. These decisions are not static and depend on the behavior, context, threat assessment, and vulnerability scans. This also means that IP as an identity is not sufficient, a more fine-grained knowledge of the session is needed. Sometimes this can be done by looking at the traffic while for others we need to integrate with IAM providers.
Play well with others
Along with the business cases like CDN integration, let us Encrypt certificates, on a security-specific basis, we are implementing API driven integration that can be used for things like getting events from Indusface (e.g. SIEM), adjusting security posture, richer session identity, etc.
Firstly, in Table 1 “Foundational Security Projects and Capabilities”: Server Protection Agents/ Security Infrastructure, WAF is one of the solutions for perimeter security controls. Of the specific 10 security projects that Gartner mentions, there are two that directly apply
WAF is specifically called out in the project advice as mitigating technology.
Project Advice — Look at current threat and vulnerability management products and processes to accomplish this. Also, consider mitigating technologies such as intrusion detection and prevention systems (IPDS) and web application firewalls (WAFs) that could be actively protecting for unpatched vulnerabilities.
Indusface Detect-Protect-Monitor and all the features relating to CARTA discussed above make Indusface an ideal partner to implement CARTA strategies for your web application security.
If you have taken a managed security services approach, consider a detection and response project that can feed valuable information into a managed detection and response (MDR) provider and/or a managed security service provider (MSSP).
From an operational standpoint, the foundation of CARTA starts with an assessment, and then building the zero-trust principles on top of that with an adaptive security model:
From an operational Standpoint, the foundation of CARTA starts with an assessment and then building the zero-trust principles on top of that with an adaptive security model
While Indusface has been doing much of this for years, using the CARTA framework to focus our approach helps us and our customers achieve Adaptive Attack Prevention.
media.threatpost.com/wp-content/uploads/sites/103/2020/07/02094226/Carta-01.png
www.indusface.com/?utm_source=Threatpost-article&utm_medium=Referral&utm_campaign=Threatpost-CARTA
www.indusface.com/learning/web-application-firewall/what-is-virtual-patching/?utm_source=Threatpost-article&utm_medium=Referral&utm_campaign=Threatpost-CARTA
www.indusface.com/products/application-security/web-application-firewall/?utm_source=Threatpost-article&utm_medium=Referral&utm_campaign=Threatpost-CARTA
www.indusface.com/products/application-security/web-application-scanning/?utm_source=Threatpost-article&utm_medium=Referral&utm_campaign=Threatpost-CARTAe
www.indusface.com/resources/white-papers/continuous-adaptive-risk-and-trust-assessment-carta/?utm_source=Threatpost-article&utm_medium=Referral&utm_campaign=Threatpost-CARTA