Security Think Tank: Begin switch to context-aware security now, says Gartner

Stated simply, context-aware security is the use of situational information (such as identity, location, time of day, reputation and so on) to improve information security decisions, by making these decisions more efficient, effective and accurate. Let's look at a few examples:

• A next-generation firewall can use identity as an application context to apply its rules, simplifying its configuration and better enabling the business to adopt cloud-based services while balancing the organisation's need to reduce risk.

• A next-generation intrusion prevention system can use the vulnerability context of a system to more accurately tune its rule set, reducing both the system load and the chance of a false positive.

• An information security organisation struggling to deal with the results of a scan that has identified more than 500 vulnerabilities. By applying context information such as network topology, current firewall rules and the business value of the asset, the information security organisation can be focused on closing down vulnerabilities on a handful of systems that represent the highest risk.

• An employee has been phished with an email containing a link to a targeted attack download. Signature-based mechanisms will not stop this — the organisation's antivirus will not detect the payload and the URL is known to be "bad". However, before the user is allowed to navigate to the site, the secure web gateway performs a look-up to a URL reputation (a form of context). The service finds that the URL has a low reputation score and the navigation is blocked, preventing the infection.

The business benefits are ultimately about reducing risk and enabling the business; by reducing the chance that information security mistakenly blocks something legitimate, and increasing the chance that advanced attacks are detected.

As a starting point, Gartner recommends that organisations begin the transformation to context-aware and adaptive security infrastructure now: as they replace static security infrastructure, such as firewalls, and web security gateway and endpoint protection platforms. They also need to demand specific road maps from security vendors for application, identity and content awareness, as well as the ability to incorporate other types of context into their policy enforcement decisions.