Gartner Touts Reprovisioning For Threat Protection

Analysts at Gartner are advocating workload reprovisioning as the best protection against advanced attacks

Gartner is recommending remedial action for stealth cyber-attacks that would have been unthinkable before virtualisation took over the data centre.

The problem with an advanced persistent threat (APT) or targeted malware is that there is no discernable signature and the attackers move towards their goal with all of the care and attention that a sapper takes when defusing a bomb. This makes the attack extremely difficult to detect and, as the miscreants improve their techniques, the attack may be over before it is detected.

“New approaches, such as systematic workload reprovisioning, are needed to counter these advanced threats, and will require fundamental shifts in the way security professionals think about the ongoing security and management of server and desktop workloads,” said Neil MacDonald, vice president and Gartner fellow.

Sound Principles In Virtualised Environments

The principle behind systematic workload reprovisioning (SWR) is straightforward. By periodically rebuilding and reprovisioning server and desktop workloads from a high-assurance library of base image files, any malware that has been installed will be eradicated and the hackers will find themselves back at square one.

The principle is not new. Remediation of some serious antivirus attacks have forced the victim to go back to basics and reload the operating system and reprovision the infected systems from scratch. Gartner analysts are now recommending an updated version of this as a guard against undetectable attacks.

The process they recommend takes some thinking through. In some cases, an application running in a virtual instance remains unchanged throughout its lifecycle. Once configured and stored, the instance can be reloaded and brought online with no effect on the overall running of the process involved.

In other cases, the software may be updated as filters or rules are added and modified. These would have to be reflected in the base image files.

Gartner predicts that by 2016, more than 20 percent of enterprises will adopt a SWR strategy for high-risk, server-based workloads, and more than 60 percent of enterprises will adopt a SWR strategy for hosted virtual desktop workloads.

SWR Will Become The Norm

The company admits that workload reprovisioning is not a new concept but adds that proactive and systematic workload reprovisioning is.

“With SWR, the process of restoring workloads back to high-assurance states becomes the norm, not the exception, and it will become an automated, not manual, process,” Gartner said. “By periodically resetting workloads back to a high-assurance state, information security professionals proactively remove deeply rooted malware from the system, making it nearly impossible for advanced intrusions to persist, and minimising the dwell time of undetected intrusions.”

“Although the principle behind SWR is straightforward, the change in mindset is significant” MacDonald argued. “With an SWR strategy, workloads in production are not trusted and are considered compromised. With today’s advanced threat environment, we must adopt this change in thinking and adjust our security and operational strategies to reflect this.”

He added that he believes systematic reprovisioning from high-assurance repositories will become an accepted strategy for protecting high-risk workloads during the next five years.

Further details are provided in two Gartner reports: as a high-level view in Systematic Workload Reprovisioning as a Strategy to Counter Advanced Persistent Threats: Concepts and a deeper look in Systematic Workload Reprovisioning as a Strategy to Counter Advanced Persistent Threats: Considerations.