Preempt Blog

The latest insights and advice to keep your company protected from insider threats and breaches

CARTA – The Evolution of IT Security Beyond Black and White

Gartner’s 2017 Security Summit began this week with a keynote from Neil MacDonald, Eric Ahlm and Ramon Krikken introducing a new charter that will transform all areas of information security moving forward. They introduced a new strategic approach called CARTA* – Continuous Adaptive Risk and Trust Assessment.CARTA Evolution of IT Security

CARTA builds on Gartner’s Adaptive Security Architecture and pushes enterprises to embrace a continuously adaptive approach to information security because in an increasingly digital business world, binary decisions – black or white, allow or block – do not work. Enterprises have to think about how to enable transactions when all the information is not available or there is a known level of risk. A CARTA mindset allows enterprises to make decisions based on risk and trust.

The CARTA strategic approach is defined in great detail in a recent Gartner*report. Some of the key concepts include:

  • Decisions must continuously adapt. Security responses must continuously adapt. Risk and Trust must continuously adapt.
  • Initial block/allow security assessments for access and protection leave enterprises exposed to zero-day and targeted attacks, credential theft, and insider threats.
  • Trust and risk must be dynamic, not static, and assessed continuously as interactions take place and additional context becomes available.
  • Digital business outcomes can only be optimized when digital trust is adaptively managed as a set of fine grained measures of confidence with multidimensional risk and response attributes.

According to Gartner, there are three phases of IT security where CARTA can be applied – Run/Plan/Build.


In the realm of Run, or active deployments, CARTA allows enterprises to use limited resources to focus on the biggest threats. The integration of analytics helps scale limited resources and help them focus on significant threats while automating a majority of incidents. Once you acknowledge perfect prevention is impossible, then continuous response becomes a reality.

The current security resource constraints in most organizations suggests that this won’t be an option, but a requirement. The Mean Time to Detect is over 90 days in the US and the cost per incident is over $1m. In the current environment, Analytics + Response is a force multiplier and can help enterprises scale their security expertise without additional resources that do not exist. The Gartner analysts noted words of caution here – question analytics and don’t believe the hype – and tailor discussions around analytics to specific enterprise challenges. Enterprises will need to think about Analytics in depth, as one specific set of models won’t solve all problems. Think of this as an extension of Defense in Depth.

One key aspect of CARTA in enterprise security is continuous authentication. Continuous authentication will increasingly be part of every effective security program. One time authentication is fundamentally flawed. There is too much risk and too little opportunity to enable digital business. At run time, you need continuous authentication.


This same philosophy can extend to the world of application development, or Build in this framework. Therefore DevSecOps would be the place to use CARTA. As many applications become more Lego like building blocks using open source, it is very possible that vulnerabilities in these software packages exist. To enable DevOps to continue to create new applications, consider implementing a Digital Risk Rating service. Research has shown that a majority of apps using open source components and a majority of those open source components have a significant vulnerability. Using such packages can then become a risk based decision, rather than a black or white option. The same approach can be used when analyzing 3rd party software and integrations.


Another phase where CARTA applies in the Planning & Governance phase. For example, Password complexity and rotation rules have proven harmful and shown that they don’t work. NIST now recommends that enterprises don’t force employees to periodically change passwords. The analysts recommended that enterprises consider adaptive controls and continuously assess risk. In such cases, Analytics powered dashboards highlight risk and allow business owners to decide how much risk to accept. Again, it is not black or white, but a risk based decision making process.

Overall, Gartner’s analysts said that perfection is the enemy of good enough; Pragmatic security will enable digital initiatives to succeed. If not, binary decisions make enterprises conservative.

Preempt’s Take on CARTA

The CARTA approach is fundamental to how the Preempt is built. In fact, there are two areas in particular where Preempt can help enterprises put the CARTA strategic approach in motion today. The first is in the area of Adaptive Access Control, where Preempt is specifically mentioned, and the second is with User and Entity Behavior Analytics. According to Gartner, “Adaptive Access Control is a straightforward first step” to implementing CARTA. The  From the beginning, these two core competencies have been built into Preempt’s approach to real time threat prevention.

The Preempt Platform provides enterprise security teams with a continuously adapting set of threat responses in addition to Allow or Block – Black or White – including, MFA, email notification, re-authenticate, SMS, etc. Combined with User and Entity Behavior Analytics, enterprises can make policy based and CARTA inspired decisions on how to respond to the threat or suspicious incident. For detecting and responding to insider threats and security breaches, we believe this continuously adaptive approach is highly effective and becomes more accurate over time.

Learn more about how Preempt can help you with implementing CARTA:


*Gartner Report: Use a CARTA Strategic Approach to Embrace Digital Business Opportunities in an Era of Advanced Threats, Gartner, May 2017


Topics: Adaptive Response, CARTA, CISO, Risk,

Posted by Ajit Sancheti on June 16, 2017 10:04 AM


Brute Force Attacks: Denying the Attacker, Not the User

According, close to 8 billion accounts have been compromised...

Read More


What State-Sponsored Attacks Can Teach Us About Conditional Access

People often think that state-sponsored attacks from groups like Lazarus...

Read More


A Simplified Approach to Network Segmentation

Network segmentation has long been one of the most valuable tools for protecting ...

Read More


10 Things You Need to Know About Kerberos

As our research team continues to find vulnerabilities in Microsoft that bypass all major

Read More


Brute Force Attacks: Denying the Attacker, Not the User

According, close to 8 billion accounts have been compromised...

Read More