Risk
12/16/2013
11:06 AM
John W. Pirc
John W. Pirc
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

The State of IT Security: It’s Broken

It's time to move past the hyperbole of next-gen security and look to new approaches that show enterprises how to understand and assess their unique risks.

Will 2014 be the year of change for the security industry? Not if we continue to approach information security in the same ways we have for the past three decades. No, it’s time to move beyond the hyperbolic claims of next-generation security. To address current threats and to reduce risk, we require empirical data and now generation technology.

Today, right now, we can significantly reduce risk by using big data threat analytics, and by analyzing security products based on empirical data and practical deployment use cases. In this way, organizations can better understand the limits of their current security infrastructure. Here are some examples of where we are and where we need to go.

Dynamic, not static, risk assessment
The way in which we assess true risk and apply security countermeasures has become predictable and static. Security products that are deployed do not differ much across different industry sectors. Additionally, security budgets are cyclical. Strategies are often based on historical information. Risk continues to be measured as a snapshot in time, and this significantly increases the time to threat detection and protection. There is no silver bullet that guarantees 100 percent protection, but moving from static risk assessment to dynamic risk assessment will allow us to begin modeling risk that is variable at any given point in nearly real-time.

Dynamic risk assessment requires us to examine risk from multiple angles by leveraging big data analytics. With the correct approach and key data points, well-known algorithms can be applied across multiple key indicators to accurately predict and forecast threats against an organization. You might consider this a far-fetched claim, but it’s not.

Variable risk: a new way to bake a cake
A few years ago, an executive from a Fortune 500 organization observed, “We have all the ingredients to make a cake, but we lack the ability to bake it.” The comment challenged me to rethink our approach to security and strive for a bold alternative. To do this, it was necessary to move beyond the comfort zone of industry-dictated security best-practices and approaches to reducing risk. We can continue to throw money at various point products that might close temporary risk-gaps resulting from recent breaches. We could, conversely, utilize a variable risk model whereby accurate information across multiple indicators provides the data necessary to purchase and deploy security solutions that significantly reduce risk.

In this model, we use multiple top-level indicators to establish a variable-risk score. This requires some work, but a security net with gaps is ineffectual. With our new model we can significantly reduce the gaps with accurate information plugged into a new risk equation that offers a pragmatic approach to addressing risk: Attack Surface (Threat Intelligence) + Threat Modeling = Variable Risk.

  • Attack Surface: This differs radically depending on industry vertical, geolocation, and amount of the information technology (IT) department budget. The attack surface is the operating system and the applications that are targeted by the adversary. It includes common desktop environments, mobile devices, and bring-your-own-device (BYOD). The extent to which these key indicators can be inventoried is a critical factor in tailoring security that is prescriptive for an organization.
  • Threat Intelligence: This describes the multiple threat feeds that provide near real-time intelligence on valid known and unknown malware, vulnerabilities, and exploits. Key to this intelligence is finding out the type of attack vector being used, and which operating systems and applications are vulnerable. Other key indicators that offer detection and protection are the dropped file name, command and control IP Address, URL, country code, and severity of the vulnerability.
  • Threat Modeling: This provides the ability to model known threats that are able to bypass current security products as they apply to an attack surface. This includes intrusion prevention systems (IPS), next generation firewalls (NGFW), secure web gateways (SWG), web application firewalls (WAF), antivirus (AV), and breach detection systems (BDS).
    There should be a clear understanding of the limitations of an organization’s security infrastructure as well as the time required to detect threats and protect against them. This knowledge will allow the organization to address the true risk to its environment. It will also assist when the organization seeks to renew or replace a security vendor. Although this type of data is available today, it is static and typically tested with known vulnerabilities. Live threat modeling, however, allows for dynamic testing that takes into account threats that have not yet been named. This information is valuable in calculating variable risk.
  • Variable Risk Rating: This provides the true measure of risk to an environment at any given point in time.

Today’s security environment is dynamic and complicated. The threat landscape and the attack surface are constantly changing. Every organization will experience patient zero (the first victim, i.e., the endpoint, when an organization is breached). The ability to reduce the time to detection and prevention is crucial in mitigating a breach.

The variable risk model eliminates the signal-to-noise ratio by focusing on what really matters in an environment. To remain competitive and secure in today’s global environment, organizations require a tailored approach specific to their attack surfaces. Waiting for next-generation security products to become the status quo only increases an organization’s chances of becoming a statistic or of discovering too late that it has been one for the past 16 to 18 months.

Author bio:
John Pirc is research vice president at NSS Labs. He is a noted security intelligence and cybercrime expert, an author, and a renowned speaker, with more than 15 years of experience across all areas of security.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Susan Fogarty
50%
50%
Susan Fogarty,
User Rank: Apprentice
12/23/2013 | 12:55:21 PM
Re: Tailored approach
John, Thanks for your response. I believe the distrust of automation is something IT folks are going to need to reach beyond in order to progress. In order to keep up with the pace of modern day threats and even simple business processing speed, we can't rely on manual human reaction time anymore.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/20/2013 | 7:29:11 AM
Re: Tailored approach -- change is hard!
I'm glad to hear that what you're advocating doesn't require a ginoromous jump in skills for security practitioners, John. But I agree that change is hard and it will be challenging for many people and organizations to move off the status quo to a variable risk model  that is radically different.

For readers, I'm curious:  What do you think would be the hardest aspect of shifting from a static to a dynamic security risk assessmsent strategy?
JohnPirc
50%
50%
JohnPirc,
User Rank: Author
12/19/2013 | 10:52:41 PM
Re: What about the data?
Thank you Stratustician.  I couldn't agree with you more on data identification and classification.  Having an understanding of where data resides and the value of that data is more than half the battle.  This goes hand and hand with knowing your attack surface. I didn't want to boil the ocean in this paper but you bring up very good points that should not be overlooked!
JohnPirc
50%
50%
JohnPirc,
User Rank: Author
12/19/2013 | 10:47:06 PM
Re: Tailored approach
Thank you Thomas. I would have to disagree with you.  I'm not advocating "perfect security" but a reasonable pragmatic approach to the problem.  If we rely on "hope" and remain vigilant with current security practices than we will never keep pace with the threat.
JohnPirc
50%
50%
JohnPirc,
User Rank: Author
12/19/2013 | 10:34:15 PM
Re: Tailored approach
Thank you Susan. The analysis needs to be performed in real or near-real time.  I agree with your point that most security pros tend to distrust automated systems. I use to think the same way about automated systems and that was something that I learned from the industry as a best practice.  The question I would ask is: "how is that working for you today?".  I don't mean that to sound harsh but we have to do something different and approach the problem from a different angle. 
JohnPirc
50%
50%
JohnPirc,
User Rank: Author
12/19/2013 | 10:06:02 PM
Re: Tailored approach
Thank you Daniel and I couldn't agree with you more.
JohnPirc
50%
50%
JohnPirc,
User Rank: Author
12/19/2013 | 10:04:06 PM
Re: Tailored approach
Thank you Marilyn. Sorry for the delayed response...I've been traveling. I think you will always have knowledge gaps within any industry.  I think practitioners have the skills to adopt my approach.  The biggest hurdle is doing something that seems radically different from current defensive approaches. I will admit that what I wrote just scratches the surface and I plan on adding even more context after the Holiday break with a white paper.   
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/17/2013 | 3:34:04 PM
Re: What about the data?
That's a great point Stratustician, about classifying data in order to know how to protect it. In fact, I have a columnist who will be writing about that topic very soon. (So stay tuned!)

In the meantime, maybe you can share some of your experiences dealing with data classification & security -- good and bad!

 
anon5605928117
50%
50%
anon5605928117,
User Rank: Apprentice
12/17/2013 | 9:34:33 AM
Re: Tailored approach
While it may not be fixable, certainly the conceit that individuals can memorize a hundred different long random passwords (provided they remember their incompatible userIDs) is as irrational as Mr. Spock's surprise when people act like people.    We need to understand people first.
Stratustician
50%
50%
Stratustician,
User Rank: Moderator
12/16/2013 | 8:01:20 PM
What about the data?
I'm surprised that no one brought up one of the key fundamentals of security that would help (hopefully) reduce a lot of the complexity of securing data: asset identification.  I personally find that a lot of the confusion and security points of failure relate to not understanding what data exists, where it is, and how it is used.  It seems like a basic idea that if we have a good idea about what we have, we can build better security policies around it instead of trying to protect everything by throwing everything and anything at the problem and hoping nothing gets through.
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

CVE-2014-2716
Published: 2014-12-19
Ekahau B4 staff badge tag 5.7 with firmware 1.4.52, Real-Time Location System (RTLS) Controller 6.0.5-FINAL, and Activator 3 reuses the RC4 cipher stream, which makes it easier for remote attackers to obtain plaintext messages via an XOR operation on two ciphertexts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.