Risk
12/16/2013
11:06 AM
John W. Pirc
John W. Pirc
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

The State of IT Security: It’s Broken

It's time to move past the hyperbole of next-gen security and look to new approaches that show enterprises how to understand and assess their unique risks.

Will 2014 be the year of change for the security industry? Not if we continue to approach information security in the same ways we have for the past three decades. No, it’s time to move beyond the hyperbolic claims of next-generation security. To address current threats and to reduce risk, we require empirical data and now generation technology.

Today, right now, we can significantly reduce risk by using big data threat analytics, and by analyzing security products based on empirical data and practical deployment use cases. In this way, organizations can better understand the limits of their current security infrastructure. Here are some examples of where we are and where we need to go.

Dynamic, not static, risk assessment
The way in which we assess true risk and apply security countermeasures has become predictable and static. Security products that are deployed do not differ much across different industry sectors. Additionally, security budgets are cyclical. Strategies are often based on historical information. Risk continues to be measured as a snapshot in time, and this significantly increases the time to threat detection and protection. There is no silver bullet that guarantees 100 percent protection, but moving from static risk assessment to dynamic risk assessment will allow us to begin modeling risk that is variable at any given point in nearly real-time.

Dynamic risk assessment requires us to examine risk from multiple angles by leveraging big data analytics. With the correct approach and key data points, well-known algorithms can be applied across multiple key indicators to accurately predict and forecast threats against an organization. You might consider this a far-fetched claim, but it’s not.

Variable risk: a new way to bake a cake
A few years ago, an executive from a Fortune 500 organization observed, “We have all the ingredients to make a cake, but we lack the ability to bake it.” The comment challenged me to rethink our approach to security and strive for a bold alternative. To do this, it was necessary to move beyond the comfort zone of industry-dictated security best-practices and approaches to reducing risk. We can continue to throw money at various point products that might close temporary risk-gaps resulting from recent breaches. We could, conversely, utilize a variable risk model whereby accurate information across multiple indicators provides the data necessary to purchase and deploy security solutions that significantly reduce risk.

In this model, we use multiple top-level indicators to establish a variable-risk score. This requires some work, but a security net with gaps is ineffectual. With our new model we can significantly reduce the gaps with accurate information plugged into a new risk equation that offers a pragmatic approach to addressing risk: Attack Surface (Threat Intelligence) + Threat Modeling = Variable Risk.

  • Attack Surface: This differs radically depending on industry vertical, geolocation, and amount of the information technology (IT) department budget. The attack surface is the operating system and the applications that are targeted by the adversary. It includes common desktop environments, mobile devices, and bring-your-own-device (BYOD). The extent to which these key indicators can be inventoried is a critical factor in tailoring security that is prescriptive for an organization.
  • Threat Intelligence: This describes the multiple threat feeds that provide near real-time intelligence on valid known and unknown malware, vulnerabilities, and exploits. Key to this intelligence is finding out the type of attack vector being used, and which operating systems and applications are vulnerable. Other key indicators that offer detection and protection are the dropped file name, command and control IP Address, URL, country code, and severity of the vulnerability.
  • Threat Modeling: This provides the ability to model known threats that are able to bypass current security products as they apply to an attack surface. This includes intrusion prevention systems (IPS), next generation firewalls (NGFW), secure web gateways (SWG), web application firewalls (WAF), antivirus (AV), and breach detection systems (BDS).
    There should be a clear understanding of the limitations of an organization’s security infrastructure as well as the time required to detect threats and protect against them. This knowledge will allow the organization to address the true risk to its environment. It will also assist when the organization seeks to renew or replace a security vendor. Although this type of data is available today, it is static and typically tested with known vulnerabilities. Live threat modeling, however, allows for dynamic testing that takes into account threats that have not yet been named. This information is valuable in calculating variable risk.
  • Variable Risk Rating: This provides the true measure of risk to an environment at any given point in time.

Today’s security environment is dynamic and complicated. The threat landscape and the attack surface are constantly changing. Every organization will experience patient zero (the first victim, i.e., the endpoint, when an organization is breached). The ability to reduce the time to detection and prevention is crucial in mitigating a breach.

The variable risk model eliminates the signal-to-noise ratio by focusing on what really matters in an environment. To remain competitive and secure in today’s global environment, organizations require a tailored approach specific to their attack surfaces. Waiting for next-generation security products to become the status quo only increases an organization’s chances of becoming a statistic or of discovering too late that it has been one for the past 16 to 18 months.

Author bio:
John Pirc is research vice president at NSS Labs. He is a noted security intelligence and cybercrime expert, an author, and a renowned speaker, with more than 15 years of experience across all areas of security.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
12/16/2013 | 3:53:07 PM
Re: Tailored approach
Suggesting security is broken impies that it can be fixed, that some state of perfect security will be achieved. I doubt that's possible (and were it possible, it would be subverted by the NSA, for the sake of national security). The best we can hope for is to keep pace with malware innovation and to remain vigilant enough that some other organization gets attacked.
Susan Fogarty
50%
50%
Susan Fogarty,
User Rank: Apprentice
12/16/2013 | 2:36:45 PM
Re: Tailored approach
John, my question is related to Marilyn's, I believe. Are you suggesting this analysis be done as an automated process? It seems like it would need to be in order to be current and dynamic. In my experience, security pros tend to distrust most types of automated systems.
danielcawrey
50%
50%
danielcawrey,
User Rank: Apprentice
12/16/2013 | 2:33:03 PM
Re: Tailored approach
I like this dynamic vs. static approach. If everyone is conducting security in the same way, then how is it even possible to properly be on top of risks? Malicious actors, in this way, have a window that allows them to simply go against the grain of samenes. It's time to think differently. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/16/2013 | 12:17:15 PM
Tailored approach
John, your indictment of the security industry -- and your call to action about taking advantage of technology that is available NOW to reduce risk is quite compelling. But I also wonder if there is also a knowledge gap withiin the InfoSec community. Do practitioners have the analytical skills to make the analytical judgements to develop the tailored approach you advocate? 
<<   <   Page 2 / 2
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5104
Published: 2014-07-28
Multiple SQL injection vulnerabilities in ol-commerce 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) a_country parameter in a process action to affiliate_signup.php, (2) affiliate_banner_id parameter to affiliate_show_banner.php, (3) country parameter in a process action ...

CVE-2014-5105
Published: 2014-07-28
Multiple cross-site scripting (XSS) vulnerabilities in ol-commerce 2.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) a_country parameter in a process action to affiliate_signup.php or (2) entry_country_id parameter in an edit action to admin/create_account.php.

CVE-2014-5106
Published: 2014-07-28
Cross-site scripting (XSS) vulnerability in Invision Power IP.Board (aka IPB or Power Board) 3.4.x through 3.4.6 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header to admin/install/index.php.

CVE-2014-5107
Published: 2014-07-28
concrete5 before 5.6.3 allows remote attackers to obtain the installation path via a direct request to (1) system/basics/editor.php, (2) system/view.php, (3) system/environment/file_storage_locations.php, (4) system/mail/importers.php, (5) system/mail/method.php, (6) system/permissions/file_types.ph...

CVE-2014-5108
Published: 2014-07-28
Cross-site scripting (XSS) vulnerability in single_pages\download_file.php in concrete5 before 5.6.3 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header to index.php/download_file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.