11:06 AM
John W. Pirc

The State of IT Security: It’s Broken

It's time to move past the hyperbole of next-gen security and look to new approaches that show enterprises how to understand and assess their unique risks.

Will 2014 be the year of change for the security industry? Not if we continue to approach information security in the same ways we have for the past three decades. No, it’s time to move beyond the hyperbolic claims of next-generation security. To address current threats and to reduce risk, we require empirical data and now-generation technology: tools that work today, not promises of what the next generation will do.

Today, right now, we can significantly reduce risk by using big data threat analytics, and by analyzing security products based on empirical data and practical deployment use cases. In this way, organizations can better understand the limits of their current security infrastructure. Here are some examples of where we are and where we need to go.

Dynamic, not static, risk assessment
The way in which we assess true risk and apply security countermeasures has become predictable and static. The security products that are deployed do not differ much from one industry sector to another. Additionally, security budgets are cyclical, and strategies are often based on historical information. Risk continues to be measured as a snapshot in time, and this significantly increases the time to threat detection and protection. There is no silver bullet that guarantees 100 percent protection, but moving from static to dynamic risk assessment will allow us to begin modeling risk as a variable quantity at any given point, in near real-time.

Dynamic risk assessment requires us to examine risk from multiple angles by leveraging big data analytics. With the correct approach and key data points, well-known algorithms can be applied across multiple key indicators to accurately predict and forecast threats against an organization. You might consider this a far-fetched claim, but it’s not.

Variable risk: a new way to bake a cake
A few years ago, an executive from a Fortune 500 organization observed, “We have all the ingredients to make a cake, but we lack the ability to bake it.” The comment challenged me to rethink our approach to security and strive for a bold alternative. To do this, it was necessary to move beyond the comfort zone of industry-dictated security best-practices and approaches to reducing risk. We can continue to throw money at various point products that might close temporary risk-gaps resulting from recent breaches. We could, conversely, utilize a variable risk model whereby accurate information across multiple indicators provides the data necessary to purchase and deploy security solutions that significantly reduce risk.

In this model, we use multiple top-level indicators to establish a variable-risk score. This requires some work, but a security net with gaps is ineffectual. With our new model we can significantly reduce the gaps with accurate information plugged into a new risk equation that offers a pragmatic approach to addressing risk: Attack Surface (Threat Intelligence) + Threat Modeling = Variable Risk.

  • Attack Surface: This differs radically depending on industry vertical, geolocation, and the size of the information technology (IT) department's budget. The attack surface is the set of operating systems and applications that are targeted by the adversary. It includes common desktop environments, mobile devices, and bring-your-own-device (BYOD). The extent to which these key indicators can be inventoried is a critical factor in tailoring security that is prescriptive for an organization.
  • Threat Intelligence: This describes the multiple threat feeds that provide near real-time intelligence on valid known and unknown malware, vulnerabilities, and exploits. Key to this intelligence is finding out the type of attack vector being used, and which operating systems and applications are vulnerable. Other key indicators that support detection and protection are the dropped file name, the command-and-control (C2) IP address, the URL, the country code, and the severity of the vulnerability.
  • Threat Modeling: This provides the ability to model known threats that are able to bypass current security products as they apply to an attack surface. This includes intrusion prevention systems (IPS), next generation firewalls (NGFW), secure web gateways (SWG), web application firewalls (WAF), antivirus (AV), and breach detection systems (BDS).
    There should be a clear understanding of the limitations of an organization’s security infrastructure as well as the time required to detect threats and protect against them. This knowledge will allow the organization to address the true risk to its environment. It will also assist when the organization seeks to renew or replace a security vendor. Although this type of data is available today, it is static and typically tested with known vulnerabilities. Live threat modeling, however, allows for dynamic testing that takes into account threats that have not yet been named. This information is valuable in calculating variable risk.
  • Variable Risk Rating: This provides the true measure of risk to an environment at any given point in time.
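As an added illustration (not code from the article or from NSS Labs), the script below wires the three inputs above into the article's equation: an attack-surface inventory, a threat-intelligence feed with targeted OS/app identifiers and severity, and threat-modeling results recording which deployed controls each threat bypasses. All names, counts, severities and the residual weight of 0.25 are constructed assumptions; threats that are not on the inventory are dropped as noise.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    vector: str          # attack vector reported by the intel feed
    targets: frozenset   # OS/app identifiers the threat exploits
    severity: int        # 1 (low) .. 10 (critical), from the feed

# Attack surface (constructed): identifier -> number of endpoints running it.
ATTACK_SURFACE = {"windows7": 120, "win10": 300, "java7": 80,
                  "adobe_reader": 200, "ios": 150}

# Threat-intelligence feed (constructed sample entries).
THREAT_FEED = [
    Threat("exploit-kit-A", "drive-by", frozenset({"java7", "adobe_reader"}), 9),
    Threat("macro-dropper-B", "phishing", frozenset({"win10", "windows7"}), 6),
    Threat("ios-jailbreak-C", "app-store", frozenset({"ios"}), 4),
    Threat("linux-worm-D", "network", frozenset({"linux"}), 8),
]

# Threat-modeling results (constructed): which deployed controls each threat bypasses.
DEPLOYED_CONTROLS = {"IPS", "SWG", "AV"}
BYPASSES = {
    "exploit-kit-A": {"IPS", "AV"},          # SWG still stops it
    "macro-dropper-B": {"IPS", "SWG", "AV"},  # nothing deployed stops it
    "ios-jailbreak-C": {"IPS", "SWG"},        # AV still stops it
    "linux-worm-D": {"IPS", "SWG", "AV"},
}
RESIDUAL = 0.25  # assumed weight when at least one control still blocks the threat

def exposed_endpoints(threat, surface):
    """How much of our attack surface the threat can actually reach."""
    return sum(surface.get(t, 0) for t in threat.targets)

def bypass_factor(threat, bypasses, deployed):
    """1.0 if the threat evades every deployed control, else the residual weight."""
    return 1.0 if bypasses.get(threat.name, set()) >= deployed else RESIDUAL

def variable_risk(surface, feed, bypasses, deployed):
    """Return (total score, per-threat scores ranked high to low)."""
    scores = {}
    for t in feed:
        exposed = exposed_endpoints(t, surface)
        if exposed == 0:
            continue  # not on our attack surface: noise, not signal
        scores[t.name] = t.severity * exposed * bypass_factor(t, bypasses, deployed)
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    return sum(scores.values()), ranked

if __name__ == "__main__":
    print(variable_risk(ATTACK_SURFACE, THREAT_FEED, BYPASSES, DEPLOYED_CONTROLS))
```

Re-running the function as the inventory, feed or bypass results change is what turns the snapshot into the near real-time rating the article argues for.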

Today’s security environment is dynamic and complicated. The threat landscape and the attack surface are constantly changing. Every organization will experience patient zero (the first endpoint compromised when an organization is breached). The ability to reduce the time to detection and prevention is crucial in mitigating a breach.

The variable risk model improves the signal-to-noise ratio by focusing on what really matters in an environment. To remain competitive and secure in today’s global environment, organizations require a tailored approach specific to their attack surfaces. Waiting for next-generation security products to become the status quo only increases an organization’s chances of becoming a statistic, or of discovering too late that it has been one for the past 16 to 18 months.

Author bio:
John Pirc is research vice president at NSS Labs. He is a noted security intelligence and cybercrime expert, an author, and a renowned speaker, with more than 15 years of experience across all areas of security.

Thomas Claburn
User Rank: Ninja
12/16/2013 | 3:53:07 PM
Re: Tailored approach
Suggesting security is broken implies that it can be fixed, that some state of perfect security will be achieved. I doubt that's possible (and were it possible, it would be subverted by the NSA, for the sake of national security). The best we can hope for is to keep pace with malware innovation and to remain vigilant enough that some other organization gets attacked.
Susan Fogarty
User Rank: Apprentice
12/16/2013 | 2:36:45 PM
Re: Tailored approach
John, my question is related to Marilyn's, I believe. Are you suggesting this analysis be done as an automated process? It seems like it would need to be in order to be current and dynamic. In my experience, security pros tend to distrust most types of automated systems.
User Rank: Apprentice
12/16/2013 | 2:33:03 PM
Re: Tailored approach
I like this dynamic vs. static approach. If everyone is conducting security in the same way, then how is it even possible to properly be on top of risks? Malicious actors, in this way, have a window that allows them to simply go against the grain of sameness. It's time to think differently.
Marilyn Cohodas
User Rank: Strategist
12/16/2013 | 12:17:15 PM
Tailored approach
John, your indictment of the security industry -- and your call to action about taking advantage of technology that is available NOW to reduce risk -- is quite compelling. But I also wonder if there is also a knowledge gap within the InfoSec community. Do practitioners have the analytical skills to make the analytical judgements to develop the tailored approach you advocate?