Joshua Goldfarb
Playing It Straight: Building A Risk-Based Approach To InfoSec

What a crooked haircut can teach you about framing the discussion about organizational security goals and strategies.

I don’t remember much from my school days, but I do remember one particular statement from one of my teachers. During the course of delivering the lesson, she illustrated her point by remarking: “If you hold your head crooked, you get a crooked haircut.” You might ask yourself what exactly this means and what this has to do with information security. Allow me to elaborate.

What my teacher illustrated with that phrase was the idea of building the proper frame of reference. The haircut analogy illustrates this as follows. A barber or stylist approaches a haircut from his or her frame of reference. Generally, the person giving the haircut is standing up, and thus their frame of reference is based on that (vertical). The person receiving the haircut is generally seated. If that person holds his or her head straight, then both people share the same frame of reference. If, however, that person tilts his or her head, his or her frame of reference becomes different than that of the barber or stylist. As a result, what appears to be a straight haircut to the barber or stylist will in fact be a crooked haircut to the customer.

In other words, if we want to achieve a certain outcome, we have to work towards it from within the correct frame of reference. Otherwise, no matter how much time, money, and resources we invest into our efforts, the outcome may be different from what we expected.

We can extend this analogy to the security realm and learn some valuable lessons from it. Almost all organizations now realize that they need to build or enhance their security programs. Of course, strategies, approaches, and methodologies will vary widely in this endeavor. Results will also vary widely. When undertaking this effort, frame of reference becomes extremely important. If an organization does not properly calibrate its efforts, it can end up investing a lot of time, money, and resources into a security program that misses the mark. In other words, having the right frame of reference guides a program to success. Building or enhancing a security program in a “crooked” frame of reference can ultimately lead to a program that does not adequately address the needs of the organization and does little to improve its security posture.

I’d like to illustrate this concept by sharing a few examples of incorrect frames of reference that I sometimes see in organizations. My goal is to help organizations understand the concept and identify any potential areas for improvement internally.

The Program of “No”
Unfortunately, security professionals sometimes get a reputation for being the people in an organization who always say “no.” In recent years, security has become an integral part of most organizations. But it’s important to remember that the main purpose of an organization is to be successful in its particular line of business. Of course, a business cannot operate without accepting some risk.

A security program’s ultimate goal should be to mitigate risk while enabling the business to be successful. For example, if the business needs to move to the cloud in order to stay competitive, the security organization should focus on how to mitigate and minimize risk before, during, and after that move.

Unfortunately, the frame of reference of many security organizations is structured around a knee-jerk “no” response. The trouble with this is that many areas of the business very quickly learn to go around the security team, rather than work cooperatively and collaboratively with it. In some cases, the security team may even be seen as an adversary. The end result is that the organization’s security posture does not improve at all -- in fact, quite the opposite.

The program of “no” frame of reference most often results in exactly the opposite of what it intended. A frame of reference that seeks to build trust with the business to enable the business to operate more securely produces much better results. After all, security is a business function and should operate accordingly.

Not Focusing on Risk
I, along with many others, have previously written on risk-based approaches to security. This approach is quite strategic in nature. It involves prioritizing the risks and threats to the organization and subsequently working through mitigating those risks and threats. Unfortunately, some organizations don’t build security programs from this frame of reference.

There are a number of different types of approaches I’ve seen that are not risk-based in nature. For example, organizations may build their frame of reference around intelligence, certain categories of technology, certain skillsets, or other things. Each of the examples I’ve mentioned is important and has its place in security, but none of them should be used as the basis for a frame of reference. For example, although intelligence is important, building a security program solely around intelligence causes an organization to rely too heavily on what someone else tells them is important, rather than the real risks and threats to their organization.

Building a frame of reference around mitigating risk allows an organization to incorporate multiple techniques to reach the desired end goals. But the risk-based frame of reference ensures that the organization will properly address the risks and threats it faces regardless of the techniques it employs. Alternate frames of reference address some risks and threats, but they do so informally, rather than strategically. That leaves an organization vulnerable.

Chasing Ghosts
I’ve seen some organizations that run from one “strategy” to the next, following the latest fad, buzzword, shiny object, or otherwise. The fault in this frame of reference is obvious. Fads come and go, but at the end of the day, they were not defined to address the risks that an organization faces.

Of course, new technologies, novel approaches, and fresh thinking can always be used to improve and strengthen a strategic approach to security. But again, they need to be incorporated within a strategic frame of reference. The “new” cannot itself be the frame of reference. That often results in organizations investing heavily in areas that don’t actually mitigate much risk for them -- in other words, chasing ghosts.

Unfortunately, there are far too many “crooked” frames of reference within which an organization can find itself. A strategic, risk-based approach to security can help an organization build a frame of reference geared towards its needs. Having a “straight” frame of reference is critical for properly guiding the efforts of a security organization to adequately address the risks and threats facing the organization.

Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop.
Uri Rivner
User Rank: Author
12/9/2015 | 10:48:17 AM
Dynamic risk-based decisions
Great as always Josh.

Beyond making risk-based choices, it's time the enterprise begins to realise that the authentication and authorization paradigms that have been with us since the dawn of corporate security history are all but dead. What does an authentication session mean anyway these days? All fraud cases in online banking come from authenticated sessions. All hacks come from authenticated nodes.

The same applies to authorization. Take RBAC - a fundamental principle in security. Josh is a CTO, so he has access to this-and-that. Unless Josh changes his role, or unless that role needs an updated access scheme, that's basically it. But in today's reality, it's totally rubbish. Yes, Josh is entitled to access this-and-that, but only if I think it's really Josh, and he really needs that access right now. If there are signs of foul play, I may change my mind. And if I have an ability to dynamically change my mind about authorization, and make sure people get access based on the risk for this specific activity, I'm far better off.

The same goes for my smart home app, the one I'm using to control my smart home. Once I have authenticated, I have full access to everything. That's history. The future is different: far more agile and adaptive. The more it looks like me, and the lower the risk of my current actions, the greater control I should have. And think of IoT appliances as well - they also have authentication and authorization controls that are totally black and white, and without giving them shades and adaptiveness - we'll be screwed a few years from now.

The enterprise security paradigms need some heavy shaking, become far more dynamic, adaptive and risk-based, so real time decisions can be made instantly for every activity.
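The comment above describes combining a static role entitlement with a per-activity, risk-based decision. The following is an added illustration, not code from the original post or from any product: the role names, actions, sensitivity values, signal weights and thresholds are all constructed for the example.

```python
"""Risk-adaptive authorization: a static RBAC entitlement is only the first
gate; the final decision also depends on how confident we are that the
session really belongs to the user and on the risk signals seen right now.
All names, weights and thresholds below are constructed for illustration."""
from dataclasses import dataclass, field

# Hypothetical static entitlements: role -> actions the role may perform.
ROLE_ENTITLEMENTS = {
    "cto": {"read_financials", "approve_vendor", "export_customer_db"},
    "analyst": {"read_financials"},
}

# Hypothetical sensitivity of each action (0-1): higher needs more assurance.
ACTION_SENSITIVITY = {
    "read_financials": 0.3,
    "approve_vendor": 0.6,
    "export_customer_db": 0.9,
}

# Hypothetical weights for "signs of foul play" observed on the session.
SIGNAL_WEIGHTS = {"new_device": 0.2, "impossible_travel": 0.5, "tor_exit": 0.3}


@dataclass
class SessionContext:
    user: str
    role: str
    identity_confidence: float  # 0-1: how sure we are it is really this user
    risk_signals: list = field(default_factory=list)


def session_risk(ctx: SessionContext) -> float:
    """Aggregate the observed risk signals into a 0-1 score (capped at 1)."""
    return min(1.0, sum(SIGNAL_WEIGHTS.get(s, 0.1) for s in ctx.risk_signals))


def authorize(ctx: SessionContext, action: str) -> str:
    """Decide 'allow', 'step_up' or 'deny' for this specific activity."""
    # Static RBAC gate: identical for every request, context ignored.
    if action not in ROLE_ENTITLEMENTS.get(ctx.role, set()):
        return "deny"
    # Dynamic gate: identity confidence discounted by current session risk.
    assurance = ctx.identity_confidence * (1.0 - session_risk(ctx))
    needed = ACTION_SENSITIVITY[action]
    if assurance >= needed:
        return "allow"
    # Entitled, but not enough assurance: ask for stronger proof of identity.
    if assurance >= needed / 2:
        return "step_up"
    return "deny"
```

The same entitled user therefore gets different answers for the same action depending on what the session looks like at that moment, which is the adaptive behaviour the comment argues for.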

User Rank: Apprentice
12/7/2015 | 6:00:08 PM
Risk based approach is the king
The risk based approach is the only way that ensures money and time is spent on the right things for protecting the organisation. Risk can be managed on multiple levels, starting from the business risks, throughout IT and infosec risks all down to the code level.

I also wrote an article today on risk driven approach, but on incident management. This approach allows incident response teams to focus on the critical areas with their efforts. The post is available on Rainbow and Unicorn blog.