How Netflix Makes Security Decisions: A Peek Inside the Process

A senior information security risk engineer explains how Netflix's risk management program helps business leaders make key decisions.

It's difficult for risk managers to help decision-makers after a risky choice has been made. Unfortunately for many organizations, that's how traditional risk management programs work — and by the time an assessment has been done, the risky decision has already done its damage.

"We all accept certain amounts of risk in order to engage in business, but at what point is risk too much?" asks Tony Martin-Vegue, senior information security risk engineer at Netflix, who discussed the topic at this week's FAIR Conference.


In most companies, a risk management program covers any aspect of a business that takes on risk. Business leaders make a decision and implement it; the risk team then comes in, tests it, and reports issues. The first time a risk manager gets involved is when these problems are put on the risk register, at which point it's too late to help the enterprise decision-makers, he says.

Risk analysis is forecasting, Martin-Vegue explains. Analysts should want to be closer to the CEO, CFO, CIO, and other executives before major decisions are made so they can help make the optimal choice. Netflix has long used quantitative models, including the FAIR model, to make decisions because it puts threats into context and helps explain risk to business execs.

Most companies use the traditional paradigm of rating decisions as high/medium/low or red/yellow/green, he says. While this works for comparing three or four similar items or prioritizing projects, it does little when a security analyst is faced with three red alerts costing $10 million, $15 million, and $20 million each. Which one should they remediate first?

"You don't know," Martin-Vegue says. "You can't make that type of value-at-risk comparison."

Quantitative risk, instead of saying an alert is "high" or "red," will indicate how much exposure the business has. If you know one risk has $200 million in exposure, and you can buy that risk down to $20 million with a $10 million investment, it provides a distinct course of action. If a pen tester has two red alerts, and quantitative analysis reveals one has $10 million of exposure and the other has $50,000 of exposure, it's obvious which should be remediated first, he notes.

"Now you can start to make comparisons using dollars [and] financial people will recognize this as a cost-benefit analysis," he explains. "We're moving out of information security and speaking to the CFO, the CEO, the CIO: 'This is how much your investment can get you. This is how much risk you can buy down.'" 

This resonates with executives who are accustomed to speaking in terms of dollars and cents. It's easier to make a security-focused decision when they understand what an investment will get them, as opposed to making a choice based on a high-, medium-, or low-severity alert.

"It's no wonder there's always friction between the business and information security people," says Martin-Vegue. "We're making it hard for them." By framing the risk conversation around exposure, investments, and buying down risk, "people immediately get it, especially on the business side."

Making Big Decisions, from Executives to Practitioners
There are three different levels of risk abstraction that can be used to frame a security risk assessment, says Martin-Vegue, noting he loosely uses the National Institute of Standards and Technology (NIST) risk management framework. These include strategic, tactical, and operational decisions.

Tier one supports strategic decision-making; this typically involves major investment decisions made about five years ahead of time. A few examples: How should executives frame a company strategy? Should they transition to the cloud? Should the business put its services in Amazon Web Services or do the hosting themselves? Should they do code development in-house or outsource it?

These are all nontrivial decisions, he says, and they're typically made without a risk analyst who could explain the cost-benefit analysis and ROI analysis of major enterprise strategies.

Tier two supports tactical decision-making for midlevel managers who are considering their initiatives, budget, and head-count planning a year or two ahead of time. Those managers are asking questions such as "Do we employ server virtualization?" "What vendors should we use?" "Can we do a risk analysis on the vendor before we move to the vendor?"

Most organizations hear about a vendor security issue after they've already signed a contract, Martin-Vegue says. This should be on the risk register before the vendor partnership begins.

Tier three supports operational decision-making, which is for individual contributors and their teams. This may include security architects, pen testers, or developers on the business side who design customer-facing web apps. If a coder wants a security control and has a choice between password-only or passwords and multifactor authentication (MFA), which should they choose?

What may seem like an easy investment choice to security practitioners is tougher for business executives. Today's organizations have tight purse strings, and implementing MFA is expensive. Quantitative risk requires security pros to use data to make a case and prove why an investment is worth it.

Operational decision-makers are faced with several choices that can be evaluated with quantitative risk analysis: How do we configure endpoint protection? How do we configure antivirus software? Should we use full disk encryption? How do we configure data loss prevention tools?

Quantitative Risk Modeling: Getting Started
For organizations that want to adopt the FAIR model or other quantitative risk models, Martin-Vegue advises starting slow. Risk analysts don't need to rip out their current model and implement FAIR in a major overhaul. Start with a couple of decisions. Find someone in the organization trying to make a difficult, data-driven choice and help using the quantitative model.

His other tip is a word of caution: "There's a big myth that we have to bust about quantitative risk — there's a perception people have that you need to have perfect historical quantitative data in order to do an assessment, and you don't." Martin-Vegue says risk professionals can use the subjective judgment of people within the organization to do a credible assessment.
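The following is an added example, not code from the article or from Netflix, showing one way the "exposure" and "buy down" comparison above and the point about working from subjective estimates can be put into numbers: each input is a calibrated low / most likely / high range from a subject-matter expert (sampled here with a PERT distribution, which is this example's choice rather than anything the article prescribes), a Monte Carlo run turns the ranges into an annualized loss exposure, and the tier-three password-only versus MFA choice is compared as a cost-benefit. The scenario values are constructed and hypothetical.

```python
import math
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Estimate:
    """A calibrated range (low, most likely, high) elicited from a subject-matter expert."""
    low: float
    likely: float
    high: float

def sample_pert(rng, est):
    """Draw from a PERT (scaled Beta) distribution over the range; a point estimate returns itself."""
    if est.high == est.low:
        return est.low
    width = est.high - est.low
    alpha = 1 + 4 * (est.likely - est.low) / width
    beta = 1 + 4 * (est.high - est.likely) / width
    return est.low + rng.betavariate(alpha, beta) * width

def sample_poisson(rng, rate):
    """Number of loss events in one year for a given annual rate (Knuth's method)."""
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1

def annualized_loss_exposure(frequency, magnitude, years=20000, seed=7):
    """Monte Carlo over `years` simulated years; returns (mean annual loss, 90th-percentile year)."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    yearly = []
    for _ in range(years):
        events = sample_poisson(rng, sample_pert(rng, frequency))
        yearly.append(sum(sample_pert(rng, magnitude) for _ in range(events)))
    yearly.sort()
    return sum(yearly) / years, yearly[int(0.9 * years)]

def control_cost_benefit(freq_before, freq_after, magnitude, annual_control_cost):
    """Exposure with and without the control, the risk bought down, and net benefit, all in dollars."""
    before, _ = annualized_loss_exposure(freq_before, magnitude)
    after, _ = annualized_loss_exposure(freq_after, magnitude)
    return {"before": before, "after": after, "bought_down": before - after,
            "net_benefit": before - after - annual_control_cost}

# Constructed scenario (hypothetical numbers): account takeover, password-only vs. password + MFA.
ATO_PASSWORD_ONLY = Estimate(2, 6, 15)                 # loss events per year, password-only
ATO_WITH_MFA = Estimate(0.2, 0.5, 1.5)                 # loss events per year after MFA
ATO_MAGNITUDE = Estimate(50_000, 400_000, 3_000_000)   # dollars lost per event
```

Calling `control_cost_benefit(ATO_PASSWORD_ONLY, ATO_WITH_MFA, ATO_MAGNITUDE, 1_500_000)` yields the exposure before and after MFA, the dollars of risk bought down, and the net benefit after a hypothetical $1.5 million annual control cost, which is the comparison a CFO can read as a cost-benefit analysis.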

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
