How Netflix Makes Security Decisions: A Peek Inside the Process

A senior information security risk engineer explains how Netflix's risk management program helps businesses leaders make key decisions.

It's difficult for risk managers to help decision-makers after a risky choice has been made. Unfortunately for many organizations, that's how traditional risk management programs work — and by the time an assessment has been done, the risky decision has already done its damage.

"We all accept certain amounts of risk in order to engage in business, but at what point is risk too much?" asks Tony Martin-Vegue, senior information security risk engineer at Netflix, who discussed the topic at this week's FAIR Conference.

In most companies, a risk management program covers any aspect of a business that takes on risk. Business leaders make a decision and implement it; the risk team then comes in, tests it, and reports issues. The first time a risk manager gets involved is when these problems are put on the risk register, at which point it's too late to help the enterprise decision-makers, he says.

Risk analysis is forecasting, Martin-Vegue explains. Analysts should want to be closer to the CEO, CFO, CIO, and other executives before major decisions are made so they can help make the optimal choice. Netflix has long used quantitative models, including the FAIR model, to make decisions because it puts threats into context and helps explain risk to business execs.

Most companies use the traditional paradigm of rating decisions as high/medium/low or red/yellow/green, he says. While this works for comparing three or four similar items or prioritizing projects, it does little when a security analyst is faced with three red alerts costing $10 million, $15 million, and $20 million each. Which one should they remediate first?

"You don't know," Martin-Vegue says. "You can't make that type of value-at-risk comparison."

Quantitative risk, instead of saying an alert is "high" or "red," will indicate how much exposure the business has. If you know one risk has $200 million in exposure, and you can buy that risk down to $20 million with a $10 million investment, it provides a distinct course of action. If a pen tester has two red alerts, and quantitative analysis reveals one has $10 million of exposure and the other has $50,000 of exposure, it's obvious which should be remediated first, he notes.

"Now you can start to make comparisons using dollars [and] financial people will recognize this as a cost-benefit analysis," he explains. "We're moving out of information security and speaking to the CFO, the CEO, the CIO: 'This is how much your investment can get you. This is how much risk you can buy down.'" 

This resonates with executives who are accustomed to speaking in terms of dollars and cents. It's easier to make a security-focused decision when they understand what an investment will get them, as opposed to making a choice based on a high-, medium-, or low-severity alert.

"It's no wonder there's always friction between the business and information security people," says Martin-Vegue. "We're making it hard for them." By framing the risk conversation around exposure, investments, and buying down risk, "people immediately get it, especially on the business side."

Making Big Decisions, from Executives to Practitioners
There are three different levels of risk abstraction that can be used to frame a security risk assessment, says Martin-Vegue, noting he loosely uses the National Institute of Standards and Technology (NIST) risk management framework. These include strategic, tactical, and operational decisions.

Tier one supports strategic decision-making; this typically involves major investment decisions made about five years ahead of time. A few examples: How should executives frame a company strategy? Should they transition to the cloud? Should the business put its services in Amazon Web Services or do the hosting themselves? Should they do code development in-house or outsource it?

These are all nontrivial decisions, he says, and they're typically made without a risk analyst who could explain the cost-benefit analysis and ROI analysis of major enterprise strategies.

Tier two supports tactical decision-making for midlevel managers who are considering their initiatives, budget, and head-count planning a year or two ahead of time. Those managers are asking questions such as "Do we employ server virtualization?" "What vendors should we use?" "Can we do a risk analysis on the vendor before we move to the vendor?"

Most organizations hear about a vendor security issue after they've already signed a contract, Martin-Vegue says. This should be on the risk register before the vendor partnership begins.

Tier three supports operational decision-making, which is for individual contributors and their teams. This may include security architects, pen testers, or developers on the business side who design customer-facing web apps. If a coder wants a security control and has a choice between password-only or passwords and multifactor authentication (MFA), which should they choose?

What may seem like an easy investment choice to security practitioners is tougher for business executives. Today's organizations have tight purse strings, and implementing MFA is expensive. Quantitative risk requires security pros to use data to make a case and prove why an investment is worth it.

Operational decision-makers are faced with several choices that can be evaluated with quantitative risk analysis: How do we configure endpoint protection? How do we configure antivirus software? Should we use full disk encryption? How do we configure data loss prevention tools?

Quantitative Risk Modeling: Getting Started
For organizations that want to adopt the FAIR model or other quantitative risk models, Martin-Vegue advises starting slow. Risk analysts don't need to rip out their current model and implement FAIR in a major overhaul. Start with a couple of decisions. Find someone in the organization trying to make a difficult, data-driven choice and help using the quantitative model.

His other tip is a word of caution: "There's a big myth that we have to bust about quantitative risk — there's a perception people have that you need to have perfect historical quantitative data in order to do an assessment, and you don't." Martin-Vegue says risk professionals can use the subjective judgment of people within the organization to do a credible assessment.
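The value-at-risk comparison Martin-Vegue describes (ranking two "red" findings by dollar exposure, then judging a control such as MFA by how much risk it buys down against what it costs) can be reproduced with a small FAIR-style Monte Carlo simulation fed only by three-point expert estimates, which is also the point of his caution about not needing perfect historical data. The script below is an added example written for this article; it is not Netflix's code or the FAIR Institute's tooling. It assumes a triangular distribution for each estimate (FAIR tools normally use PERT; triangular is used because Python's standard library provides it), and every scenario, frequency, loss figure and the MFA cost are constructed for illustration, not data from the talk.

```python
"""FAIR-style quantitative risk comparison with a Monte Carlo simulation.

Added example for this article; not Netflix's or the FAIR Institute's code.
Every figure below is a constructed, calibrated expert estimate
(minimum, most likely, maximum), not historical loss data.
"""
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Estimate:
    """Three-point expert estimate, sampled from a triangular distribution
    (assumption of this example; FAIR tooling usually uses PERT)."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """A loss scenario: how often it happens and what each event costs."""
    name: str
    loss_event_frequency: Estimate  # events per year
    loss_magnitude: Estimate        # dollars per event


def _poisson(rng: random.Random, lam: float) -> int:
    """Number of events in one year for a mean rate `lam` (Knuth's method)."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(scenario: Scenario, trials: int = 10_000, seed: int = 7) -> List[float]:
    """Simulate `trials` years: draw an event count, then a loss for each event."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    losses = []
    for _ in range(trials):
        events = _poisson(rng, scenario.loss_event_frequency.sample(rng))
        losses.append(sum(scenario.loss_magnitude.sample(rng) for _ in range(events)))
    return losses


def annualized_loss_exposure(losses: List[float]) -> float:
    """Expected annual loss: the mean over the simulated years."""
    return sum(losses) / len(losses)


def value_at_risk(losses: List[float], percentile: float = 0.9) -> float:
    """Loss not exceeded in `percentile` of simulated years (e.g. the 90th percentile)."""
    ordered = sorted(losses)
    return ordered[min(len(ordered) - 1, int(percentile * len(ordered)))]


def rank_scenarios(scenarios: List[Scenario], trials: int = 10_000) -> List[Tuple[str, float]]:
    """Rank scenarios by expected annual exposure in dollars, highest first."""
    ranked = [(s.name, annualized_loss_exposure(simulate_annual_losses(s, trials))) for s in scenarios]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


def evaluate_control(before: Scenario, after: Scenario, annual_cost: float, trials: int = 10_000) -> Dict[str, float]:
    """Cost-benefit of a control: risk bought down per year versus its annual cost."""
    ale_before = annualized_loss_exposure(simulate_annual_losses(before, trials))
    ale_after = annualized_loss_exposure(simulate_annual_losses(after, trials))
    reduction = ale_before - ale_after
    return {"ale_before": ale_before, "ale_after": ale_after, "risk_reduction": reduction,
            "annual_cost": annual_cost, "net_benefit": reduction - annual_cost}


# Constructed scenarios for a customer-facing login (illustrative numbers only).
CRED_STUFFING_PASSWORD_ONLY = Scenario(
    "Account takeover via credential stuffing, password-only login",
    loss_event_frequency=Estimate(2, 6, 15),
    loss_magnitude=Estimate(50_000, 400_000, 2_000_000))
CRED_STUFFING_WITH_MFA = Scenario(
    "Account takeover via credential stuffing, with MFA",
    loss_event_frequency=Estimate(0.1, 0.5, 2),
    loss_magnitude=Estimate(50_000, 400_000, 2_000_000))
STALE_REPORTING_SERVER = Scenario(
    "Compromise of an unpatched internal reporting server",
    loss_event_frequency=Estimate(0.05, 0.2, 0.5),
    loss_magnitude=Estimate(10_000, 30_000, 100_000))
MFA_ANNUAL_COST = 1_500_000  # constructed: licences, rollout and support per year


if __name__ == "__main__":
    for name, ale in rank_scenarios([CRED_STUFFING_PASSWORD_ONLY, STALE_REPORTING_SERVER]):
        print(f"{name}: expected annual exposure ${ale:,.0f}")
    r = evaluate_control(CRED_STUFFING_PASSWORD_ONLY, CRED_STUFFING_WITH_MFA, MFA_ANNUAL_COST)
    print(f"MFA buys down ${r['risk_reduction']:,.0f}/yr for ${MFA_ANNUAL_COST:,.0f}/yr "
          f"-> net benefit ${r['net_benefit']:,.0f}/yr")
```

Two findings that would both be "red" on a heat map come out with expected exposures that differ by two orders of magnitude, which is the comparison a CFO can act on. The control evaluation is the "buy down" figure from the talk expressed as an annual cost-benefit; in a real assessment the three-point estimates would come from calibrated people inside the organization, as the article notes, and the spread between the mean and the 90th-percentile value at risk tells the decision-maker how heavy the tail of bad years is.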

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
