Dark Reading is part of the Informa Tech Division of Informa PLC

Joshua Goldfarb

Playing It Straight: Building A Risk-Based Approach To InfoSec

What a crooked haircut can teach you about framing the discussion about organizational security goals and strategies.

I don’t remember much from my school days, but I do remember one particular statement from one of my teachers. During the course of delivering the lesson, she illustrated her point by remarking: “If you hold your head crooked, you get a crooked haircut.” You might ask yourself what exactly this means and what this has to do with information security. Allow me to elaborate.

What my teacher illustrated with that phrase was the idea of building the proper frame of reference. The haircut analogy works as follows. A barber or stylist approaches a haircut from his or her own frame of reference. Generally, the person giving the haircut is standing, so that frame of reference is vertical. The person receiving the haircut is generally seated. If that person holds his or her head straight, both people share the same frame of reference. If, however, that person tilts his or her head, his or her frame of reference becomes different from that of the barber or stylist. As a result, what appears to be a straight haircut to the barber or stylist will in fact be a crooked haircut to the customer.

In other words, if we want to achieve a certain outcome, we have to work towards it from within the correct frame of reference. Otherwise, no matter how much time, money, and resources we invest into our efforts, the outcome may be different from what we expected.

We can extend this analogy to the security realm and learn some valuable lessons from it. Almost all organizations now realize that they need to build or enhance their security programs. Of course, strategies, approaches, and methodologies will vary widely in this endeavor. Results will also vary widely. When undertaking this effort, frame of reference becomes extremely important. If an organization does not properly calibrate its efforts, it can end up investing a lot of time, money, and resources into a security program that misses the mark. In other words, having the right frame of reference guides a program to success. Building or enhancing a security program in a “crooked” frame of reference can ultimately lead to a program that does not adequately address the needs of the organization and does little to improve its security posture.

I’d like to illustrate this concept by sharing a few examples of incorrect frames of reference that I sometimes see in organizations. My goal is to help organizations understand the concept and identify any potential areas for improvement internally.

The Program of “No”
Unfortunately, security professionals sometimes get a reputation for being the people in an organization who always say “no.” In recent years, security has become an integral part of most organizations. But it’s important to remember that the main purpose of an organization is to be successful in its particular line of business. Of course, a business cannot operate without accepting some risk.

A security program’s ultimate goal should be to mitigate risk while enabling the business to be successful. For example, if the business needs to move to the cloud in order to stay competitive, the security organization should focus on how to mitigate and minimize risk before, during, and after that move.

Unfortunately, the frame of reference of many security organizations is structured around a knee-jerk “no” response. The trouble with this is that many areas of the business very quickly learn to go around the security team, rather than work cooperatively and collaboratively with it. In some cases, the security team may even be seen as an adversary. The end result is that the organization’s security posture does not improve at all -- in fact, quite the opposite.

The program of “no” frame of reference most often results in exactly the opposite of what was intended. A frame of reference that seeks to build trust with the business, so that the business can operate more securely, produces much better results. After all, security is a business function and should operate accordingly.

Not Focusing on Risk
I, along with many others, have previously written on risk-based approaches to security. This approach is strategic in nature: it involves prioritizing the risks and threats to the organization and then working through mitigating them in that order. Unfortunately, some organizations don’t build security programs from this frame of reference.

There are a number of different types of approaches I’ve seen that are not risk-based in nature. For example, organizations may build their frame of reference around intelligence, certain categories of technology, certain skillsets, or other things. Each of the examples I’ve mentioned is important and has its place in security, but none of them should be used as the basis for a frame of reference. For example, although intelligence is important, building a security program solely around intelligence causes an organization to rely too heavily on what someone else tells them is important, rather than the real risks and threats to their organization.

Building a frame of reference around mitigating risk allows an organization to incorporate multiple techniques to reach the desired end goals. But the risk-based frame of reference ensures that the organization will properly address the risks and threats it faces regardless of the techniques it employs. Alternate frames of reference address some risks and threats, but they do so informally, rather than strategically. That leaves an organization vulnerable.

Chasing Ghosts
I’ve seen some organizations that run from one “strategy” to the next, following the latest fad, buzzword, shiny object, or whatever else is in vogue. The fault in this frame of reference is obvious. Fads come and go, but at the end of the day, they were not defined to address the risks that an organization faces.

Of course, new technologies, novel approaches, and fresh thinking can always be used to improve and strengthen a strategic approach to security. But again, they need to be incorporated within a strategic frame of reference. The “new” cannot itself be the frame of reference. That often results in organizations investing heavily in areas that don’t actually mitigate much risk for them -- in other words, chasing ghosts.

Unfortunately, there are far too many “crooked” frames of reference within which an organization can find itself. A strategic, risk-based approach to security can help an organization build a frame of reference geared towards its needs. Having a “straight” frame of reference is critical for properly guiding the efforts of a security organization to adequately address the risks and threats facing the organization.

Josh (Twitter: @ananalytical) is currently Director of Product Management at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, ...

Uri Rivner, User Rank: Author
12/9/2015 | 10:48:17 AM
Dynamic risk-based decisions
Great as always Josh.

Beyond making risk-based choices, it's time the enterprise begin to realise that the authentication and authorization paradigms that have been with us since the dawn of corporate security history are all but dead. What does an authentication session mean anyway these days? All fraud cases in online banking come from authenticated sessions. All hacks come from authenticated nodes.

The same applies to authorization. Take RBAC - a fundamental principle in security. Josh is a CTO, so he has access to this-and-that. Unless Josh changes his role, or unless that role needs an updated access scheme, that's basically it. But in today's reality, it's totally rubbish. Yes, Josh is entitled to access this-and-that, but only if I think it's really Josh, and he really needs that access right now. If there are signs of foul play, I may change my mind. And if I have an ability to dynamically change my mind about authorization, and make sure people get access based on the risk for this specific activity, I'm far better off.

The same goes for my smart home app, the one I'm using to control my smart home. Once I have authenticated, I have full access to everything. That's history. The future is different: far more agile and adaptive. The more it looks like me, and the lower the risk of my current actions, the greater control I should have. And think of IoT appliances as well - they also have authentication and authorization controls that are totally black and white, and without giving them shades and adaptiveness - we'll be screwed a few years from now.

The enterprise security paradigms need some heavy shaking, become far more dynamic, adaptive and risk-based, so real time decisions can be made instantly for every activity.
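As an added example (not part of the comment above or of the article), here is what a per-activity, risk-adaptive authorization decision of the kind the comment describes can look like in code. The role table is still the floor: no role entitlement, no access. But each request is then scored on contextual signals, and the sensitivity of the requested action decides whether that score means allow, step up to a second factor, or deny. Because the decision is made per request rather than per session, the same user with the same role can be allowed, challenged, or refused at different moments. The roles, actions, signal weights and thresholds are assumed values chosen for illustration, not from any product.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed RBAC table: what a role is entitled to in principle.
ROLE_PERMISSIONS = {
    "cto":      {"read:financials", "read:source", "approve:deploy"},
    "engineer": {"read:source"},
}

# Constructed sensitivity tiers: how much risk each action tolerates
# before the decision moves from allow -> step_up -> deny.
ACTION_SENSITIVITY = {
    "read:source":     "low",
    "read:financials": "medium",
    "approve:deploy":  "high",
}
THRESHOLDS = {            # tier: (step_up_at, deny_at), assumed values
    "low":    (50, 80),
    "medium": (30, 60),
    "high":   (15, 40),
}

@dataclass
class Request:
    user: str
    role: str
    action: str
    device_known: bool            # has this device been seen for this user before?
    country: str                  # where the request originates
    usual_countries: Set[str]     # countries the user normally works from
    hour: int                     # local hour of day, 0-23
    failed_logins_last_hour: int
    session_age_minutes: int

@dataclass
class Decision:
    outcome: str                  # "allow", "step_up", or "deny"
    score: int
    reasons: List[str] = field(default_factory=list)

def risk_score(req: Request) -> Tuple[int, List[str]]:
    """Sum weighted risk signals for this specific activity (weights are assumed)."""
    score, reasons = 0, []
    if not req.device_known:
        score += 30; reasons.append("unknown device")
    if req.country not in req.usual_countries:
        score += 25; reasons.append(f"unusual country {req.country}")
    if req.hour < 7 or req.hour > 20:
        score += 10; reasons.append("outside working hours")
    if req.failed_logins_last_hour >= 3:
        score += 20; reasons.append(f"{req.failed_logins_last_hour} recent failed logins")
    if req.session_age_minutes > 8 * 60:
        score += 15; reasons.append("stale session")
    return score, reasons

def decide(req: Request) -> Decision:
    """RBAC is the floor; risk then decides how much of the entitlement applies right now."""
    if req.action not in ROLE_PERMISSIONS.get(req.role, set()):
        return Decision("deny", 0, ["role not entitled"])
    score, reasons = risk_score(req)
    step_up_at, deny_at = THRESHOLDS[ACTION_SENSITIVITY[req.action]]
    if score >= deny_at:
        return Decision("deny", score, reasons)
    if score >= step_up_at:
        return Decision("step_up", score, reasons)
    return Decision("allow", score, reasons)

if __name__ == "__main__":
    # Constructed scenario: one CTO, one role, several moments in a session.
    base = dict(user="josh", role="cto", device_known=True, country="US",
                usual_countries={"US"}, hour=10, failed_logins_last_hour=0,
                session_age_minutes=30)
    scenarios = [
        Request(action="approve:deploy", **base),                                    # benign
        Request(**{**base, "device_known": False, "action": "read:source"}),        # new device, low-sensitivity action
        Request(**{**base, "device_known": False, "action": "approve:deploy"}),     # same signal, high-sensitivity action
        Request(**{**base, "device_known": False, "country": "BR",
                   "action": "approve:deploy"}),                                     # new device and unusual country
        Request(**{**base, "role": "engineer", "action": "approve:deploy"}),        # not entitled at all
    ]
    for req in scenarios:
        d = decide(req)
        print(f"{req.role:8} {req.action:16} -> {d.outcome:8} score={d.score:3} {d.reasons}")
```

Running the scenario shows the point of the comment: the unknown-device signal alone is tolerated for reading source but forces a second factor for approving a deployment, and adding an unusual country turns that same deployment request into a refusal, all without any change to the user's role. In a real deployment the weights would come from measured fraud and compromise data rather than being hand-picked, and the decision should be re-evaluated on every sensitive action, not cached for the session.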

User Rank: Apprentice
12/7/2015 | 6:00:08 PM
Risk based approach is the king
The risk based approach is the only way that ensures money and time is spent on the right things for protecting the organisation. Risk can be managed on multiple levels, starting from the business risks, throughout IT and infosec risks all down to the code level.

I also wrote an article today on a risk-driven approach, but to incident management. This approach allows incident response teams to focus their efforts on the critical areas. The post is available on the Rainbow and Unicorn blog.