Gunnar Peterson of 1 Raindrop has blogged his Keynote at the recent Quality of Protection conference. It is a great read – and a defense in depth against the binary “secure / not secure” polarity that characterizes the thinking of those new to security matters.
His argument riffs on Dan Geer's famous Risk Management is Where the Money Is. He turns to Warren Buffet as someone who knows something about this kind of thing, writing:
“Of course, saying that you are managing risk and actually managing risk are two different things. Warren Buffett started off his 2007 shareholder letter talking about financial institutions’ ability to deal with the subprime mess in the housing market saying, “You don't know who is swimming naked until the tide goes out.” In our world, we don't know whose systems are running naked, with no controls, until they are attacked. Of course, by then it is too late.
“So the security industry understands enough about risk management that the language of risk has permeated almost every product, presentation, and security project for the last ten years. However, a friend of mine who works at a bank recently attended a workshop on security metrics, and came away with the following observation – “All these people are talking about risk, but they don't have any assets.” You can't do risk management if you don't know your assets.
“Risk management requires that you know your assets, that on some level you understand the vulnerabilities surrounding your assets, the threats against those, and efficacy of the countermeasures you would like to use to separate the threat from the asset. But it starts with assets. Unfortunately, in the digital world these turn out to be devilishly hard to identify and value.
“Recent events have taught us again, that in the financial world, Warren Buffett has few peers as a risk manager. I would like to take the first two parts of this talk looking at his career as a way to understand risk management and what we can infer for our digital assets.
Analysing vulnerabilities and the values of assets, he uncovers two pyramids that turn out to be inverted.
To deliver a real Margin of Safety to the business, I propose the following based on a defense in depth mindset. Break the IT budget into the following categories:
-
-
Network: all the resources invested in Cisco, network admins, etc.
-
Host: all the resources invested in Unix, Windows, sys admins, etc.
-
Applications: all the resources invested in developers, CRM, ERP, etc.
-
Data: all the resources invested in databases, DBAs, etc.
-
Tally up each layer. If you are like most business you will probably find that you spend most on Applications, then Data, then Host, then Network.
Then do the same exercise for the Information Security budget:
-
-
Network: all the resources invested in network firewalls, firewall admins, etc.
-
Host: all the resources invested in Vulnerability management, patching, etc.
-
Applications: all the resources invested in static analysis, black box scanning etc.
-
Data: all the resources invested in database encryption, database monitoring, etc.
-
Again, tally each up layer. If you are like most business you will find that you spend most on Network, then Host, then Applications, then Data. Congratulations, Information Security, you are diametrically opposed to the business!
He relates his thinking to a fascinating piece by Pat Helland called SOA and Newton's Universe (a must-read to which I will return) and then proposes some elements of a concrete approach to development of meaningful metrics that he argues allow correlation of “value” and “risk” in ways that could sustain meaningful business decisions.
In an otherwise clear argument, Gunnar itemizes a series of “Apologies”, in the sense of corrections applied post-facto due to the uncertaintly of decisionmaking in a distributed environment:
Example Apologies – Identity Management tools – provisioning, deprovisioning, Reimburse customer for fraud losses, Compensating Transaction – Giant Global Bank is still sorry your account was compromised!
Try as I might, I don't understand the categorization of identity management tools as apology, or their relationship to account compromise – I hope Gunnar will tell us more.
The example I gave for identity management tools in the context of apologies, is that many companies’ incident response and fraud processes end up utilizing IDM tools for deprovisioning and such, IDM tools also cover many other Memory and Guess areas as well.
Interesting but all layers listed do fall under Vulnerability Management. The problem I commonly run into is companies thinking that vulnerability management is just security patching. But it is not. A good vulnerability management program touches all areas listed and provides checks and balances to ensure the environment is secure. A good example is the PCI Data Security Standard, as part of the requirement firewalls need to be hardened then assessed quarterly as part of vulnerability management. Also application security is often neglected and has security patching requirements similar to the operating system and should be track as part of the vulnerability management process. And as for Data a patched vulnerability protects the data from being compromised. Below I have provided an interesting link that provide great information related to network vulnerability management program development. Check it out.
http://www.guidance-consulting.com/component/content/article/38-security/116-benefits-of-network-vulnerability-management-program-development.html