
IT@Intel Blog

61 Posts tagged with the rosenquist tag

Crazy as it may sound, digital appliances and accessories can infect your computers with viruses and worms. It is happening more and more. Although not near a tipping point, an evil cloud is rising.


Unlikely Threats

It is concerning enough that we have to worry about USB drives, WiFi hotspots, mobile phones, PDAs, printers, email attachments, file downloads, search engines, and surfing just about any website. But now we must keep a suspicious eye on our new net-enabled refrigerator, digital picture frames, music-playing sunglasses, and even the toaster.


Recent articles show how consumer devices integrated with network-enabled computers are sources of malware infections. It is not shocking that software CDs/DVDs or USB drives might have nasty code lurking. Suspicion is the norm any time we are connecting or installing something directly to our trusty computer. In those situations, we take proper precautions. But what about media players, GPS devices, and most recently wireless digital picture frames? These devices may not directly connect via a traditional cable. Does the average consumer realize that when they flip the power button they may be turning on a wireless device infected with malware, seeking to infect anything within range?


The toaster is out to get you!

It is not just the geek toys anymore. Not too long ago, an enterprising individual took it upon himself to hack a regular toaster, just to prove it could be a source of malware. A toaster! Very impressive, but what is next?


As computers are integrated into everything and are being upgraded with more power and connectivity, the threat landscape grows. Our cars, major appliances, personal electronics, accessories, and even clothing are potentially at risk. We are dragging these items into the digital world and in doing so, overlaying cyber risks on them.


Although not widespread, more and more stories are emerging and the list of products grows longer. At some point we will be forced to re-evaluate the standard threat categories to include some non-traditional vectors. Personally, I am waiting for shoe manufacturers to implant computers in their products so we can have "walk-by attacks". Can't wait.


Some news reference links:

http://www.securityfocus.com/news/11499

http://www.pcworld.com/article/id,141295-pg,1/article.html

http://www.theregister.co.uk/2008/01/14/sans_threat_list/


With the old year grinding to a close and opportunities of a new year opening before us, it is a good time to take a moment and make some new year's information security resolutions. Some are good holdovers from last year and a few are new to the list. I think all are good practices to promote security and hopefully will keep a smile on my face throughout the year (no matter what cyber meltdown may occur).


  1. Vigilance. Maintaining effective legacy security programs is critical. Loss of such capabilities opens the door to old, known, and well-refined attacks.

  2. Embrace/beware of disruptive technology. Double-edged, bleeding-edge technology can be a blessing and a curse. It can reduce costs, increase efficiency, open markets, and change your way of thinking, but it is also like walking into a darkened room in a horror movie. You never know what may jump out at you, and in hindsight you may think "well, that was painful". On the hot-list:

    • Virtualization technology in all its glory

    • Smart-phones and other portable devices built on PC operating systems and applications

    • Social media sites, tools, and accompanying behaviors

  3. Careful with my PII. Our Personally Identifiable Information (PII) is more important than anyone can measure. I will handle mine with care, ensure others do the same, and simply say 'no' more often than not when asked.

  4. Don't be a fish. Just say no to phishing and spam. Filters are wonderful, but a few messages will creep through. If it looks suspicious, it probably is. Don't be shy, even with the weird stuff sent by people you trust. Just pick up the phone and call them: "Hey Ralph, did you send me this executable attachment via email?" It is not that tough.

  5. Make an effort at disaster preparedness. Regular backups and encryption are my friends. Nothing huge, mind you, but at least apply them where it makes sense.

  6. Choose not to be a victim and let common sense prevail. Two types of victims exist: those with something of value, and those who are easy targets. Therefore, don't be an easy target and protect your valuables.

  7. Talk and share security. We are stronger as a team striving for security than alone. The bad guys are working together; it is about time we do the same. Talk about security and share what works or doesn't. Don't be shy.

  7. Talk and share security. We are stronger as a team striving for security, than alone. The bad guys are working together; it is about time we do the same. Talk about security and share what works or doesn't. Don't be shy.

Not rocket science, but most of the great ideas rarely are. Feel free to chime in and be heard. What are your security resolutions for 2008?


Intel IT developed a model for measuring Return on Security Investment (ROSI) in our manufacturing environments that produces a much higher level of accuracy than other methods currently available. Our model has enabled us to make business-driven decisions about security programs, resulting in savings in excess of USD 18 million per year in avoided losses.


Whitepaper now Available! Measuring the Return on IT Security Investments


Quantifying value for security programs is difficult at best. Intel successfully developed and employed a method to measure the value of security programs across our worldwide factories. Although not a silver bullet to measure all security programs, it does show that, in some circumstances, value can be quantified to the level needed to make sound business decisions.


This is one of many different methods which Intel leverages to determine the value of security programs. The difference is being able to tie in hard numbers for prevented losses and the ability to predict future impacts with reasonable accuracy. Other available methods rely on more qualitative descriptions of value and lack a dollars-and-cents measure. Although no single methodology fits all situations, Intel has found a niche for this insightful metric, which is an empowering view of security value.


Other related blogs:


Practical Aspects of Measuring Security

Getting a Return on IT Security Investment

Managing the Effort to Measure Security

The Problem of Measuring Information Security

The Four Dirty Questions of Measuring Information Security


To defeat cyber attacks, we must first understand their characteristics and how they come about. Deconstructing threats is a way of comprehending the factors which drive information security strategy. Without understanding the nature of attacks, an organization is destined to thrash about trying to effect change, only addressing symptoms and oblivious to the root causes of the problems.


In the Beginning

The most important aspect to comprehend is that all malicious security threats and attacks begin with a person who has an objective. This is the attacker, sometimes referred to as the 'Threat Agent'. Make no mistake, a virus is not the attacker. The author and deployer of the virus is the attacker. Eliminating a virus is a short-term solution to a symptom of the problem, leaving the threat agent free to find another method to achieve their objectives.


Threat agents are people and therefore driven by human nature. People compelled to expend energy on an attack against your organization have some desired outcome, a goal in mind. Their objective may be vague or precise, motivated by passion or logic; it may be inspired by emotional, intellectual, or economic needs. Their actions may target you directly, or your organization may simply be caught in their sweeping net of activity. The permutations are mind boggling, especially when you take into account that attackers include trusted persons intimately associated with the organization. Most importantly, they are thinking opponents who may plan, react, adapt, weigh options, and make the decisions necessary to achieve their objective. Security success is heavily dependent on never losing sight of this key perspective. Attacks and threat agents are irrevocably tied together.


Building a Model

So if you have an attacker and their objective, the only component missing is the means for this person to achieve their goal. This path is the method. In reality, it is most likely a number of methods which are evaluated, with one or more eventually employed. The term 'vulnerability' is a catch-all phrase attached to express these methods. The term itself is far too broad to be meaningful. Anything can be a 'vulnerability', including a security control itself. If you have a deadbolt on your door and someone kicks it in, an expert may declare the deadbolt is the vulnerability. Somewhat absurd, which is why I personally dislike using the term. So don't expect to see that word much from here forward.


What do methods look like? It depends on the attacker, what opportunities are available to them, and their objectives. If an attacker is seeking personal satisfaction through ego gratification of power, they may decide to employ a Denial of Service attack to show they can affect a target network. An accounts payable employee may secretly use their legitimate access to issue checks to collaborators for their personal financial gain. Again, the possibilities and permutations are as vast and varying as the people involved.


Threat Model

This basic model is straightforward. A threat agent, willing to put effort into an attack, has an objective in mind and selects one or more methods to succeed. Once committed, they initiate their plans and the game begins. Defenders may put up obstacles and close possible methods, and the attacker, if still motivated, will respond.


Defeating the Attack

The game continues until the attacker succeeds, the attacker is removed or demoralized, the methods are rendered ineffective, or the objective is removed. Removing the attacker is a good but very difficult prospect, usually involving some type of law enforcement. More often the attacker is demoralized by making the prospect of achieving their objective very costly, so they either give up or move to an easier target.


Prevention activities are heavily weighted toward closing the most likely methods. It is a good strategy, which scales across many different attackers, but the simple fact is an attacker only needs one winning method to triumph. Much of the effort to close different paths to the objective is intended to make it progressively more difficult for attackers to succeed. Not every path or vulnerability (ugg, I hate that word) must be eliminated, only the ones the attackers are willing to put effort into. The more inconvenient and inhospitable the environment is for the attacker, the better it is for the defending organization.


Lastly, removing the objective from temptation makes an attack pointless. The famous bank robber Willie Sutton purportedly replied to the question "why do you rob banks?" with "because that's where the money is". The same no-nonsense principle applies to information security. Take away the objective, and the very reason for the attack is undermined.


Understanding the characteristics of attacks is paramount to good security strategy. It helps clear the fog around what is actually effective and provides a perspective on how attacks can be stopped in a coordinated manner.


Ethics are the very cornerstone on which any security organization is built. Without them, a security team is doomed. It will not be respected, only feared; it will not be supported, only ridiculed or ignored. It is a downward spiral of failure for security organizations practicing unethical behaviors. Management and customers will lose faith, leading to a loss of funding, access, and representation. Resources, tools, and overall capability will diminish, leading to a loss of effectiveness and value, further advancing the loss of faith by management and customers. Concealment, inconsistency, indifference, or treading in the gray areas of ethics just prolongs the inevitable trip down the slide to defeat. So how can it be that many security professionals have a casual attitude and apathetic commitment toward ethics?


I have been reading some disturbing stories about security professionals being unethical and in some cases fired or arrested for their activities. The stories aren't hard to find. Trusted security people breaking into systems and networks, deciding not to report criminal activities, or ignoring inappropriate activities to avoid complications are common examples of poor ethos. People violating policies they are employed to enforce and uphold is downright despicable. In many cases, what is worse are the comments left by readers condoning inconsistent behavior on behalf of security. Comments like "pick your battles", "follow your conscience", or "you should only be ethical if others are" are very upsetting.


Reader Beware

I am a fanatic about ethics. I firmly believe ethics, following a code of conduct, is the foundation of every professional security organization. Without consistent ethical behavior, a security team is destined for failure, will open the organization to increased liability and sour future investments in security.


Okay, let me be the first to admit, I have it easy. The security professionals I have the pleasure to know and work closely with are of the highest moral caliber. I am fortunate to work in an organization which embraces the principles of ethics. We derive our support from the corporate principles which are ingrained within the company as a whole and are driven out to all corners. My company (I am a shareholder too) spends time to train, discuss, and reinforce ethics with all employees.


I support ethics in all vocations, but some are more important than others. Security personnel must be held to a higher standard, just as judges and law enforcement must be viewed as incorruptible. Ethics must also reign supreme in financial and medical industries as well. Nothing less is acceptable. We too, as security professionals, should be put under the microscope and make firm commitments to consistency and the highest level of behavior. Our organizations place trust and faith that we will be honest, capable, and perform our duty in an unwavering manner.


Intel's Security Operations Center - Code of Conduct

When I spun up Intel's Security Operations Center, every employee was trained on ethics and we developed a Code of Conduct to ensure the expectations were clear and that as a team we would all conduct ourselves in a conservative manner.


1. Provide diligent and competent service to principals

  • Provide timely, professional, and productive response to our customers, peers, vendors, business partners, and management

  • Act honestly, justly, responsibly, and legally

  • Act impartially to all groups, persons, and organizations


2. Protect and conserve Intel property, resources, and reputation

  • Preserve and protect the value of corporate systems, applications, and information

  • Operate fully within the law, observe corporate policy, and align efforts with standard operating procedures

  • Disclose waste, fraud, abuse, and corruption to appropriate management or oversight bodies


3. Promote and preserve company trust and confidence of the team

  • Take care not to injure the reputation of the team through malice or indifference

  • Be truthful and accurate in representation and all communications

  • Respect the trust, access, authority, and privileges the company grants you

  • Promote, comply, and reinforce company security policies, procedures, and intentions

  • Avoid conflicts of interest or the appearance thereof


Everyone is ethical, right?

Ever ask somebody if they are a good person, or ethical? I will bet you will hear some variation of the same answer: "Yes. Of course I am!" How many people openly admit or believe they are not ethical? So, are you? Yeah, exactly what I thought you would say.


So, Mr/Ms Ethical, you wouldn't be averse to answering a few ethics related questions? These are a subset of questions I ask when delivering the ethics class to our Security Operations Center. They should be easy for an ethical security minded professional such as yourself...


  1. You are conducting a confidential investigation of Employee 'A'. An employee outside the team asks, "Are you investigating Employee 'A'?"

You answer:
A. Yes, we are
B. No, we are not
C. Maybe
D. I'm not sure/I don't know
E. Other: _____

  2. Policy prohibits any team member from installing software on Server 'A'. In an emergency situation, senior management instructs you to install a critical piece of software on Server 'A' to benefit the company.

You cite policy and:
A. Install the software
B. Refuse to install the software
C. Document the request and install the software
D. Document the request and refuse to install the software

  3. You are aware state law prohibits any team member from removing software from Server 'A'. In an emergency situation, your management instructs you to delete a critical piece of software on Server 'A'.

You cite state law and:
A. Delete the software
B. Refuse to delete the software
C. Document the request and delete the software
D. Document the request and refuse to delete the software

  4. Your manager instructs you to do something which is contrary to normal operating procedures. What do you do?

You cite the normal operating procedures and:
A. Do what is asked and report the incident to senior management
B. Refuse to do what is asked and report the incident to senior management
C. Document the request and do what is asked
D. Document the request, refuse to do what is asked, and report the incident to senior management


Life is vague. Ethics don't need to be.

We all find ourselves in unique circumstances which are complicated and tricky. Applying a code of conduct illuminates the right ethical path. Allowing 'flexible ethics' and 'gray area' practices is ultimately self-destructive and leads to instability and demise. Make a stand.


So what are the answers to the above questions? Well, as we all indicated we are ethical, there really is no need for me to provide the answers. We all know them.


Want to get serious about Information Security? It is time for a Defense in Depth strategy. Interlocking Prediction, Prevention, Detection, and Response capabilities is the key. As no single solution provides comprehensive security, the way to achieve optimal security bliss is to apply a Defense in Depth approach of complementing capabilities to protect your computing environment and the data within. This strategy is highly effective at providing security assurance, cost efficient, scalable to large organizations, adaptive to changing threats, and proven to work.


The concept is straightforward. Establish a system of capabilities and services which align to attackers, their objectives, and the methods they are most likely to attempt. Couple this with an understanding that they will sometimes succeed, and embed at every turn the fact that there exists a learning opportunity to improve the system.


[Figure: Defense in Depth diagram (DefenseinDepth.JPG) showing Prediction, Prevention, Detection, and Response feeding continuous improvement]


Prediction:

Security threats are about opposition. These threat agents are living, breathing opponents who are creative, knowledgeable, motivated, and have personal objectives in mind. These agents utilize available methods and resources to achieve whatever goals they seek by leveraging vulnerabilities in people, computing systems, and communication networks. In total, this represents a massive potential target landscape to be protected, edge to edge. Good luck.


The reality is you can't protect against everything and everyone. It is cost prohibitive and in most cases impossible anyway. Although the truly paranoid may disagree, not everyone is interested in attacking you, and within the realm of possible attack methods, it is more than likely only a few would be employed. The "path of least resistance" rule applies here.


A common pitfall is to rely exclusively on vulnerability assessments to determine where to focus. Although vulnerability assessments are valuable, they are misleading if they are the only source for Prediction. Understanding your opponent is fundamentally different from being aware of the weaknesses inherent to your environment. The result will be expending effort on areas which will never be targeted for exploit. Consequently, fewer resources will be available for areas under siege.


The best security professionals understand the relationship between attacks and the environment they protect. They marshal their resources to intercept the most likely attack vectors for the greatest effect. Prediction is the first step in the efficient use of security resources. Knowing why your organization would be attacked, likely targets, and the ‘easy' ways which tantalize attackers, provides the insights necessary to prevent such incidents.



Prevention:

This is where the magic happens. Preventing or deterring attacks is where everyone wants to be. Given the insights of Prediction, which include incorporation of industry best-known methods, you can put forth a front line of defense representing the bulk of your cost efficiency. The purpose is to render ineffective the most likely methods the attackers will employ and deny the attackers their objectives.


Prevention can take many forms, both technical and behavioral. Here are some examples, but don't take this as a complete list or even a recommendation, as selecting the right prevention solutions is specific to the environment and organization. Policy, security awareness, web proxies, and email filters are examples that intercept people-based attacks. Computing systems can be protected with anti-virus, system hardening, compartmentalization, authorization and authentication controls, host firewalls, and timely patching, to name a few. Communication network attacks are prevented mostly with high-speed automated technical solutions such as firewalls and proxies, as well as secure device configurations and a good network architecture plan.


At its best, a solid prevention plan will eliminate threat agents' easy attacks and protect those critical assets most sought by the attackers. Doing a good job here translates into the biggest bang for the security buck.


"Two types of victims exist: Those with something of value and those who are easy targets. Therefore, don't be an easy target and protect your valuables."

Detection and Monitoring: (video: ...when the security drums fail)

Unfortunately, at some point a number of attacks will succeed. Although it is most efficient to deter or prevent attacks, ignoring those that do get through the front line defenses is ill advised. Security incidents and intruders must be promptly identified, cornered and squashed like bugs. The first step is the ability to rapidly ascertain when the Prevention defenses have been breached and track the actions of the buggers. Detection and monitoring capabilities sound the alarms and direct the Response resources to the source. Speed and accuracy is most important in detection. However, it must be designed to look in the right areas as it is cost prohibitive to watch everything. Again, Prediction can play a role in deciding what to watch as well as how to monitor.


Response & Recovery:

How an organization responds to successful attacks will largely determine what residual losses are finally realized. When an event occurs, having the right processes, people, tools, and capabilities in place to contain the security event is critical. Time is on the side of the attacker. The goal of the security professional is to eradicate the security problem and restore the environment to normal operations. This may range from minor efforts to catastrophic recovery. The earlier the Detection capabilities alert the organization, the easier it is to corral the issues and recover. The savviest attackers are stealthy. They want plenty of time to work on achieving their objectives, and they dig in deep like an embedded tick. The longer they have inside, the more damage they can cause and the more difficult they become to eradicate.


Don't be caught without proper Response and Recovery capabilities. Inability to restore the organization to a safe and normal state, translates to hemorrhaging money, time, resources, productivity, and maybe worse.


Continuous Improvement:

Information security is a continuous process. Key learnings from every event can improve individual areas as well as feed the Prediction services, thus giving a better understanding for the next time around. Defense in Depth can successfully be managed centrally or in a distributed model, as long as the overall strategy remains intact and interactions drive continuous improvements.


If you are ready to take the Defense in Depth plunge, you will be rewarded. Interlocking your strategy in a coherent manner gives better insights to reach and maintain your optimal level of security.


The Problem of Measuring Information Security

Getting a Return on IT Security Investment

Information Security Defense In Depth Whitepaper is Now Available


Enough fluff, smoke, and flash: get to the point. Why have security?


At the end of the day, it is all about loss. If you don't like experiencing loss then you must do something to avoid, minimize, or control it. Welcome to the world of Security.


Let's first get something out of the way. If you are seeking to eliminate all loss, I admire your enthusiasm, but you are out of your mind. Totally eliminating loss would be wildly expensive and in most cases impossible. How much would it cost to eliminate all auto theft in the world? Much more than is feasible, as just about any solution you propose would have some weakness and require additional measures, which in total would exponentially increase the cost as you near 100% effectiveness. It would become more cost effective to find a better replacement for cars and destroy them all, rather than prevent all future thefts. Optimal security is not about 100% protection, but rather a balance of spending, prevention, and acceptable losses.


The Profile of Loss

Back to reality. Security is about preventing loss, and some would argue managing loss or the risk of loss. Well, it is splitting hairs, but I would agree with both, as they are one and the same. When we talk about loss, it encompasses all the tangible costs and impacts as well as the intangibles of missed opportunities, reputation, and goodwill. Only a few types of loss can easily be measured, and most cannot easily be mentally grasped, much less quantified.


Security strives to prevent the 'Loss' of reputation, financial assets, customer goodwill, operations uptime, computing resources, personnel productivity, intellectual property, liability protection, and the list goes on. Some of these are obvious, such as a worm which brings your operations to a grinding halt for two days. Others are not as obvious. Losing Personally Identifiable Information (PII) of customers would open the liability of lawsuits, potentially incur governmental fines, tarnish the corporate reputation, sour customer goodwill, and invoke long-term recovery costs. Failure to meet Sarbanes-Oxley requirements may result in a CFO indictment and having to cope with the associated difficulties of finding a temporary replacement while your executive spends an extended vacation in a federal penitentiary. A single security incident can inflict many different types of losses, which in turn may vary wildly in overall impact.


The Evolving Security Landscape

All security programs exist in an evolving state. The enemies get smarter, move faster, and grow. The technology by which information flows rapidly changes. The very organization being protected and the assets within evolve over time. Regulations, customer expectations, experts' recommendations, and industry best-known-methods morph on a continual basis at a dizzying rate. The effectiveness and efficiency of security varies due to these external drivers as well as internal reasons.


So what does security look like over time? What are the key indicators? Here is my perspective. An organization will experience loss, period. If people are involved and any type of value is inherent, loss is expected. No surprise here. To get a better insight, let's apply the Greed Principle.


Greed Principle

From a security perspective, greed is a double edged sword, both good and bad. Greed drives people to do bad things and break the rules for their benefit, but good as it gives continuing opportunities for security to catch these people. The Greed Principle simply states "Losses will increase if unchecked". This principle manifests itself in many different ways but basically, if someone is successful at finding a way of stealing $10 from you, they will continue unless something intervenes. In fact, they will increase the amount they steal over time. If it worked for $10, why not try $15 and so on. As greed is a strong emotional driver for the bad-guys, it provides more and more opportunities to the good-guys to detect them. Hence ‘greed' being both good and bad.


The greed cycle may be disrupted. Intervention may be in the form of additional controls, prevention, deterrence, social pressure, or direct interdiction just to name a few. Many different mechanisms can influence an attacker. Ultimately, unless something changes, greed guarantees losses will increase over time.


Instituting a decent security program is a surefire way to disrupt the unchecked losses. Even a completely mindless security measure can have a great impact. Ever wonder why sales associates say ‘hello' to you when you enter a boutique shop? Even if they don't have time to help you directly, they will make eye contact, greet you with a smile, and say hello. Is this for better customer service? Well yes, that is one side benefit, but the primary function is to reduce shoplifting. Most small stores don't have the money to maintain a security staff and shoplifting can be a major problem (last I checked, retail prices are ~15% higher to cover the costs of security and residual losses). The simple recognition of someone entering a store has been shown to dramatically reduce the chances they will steal. In larger retailers, where they have a security staff, you may not get such a greeting (unless you wander into a predatory commission sales area).


The Security Maturity Model

Initial landing of a security program will affect the losses from attacks. But there is a price, namely the cost of security. Security spending bubbles before stabilizing in the maturity phase where it becomes more effective by lowering losses and more efficient by optimizing spending. Management usually has a firm hand in the reduction of spending, as they play an important part in keeping tension in the system.


So what do you get for your money? The amount of loss which did not occur, because of the influences of security, is the Loss Prevented. The more loss prevented, the better. But it is relative, as the cost of security plays into the efficiency calculation. Basically, (Loss Prevented) - (Cost of Security) is one measure of value. A negative number is mostly unfavorable, indicating you are spending more on security than you are preventing. I wouldn't recommend that model unless what is being protected is irreplaceable (life safety, unique items, etc.).


Lastly, one other factor must be discussed. Sadly, the organization will still experience loss, regardless of how much you spend on security. This is Residual Loss. Nobody really likes to talk about this ugly fact of life. It is important. This is the gauge by which the organization determines what is acceptable.


Reasonable Expectations

Every security program must continually evolve to align to a changing landscape of attackers, methods, and alterations in the environment being protected. Over the long run, a good security program will get better and cost less.


I have rattled the ‘optimal security' saber before in previous blogs and it continues to hold true: Optimally, an organization should spend the amount of money on security which prevents enough loss to bring the residual losses to an acceptable level. Only management can decide exactly where the sweet-spot exists for any given moment.
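The value model of this post (Loss Prevented, Cost of Security, Residual Loss, and the Greed Principle) carried through in code. This is an added illustration, not code from the original post or from Intel; every portfolio, cost and loss figure in it is constructed sample data.

```python
"""Security economics from the post: value = (Loss Prevented) - (Cost of Security),
Residual Loss = what still gets lost, and the 'optimal' spend that brings residual
loss down to the level management calls acceptable.

All portfolios and dollar figures below are constructed sample data (assumptions).
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Portfolio:
    name: str
    cost: float            # annual Cost of Security for this set of controls
    loss_prevented: float  # annual loss that did not occur because of the controls


def value(p: Portfolio) -> float:
    """(Loss Prevented) - (Cost of Security). Negative means you spend more than you save."""
    return p.loss_prevented - p.cost


def residual_loss(p: Portfolio, unchecked_loss: float) -> float:
    """Residual Loss: the loss the organization still experiences with the controls in place."""
    return max(0.0, unchecked_loss - p.loss_prevented)


def optimal_spend(portfolios: Iterable[Portfolio], unchecked_loss: float,
                  acceptable_residual: float) -> Optional[Portfolio]:
    """Cheapest portfolio whose residual loss is at or below the acceptable level.

    Returns None when no candidate gets there, which is the signal that management
    must either accept more residual loss or fund better controls.
    """
    acceptable = [p for p in portfolios
                  if residual_loss(p, unchecked_loss) <= acceptable_residual]
    if not acceptable:
        return None
    return min(acceptable, key=lambda p: p.cost)


def greed_growth(initial_loss: float, growth_rate: float, years: int,
                 intervention_year: Optional[int] = None) -> List[float]:
    """Greed Principle: an unchecked loss grows every year ($10 works, so try $15).

    An intervention (new control, deterrence, interdiction) stops the growth from
    that year on; the model freezes the loss rather than zeroing it.
    """
    losses: List[float] = []
    loss = initial_loss
    for year in range(years):
        losses.append(loss)
        if intervention_year is None or year < intervention_year:
            loss *= 1 + growth_rate
    return losses


# Constructed scenario: $2M/yr of loss if nothing is done, four candidate programs.
UNCHECKED_LOSS = 2_000_000.0
CANDIDATES = [
    Portfolio("no program", 0.0, 0.0),
    Portfolio("basic hygiene", 150_000.0, 900_000.0),
    Portfolio("defense in depth", 400_000.0, 1_600_000.0),
    Portfolio("gold plated", 1_900_000.0, 1_850_000.0),  # value < 0: spends more than it prevents
]

if __name__ == "__main__":
    for p in CANDIDATES:
        print(f"{p.name:18} value={value(p):>12,.0f} residual={residual_loss(p, UNCHECKED_LOSS):>12,.0f}")
    best = optimal_spend(CANDIDATES, UNCHECKED_LOSS, acceptable_residual=500_000.0)
    print("optimal at $500k acceptable residual:", best.name if best else None)
    print("unchecked greed, 50%/yr:", greed_growth(10.0, 0.5, 4))
    print("intervention in year 2: ", greed_growth(10.0, 0.5, 4, intervention_year=2))
```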


Matt Rosenquist, Information Security Strategist at Intel, says that measuring success in the security industry is difficult, since there isn't a perfect tool for measuring what doesn't happen. In this podcast, Matt talks about how Intel approaches security. How is measuring security programs any different than other IT or production programs? The heart of the problem is in trying to measure what does not occur. Security initiatives strive to prevent loss. So in effect they try and make something not happen or to lessen the outcome. And if something does not occur, how can you measure it?



Discuss this topic and more with Matt in his recent blogs:


The Problem of Measuring Information Security

Managing the Effort to Measure Security

Practical Aspects of Measuring Security


As the industry moves towards the next big leap, virtualization, I can't help wondering: will this be a security professional's dream or nightmare?


Disruptive technology:

I generalize virtualization as the necessary separation and compartmentalization of resources so things can be moved, consolidated, and managed better, across a wide swath of hardware platforms, users, and networks. It is a "disruptive technology" (not a bad term) which represents a fundamental change in how computer systems will operate, communicate, and be designed. It is a leap forward and represents greater agility, more functionality, and lower costs. The interesting security question is, what are we leaping into?


In the virtualization world you can name your poison....er, pleasure: Server, Client, Hardware, Operating System, Software, even data portability virtualization exists or is in development. I am not going to differentiate or explain the differences. Instead I am taking the strategic point of view. All these areas will be developed and instituted in some fashion. The details are far from being worked out. From a security perspective, it is the big picture that is important at the moment.


History has shown that the attackers have the advantage of ‘initiative' in technology, over the defenders. Basically, the attackers innovate and security then responds. But will this hold true for virtualization?


The Security Dream:

Virtualization holds the promise of security paradise by making systems more robust, hardened, simpler, and enabling new capabilities to make security more effective and cost efficient.

  • Virtualization allows a much greater consolidation of hardware resources. Multiple OSs, applications, and databases on a platform equate to fewer platforms to protect. Consolidation and portability for efficiency's sake may result in less network traffic to monitor, scan, and secure

  • Virtualization allows for effective security sandboxes to be employed for un-trusted or questionable applications and processes

  • Segregation of resources for applications, processes, OS's, and users means a compromise in one will be easier to contain due to compartmentalization. This makes it tougher for an attacker to break a weak link and begin to elevate their control over a system

  • Application restoration is a snap and full systems restoration becomes easier when a client does bite-the-dust

  • Systems and applications can be designed to operate with multiple environments of trust: very secure, secure, marginally secure, and not-so-trusting secure, all on one box (or the informal version: I trust you with my sister secure, I trust you with my wallet secure, I trust you as far as I can throw you secure, and I trust you will steal from me the first chance you get secure)

  • Virtualization will drive standardization of application design and data types making them easier to secure

  • Failover systems become less painful to design and implement at many different levels

  • System upgrades become seamless as jobs can be moved temporarily to other systems and then returned without disruption

  • Virtualization and other supporting technologies will drive advances in real-time security state monitoring, potentially across the enterprise and deeply into applications, OS's, data, and users

  • My personal favorite is that eventually we will have the ability to monitor for suspicious activities from a trusted person, versus just looking at applications or data. Think insider threats. This will be the first significant advance in a long time for this problem


The Security Nightmare:

Virtualization may be the very bane of security for decades to come by circumventing every type of security technology and enabling new capabilities for attackers to do real damage, thus forcing an entire redesign and reinvestment of security.

  • At the highest level, virtualization offers pure stealth to an attacker. Currently, malware must hide, lay dormant, or be very quiet in order not to be detected. This limits what the bad guys can do. They must trade capabilities and impact for stealth. Not so with virtualization. Malware could have the best of both worlds

  • Total Control - it's mine, you can't find me, and if you do, you can't make me leave! I can see everything, I can control everything, and I can do anything! Mine, mine, mine! Control can extend well beyond a single system and permeate across the virtual domains, with the persistence requiring an entire group of machines be burned down and rebuilt with great care

  • Now for the sledgehammer effect. Virtualization technology will undermine every current type of security control (the short list):

    • Anti-Virus, HIPS/HIDS, and Host Firewalls - Cannot detect or monitor an attacker's activities in a higher plane of control, making them ineffective while still giving the illusion of security

    • Patching - Controlling virtual instances, and more importantly creating false ones, will have patches installed on fake instances, leaving the real one vulnerable and under the intruder's control

    • Security scanning, used to check the system's state-of-security, can be fooled. Reporting back that all is fine when it is not

    • Encryption - At the right level, an attacker will be able to see before encryption, after decryption, and have your keys to decrypt at their whim

    • Security monitoring devices and agents can also be deceived, by showing them what they expect to see and nothing else

    • User Privacy will be compromised at many different levels and open the risks of aggregation across multiple data sources

    • Adware/Spam filters can be subverted

    • Secure channels can be monitored by attackers and setup between compromised systems

    • Security forensics may become a nightmare for many years due to the complexities inherent to virtualization and the fact that a high level compromise invalidates the integrity of logs

    • Even NIDS/NIPS & Network Firewalls become less effective. Hardware consolidation translates to less traffic on the backbone network and more in-between systems on a platform and within a local subnet. This gives less information to these network monitoring devices and lowers the chances they will detect malicious activity

  • The very same ‘sandbox' which can be used to isolate risky activities can be employed against security applications and processes, limiting their ability to control and protect the system

  • Virtualization adds more complexity and therefore risks more confusion when it comes to system management, especially for patching and system scanning. Keeping track of who owns what is bad enough today. But at least if you track down a server owner, you can normally get a quick decision on when to patch and reboot. In the future, the server owner may not know who owns the virtual instances running on their machine. So how does one coordinate downtime, patching, or other change control issues? These delays may extend the window of vulnerability, giving attackers more options and targets

  • Fewer systems but more diversity and ambiguity gives more places to hide and more opportunity to find a vulnerability

  • Virtualization portability will drive the standardization of application design and data types, making them predictable and easier to locate and compromise

  • Very complex designs which continually change are extremely difficult to restore and recover. Additionally, cascading failures can occur bringing down multiple systems whereas in a stovepipe environment they would be more insulated


Take the High Ground - Sun Tzu, "Art of War"

The ultimate sweet spot for any computer attacker is to gain the deepest level of control, which in turn can control all other virtual instances. This is the proverbial high ground which can see and control everything, yet not be seen if it does not want to be. Attackers are already making great advances and have shown the initial ability to take the high ground. Defenders are quick on their heels, finding ways of detecting and defending this vital area.


Who can make the final determination in this battle? Intel and other hardware designers, of course! You can't get any deeper than the hardware. Embedded security controls will be the key to victory. But here is the twist. You may have assumed I meant the victory to the glorious and honorable path of security. You are wrong. It is just the key to victory, period. Security and administrative controls are just functions with great power. Whoever controls those functions will be the victor.


Sometimes, the computer industry itself is its own worst enemy. Infighting on standards, rushing products to market, designing security as a bolt-on afterthought, ill-designed security solutions, etc. may cause temporary self destruction. Even when a security function is developed, there is no guarantee it will be embraced by the industry or the consumer. It will take a small army of very smart people across the hardware, OS, application, and security services to design robust controls which present a value proposition necessary for widespread adoption.


In the end, the age old battle will continue to rage on between the attackers and defenders. Virtualization is simply the next battlefield. A new landscape to which these players will innovate, respond, jockey for position, and struggle for dominance. The rules and possibilities have yet to be defined. All we know about computer security will be thrown on its side and everything we do now will need to be rebuilt from the ground up. Virtualization is a brave new world, sure to bring both dreams and nightmares.


Note, this conversation occurred in the SecurityMetrics email discussion group and is a repost of select dialogue. Thanks to all the contributors who granted me permission to post their comments.


Will the recent data breach settlement by TJX be a landmark case, setting the precedent for future lawsuits?


http://www.boston.com/business/globe/articles/2007/09/22/tjxoffers_deal_to_end_data_breach_suit/


This lawsuit focused on 45.7 million credit and debit card numbers that were stolen from TJX by hackers. The company will settle the case by offering $30 store vouchers, which equates to a value of the customer's time at $10 per hour. TJX will hold a "customer appreciation" 15% sale and will also offer credit monitoring and identity theft insurance to some customers. The total costs to TJX for this incident are around $256 million.


The Math of Liability Settlements


The discussion group was alight with the paltry $30 restitution per customer.


Dan Geer shed some light on the numbers by citing a legal precedent for liability and doing the math.


Given P = the probability of loss
L = the amount of said loss
B = the cost of adequate precautions
Then Liability whenever B < PL
So, taking data from the published FTC study[2] of 2003 where they said that 4.6% of the US population had had an identity theft problem and that in solving it the affected had expended 300 million hours and 5 billion dollars, and using the then Federal minimum wage, we'd thus have:


This leads to the question of whether $30.11/yr/consumer is enough to prevent identity theft, as defined by the FTC, and if it is, then liability would ensue.
This is close enough, excluding increases in minimum wage, to the $30 figure in the press report to make me wonder if the TJX folks have been reading the same stuff I've been reading.

Impacts on Stock Price


The TJX stock has seemingly not been adversely affected.


Bill Frank noted:


I just looked up TJX stock price. It's within two points of its all-time high at $30.16. It surely dipped when the story was new. But it seems to have completely recovered.
For one of the worst security breaches of all time, it does not look like there will be any permanent damage (to TJX).

Matthew Rosenquist:


Sadly, this does not surprise me. Until the disdain of such breaches becomes personally embraced by the general populace, such incidents probably will not have a significant impact. I think it will be a slow curve as society begins to alter its perspective on how data-loss events affect 'others' and begin to comprehend that it very well could and does affect them. And that they are empowered to prevent being victimized, through the simple choice of where to spend their money and whom they choose to expose their PII/PHI and financial records to. Only then will it change spending habits, investing choices, and ultimately begin a cascade effect with the economy directly surrounding organizations which allow, through ignorance or indifference, such losses.
Today is a sad day, but tomorrow will be a little better as the pain will continue to grow and slowly manifest change in the herd.
After some posts recommending more governmental regulations I threw out a couple of points:
1. I believe the free market system, with its inherent checks and balances, will prevail. But the key is fixating on the real issue: Money. Follow the money.... How much will this cost the TJX consumer? How much higher prices will they need to pay for the mismanagement by TJX officers? This is the real metric (IMHO). This will determine the velocity by which the curve will occur (see my previous ranting on this thread).
2. The math (disclaimer: will someone with a bigger brain check my numbers, which are ballpark anyways - just for illustration purposes):
TJX estimates total losses for the security incident: $256M
TJX estimated Sales Revenue: $18000M
TJX estimated Sales Net Profit: $738M (I chose to use Net instead of Gross, but use whatever you believe is right)
TJX estimated profit margin: ~4%

In order to recoup the $256M in Net Profit, they would need to sell an additional $6400M in product ($256M / 4%), or INCREASE prices by ~25% without selling more. For those TJX customers, are you okay in eventually paying ~25% more for the same products, due to poor management practices of the retailer? (Yes, it is the decision of the management to decide how much they want to recoup, but you get the point).
...yes these are rough numbers, for discussion purposes only. The point is somebody has to pay. It will be the customers. Let's have a bright person do the math and show the customers what they are going to have to eat, as part of the cost of doing business with TJX (substitute company name of any organization who allows a data breach).

Bill Frank:

Matthew, the only metric that really counts is the stock price.
I see your math if the point is to recoup the money lost. But too often the stock price ignores one-off events. The point is that the stock price has recovered even though they lost $250 million because the incident is seen as a one-time event that will not have any effect on earnings going forward.

Matthew Rosenquist:

Bill, you make a good point. My contentions are that due to a lack of realistic and understandable metrics both the consumer as well as investor does not have sufficient data to comprehend the future ramifications, hence the propensity of classifying these issues as one-time events. Which time will prove, they are not. Basically, the customer and investor do not know how to react. They are pensive due to a lack of understanding and experience. We are all on a path of learning. Empowering people with insights, understanding, and a strategic view is the role of metrics. In this case, I see the true power of metrics as a tool to help escalate the learning curve. I believe sometime in the future such a breach would cause significant backlash by the consumer and reflect in the stock price. We just are not there yet.

Anton Chuvakin:

I feel that there is something very wrong with this math... just not sure what exactly. My guess is that if you increase your price by 25% in this business, you'd be gone within a quarter (see narrow margins, cutthroat competition, etc) So they probably won't. Can somebody then explain, who pays?

Matthew Rosenquist:

Yes, there is something wrong, but I use it for illustrative purposes only. The missing link is the decision by management on how much loss they are willing to accept. If they choose to eat the entire $256M, then they do not need to raise prices at all. On the other end of the spectrum, if they want all $256M back, then they have to raise prices. An increase by ~25% for one year would come close, although realistically, they would spread out the pain over several years so as to be only a slight increase over a longer period of time.
The key is what management decides, either consciously or unconsciously, to be an Acceptable Loss.
Note: I grabbed the company's financial data, including the margin figures, from yahoo.com/finance

Susan Bradley:

But isn't the free market system working now? The one that has Russian/Asian hackers/Spammers/Phishers sneaking into our servers, causing breaches now working quite nicely now?
Look at the free market system of software (and I'm not talking Microsoft here). Show me an accounting application that natively has encryption surrounding the PII data in it? Granted I hang in the SMB space, but do you guys in enterprise see movement up there or am I just not looking in the right places for vendors making changes reacting to PII losses?
If the free market system was working ...then why does my Bank of America have computer terminals that look like DOS on their desktops? Of course then again why am I still banking at them and not moving to Wells Fargo where they are at least running Win2k last I looked? Aren't I guilty of not shopping for the most secure bank when BoA lost a few PII here and there? I haven't taken my business elsewhere as a result. Shouldn't I?
I myself am guilty of this "bare minimum" view as I was on a virtual committee for the 'minimum' security standards for all sized entities organized by CISecurity.org and I couldn't (wouldn't) push for two factor authentication being a defacto standard since I didn't feel that the industry was mature enough to be a standard yet for SMBs.
So while the free market industry for the spammers, phishers, etc seems to be quite robust, are the applications responding to the free market of checks and balances?

Matthew Rosenquist:

I believe the system is working, albeit not as fast as we all would like. As proof, we have dramatic changes and tension in the system. Neither side (good guys/bad guys) is completely winning but both are rapidly changing and evolving. The information security industry has skyrocketed in the past 5 years. So has cyber crime. In this dance each side is looking for advantages and continually adapting to their respective opposition. Change is afoot. Other areas of cyber security are much farther on the maturity curve than privacy and data breach security.
Security will continually seek to mitigate losses in the most cost efficient manner. In doing so, the industry will change as well as the expectations of security. In the end, we are not trying to make everything impervious to attack, instead we are seeking to achieve and maintain the optimal level of security which balances the cost of security with the loss prevented to reach an acceptable level of loss. This is a wildly gyrating target as new vulnerabilities, threats, changes to environments, etc. are constantly changing. Adaptation is in small steps. I doubt we will wake up tomorrow to have every application using encryption. The cost is just too high and we would be overshooting the optimal level of security. Eventually however, the most critical applications will use encryption.
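The Learned Hand test Dan Geer applies above (liability whenever B < PL), worked through in code. This is an added illustration, not code from the discussion group: the page supplies P (4.6%), the 300 million hours and $5 billion from the FTC study, and the $30.11/yr/consumer result, but not the intermediate arithmetic, so the $5.15 minimum wage (the 2003 federal rate) and the 217.4 million adult population used here are assumptions chosen to land in the same neighbourhood.

```python
"""Hand formula (B < PL) with the identity-theft figures quoted in the thread.

Added example; the wage and population inputs are assumptions, not figures from
the page. Decimal is used so the cents come out exact rather than float-fuzzy.
"""
from decimal import Decimal, ROUND_HALF_UP


def expected_loss_per_consumer(p: str, hours: int, dollars: int,
                               wage: str, population: int) -> Decimal:
    """P * L per consumer, where L is the total cost of identity theft per victim.

    victims = P * population and L = total / victims, so P * L collapses to
    total / population: the average yearly identity-theft cost borne per person.
    """
    total = Decimal(hours) * Decimal(wage) + Decimal(dollars)  # hours valued at wage
    victims = Decimal(p) * Decimal(population)
    loss_per_victim = total / victims
    return (Decimal(p) * loss_per_victim).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def liability_ensues(b: str, p: str, loss: str) -> bool:
    """Hand rule: liable when adequate precautions (B) cost less than expected loss (P*L)."""
    return Decimal(b) < Decimal(p) * Decimal(loss)


if __name__ == "__main__":
    # Inputs from the thread (P, hours, dollars) plus the two assumed figures.
    per_consumer = expected_loss_per_consumer("0.046", 300_000_000, 5_000_000_000,
                                              "5.15", 217_400_000)
    print(f"expected identity-theft loss per consumer per year: ${per_consumer}")
    # Compare the settlement value (a $30 voucher) against that expected loss.
    print("precaution budget of $20/consumer/yr -> liable:",
          liability_ensues("20", "0.046", str(per_consumer / Decimal("0.046"))))
```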


What are the risks to company employees embracing new social media applications, such as Facebook, Myspace, IM, Twitter, etc. at work?


I recently had a great discussion with Josh Bancroft, an Intel software engineer deeply entrenched in the social media world (truth be known, Josh has been a champion in this area for a while and Intel owes much of our social media maturity to Josh and others like him). Josh recently started a blog on this topic and is getting some great responses. Check it out!


Here is my position:


Corporations institute security mitigations to control and manage risks to the corporate network, systems, data, reputation, customer goodwill, liability protection, etc. Many of these new social applications expose employees to a new set of social engineering threats. Connecting to these services from company machines across corporate networks exposes potentially critical assets as well.


The benefits are undeniably great for these tools, but should corporations embrace such potentially risky communication channels? If so how?


Anytime an employee makes a connection through the corporate firewall to an external internet location, the risk meter goes up. Email is a perfect example. Uncontrolled email would be a huge risk. Without spam and malware filters, a corporate network connected to the Internet would surely be overwhelmed. Organizations have instituted such security controls to manage the risk to an acceptable level. But with the rapid introduction of new social tools, designed to traverse proven security controls, how should companies manage the new risks?


What is worse, these social platforms may be used by savvy attackers, to profile targets and directly go after one of the traditionally weak links in any security program, the human element. Employees can be swayed to download malware and divulge sensitive information which can lead to tremendous compromises of corporate assets.


What to do, what to do. With my security hat firmly bolted on, I say employees must comply for the greater good, which means balancing function with security. Normally, corporate information security policies are in place to control what is allowable. Policies are formal means for management to determine the acceptable level of risks, thereby defining the function/security balance.


So how do we get beneficial social interfaces integrated into the corporate computing landscape? Well, it really is a senior management decision to accept the risks. Such an effort usually begins with a risk assessment to determine where on the risk spectrum it would be and what potential cost effective security mitigations could be applied. If senior management is willing to accept the residual risks, then it is time to move forward. With the sheer number of new social interfaces being introduced, it would be unlikely all would be embraced. Some, if not many users may be unhappy, but this is the cost of effective, efficient, security assurance in the corporate setting.


But what if the end users collectively ignore these policies? What responsibility does security management have to ensure due care and due diligence are maintained? Security must consistently follow their rules of engagement. It is tough enough to keep the environment secure without employees subverting policies. I recommend detection and enforcement as well as collaborating with the end users to determine if a middle ground can be found to meet the business need while maintaining the integrity of security. We are all in this together. We will succeed or fail together.


Security in a Box

Posted by Matthew Rosenquist Sep 24, 2007

Are you looking for that special gizmo in a box which will provide your organization a warm blanket of security? Buy it, plug it in, and voilà! You are now secure. Fold up the tents and walk away, the job is done. Well, keep looking. Regardless of what some security vendors peddle to uninformed IT managers, it simply does not exist.


Security is an on-going process of diligence. The simple fact is, as long as the environment being protected changes, and the threats to that environment look for ways to take advantage, security must also adapt. No one product sufficiently spans the current and potential spectrum of attack vectors, nor does any one solution cover all aspects of technology and behaviors which may be exploited.


The booming growth of security products over the past few years can partly be attributed to organizations dumping money into the market. A common mistake of many senior IT managers was to invest bags of money under the false belief it was a one-time expenditure. As if security could be purchased in a box, installed, and the issue resolved. Especially in IT departments, people new to the realm of security apply IT thinking to the ‘problem' of security, expecting to find an engineering solution ‘fix' so life can move on. I can't blame them really, as most technology minded people deal with obstacles rather than opponents. An obstacle can be overcome. Engineers are great at going over, under, around or through obstacles. Find the right technology, gadget, toy, process, or application and the problem is solved so the diligent IT person can move on to the next obstacle.


Opponents, not obstacles

Well, security is not about obstacles, it is about opponents. Every security threat can be traced back to a person. That person, if malicious, has an agenda and an objective. Put an obstacle in their way, they will find a way to counter or go around it in the pursuit of their objective. In fact, the behavior of attackers is usually predictable, as they follow the ‘path of least resistance' to achieve their objective.


If you treat an opponent like an obstacle, you will be fighting a never-ending set of losing battles. One hole is plugged and the opponent simply adjusts to the actions and comes at you from another direction. It can degrade into a battle of attrition. The defense in this manner can only hope they ‘fix' enough things to make the attacker move on to another target. However, the cost of each ‘fix' is much greater than the cost for the attacker to adapt. For a dedicated attacker, the odds are in their favor, unless the target is willing to spend an inordinate amount of time and resources to continually fight the ‘obstacle' battle in hopes that eventually the attackers will tire or find an easier target.


I plan on going more in depth on this Attacker -> Methods -> Objective model in another blog and may go into great depth in a whitepaper, time permitting. Traditional IT thinking, when applied to security, is an endless treadmill consuming time and resources.


Feel the Pain

Be careful what you wish for. If senior management maintains a simplistic view of security, then many problems are sure to follow. Time to bring on the pain. Choosing to adopt the deceptively straightforward ‘obstacle' defense is an unpleasant education in futility as new issues quickly replace the ones just remedied. It is both costly and frustrating. Losses begin to tally and security spending increases as the organization is stuck in a routine of responding to each new type of attack. Management can get very aggravated at the continuing expense and interruption with such a poor strategy. From the perspective at the top, it is easy to blame the security staff, and not obvious that the lack of a comprehensive security strategy is the real culprit.


In this cycle, it is a safe bet management would not comprehend the strategic need to identify an optimal balance of security. Such viewpoints tend to distill the situation to a binary state, either the company is secure or it is not. Trying to argue a gradient or any other perspective may fall on deaf ears. Expect the commitment to be limited to short term security expenditures and no allowance for much in the way of sustaining costs or future additional costs necessary to mitigate new threats. Budget discussions can be frustrating; with management expecting a dramatic decrease in future security spending while those in the trenches are struggling just to maintain effectiveness against new types of attacks. The lure of an easy solution or product is very tempting, but nothing more than a mirage which distracts leaders and reinforces an overly simplistic way of thinking, leading the organization down a path of inadequate preparedness for sustaining needs of the future.

 

 

On the converse, if an organization maintains the perspective that an ‘opposition' exists, then an entirely different game is played. One which can be won or at least managed efficiently. The organization can implement a thorough defense-in-depth strategy which starts with Prediction. Predicting the opposition's objectives, capabilities, and most likely methods is the first step in applying a cost effective structure to Prevent, Detect, and Respond to attacks.

 

 

Cost of the Magic Box

If your organization is looking for the magic security box then it is suffering from the ‘obstacle' way of thinking. This will be costly. The security programs implemented under this way of thinking will most likely be rigid and have a short effective shelf-life. Many security initiatives will be in response to successful attacks and will be rushed into production. Stacking an increasing number of independent solutions weighs heavily on the computing infrastructure, complicating the very environment it is trying to protect, and sets in motion steadily increasing sustaining and support costs, with no end in sight. Bleak to say the least.

 

Management perception and strategy are very important aspects when evaluating the value of security programs. Security is not a snap-shot in time. Sure, buying a flashy product may fix a specific problem which cropped up, but the long term costs must be factored in. Will this product ever be End-of-Life'ed? Is their a different product which not only closes this gap in security but also provides broader protection against future issues? What are the real operating and sustaining costs? Will the product be maintained by the vendor and continually upgraded to address new threats?

 

 

The bottom line

When measuring security it is important to understand the threats, solutions, as well as the organization which everything will be applied. With all other factors equal, the value of a security product is greatly different in an organization with a comprehensive defense-in-depth strategy, versus an organization with a haphazard strategy with non-integrated solutions. No one product or service does it all. The attackers are dynamic and will adapt to an organizations defenses. Understanding the concept of ‘opposition', even embracing the idea, will thrust your organization ahead in this game.

 

Practical Aspects of Measuring Security

Security in a Box

The Four Dirty Questions of Measuring Information Security

Managing the Effort to Measure Security


Measuring security must be done in a manner which benefits the organization. Yes, it is difficult to obtain data, determine key factors, calculate value estimations, analyze results, conduct sanity checks, and translate the information for the intended audience. Yes, even the most expeditious professional can be consumed for weeks, months, and even years due to the complexities, lack of data, and sheer desire to make it a little more accurate. But this exercise has a purpose and a window of applicability. Taking six months to conduct an ROI analysis for a project which management wants integrated in 4 months is a waste. Every request is different and the resulting analysis should flex to meet its intended purpose.

I know what you are going to say: "You can have it fast, cheap, or accurate; just pick two". This is very true and must be taken into account when tackling the ugly job of measuring security. In the example of the 4 month project, setting an expectation of a 1 week ROI analysis with ball-park accuracy may be entirely acceptable to management. They get what they need to make a go/no-go decision and the analyst does not waste effort on overkill.


Beware the frustration inherent in trying to achieve accuracy to the second decimal place (or any other ridiculously granular measure). It is a mirage you will never grasp. Methods of measuring information security value are still in their infancy. No silver bullet exists which delivers precise results and applies to all situations. Know the situational limitations and align the analysis with the business decision being made.


Understanding what is needed is the first step of any security measurement endeavor. Having discussions early on regarding the scale of accuracy, how the output will be formatted (dollars, MTTR, compliance to regulations, etc.), and a timeline for completion will set clear expectations and avoid the "bring me a rock" situations.


My advice is to apply the Security Judo mantra:


"Exert the minimum amount of energy necessary to achieve the security business objective"


Principles of good planning and project management apply to measuring security. Don't go overboard and calculate the exact strength of a hurricane if management only wants to know if they should take an afternoon pleasure cruise.

Practical Aspects of Measuring Security

Measuring security is very much a practical matter. It is important for an organization to understand the efficiency, effectiveness, and overall value of its security efforts in order to make decisions which lead to an optimal level of security.

History tells a tale

The industry has been witness to a recurring pattern. As companies begin to focus on security concerns, the need to measure and understand the value proposition becomes increasingly important to making good business decisions. Many organizations jump into security based upon fear, uncertainty, and doubt (FUD) without the benefit of security value measurements. In a classic knee-jerk reaction, some companies initially poured money into security programs, and only when the dust settled did they begin to ask about the actual value and cost effectiveness of sustaining operations. As reality sets in they begin to ask: did this make a difference? Did I do too much? Why is the sustaining cost so high?

The maturity cycle takes over and the tough questions lead to the understanding that they are not seeking a state of perfect security, but rather a balance. Having sufficient security to ensure zero negative impact from threats would be wildly expensive and most likely impossible. Too little security can allow unacceptable business impact and losses. So there must be a sweet-spot. This is where security metrics come into play, to help find the right balance and help leaders make the right decisions to attain it.

What is value?

We all know what value is, right? A quick check in the Encarta Dictionary will return: "the worth, importance, or usefulness of something to somebody". It is not limited to dollars, rate of return, or some other finite indicator. In reality, it can be the absence of discomfort, compliance with regulation, satisfaction of key people, uptime, the ability to seize opportunities, something tied to emotions, etc. Those who only seek to put a dollar sign on security value are missing the boat. Don't get caught in that tar pit. It will limit your visibility and undermine the accuracy of any analysis.

Who are these people and what are they asking for?

It may seem, to those in the security world, that everybody wants to know the value. But it is more complex than that. Everybody wants it expressed in a different way, their way. Talk to a finance analyst and they will be demanding NPV (Net Present Value) or IRR (Internal Rate of Return) numbers. The friendly business analyst will prefer BV (Business Value). The efficiency manager will be firm on CB and CE (Cost Benefit/Efficiency) ratios, while the product and service managers hold to the trusty ROI (Return On Investment) model. Savvy senior managers know to ask for overall ROSI (Return On Security Investment) numbers, while mid-level operations folks live and die by the MTTR (Mean Time To Repair) and MTBF (Mean Time Between Failures) metrics. The list goes on, as auditors, compliance, corporate purchasing, etc. each have their preferred vernacular. Even the security researchers will tend to lean towards their expertise. It is easy to recognize those who have an economics, mathematics, or operations background, as they express their ideas in ways relative to those disciplines.

My advice is to ignore these people and their fancy acronyms. Express value in the most applicable and accurate way possible for the circumstance. It is hard enough just to do that! Keep it practical, keep it real.

Practical Aspects of Measuring Security

In my experience over the years, calculating security value and providing consulting to others doing the same, I have noticed the same 4 questions tend to rear their ugly heads. Requests by senior managers, finance analysts, business value analysts, project and program managers all fall into one or more of these types of inquiries. And when I say they are ugly, oh they are.

In most cases the parties seeking information are in some phase of the decision cycle:

Should I spend money on security? - This is a business decision based upon compelling drivers, usually loss of some kind, including non-compliance with regulatory requirements (which could send a C-level officer to spend an extended vacation at Club Fed) or risk of a catastrophic blunder sufficient to crater the organization. The business aspects must include how many coins are in the coffers, the amount of loss (both realized and unrealized) on the table, and whether the money could be better spent elsewhere (opportunity costs).

How much should I spend? - A value decision considering what the organization is willing to accept in losses, what can be spent on security, and the amount of loss which could be prevented. Optimally, there exists a point at any given time at which management is willing to spend a certain amount on security which prevents enough loss to bring the residual losses to an acceptable level.

What should I spend it on? - An exercise in comparative analysis of available options which drives down overall costs while increasing the losses prevented and maintaining the optimal level of security and residual loss.

On to the ugly questions (feel free to share your experiences):

Ugly Question #1: How do I select the security product/program with the best value?

This is typically asked by senior management or by a product/service manager seeking to identify the best solution among a pool of several competing initiatives. As an example, they might be looking to purchase an Intrusion Prevention System (IPS) and looking for the best of breed. Conversely, they may be looking to establish or improve a security capability (example: data protection) and trying to determine the best product among multiple solutions (encryption, IPS, document tracking, data destruction policy, etc.) across multiple vendors.

The challenge is to be able to compare which solution will best achieve the optimal level of security. This is a function of security cost, losses prevented (effectiveness), and acceptance of residual loss. To simply go for the cheapest, most effective, or fastest to adopt is, more often than not, the wrong long term answer (and security is a long term proposition).


Ugly Question #2: What is the value of this security product/program?

This is asked by management and project managers when a solution is in the proposal stage, by the sustaining operations folks once it has been implemented into the environment, and by management during times when the organization is looking for opportunities to cut costs. As value is a dynamic concept, it can radically change based upon business, legal, and social aspects as well as the normal fluctuations in the threat landscape. The first step here is to identify what types of value were intended to be provided and the appropriate metric to measure those aspects.

As an example, management may be seeking to protect the organization's image and limit its liability from the loss of Personally Identifiable Information (PII) through the implementation of a hard drive encryption program for company laptops. The metrics may be as simple as determining the saturation of the program and whether encryption is sufficient to protect from liability in the geographies in which they do business. In this manner you can estimate the amount of coverage for which liability and image concerns are abated.

You might think, wait, that is not a dollar figure! Where is the value? Well, in this case, management may be looking for the establishment of a capability. Either we are protected from this threat or we are not. The same stratagem could apply to compliance with HIPAA or other regulations. To attempt to quantify a dollar figure in this example would be overkill and may detract from what is intended. Realistically, a dollar savings cannot reasonably be calculated, no matter what kind of magic hat you possess. I have seen some attempts, by people with the best of intentions, to do this very calculation. But not knowing if, when, or to what extent a loss may occur, nor being able to truly measure the potential losses due to the large number of unknown variables which have an astronomical range of potential damage, these assessments are pure folly (but really fun to poke holes in). Half the battle in measuring the value of security is to know what limitations exist regarding the granularity of what can realistically be measured and validated.


Ugly Question #3: How do I compare the value between security and non-security initiatives?

This one bites. Really. It is almost impossible to do, anyone can challenge the results, and if you get it wrong everybody hates you. This comes up when senior management must decide where to spend hard earned budgetary dollars. It becomes an "us versus them" battle between security and some other group. Each party wants the money to spend and the infighting can get downright dirty. So what is a manager to do? Just tap your friendly neighborhood security analyst to calculate the value (just as long as it is not me), then compare against the value of the non-security program. Easy, right?

I wish. Security programs rarely have the benefit of real dollar justification attached. Unless you are in the security products/services industry, security does not generate revenue; it is just overhead. More on that in a different blog. Non-security programs have the edge here. A marketing program may generate XX dollars, an operations efficiency program may save YY downtime or be able to cut ZZ heads from the budget. These strong arguments bark loudly to management. Security value will retort with a whimper, maybe a risk reduction of xx% or at best a loss prevented of yy dollars. Did I mention that even calculating such values takes more time, requires more assumptions, and in most cases can never be validated, as compared to the non-security programs? Pure ugliness. Alas, it is not impossible. I have seen the fight won (i.e. management given accurate and comparable data to make the best decision), but beware, the deck is stacked against security.


Ugly Question #4: How much should my organization spend on security?

This is the big-daddy of questions, posed by senior management or, if the organization is large enough, by a divisional head. Although I plan on discussing this in greater detail in another blog and whitepaper, the path to take is to identify the optimal level of security.

Every organization is different, with ever changing business needs and drivers. What one company desires from its security program and is willing to spend will differ from its neighbor. The willingness to accept different levels of loss also varies greatly. But there are common perspectives which are shared to a great degree by all organizations. As an example, in most instances we don't want to spend more on security than we get in return (typically measured in the loss prevented).

If we look at an organization individually and imagine an increasing line of spending, then for each point on that line we have an amount of residual loss which will be experienced (in theory, trending down to some degree as the security spending goes up) and therefore an amount of loss prevented for each point as well. At a strategic level, these three lines (spending, residual loss, and loss prevented) give us what is needed to answer this ugly question.


How much should be spent? Optimally, an organization should spend the amount of money on security which prevents enough loss to bring the residual losses to an acceptable level. What I have found is that the target exists somewhere between the low point where the rate of return begins to diminish and the high crossover point where the spending exceeds the loss prevented. Only management can decide exactly where the sweet-spot exists for any given moment.

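A worked version of the three-line model from the two paragraphs above, added here as an example and not code from the original post. The spend/residual-loss curve is constructed, the function names are mine, and the "low point" is read, as an assumption, as the first spend level after which an extra dollar prevents less than a dollar of loss; the crossover is the first point where spend exceeds loss prevented, and management's acceptable residual loss is then placed inside that window.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SpendPoint:
    spend: float          # annual security spending at this point on the line
    residual_loss: float  # expected annual loss still experienced at that spend

@dataclass(frozen=True)
class Recommendation:
    low: float                    # spend where diminishing returns begin
    high: Optional[float]         # crossover where spend exceeds loss prevented
    required: Optional[float]     # cheapest spend meeting the acceptable residual loss
    recommended: Optional[float]  # None if the target cannot be met inside the window

# Constructed, purely illustrative curve (not data from any real organization):
# residual loss falls fast at first, then flattens as spending rises.
CURVE = [
    SpendPoint(0, 1000), SpendPoint(100, 700), SpendPoint(200, 480),
    SpendPoint(300, 330), SpendPoint(400, 240), SpendPoint(500, 190),
    SpendPoint(600, 160), SpendPoint(700, 140), SpendPoint(800, 128),
    SpendPoint(900, 120),
]

def loss_prevented(curve, point):
    """Third line of the model: loss at zero spend minus residual loss at `point`."""
    return curve[0].residual_loss - point.residual_loss

def diminishing_return_point(curve, threshold=1.0):
    """First spend after which one more dollar prevents less than `threshold`
    dollars of loss (assumed reading of the post's 'diminishing rate of return')."""
    for prev, cur in zip(curve, curve[1:]):
        marginal = (prev.residual_loss - cur.residual_loss) / (cur.spend - prev.spend)
        if marginal < threshold:
            return prev.spend
    return curve[-1].spend

def crossover_point(curve):
    """First spend level at which spending exceeds the loss it prevents."""
    for p in curve:
        if p.spend > loss_prevented(curve, p):
            return p.spend
    return None  # never crosses inside the modelled range

def spend_for_acceptable_loss(curve, acceptable):
    """Cheapest modelled spend that brings residual loss down to `acceptable`."""
    for p in curve:
        if p.residual_loss <= acceptable:
            return p.spend
    return None

def recommend(curve, acceptable_residual):
    """Place management's target inside the [low, high) window the post describes."""
    low, high = diminishing_return_point(curve), crossover_point(curve)
    required = spend_for_acceptable_loss(curve, acceptable_residual)
    if required is None or (high is not None and required >= high):
        chosen = None  # reaching the target would cost more than it prevents
    else:
        chosen = max(required, low)  # dollars below `low` still return more than they cost
    return Recommendation(low, high, required, chosen)
```

With the constructed curve the window is 300 to 900: below 300 each extra dollar still prevents more than a dollar of loss, and at 900 spending (900) first exceeds loss prevented (880).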

Now your turn. What ugly question has been thrown in your direction?

Practical Aspects of Measuring Security