
IT@Intel Blog

70 Posts tagged with the security tag

Measuring the Return on Investment (ROI) of information security is challenging but not impossible.  It is important to understand the necessary components and how they interrelate.  In this brief video, I discuss one way of expressing value in relation to the positive impacts of security spending.

Video Length: 3:26 minutes

This video provides a high-level explanation.  For more information regarding the challenges of information security ROI, please take a look at the following links:

The Problem of Measuring Information Security

How Security Programs Reduce Loss

Whitepaper - Measuring the Return on IT Security Investments

Are Security ROI Figures Meaningless?

BlogTalk Radio Discussion - The Problem of Measuring Security

BlogTalk Radio Discussion - Return on Security Investment – Intel Case Study

The Four Dirty Questions of Measuring Information Security


I was recently trading thoughts with Anton Chuvakin, a respected security metrics professional, in a philosophical discussion of perfection and quality of security.  Admittedly, I was on auto-pilot (operating without the benefit of coffee), rattling away with my ‘Optimal Security’ rhetoric, when Anton posed two thought-provoking questions: CAN one "mandate optimal security"?  How do you "mandate flexible"?

I was stopped in my tracks.  This got me thinking.  After fetching a tall cup of coffee to get my brain juices flowing in earnest, I reached back into the pages of history to come up with the following perspective and examples:

I believe, to a certain extent, we can mandate flexibility and optimization.  Surely we can act in ways which deny both.  So why can’t we act in a manner which intrinsically promotes them?

I think back to the lessons of WWII and the Maginot Line.  The French chose to create a fortification which was static by design and lacked mobility or the capability to adapt to changing enemy tactics.  They invested heavily in this control, which became the backbone of their country's eastern defense.  It was an appalling failure.  The German blitzkrieg, and the stratagems of both Rommel and Patton, prevailed instead.  Flexibility through mobility was far more effective than an elaborate static defense.

I would argue that flexibility can be mandated through proper planning and design.  We have examples in the history of information security.  Early Anti-Virus (AV) products were non-memory-resident applications which were prescribed to be run once a week.  Updates were a rarity, if they came at all.  That rigid design quickly lost effectiveness with the rise in velocity of new malware.  AV vendors were forced to adapt.  The overall design has changed to one which is flexible, can be updated to meet emerging malware, and runs continuously in the background to provide persistent security.

Rigid security postures lack the ability to remain effective over time and are likely derived from an equally rigid infrastructure which will struggle to adapt to new threats and changes within the organization.  Create security to be flexible and you enable the service to keep up with the continual changes.

In general, design a system to be flexible and its longevity of effectiveness is extended.  Plan how systems can continuously adjust themselves to align with what is 'optimal' and you increase the sustaining efficiency.

We must be strategic in our planning and design of security, lest we suffer the fate of France's Maginot Line.


Check out Anton’s Blog for other thought provoking viewpoints; just be sure to have your coffee at the ready.

More on “Optimal security”:

Strategy for Sustaining Optimal Security

Information Security Defense In Depth Whitepaper is Now Available

Fortune Cookie Security Advice - June 2008

Defense In Depth Strategy Optimizes Security

The Four Dirty Questions of Measuring Information Security


What are your thoughts?  Rigid or Fluid?  Have you implemented optimal and flexible?


Think strategic.  Act competitive.  Be secure.

 

Everyone wants information security to be easy.  Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie?  Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

 

The key to fortune cookie advice is ‘common sense’ in the context of security.  It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

 


Fortune Cookie advice for June, 2009:

[Image: Strategy.gif]

Think strategic.  Act competitive.  Be secure.

 

Security is a sustaining commitment where long term planning provides a distinct advantage.  Threats are derived from intelligent adversaries.  Success requires maneuvering in a competitive manner to remain secure.

 

 

 

 

Fortune Cookie Security Advice - May 2008

Fortune Cookie Security Advice - June 2008

Fortune Cookie Security Advice - August 2008

Fortune Cookie Security Advice - September 2008

Fortune Cookie Security Advice - November 2008

Fortune Cookie Security Advice - December 2008

Fortune Cookie Security Advice - January 2009

Fortune Cookie Security Advice - February 2009

Fortune Cookie Security Advice - March 2009

Fortune Cookie Security Advice - April 2009

Fortune Cookie Security Advice - May 2009


Optimal security must not only be attained, but also sustained over time.  A good security strategy must be forward thinking to understand how intervention and continual maintenance will be needed, then implement those capabilities as part of a complete service deployment.

[Image: Balance.gif]

'Optimal Security' is the right balance of security spending and losses prevented, where business-acceptable losses are achieved.  It changes often and likely maintains different targets for the dissimilar parts of the entity.

Organizations are likely to mandate security expectations, which typically manifest as a set of configurations, specifications, and operating standards.  The risk is that these security controls may be relatively static and entrenched.

Establishing a security baseline is good practice, but in order to remain effective it must adapt to changes in the environment, remaining dynamic to keep in lock-step with rapidly changing threats, vulnerabilities, and the resulting exposures.  It must be a fluid posture, able to change rapidly based upon shifting internal priorities and external changes.  The sustaining business structure must be designed to continually predict areas needing modification and to support the design and deployment of those changes.  Rigid security postures lack the ability to remain effective over time and are likely derived from an equally rigid infrastructure which will struggle to adapt to new threats and changes within the organization.  Design security to be flexible and you enable the service to keep up with the continual changes in information security.

I recently spoke with an organization that had established a security posture which relied heavily on a hardened OS and application build for their systems.  At the time, they deployed a platform which took into consideration all the best configurations for hardening.  They were so confident they had satisfied their security requirements that they considered the problem solved.  They integrated the security design into their normal platform refresh cycle of system replacement every few years.  They never comprehended that they would need to continually update the build to compensate for changes in threats, new vulnerabilities and malware, and evolving business usage models.

The platform’s security, which was initially strong, quickly began to erode.  With no internal mechanism to identify when changes needed to be made, nor the testing and distribution capability to make them, they soon found themselves responding to individual incidents and changing systems one at a time based upon particular end-user needs.  This created inconsistencies in the builds which were more difficult to support.  Without proper forethought, the security team turned themselves into a firefighting organization, losing the initiative in the war of security.

This is one simple technical example.  The same holds true for the expanse of automated solutions and behavioral security controls as well.  Highly effective and efficient security strategies are forward thinking, understand how intervention and continual maintenance will be needed, then implement those capabilities as part of a complete service deployment.  Overall, the concept of ‘optimal security’ is one of fluid adaptation of controls to meet an ever-changing target for risk acceptance.


Everyone wants information security to be easy.  Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie?  Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

 

Common Sense
I think the key to fortune cookie advice is ‘common sense’ in the context of security.  It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

 

Fortune Cookie advice for May:

 

Fear and anxiety will lead to poor risk analysis conclusions

 

Stay focused on the available facts, use a dose of reality to fill in the gaps, and trust reliable risk models to generate analytical conclusions.

 

Excerpt from the Traps of Measuring Security Blog: In our world of information security, we must take a step back from the limitations and biases we possess and stay true to proper forms of analysis in order to see the truth.  It is far too easy for us to slip backwards and inaccurately measure risk of situations we don’t understand.  Let’s continue to remind each other of this fact and challenge risk assessments, especially in situations where concern is more prevalent than fact.

 

So am I contributing to the problem of over simplifying security? Or am I reaching out to those who might not take an inordinate amount of time necessary to understand the complexities and nuances of our industry? You decide and feel free to share your knowledge-nuggets.

 

Fortune Cookie Security Advice - April 2009

Fortune Cookie Security Advice - May 2008

Fortune Cookie Security Advice - June 2008

Fortune Cookie Security Advice - September 2008

Fortune Cookie Security Advice - November 2008

Fortune Cookie Security Advice - August 2008


We naturally take comfort in being able to quantify the vagueness of challenges in our existence.  This past week, I was again reminded the cup of information security is filled partially with the complexities of human perception and ambiguity of emotions weighing our mental models of judgment.  These can be misleading.

 

This is not a revelation.  I thrive in the trenches of security measures and metrics, and learned this lesson many seasons past.  But it is so easy to fall back into the comfort of measuring, calculating, estimating, and even predicting risks with first impressions, and foregoing proper data collection and dispassionate analysis.

 

It is in our very nature to apply our big cognitive brains in an attempt to make sense of something which causes concern for our minds when we encounter situations we fail to grapple.  We default to familiar structures of logic and experience to give some insight, even if it is invalid.  If we cannot grasp a cloud, it makes us feel better to at least measure it.

 

I recently travelled to the beautiful city of Shanghai.  In the sprawling city of 19 million, getting about requires the use of a local taxi.  Drivers are aggressive by American standards.  They creatively use all lanes, including those of oncoming traffic, to weave in and out between pedestrians, other vehicles, and bicycles, all at high speed.  Roadway guides such as speed signs, stoplights, and lane markers are just cosmetic.  The concept of ‘right of way’ is defined by the vehicle which gets there first.  Tens of thousands of taxi drivers vie for pole positions at every light and traffic snarl.  I counted no less than half a dozen head-on near misses the first day.

 

Not surprisingly, I was a bit concerned for my safety.  But what was the actual risk?  It seemed high, with all the jockeying, speed challenges, and lurching in front of other cars at a moment’s notice.  In formal terms, the security risk calculation was off the map.  Keeping it simple, risk can be defined as risk = (threat) x (consequence) x (vulnerability).  Threats were abundant and vectoring from every angle.  Vulnerabilities were painfully obvious, as the situation was an example of near uncontrolled chaos heavily dependent upon human judgment and intervention.  Lastly, the consequences registered as likely life threatening.  Vehicle safety measures are not equal to US standards, with no airbags and rarely a functioning seatbelt.  My brain began to do the rough math and formed a mental model where the conclusion was somewhere near the “I’m screwed” end of the spectrum.

 

Over time, I started to take a different perspective.  By the end of the week, and too many close calls to count, I observed that the city’s taxis did not show damage consistent with rampant numbers of collisions.  Although chaotic and unpredictable, they found a balance in avoiding impacts.  My drivers never appeared nervous.  Many were happy to take calls on their cell phones while racing into oncoming traffic and weaving back into our directional flow at the last second.  Yet they were not worried.  The pedestrians who seemed intent on walking into the direct paths of vehicles always looked up at the last possible moment and jumped out of the way of an untimely demise.

 

The dangers were still there.  Nothing changed but my perception.  The risks were high, controls were low, but it was the incident rate that was the telling measure.  Lack of vehicle accidents in such a tremendous population meant they operated in an efficient manner which my brain could not comprehend as safe.  But it was.  My initial evaluation misled me to a wrong conclusion: an inaccurate determination of risk.  I felt safer than before.  To this day, I cannot comprehend how they do it.

 

In our world of information security, we must take a step back from the limitations and biases we possess and stay true to proper forms of analysis in order to see the truth.  It is far too easy for us to slip backwards and inaccurately measure risk of situations we don’t understand.  Let’s continue to remind each other of this fact and challenge risk assessments, especially in situations where concern is more prevalent than fact.


Everyone wants information security to be easy.  Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie?  Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

 

Common Sense
I think the key to fortune cookie advice is ‘common sense’ in the context of security.  It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

 

Fortune Cookie advice for April:

 

Capability, intent, and focus are the defining aspects to quickly prioritize threats.


The world of information security threats is vast.  We can easily be overwhelmed with different components, processes, impacts, and concerns.  Quickly identifying the benign from the urgent is a competitive advantage.  In order to organize and prioritize, we must have a consistent method to judge criteria.

 

I submit the three most compelling aspects relate to the attacker who is committing the violation.  Their capability to do harm defines the likelihood of a successful attack.  The intent of the attacker has significant implications for the likelihood of detecting activity and the persistence of continuing attempts.  Lastly, the focus of the attack, whether it is targeting you specifically or just looking for opportunistic victims, completes the overlapping picture and explains the precision of the activities.

 

Given these three aspects, a quick evaluation can be made to determine the severity of the threat and attacks.  Of course this is just the first step necessary for triage, while a full evaluation should be conducted for the areas which rise to the top of the severity list.

 

Fortune Cookie Security Advice - May 2008

Fortune Cookie Security Advice - June 2008

Fortune Cookie Security Advice - August 2008

Fortune Cookie Security Advice - September 2008

Fortune Cookie Security Advice - November 2008

Fortune Cookie Security Advice - December 2008

Fortune Cookie Security Advice - January 2009

Fortune Cookie Security Advice - February 2009

Fortune Cookie Security Advice - March 2009


Is the value of patch management decreasing?  Some experts say, due to a rise in privately held vulnerabilities, the value of patch management is eroding.  Others feel patching is losing the race and becoming too little and too late with the rapid development of attackers.  I too have chimed in on the topic and stated patching all vulnerabilities is not economical, as most are never widely exploited.  But does this mean we should be looking at alternate paths, away from patch management?  I stand firm in support of the end-node update concept, but take a slightly different view of the scope and value.

 

I see ‘patch management’ as the strategic capability of managing end nodes.  I consider the delivery of ‘patches’ a broad term which includes OS, application, and hardware BIOS upgrades which can benefit the security posture of the device.  This includes, and is akin to, the widely accepted delivery of security product updates for anti-virus, anti-spyware, firewalls, etc., some of which are updated daily.

 

Attacks are constantly changing.  They normally take advantage of poor coding practices, use design functionality in unintended ways, or exploit avenues to misguided end-user judgment.  The ability to update systems is crucial to maintain security equilibrium.  It is a support function for systems to adapt to new threats.  This capability has a multitude of benefits, both strategic and tactical.  Being able to reach out to systems allows for a better understanding of the number, type, and usage of systems in the environment.  An effective system can paint a picture of systems at risk.  It is a sweeping means to close identified vulnerabilities in deployed code, which can reduce the exposure surface.  It can be used to respond to compromises and drive clean-up activities.  Such services can raise the general security level of a community and may drive to a more homogenous security stance, which strongly lends towards efficiency.

 

Mapping ‘patch management’ against a defense-in-depth model shows it allows for Prevention of exposure to known vulnerabilities where patches exist.  It can provide Detection capabilities to improve alerting of attempted as well as successful attacks.  Once systems are compromised, this Response function aids in the restoration of services back to a normal state.  The combination of indicators generated in these areas may assist in efficiency improvements and be used to comprehend future trends, therefore providing a potential Prediction opportunity.

 

Overall, actively managing end-node security via ‘patch management’ is very important.  I doubt any serious security professional is advocating turning off all patch or remote system security updates.  The value may vary over time and across different systems, but we have a lot of control in how this capability evolves and the value it returns.  We are empowered to maximize the return on investment.

 

The question still remains, from a measures and metrics perspective, how best we can show and quantify the benefits, efficiency, and value.  The industry as a whole has not yet been able to adequately or consistently tackle this challenge.  That discussion is fodder for another blog.


Research in how bacteria communicate and cooperate may be the future lessons of how computer malware evolves.

 

Bacteria and malware evolution

I recently watched a fascinating presentation by Bonnie Bassler on how bacteria communicate.

My information security brain started thinking of the similarities between the evolution of computer malware and bacteria.  Bacteria, over the course of billions of years, devised the most efficient way to communicate, survive, and even destroy large and complex systems.  This may be the most logical path for the successful evolution of computer malware, and a peek into the future of information security challenges.

 

Bonnie is a passionate and articulate speaker who outlined how these simple single-cell critters work as a team to coordinate activities in a perfectly synchronized manner.  Their actions are stealthy, methodical, and can accomplish incredible objectives through teamwork on a scale humans have never achieved.  They infect, quietly multiply, and wait.  Bacteria independently determine the size of their community and decide to act based upon rudimentary communication and awareness.  When conditions are right and a level of potential virulence is attained, they team up in the billions and act in a choreographed manner.  And they do it simultaneously to bring down their target.

 

In many ways, computer malware acts similarly to bacteria.  Malware infects computers which are part of a large community.  Malware and bacteria want to remain stealthy until ready to strike.  Malware exists as basic lines of code with simple rules.  Bacteria are organisms which behave in simple ways.

We are seeing the malware industry evolve with more ambitious goals.  Infection of a single node in a network is no longer sufficient to achieve desired objectives.  Malware must be developed to meet new challenges.  Bacteria are the masters at infiltration, stealth, and surprise coordinated attacks against behemoth adversaries.  In the future, malware may take some lessons from its biological doppelganger.

 

So how may malware evolve?

Malware design may shift to very small autonomous pieces.  Modern malware is generally a single package of standalone code which may exist as a file or attach itself to other code.  Deciphering this complete nugget will typically reveal all its secrets.  In the future such code may be broken up like pieces of a puzzle.  Each piece means very little and appears harmless.  Only when they come together does the malevolent picture come into view.

 

Code will replicate itself and seek deeper penetration into all manner of systems.  With little risk of big-picture exposure, these pieces can be distributed and replicated much more widely.  Computer environments are full of innocuous code such as temp files, random packets, application remnants, and unneeded data.  Most code and data is ignored unless deemed dangerous.  These pieces can quietly infiltrate many different operating systems, applications, data, and communication traffic of clients, servers, storage, and network devices without raising alarm.

 

Malware will be very quiet, acting locally and not attempting to communicate outside of the environment.  Much of today’s malware is detected as it attempts to communicate with command and control systems outside of the target network.  The evolution of malware code will be toward something harmless, quiet, and unnoticeable until the right success conditions are met.  Local community awareness via ‘quorum sensing’ between the pieces within a target environment would likely not be detected.  Only when the right elements are in place will the pathogenicity be realized, as unified activation is initiated and virulence is rapidly achieved.  This will leave security little chance to mount a meaningful response.

 

Malware has a lot to learn from its slimy cousin.  Maybe someday malware writers will become as smart as these microbes.  On the upside, security can learn from the same teachers.  Just don’t blame our microscopic symbionts of malice, as we exist in their world.  The battle continues.


Everyone wants information security to be easy.  Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie?  Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

 

Common Sense
I think the key to fortune cookie advice is ‘common sense’ in the context of security.  It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

 

Fortune Cookie advice for March:

 

The most successful civilizations rose to power, not by ignoring security, rather they ensured greatness through strategy and achievement.

 

[Image: Rosenquist Sig pic2.gif]

 

For this month’s advice, you are a victim of eye-candy.  I created this slide for a recent presentation, to capture the audience’s attention and get some brain juices flowing.

 

The general message does hold true.  Security strategy is the long-term endeavor to protect an organization’s future.  If the war is fought thinking exclusively about one battle at a time, you will lose the tide of initiative and ultimately spend most of your resources responding to your opponent’s attacks.  If, however, we keep in mind the end goals and manage to a state of optimal security, we can progress towards an advantageous and sustainable level of security.

 

We don’t have to win every fight, lock every door, and close every exposure.  Instead, we are in a position to selectively choose our victories to maximize our capabilities.  Our victory is finding the right balance of risk and costs.  Thinking strategically, in concert with tactical actions, will drive clarity for the desired end-state of security.

 

In practical terms:

  • Have a plan and communicate it
  • Understand the business need for security
  • Prioritize security initiatives based upon their value
  • Develop an overall defense-in-depth capability, with interlocking services
  • Characterize the most severe threats and identify the most likely and impactful exposures
  • Know what you are protecting
  • Be cognizant of when you need more, have enough, or too much security

 

My moment of enlightenment is over.  It is time to get back to the grind of the security firefights.  But my strategy is never far from my mind.  It defines the boundaries and guides my tactical decisions.


Choosing the right method to measure security value is important but not necessarily intuitive.

 

Some years ago, at the prodding of our department training expert, I developed a class teaching how to think critically while calculating information security value.  The benefits of the course are twofold.  The class helps security practitioners in creating more justifiable value assessments for their programs.  Additionally, it assists audiences of such assessments to question the validity and identify weak justifications.

 

I offered to teach the class once a year, internally to Intel, and figured the audience would dry up after the first class.  For some odd reason people continued to sign up year after year.  I honestly figured not many people would willingly choose to spend their time on such a dry subject.  In the first year, mostly information security professionals attended.  In subsequent years, to my surprise, a slew of people from finance, manufacturing, marketing, and product development have taken the course.  Sitting in my Inbox is my annual notification for instructing the class, with a list of students from multiple countries already signed up.  Curse you Bruce (training expert)!

 

With such a diverse audience, I figured I would share some of the materials with the broader community.  This is just a snippet, but one of the key chapters.  Feel free to comment (all comments will be forwarded to Bruce).

 

This section of the class touches on recommended methods to show value.  This is not an all-encompassing list, but probably the most common to information security programs.  These are archetypes of measurement techniques, not specific questions or audits.  Most techniques in use today can be classified into one of these archetypes.  Each has a set of common characteristics with strengths, weaknesses, and applicability considerations.  Knowing these characteristics tells you how best to validate or challenge the metric.

 

Information Security Metrics Archetypes

#1 Metric Type: Standards-Based Gap Analysis

Method: Compare the current state against a provided list
Measurement Scale: Nominal
Pros: Shows gaps against defined standards.  Can be very fast to accomplish compared to other methods.
Cons: Does not show actual value, only alignment to a defined state.
Applicability: Compliance to regulations, alignment to best-known-methods
Output: Scorecard to expected compliance, gap list of non-compliant areas
Notes: The value of compliance to a predefined standard resides in the applicability and comprehensiveness of the standard itself.  Typically, it is also specific to a particular area of risk.  Interpretation also can skew measures, if the standard is vague.

 

#2 Metric Type: Raw Gap Analysis

Method: Brainstorm from knowledgeable persons on what they think needs fixing
Measurement Scale: Nominal
Pros: Identifies the most apparent issues to correct.  May be as simple or complex as the organizer desires.
Cons: Reliant on the expertise of the teams doing the analysis.  Not tied to any quantifiable savings.
Applicability: Response to incidents which already occurred, to prevent recurrence
Output: List of issues to correct
Notes: The value resides in the knowledge of the people conducting the analysis.  A mix of technologists as well as security staff is best; otherwise the output may lack real benefits.


#3 Metric Type: Project Progress Tracking

Method: Metrics which track the start-to-finish progress of a security project
Measurement Scale: Interval
Pros: Shows the advancement and progress of a project.
Cons: Does not tie the project to any savings or benefits.
Applicability: Project management effectiveness
Output: Performance against schedule/budget metrics
Notes: This class of metric is often misused.  Progress of project completion is largely independent of what value it provides once instituted.  This can be used when a security project is a critical path item to another initiative where value is defined.


#4 Metric Type: Qualitative Risk Assessment

Method: Organized collection of concerns from knowledgeable persons on what they believe needs fixing and an explanation statement of the severity of the problems
Measurement Scale: Ordinal
Pros: Generates a list of areas to address with prioritized descriptions.
Cons: Reliant on the expertise of the teams doing the analysis.  Not tied to any quantifiable savings.  Can be time consuming.  May not be comprehensive.  May be skewed to only the areas evaluated.  Personalities on the team may significantly alter the priority descriptions of items.
Applicability: Basic state of security gap analysis, scalable to an entire organization.
Output: Description of prioritized line-item gaps
Notes: This is one step above the Raw Gap Analysis method.  Best use is to identify and describe the priority of the most severe issues.  Rarely is this method comprehensive.


#5 Metric Type: Qualitative to Quantitative Risk Assessment

Method: Formal severity ranking, typically on a scale, of the problems gathered from a Qualitative Risk exercise.
Measurement Scale: Ordinal to Interval
Pros: Generates a prioritized list of areas to address, with relative values for comparison. Can be tracked over time to show incremental changes.
Cons: Reliant on the expertise of the teams doing the analysis. Relative values are not tied to any quantifiable savings. Time consuming; requires tools for scalability. Expect +/- 40% accuracy.
Applicability: Advanced-state security gap analysis, scalable to an entire organization.
Output: Ranked descriptions of line-item gaps.
Notes: This is one step more advanced than the Qualitative Risk Assessment, giving numerical values to the priority aspects (for example: threat, vulnerability, consequences).
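As an added illustration of archetypes #4 and #5 (example code written for this page, not a tool from the post or from Intel), the following Python script takes a qualitative finding list carrying ordinal threat, vulnerability and consequence ratings, converts each rating to an interval value, ranks the findings by the product of the three, and compares two assessment rounds so the incremental change the post mentions can be tracked. The 1-5 rating scale, the product scoring rule, and the sample findings are all assumptions of the example.

```python
"""Added example: turning a qualitative gap list into ranked, trackable scores.

Illustrative code for this page, not a tool described by the post. Assumes a
simple model in which each finding carries three ordinal ratings (threat,
vulnerability, consequence) on a 1..5 scale and the interval score is their
product. The findings below are constructed sample data.
"""
from dataclasses import dataclass

# Ordinal labels mapped to interval values (assumption: a 1..5 scale).
RATING = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass(frozen=True)
class Finding:
    name: str
    threat: str         # likelihood that someone attempts it
    vulnerability: str  # ease of success if attempted
    consequence: str    # impact if it succeeds


def score(f: Finding) -> int:
    """Interval score = threat x vulnerability x consequence (range 1..125)."""
    return RATING[f.threat] * RATING[f.vulnerability] * RATING[f.consequence]


def rank(findings):
    """Return (score, name) pairs, highest risk first; ties broken by name."""
    return sorted(((score(f), f.name) for f in findings),
                  key=lambda t: (-t[0], t[1]))


def delta(before, after):
    """Per-finding change between two rounds; positive means the score fell.

    A finding present in only one round is compared against 0 for the other,
    so a newly discovered gap shows as a negative (risk increased) change.
    """
    b = {f.name: score(f) for f in before}
    a = {f.name: score(f) for f in after}
    return {n: b.get(n, 0) - a.get(n, 0) for n in sorted(set(b) | set(a))}


# Constructed sample: the same three gaps assessed in two consecutive quarters.
Q1 = [
    Finding("unpatched web server", "high", "very high", "high"),
    Finding("shared admin password", "medium", "high", "very high"),
    Finding("no badge reader on lab door", "low", "medium", "medium"),
]
Q2 = [
    Finding("unpatched web server", "high", "low", "high"),  # patched in Q2
    Finding("shared admin password", "medium", "high", "very high"),  # unchanged
    Finding("no badge reader on lab door", "low", "medium", "medium"),
]

if __name__ == "__main__":
    for s, n in rank(Q1):
        print(f"Q1 score {s:4d}  {n}")
    for n, d in delta(Q1, Q2).items():
        print(f"Q1->Q2 change {d:+4d}  {n}")
```

The relative scores let the team order work and show movement quarter to quarter, which is the comparison value the post attributes to this archetype; they still say nothing about dollars, and the +/- 40% caveat applies to every number the product rule produces.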


#6 Metric Type: Vulnerability Analysis

Method: Thorough inspection which documents all vulnerabilities.
Measurement Scale: Interval
Pros: Identifies a list of the vulnerabilities which exist.
Cons: The existence of vulnerabilities is not tied to losses. Output can be overwhelming and reflects only a snapshot in time of a rapidly changing environment. Can be very time consuming; requires tools and interpretation.
Applicability: Applied to specific hardening initiatives or fed into a risk assessment.
Output: Descriptions of potential vulnerabilities, possibly ranked on severity or overall exposure.
Notes: Vulnerability analysis correlates poorly with losses. Just because a vulnerability exists does not mean it will be exploited, and if it is exploited, that does not necessarily equate to a meaningful loss. Question any vulnerability analysis which claims specific dollar savings!


#7 Metric Type: Against Previous Performance/Operational Efficiency

Method: Statistical comparison against historical data, known costs, and trends (for example: actuarial tables).
Measurement Scale: Interval to Ratio
Pros: Uses actual data to derive the measurement. Can show the value of a program. Can be used both to predict value and to derive sustaining value after the project lands.
Cons: Accuracy may suffer as historical patterns change. Significant work is needed to accomplish this metric. Results may be outdated quickly because the environment changes quickly.
Applicability: Before-and-after comparison of effects for value measurements.
Output: Historical performance and trend graphs showing relative positions. Net Present Value (NPV) for operational spending. Forecasts of high-level changes to risk. Can provide a 'value' in terms of dollars.
Notes: Depending upon the historical data, it may not tie to actual security value. Data trends in the security field tend to be incomplete and limited, and can be manipulated. Operations costs may not reflect the benefit of security. Best when used to compare data from before and after landing a security program.


#8 Metric Type: Value Calculation for a Return on Security Investment

Method: Financial model quantifying the dollar benefits of a security program.
Measurement Scale: Interval to Ratio
Pros: Uses actual data to derive the measurement, based upon trends and control groups. Potential to generate dollar values for both losses and losses prevented. May encompass defense-in-depth solutions, showing the individual as well as the cumulative value. Statistical predictions quantify accuracy.
Cons: Extremely difficult to produce. Requires significant amounts of accurate data and an understanding of the security environment. Must use complex calculations and factor in unknowns. Very difficult to scale. Tools and processes are not well defined or mature in the industry.
Applicability: When sufficient historical data is available, an intuitive understanding of the security environment is present, and business values can be measured. For use when justifiable estimates of the dollar value of a security program are needed.
Output: Incident reduction metrics, estimated losses, and loss-prevented metrics. Single Loss Expectancy (SLE), incident and loss predictions. Derived dollar value of individual security projects as well as the value of multiple overlapping/complementary security systems.
Notes: Not for the faint of heart. These types of analysis are ugly monsters to produce and validate. All assumptions, calculations, and data sources must be documented. Complete raw data sets must be provided. May include limited aspects of other measurement archetypes to fill in gaps, thereby affecting accuracy.
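The following Python script, added here as an example (not a model from the post or from Intel), carries the before-and-after comparison of archetype #7 into the dollar outputs of archetype #8: a Single Loss Expectancy, the annual loss expectancy before and after a control lands, the yearly loss prevented, and an NPV of the program. It assumes the standard identities SLE = asset value x exposure factor and ALE = SLE x annual rate of occurrence (ALE and ARO are standard risk-quantification terms the post does not use), and every figure in it is a constructed sample.

```python
"""Added example: before/after value calculation for a security program.

Illustrative code for this page, not a model from the post. Uses the standard
identities (assumed, not defined on the page):
  SLE = asset value x exposure factor
  ALE = SLE x annual rate of occurrence (ARO)
Loss prevented is the drop in ALE from the period before the control to the
period after it; NPV discounts each year's (loss prevented - operating cost)
at a chosen rate. All numbers below are constructed samples.
"""


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: expected loss from one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def aro(incidents: int, years: float) -> float:
    """Annualised rate of occurrence from an observed incident count."""
    if years <= 0:
        raise ValueError("observation window must be positive")
    return incidents / years


def ale(single_loss: float, rate: float) -> float:
    """Annual loss expectancy."""
    return single_loss * rate


def loss_prevented(ale_before: float, ale_after: float) -> float:
    """Yearly loss avoided, attributing the whole ALE drop to the control."""
    return ale_before - ale_after


def npv(rate: float, initial_cost: float, annual_net_benefits) -> float:
    """NPV: year-0 outlay, then each year's net benefit discounted at `rate`."""
    total = -initial_cost
    for year, cash_flow in enumerate(annual_net_benefits, start=1):
        total += cash_flow / (1.0 + rate) ** year
    return total


def program_value(asset_value, exposure_factor, incidents_before, years_before,
                  incidents_after, years_after, initial_cost, annual_opex,
                  horizon_years, discount_rate):
    """Chain the steps: SLE, ALE before/after, loss prevented, program NPV."""
    s = sle(asset_value, exposure_factor)
    before = ale(s, aro(incidents_before, years_before))
    after = ale(s, aro(incidents_after, years_after))
    prevented = loss_prevented(before, after)
    yearly_net = [prevented - annual_opex] * horizon_years
    return {
        "sle": s,
        "ale_before": before,
        "ale_after": after,
        "loss_prevented_per_year": prevented,
        "npv": npv(discount_rate, initial_cost, yearly_net),
    }


# Constructed sample: 12 incidents in the 2 years before deployment, 3 in the
# year after; each incident costs 20% of a $500k asset; $200k to deploy,
# $50k/year to run, evaluated over 3 years at a 10% discount rate.
SAMPLE = dict(asset_value=500_000, exposure_factor=0.20,
              incidents_before=12, years_before=2,
              incidents_after=3, years_after=1,
              initial_cost=200_000, annual_opex=50_000,
              horizon_years=3, discount_rate=0.10)

if __name__ == "__main__":
    for key, value in program_value(**SAMPLE).items():
        print(f"{key:24s} {value:12,.0f}")
```

The weak link is `loss_prevented`: it credits the entire drop in incident rate to the control, which is exactly the historical-pattern caveat listed under archetype #7. Whoever publishes such a figure should ship the incident counts, the exposure factor and the discount rate alongside it, as the post's notes on #8 demand.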

Lastly, there is another choice which can be made: the decision not to measure the value of a security program. I think this option is pursued more often than not, and for entirely the wrong reasons. Measuring value is not easy. It consumes time and resources, requires expertise, and once it is published the author may be under the spotlight to answer for and justify the analysis for years to come. But for all the sweat, tears, and pain, having a good understanding of the value has merit for security programs of significant investment.

On the other hand, the simple reality is that in many cases a full-blown analysis does not make sense: for example, when a program is required to meet regulatory requirements, or when the security investment is very small. I would not do a comprehensive value assessment to justify the purchase of a $10 cable lock. Let common sense prevail. If the value must be understood to compare against other options, articulate security posture, or justify spending, then do an assessment. Otherwise, ask yourself if it is really needed.


Everyone wants information security to be easy.  Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie?  Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

 

Common Sense

I think the key to fortune cookie advice is ‘common sense’ in the context of security.  It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

 

Fortune Cookie advice for February:

 

A worthless metric is one which fails to drive decisions, even when the metric result radically changes.

 

The world of information security is full of metrics. Sadly, many are worthless. A valuable metric is one which drives decisions. Unfortunately, our industry persists in publishing metrics which may nicely fill graphs and catch attention with flash, but in the end are meaningless. The true test: can it facilitate change?

 

One of my favorite metrics to pick on is the graphic which shows the percentage of internet attacks by country. Provided every year, this presentation is visually stunning, usually consisting of a background of the globe with offending countries in vibrant colors. It is clear, attention grabbing, and even interesting in a sublime way. Media outlets love the eye candy. But at the end of the day, the data is meaningless. It does not really matter where attacks originate. Organizations would not change their course of security if the numbers shifted drastically over time. The proximity and country of origin simply do not matter. The number and types of attacks are far more relevant; the division of origin along international borders is not.

 

Whenever we are presented with metrics, we must think critically to understand their value.  Don’t get caught up in beautiful graphics or catchy titles.  Challenge everything.  Would you do something differently in your approach to securing your environment if the data changed radically?  If not, then move along, nothing here to see.

 

Fortune Cookie Security Advice - January 2009

Fortune Cookie Security Advice - December 2008

Fortune Cookie Security Advice - November 2008

Fortune Cookie Security Advice - September 2008

Fortune Cookie Security Advice - August 2008

Fortune Cookie Security Advice - June 2008

Fortune Cookie Security Advice - May 2008


The security industry has spent an inordinate amount of effort focusing on defense against vulnerabilities.  But there are other opportunities.

 

Listen to the Audiocast: Targeting the Attacker (4:54 minutes)

 

The concept of targeting attackers has merit. It is another path to undermine attacks and may make sense as part of a comprehensive security package. It is time our industry recognized the potential and put thought into developing such security programs.


Everyone wants information security to be easy.  Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie?  Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

 

Common Sense

I think the key to fortune cookie advice is ‘common sense’ in the context of security.  It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

 

Fortune Cookie advice for January:

 

Insider threats will always outpace external threats.

 

Insiders, those people you trust at some level, represent a significantly greater risk than outsiders. External threats may have a numerical advantage, but insiders have the access to cause staggering losses. They possess the permissions, system and process knowledge, authority, and visibility into critical systems and valuable resources, and can more easily circumvent existing behavioral controls. Overall, insiders are tougher to detect, investigate, interdict, and prosecute. Security organizations may inadvertently reinforce this disproportionate risk by focusing on thwarting external threats, leaving insiders more latitude to conduct undesired activities.

 

It is a frustrating problem for security to address. There are complex political, business, technical, legal, and behavioral aspects which plague efforts. Due to their nature, insiders have an advantage: they can be stealthier and are easily overlooked. Security organizations may discount this slippery threat, or lose sight of it and focus exclusively on noisier external threats. I believe insiders represent the greatest challenge in the security industry.

 

Every security organization should purposely put in mechanisms to keep the ‘insider threat’ in the equation.  Regularly talk about it.  Do an annual risk assessment for senior staff.  If it makes sense, launch projects to manage the risk.  Anything!  Just don’t let it slip from memory.  Don’t overlook the risks.  The challenge is tough and may appear insurmountable, but that is not just cause to ignore the problem.  This is a battle worthy of fighting.

 

Fortune Cookie Security Advice - December 2008

Fortune Cookie Security Advice - November 2008

Fortune Cookie Security Advice - September 2008

Fortune Cookie Security Advice - August 2008

Fortune Cookie Security Advice - June 2008

Fortune Cookie Security Advice - May 2008


Momentum continues to gather for the protection of people’s private data.  On January 28th, the US, Canada, and 27 European countries will celebrate Data Privacy Day.  The security aspects seem simple in principle, but are proving to be more challenging than anyone predicted.

 

Today we celebrate Privacy Day, to promote the fundamental principles of privacy and to raise awareness in our society. The advancement and adoption of everyday technology has pulled this issue onto the world stage. In recent years, consumers' insatiable desire for convenience, efficiency, and speed has placed our identities, purchases, interests, medical records, debts, communications, and social interactions into the digital world. Indeed, our very lives are being tracked, processed, stored, and transmitted electronically.

 

There is a cost to all the inherent benefits: our Privacy.  One of the most important liberties in our free and open society is our right to privacy.  Our ability to choose what others know about us grants individuals some semblance of control in how we can be manipulated by others.  Protecting our private data is key.

 

The realms of security and privacy are beginning to blur.  I see a trend of security organizations being asked to tackle this tricky problem.  On the surface, it appears to be straightforward.  Find the data and secure it.  However, the picture starts to get complicated when we consider regulations, security controls, data lifecycles, and the immense behavioral challenges.

 

Regulations

The European Union strongly influenced the direction back in the 1990s with the development of privacy directives which outlined some basic principles. Since then, decentralized regulations have been germinating and taking hold, with different verbiage, requirements, and exemptions all over the world. Even within a single country, different regulations may exist for different states, provinces, or jurisdictions. Today's landscape is ever changing, with overlapping policies, gaps, and regulations which touch different aspects. It is a mess. Well, Rome was not built in a day, and neither will a unified privacy stance be. Security, with the goal of meeting all the regulations, must understand the requirements and make them magically come to fruition.

 

Security controls

The security controls, including tools, standards, and processes, are themselves new and trying to keep up with the changing types of data and how they are handled by organizations.  It is akin to herding cats.  Finding private data is tough enough, but securing it with a comprehensive strategy without impacting the business value of how it must be used is problematic.  To compound the problem, new technologies and more types of data are being added to the pool.  Everyone loves data. Nobody loves the job of securing it.

 

Data lifecycles

It is not enough to simply lock up data from prying eyes. Data must be managed. In some cases, the very person whom the data represents must be given a chance to review and correct inaccurate data. Information may be obtained only in certain ways, stored securely, accessed in a controlled manner, and, most importantly, destroyed. Yes, destroyed. This means security must have a strong hand in how data is managed across its entire lifecycle.

 

Behavioral Challenges


Securing data may sound tough, but the most difficult problem is not technical in nature. It is the behavioral challenge of educating people on why security is necessary and convincing them it is in everyone's best interest. The toughest audience to convince is the end-users, especially the next generation, who are just now leading the social media exploration of cyber communication and on-line communities. They are willing to share very personal data without comprehending the risks or understanding how it may adversely affect their future.

Which brings us back to Data Privacy Day. As an employee, I am proud Intel is actively participating in Privacy Day (http://www.intel.com/policy/dataprivacy.htm). Check out the event details, other participants, and resources!

Excerpt:

“Designed to raise awareness and generate discussion about data privacy practices and rights, Data Privacy Day activities in the United States have included privacy professionals, corporations, government officials, and representatives, academics, and students across the country.


One of the primary goals of Data Privacy Day is to promote privacy awareness and education among teens across the United States. Data Privacy Day also serves the important purpose of furthering international collaboration and cooperation around privacy issues.”
