IT@Intel Blog

23 Posts tagged with the value tag 1 2 Previous Next
Click to view Matthew Rosenquist's profile
1

Everyone wants information security to be easy. Wouldn't it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don't try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.


Common Sense
I think the key to fortune cookie advice is ‘common sense' in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.


Here is my Fortune Cookie advice for June:

A perfect security program does not make your environment invincible! It would be astronomically too expensive. The 'perfect' security program achieves the optimal balance of spending, loss prevented, and acceptable losses (residual loss).


Now if I can just figure out how to stuff these little cookies...

Am I contributing to the problem of over simplifying security? Or am I reaching out to those who might not take an inordinate amount of time necessary to understand the complexities and nuances of our industry? You decide and feel free to share your knowledge-nuggets.

Fortune Cookie Security Advice - May 2008

1 Comments Permalink Tags: security, roi, value, rosi, information_security, optimal_security, model, risk, matthew_rosenquist, rosenquist
Click to view John Simpson's profile
2

It is vitally important to give data consumers an indicator of the quality of your information. This helps to build a trust in the completeness and review state related to what they are consuming. What we have implemented is real-time, includes embedded business rules and a pretty little display.

So what did we do?

  • Created a Five tiered rating system Data Quality(DQ) State
  • Moving through each tier means that data completeness and audited quality checks are performed
  • As the software application moves through its life cycle, additional data elements become mandatory, which effects the dynamically calculated rating
  • DQ State value exposed for interfaced consumption
  • Shown on-screen with graphical representation

What is involved in each DQ State tier level?

  • DQ State 0: does not meet minimum required data
  • DQ State 1: Name, Business Description, Status, Manufacturer, Owner (Group/Contact)
  • DQ State 2: State 1 plus - Host, Software Type, User (count/location), Data Classification, Technology categories
  • DQ State 3: State 2 plus - Cost Assessment
  • DQ State 4: State 3 plus - Capability categories, Network communication details, Business Continuity details

This tiered approach begins to define higher quality for the data completeness as it moves up the defined levels. Not only having the blanks filled in, but the application of embedded business rules-based analysis to validate content, drives the state calculation. These are updated based on any change to any of the evaluated content.

What do you do in your organization? How do you ensure that the data "freshness" is preserved?

Previous topics include Application inventory, what do you capture?, Application inventory starts with a definition, Application inventory as a cost savings initiative and Application Inventory, the start of data sustainability?.

2 Comments Permalink Tags: value, software_development, application_inventory, cost_savings, data_quality
Click to view Matthew Rosenquist's profile
0

Measuring the value of information security programs is difficult and a problem for the entire industry. In the second of the three part series, Intel discusses a practical approach to determine value of information security initiatives. Intel security professionals Tim Casey, Enrique Herrera, and Matthew Rosenquist discussed the success of Intel’s security value methodology outlined in the Whitepaper - Measuring the Return on IT Security Investments


Listen to how Intel utilizes this strategy as one means to measure the value of security programs. The whitepaper is available for download.

The 30 minute discussion can be replayed here:


The last of the three part series, Future State of Security Measurement, will occur on Wednsday June 4th. Everyone is welcome to participate or just listen in. Details can be found here:
http://communities.intel.com/openport/blogs/it/2008/05/12/how-do-you-measure-something-that-doesnt-happen

0 Comments Permalink Tags: security, roi, value, rosi, information_security, optimal_security, model, risk, matthew_rosenquist, rosenquist, radio, whitepaper, tim_casey, enrique_herrera
Click to view Matthew Rosenquist's profile
1

Everyone wants information security to be easy. Wouldn't it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don't try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.


Common Sense.
I think the key to fortune cookie advice is ‘common sense' in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.


Here is my Fortune Cookie advice for May:

Two types of victims exist...
Those with something of value, and those who are easy targets.
Therefore: Don't be an easy target, and protect your valuables.


Now if I can just figure out how to stuff these little cookies...


So am I contributing to the problem of over simplifying security? Or am I reaching out to those who might not take an inordinate amount of time necessary to understand the complexities and nuances of our industry? You decide and feel free to share your knowledge-nuggets.

1 Comments Permalink Tags: security, roi, value, rosi, information_security, optimal_security, model, risk, matthew_rosenquist, rosenquist
Click to view Matthew Rosenquist's profile
1

Good security conversations benefit all involved. The more we share, discuss, and challenge each other, the more we advance our industry. Thankfully, I have the benefit of working closely with a brigade of information security professionals and we banter at every opportunity, for the sheer pleasure and insights. In that same spirit, we hosted our first Blog-Talk radio session. This was a general discussion of the problems of measuring security.


http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1430/Blog+Talk+Radio+picture+Tim+and+Matt+May+2008a.jpg

The 30 minute discussion can be replayed here
Two other internet chats are planned. Everyone is welcome to participate or just listen in. Details can be found here.

1 Comments Permalink Tags: security, roi, value, measure, rosi, information_security, optimal_security, model, risk, tim_casey, matthew_rosenquist, rosenquist, casey
Click to view Matthew Rosenquist's profile
6

Recently, security expert Bruce Schneier expounded security ROI figures were meaningless! Is it true? Well, yes and no.

The brutal truth.
Well respected information security expert Bruce Schneier recently provided a stark opinion regarding the value of ROI's.
http://www.zdnetasia.com/news/security/0,39044215,62037905,00.htm


In brief, Bruce stated security because numbers can be manipulated to justify anything.

He explained that the amount spent on a product can change significantly by simply playing with the equation.
"If the chance of you being attacked is one in a million and I change it to one in two million... I have halved the amount of money you should spend.
"I can make an ROI model say whatever I want. I could justify or not justify anything based on these very, very rare and very, very damaging events," he said.

Tell me it is not true!
I believe Bruce is both right and is delivering a message which is a little incomplete. His general message is accurate and shocking enough to garner the right level of attention. Most of the information security ROI's I have read were speculative, could not be validated, were impossible to reproduce, and had great latitude to provide results which benefit the desires of the author. Nowadays audiences are being provided ‘information' under the auspices of ‘fact', when in reality they are more of an opinion. Such valuation assessments are based on qualitative data versus quantitative metrics.

I blogged about the The Problem of Measuring Information Security back in August 2007

Awareness must be raised. I applaud Bruce in helping to make this happen. His message, as brutal as it sounds, is bringing to light a shadowy area in our industry. I think the follow-up message for audiences is to scrutinize and apply common sense to any ROI they come across. Understand the methodology and if it makes sense in their context. Lifting the curtain can quickly reveal a puppet master pulling the strings to artificially show value.

Like Bruce, I too have a jaded perspective. I have seen some WILD ROI's. Much of what I have read from security vendors is pure folly. However, just because most are fiction, it does not mean all methodologies are without merit.

Intel published a Whitepaper - Measuring the Return on IT Security Investments which is applicable to some situations. This method, far from being a silver-bullet, is a good start and has proven its truthfulness.

For any method, the accuracy should be scrutinized. Can it be validated, repeated? Was the method exclusively developed solely for self serving purposes from someone trying to sell something shiny? Does it make sense? These are the questions I ask myself.

On the bright side, many bright sharp people are working very hard to make the industry better and develop more rigid processes to insure both accuracy and confidence.

In the end, there is much work to be done in the information security valuation space. In the meanwhile, savvy consumers should be aware of the challenges and dive deeper into prospective ROI's and determine if they are ‘meaningless'.

6 Comments Permalink Tags: security, roi, value, rosi, information_security, optimal_security, model, risk, matthew_rosenquist, rosenquist
Click to view John Simpson's profile
2

Up to this point I have covered Application inventory as a cost savings initiative followed by a discussion of Application inventory starts with a definition, and finally Application inventory, what do you capture?

Following the natural progression of:

  • Why inventory
  • Boundaries of what to capture
  • What to capture
  • How to capture

The "How to capture" is not a simple task completed in a week or two. For a company our size this task is still ongoing after fourteen months. And our progress shows us that we will need at least till the end of year to approach some semblance of sustainability. By sustainability I mean that the information, process and people will be in place to keep the data in a fresh state so that true data-based decisions can be made at near real-time.

Every day the clarity of our inventory gets sharper and sharper as we identify and pull in the data owners. The quality of the information becomes more focused as more of the profile is filled out. There are internal systems that are starting to rely on the data we have captured. That data is being transformed into true business information which has value and can be used to make the right decisions at the right time. At times, it still feels like an uphill battle. Each day we stand side-by-side with those who see the value and push on the back of our partners as we slowly progress up the hill.

Now knowing the definition and what data we want to capture we could have progressed in a multitude of ways:
  • Distributed work-load, individual owners
  • Focused work-load, our team owning (interviewing)
  • Centralized gathering (combination of above, driving people to a single location)

We chose to adopt the creation of a simple to use, centrally located (Intranet Application), that stored the data we needed. As mentioned in the past, we did our analysis by looking at applications on our enterprise that already contained the types of data we were interested in. What we discovered was that none of them had the flexibility to store the additional information nor the development resources to alter their systems. This pushed us to obtain permission to build a new application.

At this point you may be saying, "You built an application to reduce the number of applications?" Sometimes it is necessary to do the wrong thing in order to do the right thing. It would have been too easy to drop a spreadsheet out there and start gathering information. Short-term this would have cost the least and potentially would have allowed us to get part of the way there. The issue is the long-term sustainability and trust that comes from a solution like that. We would have security concerns, updating collision as well as the reduced ability to share the data easily with other applications.

Yes, we built a new application, using two people, in four weeks. Since implementation started we have supported weekly releases while expanding the data being captured, the usability for customers (and consumers) as well as enabling the removal of the majority of those other systems with parallel capabilities. We have great internal hosting solutions and have been operating non-stop since December 2006.

Our goal is still to do the right thing and properly manage our inventory through reduction. We were instrumental in providing the information and process needed to remove over 500 applications (and associated hardware) from our environment since we started our process.

In my next entry I will talk about some future enhancements to get us through the next year and the further reduction in application inventory we are charged with. Perhaps its time to start looking at how our original analysis for "Low Hanging Fruit" was successful and now we find ourselves making hard decisions in order to continue refining our inventory.

Have you had similar issues at your company? Do you currently have this challenge before you? I'm curious to hear some of those challenges and potential solutions.

2 Comments Permalink Tags: value, software_development, application_inventory, cost_savings
Click to view John Simpson's profile
0

Up to this point I have covered Application inventory as a cost savings initiative followed by a discussion of Application inventory starts with a definition.

In our specific implementation, we started with a base set of attributes. Some of those were very obvious while others were necessary for managing some of our base enterprise capabilities. Items that were only captured in a 1:1 (one-to-one) relationship to any single specific application were:

  • Name
  • Description
  • Importance (a tiered level detailing the impact to our company)
  • Status (or state of the implementation)
  • Type (of application)
  • Manufacturer (if purchased)
  • Version
  • Owning Group
  • User Count

We also had some 1:M (one-to-many) related attributes which we cataloged in order to further build out the metadata for each instance.
  • Contact
  • Cost (develop, host, support, license)
  • Link (to external data)
  • Support
  • Technology

This was sufficient information for us to move along and begin consolidating data. As we engaged more and more teams and discovered localized stores of this data, our metamodel expanded to include a few more elements. Some of these also included associated increase in our own inventory tool capability. As this capability was implemented we were able to start turning off applications through consolidation (one of our key goals).

Additional Items (one-to-one)
  • Product Line (for ease of grouping and management)
  • Hosting Platform
  • User Description
  • Cross-Site Consumption
  • Customer Located External (to Intel)
  • Data Classifications (for information security and control)
  • Disaster Recovery Details
  • End of Life Tracking (legal and recovery data)

Additional Items (one-to-many)
  • Alias (alternate naming; the key to our success)
  • Capability
  • Component/Module
  • Customer Country/Region
  • Interface (consumption and providing)
  • Network Ports/Protocol
  • Product Testing (results, for future enterprise releases)

Many of them are specific to how we do business inside our company, however, you might find value in some of our learning's.

As I mentioned we discovered pockets of data and some little (and big) applications utilizing some of this data. It has become increasingly easy to implement an additional module that relates and consumes the data from the larger metamodel. From an architecture stand-point, we need to be careful not to develop this into a "jack-of-all-trades" application that does everything for everyone.

Up to this point we still only capture data (and functionality) that is related to the Application through direct relationship. As an example, we associate the application to what network port/protocol it uses, but not necessarily the network that is can pass across. We will capture the hosting platform name but not the specifics of that host. Instead we rely on interrelated systems to draw the larger picture of the whole enterprise.

Are we done?
Not even close. As noted in our Intel Information Technology 2007 Performance Report (page 12), this application and the associated capabilities we are developing is having a big impact. During 2007 we were instrumental in the end-of-life of over 450 applications. The metadata we capture and maintain have helped to identity instances of duplicity as well as opportunities where support and consumption have dropped to the point we can turn off the application.

In my next entry I will talk about how we were able to use two people resources and build an application in four weeks to solve this problem. Also how that solution has been running non-stop, for fifteen months with no downtime or impact to customers while increasing capability and usability while doing releases on average of every two weeks. Future posts will talk about some future enhancements to get us through the next year and the further reduction in application inventory we are charged with.

Have you had similar issues at your company? Do you currently have this challenge before you? I'm curious to hear some of those challenges and potential solutions.

0 Comments 0 References Permalink Tags: value, software_development, application_inventory, cost_savings
Click to view John Simpson's profile
3

Every software project I have worked on always started with some form of conflict and complicated interactions. This usually resolved itself through the use of a definition regarding roles and responsibilities. That definition kept people on the same page and helped everyone to understand who was doing what.

Now depending on when you happened to look at my job title over the last 13 years, you may have seen one of the following:

  • Software Engineer
  • Application Developer
  • Enterprise Application Developer
  • Software Developer

This means only that I moved from one department to another, however, the physical tasks I employed were the same. My output may have had a different installer/wrapper/output, however, it was the same. I designed, developed, tested and deployed an application into our environment.

When it was time to define the characteristic (metadata) of an application, we needed to start with definitions. Not only what an "Application" is but what "Software" is and how (if) it differs from each other and from an "Operating System".

This is vitally important because no matter who you talk to, they will have a difference of opinion in this area. Let me give you an example that we are currently dealing with. We are implementing a CMDB (Change Management Database) for our Service and Support organization. As our application data is pumped into that solution we had to decide whether it is an application or software. The CMDB definitions basically stated that software was the core items used to build a hosting platform whereas an application is the code hosted on that platform. A very specific definition for their very specific implementation.

Our definition was much more simple.
If it's coded, if you develop it, it is a software application simply referred to as an "Application". This can be developed internally or purchased. An application is not an operating system.
That means that everything running on our environment, that is loaded on top of an operating system, is an application and needs to be inventories. That also means if it is a web-based solution, with software code, hosted within a web-hosting solution, however, it is still an application.

We did draw a very discreet line in that we did not want to inventory certain things. Those are items that are "configured" inside of other applications. Item such as:
  • Web sites without dynamic content, hosted within a dynamic web solution such as Microsoft Sharepoint or created with Microsoft Frontpage or another WYSIWYG client.
  • Templates configured for an application.
  • Fileshare
  • Hosting Platforms (configuration of hardware and application software)

To put forth some simple rules, that people can evaluate their "Application" before attempting to add it for evaluation, we came up wtih some simple rules. It has to meet all of these with a yes response.
  • Installed on Intel (or contracted) hardware?
  • Initially used by more than one person (or application) at Intel?
  • Does this have (or has it ever had) a development/support team?
  • Does this have (or has it ever had) a development/release process?

This minimizes the possibility that we inventory applications that are sitting in a box, not installed on the environment. It also means that items we paid for, installed, licensed and such, are included. Whether on a server or on a client, we need to know about them so that we can work towards the simplification of our inventory.

Next I will cover how we have gone about gathering this data. Some approaches work well while others don't. Additionally, before you start gathering data you must have a solid review, maintenance and data quality processes in place or the data will be of no use for future analysis.

Have you undergone a similiar process? Are you struggling with doing this inside your company? Have questions? Let us know.

3 Comments 199,001 References Permalink Tags: value, software_development, application_inventory, cost_savings
Click to view John Simpson's profile
2

Fourteen months ago my (new) manager approached me with a unique problem. It was discovered that we did a very poor job of keeping track of the applications (software) that we build and/or install within our enterprise environment. This lack of tracking also included all the associated data related to hosting (hardware, configuration and such). That's not to say that some organizations inside our company weren't doing a great job, however, these pockets of excellence were the exception not the norm.

My (now) manager explained that a new group will be forming to help find opportunities to save money in the application and hardware space. His problem for me to solve was that there was no single solution, no one source for data, nor any single location for recording information. As a technical lead with several years of experience in metadata modeling and tracking, he asked me to go off and propose a solution.

As I mentioned we had several pockets inside the company that were tracking data as necessary to perform their job functions. After performing an internal environment scan, analysis and in several cases, engaging with the teams and their tools, I was left holding an empty bag.

What did I discover? There were 12 different applications (out of vendorprovided and internally custom built) and around 14 additional data sources(spreadsheets and databases). Through engagement, it was determined that of the solutions, many were on aged technology and some had lost their developers to other projects. Additionally, most of the existing inventories had only one small piece of the puzzle. They were only concerned with that one bit of information that solved their business need. This meant that enhancing an existing solution was not going to work.

So off to the drawing board I went to try and come up with a quick solution that would enable us to rapidly gather our application inventory, the right way, the first time. My proposal was taken to senior management and four weeks later, three of us had completed the first version of an application which is still in use and the Record of Origin (ROO) for application metadata within our company.

How does this all save us money?
Let me give you an example that anyone can relate to. Think of this in terms of an inventory of the food in your cupboards. If you go to the store without any knowledge of what food (canned, packaged, frozen or fresh) you have, how do you know what to buy? One of the kids may know you have some corn, another may know you have a pot roast, however, is the inventory accurate? Until you get into all your cabinets and do an inventory, you'll never know what you have. Additionally, without putting a system in place to maintain that inventory, the next time you make dinner, your list is completely useless.

Continuing my food sample, let's say you want to make a lasagna. How do you know if you have the ingredients? How do you know you don't have one already, frozen and ready to heat?

This is the problem we found ourselves in (applications not food). We had no idea if we had overlapping functionality. Our capabilities were meeting our (internal) customer demands, however, were we meeting that need at a higher cost than necessary? Were we asking people to use a tool that was outdated (technically speaking) when a newer, faster, cheaper solution existed in the room next door?

These are some of the problems that we looked to solve. And with this, we have some pretty interesting plans on how to save money. I will cover that in my next entry.

Have you had similar issues at your company? Do you currently have this challenge before you? I'm curious to hear some of those challenges and potential solutions.

2 Comments 0 References Permalink Tags: value, software_development, application_inventory, cost_savings
Click to view Matthew Rosenquist's profile
1

With the old year grinding to a close and opportunities of a new year opening before us, it is a good time to take a moment and make some new year's information security resolutions. Some are good holdovers from last year and a few are new to the list. I think all are good practices to promote security and hopefully will keep a smile on my face throughout the year (no matter what cyber meltdown may occur).

  1. Vigilance. Maintaining effective legacy security programs is critical. Loss of such capabilities opens the door to old, known, and well refined attacks
  2. Embrace/Beware of disruptive technology. Double edged bleeding technology can be a blessing and a curse. It can reduce costs, increase efficiency, open markets, and change your way of thinking, but is also like walking into a darkened room in a horror movie. You never know what may jump out at you and in hindsight you may think "well that was painful". On the hot-list:
    • Virtualization technology in all its glory
    • Smart-phones and other PC OS/application based portable devices
    • Social media sites, tools, and accompanying behaviors
  3. Careful with my PII. Our Personally Identifiable Information (PII) is more important than anyone can measure. I will handle mine with care, insure others do the same, and simply say ‘no' more often than not, when asked.
  4. Don't be a fish. Just say no to phishing and spam. Filters are wonderful but a few will creep through. If it looks suspicious, it probably is. Don't be shy, even with the weird stuff sent by people you trust. Just pick up the phone and call them: "Hey Ralph, did you send me this executable attachment via email?" Is it not that tough.
  5. Give an effort for disaster preparedness. Regular backups and encryption are my friends. Nothing huge mind you, but at least apply where it makes sense
  6. Choose not to be a victim and let common sense prevail. Two types of victims exist: those with something of value, and those who are easy targets. Therefore, don't be an easy target and protect your valuables
  7. Talk and share security. We are stronger as a team striving for security, than alone. The bad guys are working together; it is about time we do the same. Talk about security and share what works or doesn't. Don't be shy.
Not rocket science, but most of the great ideas rarely are. Feel free to chime in and be heard. What are your security resolutions for 2008?

1 Comments Permalink Tags: security, value, information_security, optimal_security, model, risk, matthew_rosenquist, rosenquist, virtualization, social_media
Click to view Matthew Rosenquist's profile
5

Intel IT developed a model for measuring Return on Security Investment (ROSI) in our manufacturing environments that produces a much higher level of accuracy than other methods currently available. Our model has enabled us to make business-driven decisions about security programs, resulting in savings in excess of USD 18 million per year in avoided losses.

Whitepaper now Available! Measuring the Return on IT Security Investments

Quantifying value for security programs is difficult at best. Intel successfully developed and employed a method to measure the value of security programs across our worldwide factories. Although not the silver bullet to measure all security programs, it does show in some circumstances, value can be quantified to the level needed to make sound business decisions.

This is one of many different methods which Intel leverages to determine value of security programs. The difference is being able to tie in hard numbers for prevented losses and the ability to predict future impacts with reasonable accuracy. Other available methods rely on more qualitative descriptions of value and lack a dollar and sense measure. Although no single methodology fits all situations, Intel has found a niche for this insightful metric which is an empowering view of security value.

Other related blogs:

Practical Aspects of Measuring Security

Getting a Return on IT Security Investment

Managing the Effort to Measure Security

The Problem of Measuring Information Security

The Four Dirty Questions of Measuring Information Security

5 Comments Permalink Tags: whitepaper, security, roi, value, rosi, information_security, optimal_security, model, risk, matthew_rosenquist, rosenquist, security
Click to view Matthew Rosenquist's profile
0

To defeat cyber attacks, we must first understand their characteristics and how they come about. Deconstructing threats is a way of comprehending the factors which drive information security strategy. Without understanding the nature of attacks, an organization is destined to thrash about trying to effect change, only addressing symptoms and oblivious to the root causes of the problems.


In the Beginning
The most important aspect to comprehend is all malicious security threats and attacks begin with a person who has an objective. This represents the attacker, or sometimes referred to as the ‘Threat Agent'. Make no mistake, a virus is not the attacker. The author and implementer of the virus is the attacker. Eliminating a virus is a short term solution to the symptom of the problem, leaving the threat agent to find another method to achieve their objectives.

Threat agents are people and therefore driven by human nature. People compelled to expend energy manifesting in an attack on your organization have some desired outcome, a goal in mind. Their objective may be vague or precise, motivated by passion or logic, it may be inspired by emotional, intellectual, or economic needs. Their actions may target you directly or your organization may simply be caught in their sweeping net of activity. The permutations are mind boggling, especially when you take into account attackers include trusted persons intimately associated with the organization. Most importantly, they are thinking opponents who may plan, react, adapt, weigh options, and make decisions necessary to achieve their objective. Security success is heavily dependant on never losing sight of this key perspective. Attacks and threat agents are irrevocably tied together.


Building a Model
So if you have an attacker and their objective, the only component missing is the means for this person to achieve their goal. This path is the method. In reality, it most likely is a number of methods which are evaluated and one or more eventually employed. The term ‘vulnerability' is a catch-all phrase attached to express these methods. The term itself is far too broad to be meaningful. Anything can be a ‘vulnerability', including a security control itself. If you have a deadbolt on your door and someone kicks it in, an expert may declare the deadbolt is the vulnerability. Somewhat absurd, which is why I personally dislike using the term. So don't expect to see that word much from here forward.

What do methods look like? It depends on the attacker, what opportunities are available to them, and their objectives. If an attacker is seeking personal satisfaction through ego gratification of power, they may decide to employ a Denial of Service attack to show they can affect a target network. An accounts payable employee may secretly use their legitimate access to issue checks to collaborators for their personal financial gain. Again, the possibilities and permutations are as vast and varying as the people involved.


Threat Model
This basic model is straightforward. A threat agent, willing to effort an attack, has an objective in mind and selects one or more methods to succeed. Once committed, they initiate their plans and the game begins. Defenders may put up obstacles, close possible methods and the attacker, if still motivated, will respond.

http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-10761-1168/Threat+Model+6.bmp


Defeating the Attack
The game continues until the attacker succeeds, the attacker is removed or demoralized, the methods are rendered ineffective, or the objective is removed. Removing the attacker is a good but very difficult prospect, usually involving some type of law enforcement. More often the attacker is demoralized by making the prospect of achieving their objective very costly, so they either give up or move to an easier target.

Prevention activities are heavily weighted toward closing the most likely methods. A good strategy, which scales across many different attackers, but the simple fact is an attacker only needs one winning method to triumph. Much of the efforts to close different paths to the objective are intended to make it progressively more difficult for attackers to succeed. Not every path or vulnerability (ugg, hate that word) must be eliminated, only the ones which the attackers are willing to effort. The more inconvenient and inhospitable the environment is for the attacker, the better it is for the defending organization.

Lastly, removing the objective from temptation makes an attack pointless. The famous bank robber Will Sutton purportedly replied to the question "why do you rob banks?" with "because that's where the money is". The same no-nonsense principle applies to information security. Take away the objective, and the very reason for the attack is undermined.

Understanding the characteristics of attacks is paramount to good security strategy. It helps clear the fog of effectiveness and provides a perspective on how attacks can be stopped in a coordinated manner.

0 Comments Permalink Tags: security, roi, value, rosi, information_security, optimal_security, model, risk, threat, matthew_rosenquist, rosenquist
Click to view Matthew Rosenquist's profile
1

Ethics represent the very cornerstone by which any security organization is built. Without them, a security team is doomed. They will not be respected only feared, they will not be supported only ridiculed or ignored. It is a downward spiral of failure for security organizations practicing unethical behaviors. Management and customers will lose faith, leading to a loss of funding, access and representation. Resources, tools, and overall capability will diminish, leading to loss of effectiveness and value, further advancing the loss of faith by management and customers. Concealment, inconsistency, indifference, or treading in the gray areas of ethics is just prolonging the inevitable trip on the downward slide to defeat. So how can it be, many security professionals have a casual attitude and apathetic commitment toward ethics?

I have been reading some disturbing stories about security professionals being unethical and in some cases fired or arrested for their activities. They stories aren't hard to find. Trusted security people breaking into systems and networks, deciding not to report criminal activities, or ignoring inappropriate activities to avoid complications are common examples of poor ethos. People violating policies they are employed to enforce and uphold is downright despicable. In many cases, what are worse are the comments left by readers, condoning inconsistent behaviors on behalf of security. Comments like "pick your battles", "follow your conscience", or you should only be ethical if others are, is very upsetting.


Reader Beware
I am a fanatic about ethics. I firmly believe ethics, following a code of conduct, is the foundation of every professional security organization. Without consistent ethical behavior, a security team is destined for failure, will open the organization to increased liability and sour future investments in security.

Okay, let me be the first to admit, I have it easy. The security professionals I have the pleasure to know and work closely with are of the highest moral caliber. I am fortunate to work in an organization which embraces the principles of ethics. We derive our support from the corporate principles which are ingrained within the company as a whole and are driven out to all corners. My company (I am a shareholder too) spends time to train, discuss, and reinforce ethics with all employees.

I support ethics in all vocations, but some are more important than others. Security personnel must be held to a higher standard, just as judges and law enforcement must be viewed as incorruptible. Ethics must also reign supreme in financial and medical industries as well. Nothing less is acceptable. We too, as security professionals, should be put under the microscope and make firm commitments to consistency and the highest level of behavior. Our organizations place trust and faith that we will be honest, capable, and perform our duty in an unwavering manner.


Intel's Security Operations Center - Code of Conduct
When I spun up Intel's Security Operations Center, every employee was trained on ethics and we developed a Code of Conduct to insure the expectations were clear and as a team we would all conduct ourselves in a conservative manner.

Intel's Security Operations Center - Code of Conduct
1. Provide diligent and competent service to principals

  • Provide timely, professional, and productive response to our customers, peers, vendors, business partners, and management
  • Act honestly, justly, responsibly, and legally
  • Act impartially to all groups, persons, and organizations

2. Protect and conserve Intel property, resources, and reputation
  • Preserve and protect the value of corporate systems, applications, and information
  • Operate fully within the law, observe corporate policy, and align efforts with standard operating procedures
  • Disclose waste, fraud, abuse, and corruption to appropriate management or oversight bodies

3. Promote and preserve company trust and confidence of the team
  • Take care not to injure the reputation of the team through malice or indifference
  • Be truthful and accurate in representation and all communications
  • Respect the trust, access, authority, and privileges the company grants you
  • Promote, comply, and reinforce company security policies, procedures, and intentions
  • Avoid conflicts of interest or the appearance thereof


Everyone is ethical, right?
Ever ask somebody if they are a good person or ethical? I will bet you will hear some variation of the same answer, "yes. Of course I am!". How many people openly admit or believe they are not ethical? So are you? Yea, exactly what I thought you would say.

So, Mr/Ms Ethical, you wouldn't be averse to answering a few ethics related questions? These are a subset of questions I ask when delivering the ethics class to our Security Operations Center. They should be easy for an ethical security minded professional such as yourself...

  • 1. You are conducting a confidential investigation of Employee ‘A'. An employee outside the team, asks "Are you investigating Employee ‘A'?"
You Answer:
A. Yes, we are
B. No, we are not
C. Maybe
D. I'm not sure/I don't know
E. Other: _____
  • 2. Policy prohibits any team member from installing software on Server ‘A'. In an emergency situation, senior management instructs you to install a critical piece of software on Server ‘A' to benefit the company.
You cite policy and:
A. Install the software
B. Refuse to install the software
C. Document the request and install the software
D. Document the request and refuse to install the software
  • 3. You are aware state law prohibits any team member from removing software on Server ‘A'. In an emergency situation, your management instructs you to delete a critical piece of software on Server ‘A'.
You cite state law and:
A. Delete the software
B. Refuse to delete the software
C. Document the request and delete the software
D. Document the request and refuse to remove the software
  • 4. Your manager instructs you to do something which is contrary to normal operating procedures. What do you do?
You cite the normal operating procedures and:
A. Do what is asked and report the incident to senior management
B. Refuse to do what is asked and report the incident to senior management
C. Document the request and do what is asked
D. Document the request, refuse to do what is asked, and report the incident to senior management

Life is vague. Ethics don't need to be.
We all find ourselves in unique circumstances which are complicated and tricky. Applying a code of conduct illuminates the right ethical path. Allowance of ‘flexible ethics' and ‘gray area' practices are ultimately self destructive and leads to instability and demise. Make a stand.


So what are the answers to the above questions? Well, as we all indicated we are ethical, their really is no need for me to provide the answers. We all know them.

1 Comments Permalink Tags: security, roi, value, rosi, information_security, optimal_security, model, risk, matthew_rosenquist, rosenquist, ethics
Click to view Matthew Rosenquist's profile
0

Want to get serious about Information Security? It is time for a Defense in Depth strategy. Interlocking Prediction, Prevention, Detection, and Response capabilities is the key. As no single solution provides comprehensive security, the way to achieve optimal security bliss is to apply a Defense in Depth approach of complementing capabilities to protect your computing environment and the data within. This strategy is highly effective at providing security assurance, cost efficient, scalable to large organizations, adaptive to changing threats, and proven to work.

The concept is straightforward. Establish a system of capabilities and services which align to attackers, their objectives and the methods they are most likely to attempt. Couple this with an understanding they will succeed sometimes and embed the fact at every turn there exist a learning opportunity to improve the system.

http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-10702-1127/Defense+in+Depth.JPG

Prediction:
Security threats are about opposition. These threat agents are living, breathing opponents who are creative, knowledgeable, motivated, and have personal objectives in mind. These agents utilize available methods and resources to achieve whatever goals they seek by leveraging vulnerabilities in people, computing systems, and communication networks. In total, this represents a massive potential target landscape to be protected, edge to edge. Good luck.

The reality is you can't protect against everything and everyone. It is too cost prohibitive and in most cases impossible anyways. Although the truly paranoid may disagree, not everyone is interested in attacking you and within the realm of possible attack methods; it is more than likely only a few would be employed. The "path of least resistance" rule applies here.

A common pitfall is to rely exclusively on vulnerability assessments to determine where to focus. Although vulnerability assessments are valuable, they are misleading if the only source for Prediction. Understanding your opponent is fundamentally different than being aware of the weaknesses inherent to your environment. The result will be expending effort on areas which will never be targeted for exploit. Consequently, fewer resources will be available for areas under siege.

The best security professionals understand the relationship between attacks and the environment they protect. They marshal their resources to intercept the most likely attack vectors for the greatest effect. Prediction is the first step in the efficient use of security resources. Knowing why your organization would be attacked, likely targets, and the ‘easy' ways which tantalize attackers, provides the insights necessary to prevent such incidents.


Prediction:
Security threats are about opposition. These threat agents are living, breathing opponents who are creative, knowledgeable, motivated, and have personal objectives in mind. These agents utilize available methods and resources to achieve whatever goals they seek by leveraging vulnerabilities in people, computing systems, and communication networks. In total, this represents a massive potential target landscape to be protected, edge to edge. Good luck.

The reality is you can't protect against everything and everyone. It is too cost prohibitive and in most cases impossible anyways. Although the truly paranoid may disagree, not everyone is interested in attacking you and within the realm of possible attack methods; it is more than likely only a few would be employed. The "path of least resistance" rule applies here.

A common pitfall is to rely exclusively on vulnerability assessments to determine where to focus. Although vulnerability assessments are valuable, they are misleading if the only source for Prediction. Understanding your opponent is fundamentally different than being aware of the weaknesses inherent to your environment. The result will be expending effort on areas which will never be targeted for exploit. Consequently, fewer resources will be available for areas under siege.

The best security professionals understand the relationship between attacks and the environment they protect. They marshal their resources to intercept the most likely attack vectors for the greatest effect. Prediction is the first step in the efficient use of security resources. Knowing why your organization would be attacked, likely targets, and the ‘easy' ways which tantalize attackers, provides the insights necessary to prevent such incidents.


Prevention:
This is where the magic happens. Preventing or deterring attacks is where everyone wants to be. Given the insights of Prediction, which includes incorporation of industry best-known-methods, you can put forth a front line of defense representing the bulk of your cost efficiency. The purpose is to render ineffective the most likely methods the attackers will employ and deny the attacker's their objectives.

Prevention can take many forms, both technical and behavioral. Here are some examples, but don't take this as a complete list or even a recommendation, as selecting the right prevention solutions is specific to the environment and organization. Policy, security awareness, web proxies, and email filters are examples intersecting people based attacks. Computing systems can be protected with anti-virus, system hardening, compartmentalization, authorization and authentication controls, host firewalls, and timely patching to name a few. Communication network attacks are prevented mostly with high speed automated technical solutions such as firewalls, proxies, as well as secure device configurations and a good network architecture plan.

At its best, a solid prevention plan will eliminate threat agent's easy attacks and protect those critical assets most sought by the attackers. Doing a good job here translates into the biggest bang for the security buck.

"Two types of victims exist: Those with something of value and those who are easy targets. Therefore, don't be an easy target and protect your valuables."
Detection and Monitoring: ( ...when the security drums fail - video)
Unfortunately, at some point a number of attacks will succeed. Although it is most efficient to deter or prevent attacks, ignoring those that do get through the front line defenses is ill advised. Security incidents and intruders must be promptly identified, cornered and squashed like bugs. The first step is the ability to rapidly ascertain when the Prevention defenses have been breached and track the actions of the buggers. Detection and monitoring capabilities sound the alarms and direct the Response resources to the source. Speed and accuracy is most important in detection. However, it must be designed to look in the right areas as it is cost prohibitive to watch everything. Again, Prediction can play a role in deciding what to watch as well as how to monitor.

Response & Recovery:
How an organization responds to successful attacks will have a great determination on what residual losses are finally realized. When an event occurs, having the right processes, people, tools, and capabilities in place to contain the security event is critical. Time is on the side of the attacker. The goal of the security professional is to eradicate the security problem and restore the environment to normal operations. This may range from minor efforts to catastrophic recovery. The earlier the Detection capabilities alert the organization, the easier it is to corral the issues and recover. The savviest attackers are stealthy. They want plenty of time working on achieving their objectives and they dig deep like an infected tick. The longer they have inside, the more damage they can cause and become progressively more difficult to eradicate.

Don't be caught without proper Response and Recovery capabilities. Inability to restore the organization to a safe and normal state, translates to hemorrhaging money, time, resources, productivity, and maybe worse.


Continuous Improvement:
Information security is a continuous process. Key learning's from every event can improve individual areas as well as feed the Prediction services, thus giving a better understanding for the next time around. Defense in Depth can successfully be managed centrally or in a distributive model, as long at the overall strategy remains intact and interactions drive continuous improvements.

http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-10702-1128/Defense+in+Depth+process.JPG


If you are ready to take the Defense in Depth plunge, you will be rewarded. Interlocking your strategy in a coherent manner gives better insights to reach and maintain your optimal level of security.

The Problem of Measuring Information Security
Getting a Return on IT Security Investment

0 Comments Permalink Tags: security, roi, value, defense_in_depth, rosi, information_security, optimal_security, model, risk, matthew_rosenquist, rosenquist
1 2 Previous Next