Tuesday, December 18, 2007

Does Failure Sell?

I often find myself in situations trying to explain the value of Network Security Monitoring (NSM). This very short fictional conversation explains what I mean. This exchange did not happen but I like to contemplate these sorts of dialogues.

NSM Advocate: I recommend deploying network-based sensors to collect data using NSM principles. I will work with our internal business units to select network gateways most likely to yield significant traffic. I will build the sensors using open source software on commodity hardware, recycled from other projects if need be.

Manager: Why do we need this?

NSM Advocate: Do you believe all of your defensive measures are 100% effective?

Manager: No. (This indicates a smart manager. Answering Yes would result in a line of reasoning on why Prevention Eventually Fails.)

NSM Advocate: Do you want to know when your defensive measures fail?

Manager: Yes. (This also indicates a smart manager. Answering No would result in a line of reasoning on why ignorance is not bliss.)

NSM Advocate: NSM will tell us when we fail. NSM sensors are the highest impact, least cost way to obtain network situational awareness. NSM methodologies can guide and validate preventative measures, transform detection into an actionable process, and enable rapid, low-cost response.

Manager: Why can't I buy this?

NSM Advocate: Some mainstream vendors are realizing a market exists for this sort of data, and they are making some impact with new products. If we had the budget I might propose acquiring a commercial solution. For the moment I recommend pursuing the do-it-yourself approach, with transition to a commercial solution if funding and product capabilities materialize.

Manager: Go forth and let your sensors multiply.


Now you know that it's fiction.

Notice the crux of the argument is here: "Do you believe all of your defensive measures are 100% effective?" As a statement, one would say "Because prevention eventually fails, you should have a means to identify intrusions and expedite remediation." A manager hearing that statement is likely to respond like this.

Manager: Do you mean to tell me that all of the money I've spent on firewalls, intrusion prevention systems, anti-virus, network access control, etc., is wasted?

NSM Advocate: That money is not wasted. It's narrowed the problem space, but it hasn't eliminated the problem.

This is a tough argument to accept. When I worked at Foundstone the company sold a vulnerability management product. Foundstone would say "buy our product and you will be secure!" I worked for the incident response team. We would say "...and when you still get owned, call us." Which aspect of the business do you think made more money, got more attention, and received more company support? That's an easy question. How is a salesperson supposed to look a prospect in the eye and say "You're going to lose. What are you going to do about it?"

Many businesses are waking up to the fact that they've spent millions of dollars on preventative measures and they still lose. No one likes to be a loser. The fact of the matter is that winning cannot be defined as zero intrusions. Risk mitigation does not mean risk elimination. Winning has to be defined using the words I used to explain risk in my first book:

Security is the process of maintaining an acceptable level of perceived risk.

This definition does not eliminate intrusions from the enterprise. It does leave an uncomfortable amount of interpretation for the "acceptable level" aspect. You may have noticed that most of the managers one might consider successful are usually self-described or outwardly praised as being risk-takers. On the other side of the equation we have security professionals, most of whom I would label as risk-avoiders.

The source escapes me now, but a recent security magazine article observed that those closest to the hands-on aspects of security rated their companies as being the least secure. Assessments of company security improved the farther one was removed from day-to-day operations, such that the CIO and above was much more positive about the company's security outlook. The major factor in this equation is probably the separation between the corner office and the cubicle, but another could be the acceptable level of risk for the parties involved. When a CIO or CEO is juggling market risk, credit risk, geo-political risk, legal risk, and other worries, digital risk is just another item in the portfolio.

The difference between digital risk and many of the other risk types is that the consequences can be tough to identify. In fact, the more serious the impact, the less likely you are to discover the intrusion.

How is that possible? What causes more damage: a DDoS attack that everyone notices because "the network is slow," or a stealthy economic competitor whose entire reason in life is to avoid detection while stealing data?

Without evidence to answer the question "are you secure?", managers practice management and defense by belief instead of management and defense by fact.

6 comments:

Lance Spitzner said...

Richard, I believe you have explained this several times before, but being the lazy bastard I am, I was hoping you could explain what you believe the difference to be between IDS and NSM? If you have the right rules, could not IDS be NSM? If you have the right rules, it lets you know when you have been owned.

I know I'm setting myself up here, but looking forward to your explanation :)

lance

Richard Bejtlich said...

Lance, that is worth its own blog post. I will try to get to that soon.

Bob Huber said...

@Lance, you can make an IDS an NSM solution, but my belief is that it's more than an IDS. In the past I had done this by the following: 1). Deploy IDS. 2). Load argus on the IDS and send those logs to a central location. 3). Run tcpdump on the IDS and send those logs to a central location. Of course, I had to keep resource utilization in mind, so a lot of times I could not have these all on the same device, but where I could, I did. So really, is the IDS equivalent to NSM, in this case? No. I was really just cross-purposing the hardware since I was already sniffing the traffic. The entire reason we started doing this was because the IDS didn't provide the context we required to see what actually happened. What did they do before the IDS fired? What did they do after?...and I'm just really paranoid
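The context Bob describes, pivoting from an IDS alert to the session records collected around it to see what a host did before and after the alert, as an added example that is neither Richard's nor Bob's code. It uses constructed flow records in a simplified argus-like text layout rather than real argus output, and the alert time, hosts and byte counts are made up.

```python
# Added example: pivot from an IDS alert to the session records around it.
# Constructed sample data (not real traffic) in a simplified argus-like
# layout: start_time proto src sport dst dport bytes
from datetime import datetime, timedelta

SESSIONS = """\
2007-12-18T10:00:05 tcp 10.1.1.20 51522 192.0.2.10 80 1200
2007-12-18T10:01:40 tcp 10.1.1.20 51530 192.0.2.10 80 900
2007-12-18T10:02:10 tcp 10.1.1.20 51531 203.0.113.5 4444 300
2007-12-18T10:02:15 tcp 10.1.1.20 51532 203.0.113.5 4444 250000
2007-12-18T10:09:00 tcp 10.1.1.20 51540 198.51.100.7 443 5000
2007-12-18T10:30:00 tcp 10.1.1.21 40000 192.0.2.10 80 700
"""

def parse_sessions(text):
    """One session record per non-empty line -> list of dicts."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, proto, src, sport, dst, dport, nbytes = line.split()
            rows.append({"start": datetime.fromisoformat(ts), "proto": proto,
                         "src": src, "dst": dst, "dport": int(dport),
                         "bytes": int(nbytes)})
    return rows

def context_for_alert(sessions, alert_iso, host,
                      before=timedelta(minutes=5), after=timedelta(minutes=10)):
    """Sessions involving host within the window, split at the alert time."""
    alert = datetime.fromisoformat(alert_iso)
    hits = sorted((s for s in sessions if host in (s["src"], s["dst"])
                   and alert - before <= s["start"] <= alert + after),
                  key=lambda s: s["start"])
    return ([s for s in hits if s["start"] < alert],
            [s for s in hits if s["start"] >= alert])

def summarize(rows):
    """Collapse sessions into (dst, dport) -> total bytes for quick triage."""
    totals = {}
    for s in rows:
        totals[(s["dst"], s["dport"])] = totals.get((s["dst"], s["dport"]), 0) + s["bytes"]
    return totals

def triage(alert_iso, host):
    """Peers and byte totals seen before and after the alert."""
    prior, later = context_for_alert(parse_sessions(SESSIONS), alert_iso, host)
    return summarize(prior), summarize(later)

if __name__ == "__main__":
    # Constructed alert: the IDS fired on the 10:02:10 connection to port 4444.
    print(triage("2007-12-18T10:02:10", "10.1.1.20"))
```

The large outbound transfer to the alerting peer right after the alert is what the alert alone would not show; the session data supplies it.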

LonerVamp said...

Whew, my feelings exactly! I hate the idea that so many people buy and/or implement security and then stare wide-eyed when an intrusion still occurs; wondering why they threw so much money away. It's a tough pill to swallow, especially as you go up the chain, the demand for absolutes and results seems to get stronger. Spend money on a solution that won't fully protect us? No! :(

And I 100% agree that as you get further from hands-on, the belief of security gets more out of hand. It's a firm belief of mine that if you want to know the real pulse of security in a company, you don't typically ask the CSO, CIO, or middle managers. You ask the techs in the trenches watching the monitors or responding to incidents. Maybe you can get away with their immediate boss.

Of course, this works in other ways too. The techs may want obscene amounts of security, whereas higher level managers are willing to accept the risks.

I really cling to my analogy of how people manage risk to being like that of risk in our cars. We have rules and we know them. The risks are obvious: financial impact from fixing our cars and physical harm, both to us and others. Yet we still make poor risk judgements every day while driving. Let alone trying to understand the highly ephemeral risks associated with digital security. The costs are often more subtle than the obvious physical theft of a laptop and the cost of the hardware and lost productivity. Combined with the analogy that home security is obvious but few bother with the minimal cost until they've been deeply violated...and it's no wonder we're fighting up a steep hill. :)

LonerVamp said...

Of course, I should add that it is a conveniently close line that we approach where people will refuse to spend more money saying we're throwing out FUD. Does Failure sell? Does FUD sell? We like to denounce FUD, but we cannot deny the impact it has when budget time comes around... Is saying "You *will* have an intrusion incident," FUD? To some it seems to be...those that confuse healthy paranoia / realistic pessimism with FUD.

Brian Dykstra said...

Richard, I'd be happy if any of the locations we have responded to this year were thinking IDS or NSM.

Of the sites we've responded to this year only one actually had any credible network logging and they weren't reviewing it.

As you referenced, we normally find that management is completely out-of-touch with the security posture of the company (sometimes this includes the CIO and CSO). Worse, at many companies we find that the IT staff has just given up on security because it isn't a management priority.

Again in 2007 we haven't responded to a single location that was alerted to their situation by an IDS, NSM, SIM, AV or anything else that should be doing the job.