Tuesday, October 28, 2008

Unify Against Threats

At my keynote at the 2008 SANS Forensics and IR Summit I emphasized the need for a change in thinking among security practitioners. To often security and IT groups have trouble relating to other stakeholders in an organization because we focus on vulnerabilities. Vulnerabilities are inherently technical, and they mean nothing to others who might also care about security risks, like human resources, physical security, audit staff, legal staff, management, business intelligence, and others. I used the following slide to make my point:



My point is that security people should stop framing our problems in terms of vulnerabilities or exploits when speaking with anyone outside our sphere of influence. Rather, we should talk in terms of threats. This focuses on the who and not the what or how. This requires a different mindset and a different data set.

The business should create a strategy for dealing with threats, not with vulnerabilities or exploits. Notice I said "business" and not "security team." Creation of a business-wide strategy should be done as a collaborative effort involving all stakeholders. By keeping the focus on the threats, each stakeholder can develop detective controls and countermeasures as they see fit -- but with a common adversary in mind. HR can focus on better background checks; physical security on guns and guards; audit staff on compliance; legal staff on policies; BI on suspicious competitor activities, and so on. You know you are making progress when management asks "how are we dealing with state-sponsored competitors" instead of "how are we dealing with the latest Microsoft vulnerability?"

This doesn't mean you should ignore vulnerabilities. Rather, the common strategy across the organization should focus on threats. When it comes to countermeasures in each team, then you can deal with vulnerabilities and the effect of exploits.

Note that focusing on threats requires real all-source security intelligence. You don't necessarily need to contract with a company like iDefense, one of the few that do the sort of research I suggest you need. This isn't a commercial for iDefense and I don't contract with them, but their topical research reporting is an example of helpful (commercial) information. I would not be surprised, however, to find you already have a lot of the background you need already held by the stakeholders in the organization. Unifying against the threats is one way to bring these groups together.

3 comments:

Jack said...

So, Richard, Im curious which security people - who are decision makers at a business level - are focusing on vulnerabilities and not threats?

If there are people like that, they really need to be fired.

This is stuff that's been understood...forever? You can see it in one of CERT's classification schemes from 1998 (it represented classification of threat as something like: attacker->tool->vulnerability->asset->technical goal->strategic goal).

From where I am, it doesn't look like people aren't more than aware of the realities you describe. Instead, we lack good business process connecting our organization from those supposedly doing risk and threat management to those people sitting in front of hardware and software on the front line.

I sit in cyber security working group meetings, attend ISAC stuff, etc, and people there understand threats - but not vulnerabilities.

My question is where are the mechanisms to connect these groups of people (within enterprises and cross-sector/industry)?

-jofny/sintixerr

Victor said...

So, Richard, Im curious which security people - who are decision makers at a business level - are focusing on vulnerabilities and not threats?

If there are people like that, they really need to be fired.


Most application owners are going to want something tangible that they can fix (i.e. a vulnerability) and tick off their list. The unquantifiable threat is just there to scare them into taking action.

Jet said...

Richard.

The business should create a strategy for dealing with threats, not with vulnerabilities or exploits.

I will call the strategy - "Risk Management".