Monday, August 29, 2011

TaoSecurity Security Effectiveness Model

After my last few Tweets as @taosecurity on threat-centric vs vulnerability-centric security, I sketched this diagram to help explain my thinking.

Security consists of three areas of interest: 1) what defenders think should be defended, whether or not it matters to the adversary or is in reality defended, which I label "Defensive Plan"; 2) what the adversary thinks matters and really should be defended, but might not be, which I label "Threat Actions"; and 3) what is in reality defended in the enterprise, whether or not the defenders or the adversary care, which I label "Live Defenses".

I call the Defensive Plan "Correct" when it overlaps with the Adversary Actions, because the defenders correctly assessed the threat's interests. I call it "Incorrect" when Live Defenses are applied to areas outside the interest of the security team or outside the interest of the adversary.

I call the area covered by the Live Defenses "Defended," but I don't assume the defenses are actually sufficient. Some threats will escalate to whatever level is necessary to achieve their mission. In other words, the only way to not be compromised is to not be targeted! So, I call areas that aren't defended at all "Compromised" if the adversary targets them. Areas not targeted by the adversary are "Compromise Avoided." Areas targeted by the adversary but also covered by Live Defenses are "Compromise Possible."

The various intersections produce some interesting effects. For example:

  1. If you're in the lower center area titled "Incorrect, defended, compromise possible," and your defenses hold, you're just plain lucky. You didn't anticipate the adversary attacking you, but somehow you had a live defense covering it.

  2. If you're near the left middle area titled "Correct, undefended, compromised," this means you knew what to expect but you couldn't execute. You didn't have any live defenses in place.

  3. If you're in the area just below the previous space, titled "Incorrect, undefended, compromised," you totally missed the boat. You didn't expect the adversary to target that resource, and you didn't happen to have any live defenses protecting it.

  4. If you're in the very center, called "Correct, defended, compromise possible," congratulations -- this is where you expected your security program to operate, you deployed defenses that were live, but the result depends on how much effort the adversary applies to compromising you. This is supposed to be "security Nirvana" but your success depends more on the threat than on your defenses.

  5. The top-most part titled "Incorrect, undefended, compromise avoided" shows a waste of planning effort, but not wasted live defenses. That's a mental worry region only.

  6. The right-most part titled "Incorrect, defended, compromise avoided" shows a waste of defensive effort, which you didn't even plan. You could probably retire all the security programs and tools in that area.

  7. The area near the top titled "Incorrect, defended, compromise avoided" shows you were able to execute on your vision but the adversary didn't bother attacking those resources. That's also waste, but less so since you at least planned for it.


What do you think of this model? Obviously you want to make all three circles overlap as much as possible, such that you plan and defend what the threat intends to attack. That's the idea of threat-centric security in a nutshell -- or maybe a Venn diagram.
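As an added illustration (not part of the original post), the three circles can be treated as sets of assets, with each region's label derived from membership alone using the rules stated above. The asset names and function names are constructed for the example.

```python
from collections import defaultdict

def classify(planned: bool, live: bool, targeted: bool) -> str:
    """Return the post's three-part region label for one asset."""
    # "Correct" only where the Defensive Plan overlaps Threat Actions.
    plan = "Correct" if planned and targeted else "Incorrect"
    # "Defended" means a live defense exists, not that it is sufficient.
    defense = "defended" if live else "undefended"
    if not targeted:
        outcome = "compromise avoided"
    elif live:
        outcome = "compromise possible"
    else:
        outcome = "compromised"
    return f"{plan}, {defense}, {outcome}"

def assess(defensive_plan: set, live_defenses: set, threat_actions: set) -> dict:
    """Group every asset found in any circle under its region label."""
    regions = defaultdict(list)
    for asset in sorted(defensive_plan | live_defenses | threat_actions):
        label = classify(asset in defensive_plan,
                         asset in live_defenses,
                         asset in threat_actions)
        regions[label].append(asset)
    return dict(regions)

def gaps_and_waste(defensive_plan: set, live_defenses: set, threat_actions: set):
    """Targeted assets with no live defense, and live defenses on untargeted assets."""
    gaps = sorted(threat_actions - live_defenses)
    # Split wasted defenses into planned (item 7) and unplanned (item 6).
    planned_waste = sorted((live_defenses - threat_actions) & defensive_plan)
    unplanned_waste = sorted(live_defenses - threat_actions - defensive_plan)
    return gaps, planned_waste, unplanned_waste

# Constructed sample inventory, one asset per region of the diagram.
DEFENSIVE_PLAN = {"domain-controllers", "payment-db", "email-gateway", "hr-portal"}
LIVE_DEFENSES = {"domain-controllers", "email-gateway", "guest-wifi", "build-servers"}
THREAT_ACTIONS = {"domain-controllers", "payment-db", "build-servers", "vpn-concentrator"}

if __name__ == "__main__":
    for label, assets in assess(DEFENSIVE_PLAN, LIVE_DEFENSES, THREAT_ACTIONS).items():
        print(f"{label}: {', '.join(assets)}")
    print(gaps_and_waste(DEFENSIVE_PLAN, LIVE_DEFENSES, THREAT_ACTIONS))
```

Items 6 and 7 in the list share one label, so `gaps_and_waste` separates them by whether the defended asset was in the plan.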

11 comments:

Anonymous said...

You should number/label each area for discussion.

Pete

Phim said...

I personally like this model and think that it would be an excellent teaching tool for information security practitioners. However, I would not necessarily use this model in a presentation to leadership - the model seems as though it would be too complex to explain in a short amount of time. In that case I would stress the biggest takeaway - the fact that security plans need to overlap advisory actions for effective security.

Anonymous said...

This model is nice. I will try to turn the good-bad upside down, just for the fun of it. I'd say the best is if the intersection between Defensive plan and Threat actions is as small as possible. That might mean the attacker missed the real and painful target. Go chase some ghosts, my friend, be happy and hack the ip connected office coffee machine, let there be nothing to stop, all live defenses teach the attacker and take away cpu and human cycles.
You might want to keep "crown jewels" in "Incorrect defended compromise avoided". Nobody wants to fight near them, not at all. If it can be helped.

Juhani Tali

Jim Voorhees said...

This is a model well worth thinking through. A couple quick thoughts:

--The hardest part is determining what the adversary thinks matters (there might be a better term for this area than 'Threat Actions'). In practice, we are unlikely to get this quite right.

--The model is static, a picture of defenses at one point in time. Over time, Threat Actions will change, even if the other two circles do not. But, of course, they should.

--Given the common understanding that we, as defenders, need to defend everything, I, for one, would appreciate some examples of "Incorrect" Live Defenses.

That concept--of an "Incorrect" Live Defense--could use some explication. Why does the adversary not target something? Because there is nothing of value to be gained by attacking it? Or because it is, in fact, too well defended to make an attack worthwhile? Or a combination of the two; that is, the attacker's cost/benefit analysis leads the attacker elsewhere. If that is the case, is the defense really incorrect?

John said...

I don't think it's intuitive enough. Can you tell the difference between "Live Defenses" and "Defensive Plan" at a glance? I don't think so. If this model's audience is intended for non-security folks, I see glazed eyes in your future. Maybe "Current Defenses" or "Current Set-up" or something like that for "Live Defenses". I don't know what I would call the other fields. All in all, a good visual that needs a little tweaking marketing-wise.

Anonymous said...

It seems like when you get far enough into looking at what threat agents are interested in, you're just going to cover everything. From APT/espionage to automated/opportunistic incidents to insiders doing whatever they think will hurt an organization (often related to Availability), it seems like everything of any value will eventually be covered. Especially if you take a management/counsel viewpoint that it matters if it can turn into a public notice of a breach and possible data disclosure.

Nonetheless, a complex model like this definitely could use analogies/examples. And that should include examples that fall outside the desired areas. For instance, if you desire to have all 3 circles to overlap as much as possible, then we're again just talking about defending everything, yeah? Though maybe that at least limits really strange things like tempest, printers, low-value tiny devices, or something...

Of course, it doesn't help adoption/understanding of a model that will only be valid for 1 organization/situation for a range in time. Too often we get people wanting to find these universal models that fit everyone, when I really don't think that exists outside nebulous Best Practices and some compliance checklists.

-LonerVamp

gunnar said...

Richard - this model makes a lot of sense to me and helps highlight some of the important distinctions a lot of people miss.

I start a lot of presentations with a chessboard on the screen, I then move a white piece, (usually a white pawn to e4), then I ask the audience - "was that a chess move?"

Inevitably someone says yes.

But in chess a "move" is one white move AND one black move. So it's the combination of white and black that make a single move.

Like your model this shows how the defensive plan is necessary but not sufficient, no one in chess sets up a Ruy Lopez opening or any other favorite opening and says to themselves - "well I am done - got my pawns and all my pieces where I want them - no one can defeat that."

It's the same in infosec, have to have a defensive plan but have to watch all the other player moves as well.

Kai Axford said...

Like it a bunch. Sure, there are a few tweaks that may make it better, but the industry has been lacking something like this for some time. Be nice to see where some specific threat vectors sit.

Matt K said...

Guys, remember the point of this model is to take on a threat-centric approach to executing a security program. I quite like this model. It's a nice way to look at protecting what matters, ensuring that protective and detective controls are not wasted on things which don't matter in the grand scheme of things.

I think this model illustrates as much about planning your defenses well, as it does about commercial sense. I.e. If you do not have unlimited budget to pour into your security program, then using a threat-centric model which is specific to your organisation's risk profile is going to be far more effective and give you the best value for your money spent.

A comparison could be drawn with the 80/20 rule of security which was published by MSI, Inc. -- it proposes the concept that 80% of an organization's real information security comes from only 20% of the assets and effort put into the program.

This is opposed to a vulnerability-centric approach which would be to try and protect against all vulnerabilities, without necessarily taking time to analyse the actual risk presented to the organisation. Sure, a high severity vulnerability may have a CVSS aggregate score of 10, but if the affected asset is of little significance to an attacker (low value target) then spending a lot of time/money to fix that vulnerability should be less important than fixing a vulnerability which would have a higher value to an attacker if they went after it. High severity does not always equal highest overall risk.

Threat modelling will provide you with a sharper view of where you should focus your efforts. Protect what you value, monitor what you can, and constantly evaluate the effectiveness of whichever model you apply to your security program.

John Markh said...

Hi Richard,

Excellent post!

You have ended your post with "Obviously you want to make all three circles overlap as much as possible..."; while I totally agree that we, as defenders, want "defensive plan" and "live defenses" circles to overlap as much as possible, I would argue that "threat action" should not "touch" the other two circles - i.e. the organization should strive to *appear* as irrelevant or unimportant to potential adversaries.

Regards,
John.

Per Stromsjo said...

Models simplify matters, that's what they should do, and so does this one.

Appreciate your pointing out that being defended is not being secure.

I agree with Jim that it portrays a static view of things.

What I've learned working with risk is that there are two categories of threat sources - intentional and accidental. Merely focusing on adversaries misses something important and that would be my main 'objection' re this model version.

Interesting initiative, it certainly helps illustrate a couple of key perspectives. Thanks for sharing.