TaoSecurity Security Effectiveness Model
After my last few Tweets as @taosecurity on threat-centric vs vulnerability-centric security, I sketched this diagram to help explain my thinking.
Security consists of three areas of interest: 1) What defenders think should be defended, whether or not it matters to the adversary or whether it is in reality defended, what I label "Defensive Plan"; 2) What the adversary thinks matters and really should be defended, but might not be, what I label as "Threat Actions"; and 3) What is in reality defended in the enterprise, whether or not defenders or the adversary cares, what I label "Live Defenses".
I call the Defensive Plan "Correct" when it overlaps with the Adversary Actions, because the defenders correctly assessed the threat's interests. I call it "Incorrect" when Live Defenses are applied to areas outside the interest of the security team or outside the interest of the adversary.
I call the area covered by the Live Defenses "Defended," but I don't assume the defenses are actually sufficient. Some threats will escalate to whatever level is necessary to achieve their mission. In other words, the only way to not be compromised is to not be targeted! So, I call areas that aren't defended at all "Compromised" if the adversary targets them. Areas not targeted by the adversary are "Compromise Avoided." Areas targeted by the adversary but also covered by Live Defense are "Compromise Possible."
The various intersections produce some interesting effects. For example:
- If you're in the lower center area titled "Incorrect, defended, compromise possible," and your defenses hold, you're just plain lucky. You didn't anticipate the adversary attacking you, but somehow you had a live defense covering it.
- If you're near the left middle area titled "Correct, undefended, compromised," this means you knew what to expect but you couldn't execute. You didn't have any live defenses in place.
- If you're in the area just below the previous space, titled "Incorrect, undefended, compromised," you totally missed the boat. You didn't expect the adversary to target that resource, and you didn't happen to have any live defenses protecting it.
- If you're in the very center, called "Correct, defended, compromise possible," congratulations -- this is where you expected your security program to operate, you deployed defenses that were live, but the result depends on how much effort the adversary applies to compromising you. This is supposed to be "security Nirvana" but your success depends more on the threat than on your defenses.
- The top-most part titled "Incorrect, undefended, compromise avoided" shows a waste of planning effort, but not wasted live defenses. That's a mental worry region only.
- The right-most part titled "Incorrect, defended, compromise avoided" shows a waste of defensive effort, which you didn't even plan. You could probably retire all the security programs and tools in that area.
- The area near the top titled "Incorrect, defended, compromise avoided" shows you were able to execute on your vision but the adversary didn't bother attacking those resources. That's also waste, but less so since you at least planned for it.
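The region rules above encoded as code, as an added illustration that is not part of the original post: each asset's membership in the three circles yields its diagram label, and a triage pass sorts assets into the buckets the bullets describe. The asset inventory is constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Placement:
    asset: str
    planned: bool   # inside the Defensive Plan circle
    targeted: bool  # inside the Threat Actions circle
    defended: bool  # inside the Live Defenses circle

    @property
    def label(self) -> str:
        # "Correct" only where the plan overlaps what the adversary actually targets
        plan = "Correct" if self.planned and self.targeted else "Incorrect"
        coverage = "Defended" if self.defended else "Undefended"
        if not self.targeted:
            outcome = "Compromise Avoided"   # nobody is attacking this asset
        elif self.defended:
            outcome = "Compromise Possible"  # result depends on adversary effort
        else:
            outcome = "Compromised"          # targeted with nothing live in the way
        return f"{plan}, {coverage}, {outcome}"

def place(plan: set[str], threat: set[str], live: set[str]) -> list[Placement]:
    """Classify every asset in at least one circle (assets outside all three are off the diagram)."""
    return [Placement(a, a in plan, a in threat, a in live) for a in sorted(plan | threat | live)]

def triage(placements: list[Placement]) -> dict[str, list[str]]:
    """Sort assets into the action buckets the post walks through, region by region."""
    keys = ("nirvana", "lucky", "could_not_execute", "missed_the_boat",
            "planned_but_untargeted", "retire_candidates", "worry_only")
    buckets: dict[str, list[str]] = {k: [] for k in keys}
    for p in placements:
        if p.targeted and p.defended:
            key = "nirvana" if p.planned else "lucky"
        elif p.targeted:
            key = "could_not_execute" if p.planned else "missed_the_boat"
        elif p.defended:
            key = "planned_but_untargeted" if p.planned else "retire_candidates"
        else:
            key = "worry_only"  # plan only: wasted planning effort, no wasted defenses
        buckets[key].append(p.asset)
    return buckets

# Constructed sample inventory (illustrative names, not from the post)
PLAN = {"web-portal", "payroll-db", "hr-laptops", "build-server", "marketing-wiki"}
THREAT = {"web-portal", "payroll-db", "build-server", "vpn-gateway", "ci-runner"}
LIVE = {"web-portal", "hr-laptops", "vpn-gateway", "legacy-fax"}
```

Running `triage(place(PLAN, THREAT, LIVE))` puts `ci-runner` in `missed_the_boat` and `legacy-fax` in `retire_candidates`, the two buckets the post calls out as total miss and pure waste.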
What do you think of this model? Obviously you want to make all three circles overlap as much as possible, such that you plan and defend what the threat intends to attack. That's the idea of threat-centric security in a nutshell -- or maybe a Venn diagram.
Comments
Pete
You might want to keep "crown jewels" in "Incorrect defended compromise avoided". Nobody wants to fight near them, not at all. If it can be helped.
Juhani Tali
- The hardest part is determining what the adversary thinks matters (there might be a better term for this area than 'Threat Actions'). In practice, we are unlikely to get this quite right.
- The model is static, a picture of defenses at one point in time. Over time, Threat Actions will change, even if the other two circles do not. But, of course, they should.
- Given the common understanding that we, as defenders, need to defend everything, I, for one, would appreciate some examples of "Incorrect" Live Defenses.
That concept--of an "Incorrect" Live Defense--could use some explication. Why does the adversary not target something? Because there is nothing of value to be gained by attacking it? Or because it is, in fact, too well defended to make an attack worthwhile? Or a combination of the two; that is, the attacker's cost/benefit analysis leads the attacker elsewhere. If that is the case, is the defense really incorrect?
Nonetheless, a complex model like this definitely could use analogies/examples. And that should include examples that fall outside the desired areas. For instance, if you desire all 3 circles to overlap as much as possible, then we're again just talking about defending everything, yeah? Though maybe that at least limits really strange things like tempest, printers, low-value tiny devices, or something...
Of course, it doesn't help adoption/understanding of a model that will only be valid for 1 organization/situation for a range in time. Too often we get people wanting to find these universal models that fit everyone, when I really don't think that exists outside nebulous Best Practices and some compliance checklists.
-LonerVamp
I start a lot of presentations with a chessboard on the screen, I then move a white piece, (usually a white pawn to e4), then I ask the audience - "was that a chess move?"
Inevitably someone says yes.
But in chess a "move" is one white move AND one black move. So it's the combination of white and black that makes a single move.
Like your model, this shows how the defensive plan is necessary but not sufficient. No one in chess sets up a Ruy Lopez opening or any other favorite opening and says to themselves, "well, I am done - got my pawns and all my pieces where I want them - no one can defeat that."
It's the same in infosec: you have to have a defensive plan, but you have to watch all the other player's moves as well.
I think this model illustrates as much about planning your defenses well, as it does about commercial sense. I.e. If you do not have unlimited budget to pour into your security program, then using a threat-centric model which is specific to your organisation's risk profile is going to be far more effective and give you the best value for your money spent.
A comparison could be drawn with the 80/20 rule of security which was published by MSI, Inc. -- it proposes the concept that 80% of an organization's real information security comes from only 20% of the assets and effort put into the program.
This is opposed to a vulnerability-centric approach which would be to try and protect against all vulnerabilities, without necessarily taking time to analyse the actual risk presented to the organisation. Sure, a high severity vulnerability may have a CVSS aggregate score of 10, but if the affected asset is of little significance to an attacker (low value target) then spending a lot of time/money to fix that vulnerability should be less important than fixing a vulnerability which would have a higher value to an attacker if they went after it. High severity does not always equal highest overall risk.
Threat modelling will provide you with a sharper view of where you should focus your efforts. Protect what you value, monitor what you can, and constantly evaluate the effectiveness of whichever model you apply to your security program.
Excellent post!
You have ended your post with "Obviously you want to make all three circles overlap as much as possible..."; while I totally agree that we, as defenders, want the "defensive plan" and "live defenses" circles to overlap as much as possible, I would argue that "threat action" should not "touch" the other two circles, i.e., the organization should strive to *appear* as irrelevant or unimportant to potential adversaries.
Regards,
John.
Appreciate your pointing out that being defended is not being secure.
I agree with Jim that it portrays a static view of things.
What I've learned working with risk is that there are two categories of threat sources - intentional and accidental. Merely focusing on adversaries misses something important and that would be my main 'objection' re this model version.
Interesting initiative, it certainly helps illustrate a couple of key perspectives. Thanks for sharing.