<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Enterprise Strategy Group &#187; Security Management</title>
	<atom:link href="http://www.enterprisestrategygroup.com/category/by-coverage-area/information-and-risk-management/security-and-privacy/security-management/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.enterprisestrategygroup.com</link>
	<description>Just another WordPress site</description>
	<lastBuildDate>Wed, 08 Sep 2010 14:58:38 +0000</lastBuildDate>
	<language></language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Real-Time Risk Management</title>
		<link>http://www.enterprisestrategygroup.com/2010/09/real-time-risk-management/</link>
		<comments>http://www.enterprisestrategygroup.com/2010/09/real-time-risk-management/#comments</comments>
		<pubDate>Fri, 03 Sep 2010 20:46:55 +0000</pubDate>
		<dc:creator>Garrett Doherty</dc:creator>
				<category><![CDATA[Briefs]]></category>
		<category><![CDATA[Information and Risk Management]]></category>
		<category><![CDATA[Jon Oltsik]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[Security and Privacy]]></category>
		<category><![CDATA[real-time risk management]]></category>
		<category><![CDATA[threat]]></category>
		<category><![CDATA[vulnerability]]></category>

		<guid isPermaLink="false">http://www.enterprisestrategygroup.com/?p=18029</guid>
		<description><![CDATA[Information security based on regulatory compliance stipulations cannot keep up with today’s sophisticated and rapidly changing threat landscape. CISOs need to implement a new discipline that ESG calls, “Real-time Risk Management.” Real-time Risk Management addresses the rapidly changing threat landscape with up to the minute information about threats, vulnerabilities, and assets; comprehensive visibility of the [...]]]></description>
			<content:encoded><![CDATA[<div class="abstract">Information security based on regulatory compliance stipulations cannot keep up with today’s sophisticated and rapidly changing threat landscape.  CISOs need to implement a new discipline that ESG calls “Real-time Risk Management.”  Real-time Risk Management addresses the rapidly changing threat landscape with up-to-the-minute information about threats, vulnerabilities, and assets; comprehensive visibility of the entire IT infrastructure; and continuous assessment of existing security controls.</div>
<h1>Overview</h1>
<p>Over the past few years, information security policies and controls were guided primarily by regulatory compliance requirements.  ESG believes this behavior is now changing.  Why?  Information security defenses based upon regulations alone can help large organizations pass compliance audits, but they aren’t nearly as effective at protecting them against the growing volume of sophisticated threats and targeted cybercrime attacks.</p>
<p>Addressing these new virulent threats demands a new mindset based upon IT risk management rather than regulatory compliance or reactive security alone.  Unfortunately, many enterprises have a long way to go to make this transition.  Why? Of ESG research respondents:</p>
<ul>
<li>Only 58% of organizations claim that they are “well aware and well protected against IT security risks.”</li>
<li>Just 3% of organizations claim to have 100% visibility into the risk posture of their IT environment.  Alternatively, more than half of all respondents said that they either had 50% or less visibility into the risk posture of their IT environment or they didn’t know.</li>
</ul>
<p>This data points to an alarming reality: many organizations realize that they are not only inadequately protected against security threats, but they lack the right level of visibility to understand or sufficiently address these risks.  Regrettably, many organizations are simply “flying blind” when it comes to risk management.</p>
<h2>Risk Management Review</h2>
<p>From an information security perspective, risk management is the process of assessing the likelihood of security threats across the organization and determining the vulnerabilities exposing organizations to each threat.  With risk management, threats and vulnerabilities are defined as follows:</p>
<ul>
<li><strong>Threat:</strong> A man-made or natural event that could have a negative consequence for the organization.  Man-made examples include power failures as well as Web threats, spear phishing, and insider attacks. Examples of natural events include disasters like earthquakes, hurricanes, and floods.</li>
<li><strong>Vulnerability:</strong> A flaw, loophole, oversight, or error that can expose an organization to a threat.  A distribution center on the U.S. Gulf coast is vulnerable to hurricanes and floods.  Likewise, a Windows server that has not been patched with the latest operating system updates may be vulnerable to specific types of malware attacks.</li>
</ul>
<p>With IT risk management, threats and vulnerabilities should be assessed on an asset-by-asset basis. Risk management decisions can then be made depending upon the level of exposure (i.e., threats and vulnerabilities) as well as the asset’s value (i.e., the relative significance each asset delivers in overall business operations).</p>
<p>Armed with these metrics, organizations can make qualitative and quantitative risk management decisions: risk acceptance; risk assignment or transfer (i.e., transferring potential risk to a third party such as an insurance company); or risk reduction (i.e., mitigating risk by implementing security controls, policies, and procedures).  In this context, a control is a mechanism used to restrain, regulate, or reduce vulnerabilities.</p>
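<p>As an added illustration (example code, not part of the ESG brief), the following Python risk register applies the definitions above asset by asset: each asset-and-threat pair is scored from the threat's likelihood, the severity of the vulnerability that exposes the asset to it, and the asset's business value, and a treatment (accept, transfer, or reduce) is chosen from the score.  Applying a control lowers the vulnerability's severity, so the same function gives the residual risk.  The asset and threat names, the 1-to-5 scales, the decision thresholds, and the sample data are all assumptions made for the example.</p>

```python
"""Added example (not ESG's code): an asset-by-asset risk register.

Scales are ordinal 1..5 (assumed); a (asset, threat) score is
likelihood x vulnerability severity x asset value, i.e. 1..125.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    value: int                       # business significance, 1..5
    vulnerabilities: dict = field(default_factory=dict)   # name -> severity 1..5


@dataclass
class Threat:
    name: str
    likelihood: int                  # 1..5
    exploits: tuple                  # vulnerability names this threat takes advantage of
    transferable: bool = False       # e.g. an insurable natural event


def exposure(asset: Asset, threat: Threat) -> int:
    """Highest severity among the asset's vulnerabilities this threat exploits; 0 if none."""
    return max((sev for v, sev in asset.vulnerabilities.items() if v in threat.exploits), default=0)


def risk_score(asset: Asset, threat: Threat) -> int:
    """Likelihood x severity x asset value; 0 when the asset is not exposed to the threat."""
    return threat.likelihood * exposure(asset, threat) * asset.value


# Assumed decision thresholds on the 1..125 scale.
REDUCE_AT = 40
ACCEPT_BELOW = 12


def treatment(score: int, threat: Threat) -> str:
    """Accept low scores, transfer mid-range insurable risks, reduce everything else with a control."""
    if score < ACCEPT_BELOW:
        return "accept"
    if threat.transferable and score < REDUCE_AT:
        return "transfer"
    return "reduce"


def apply_control(asset: Asset, vulnerability: str, new_severity: int) -> Asset:
    """A control restrains or reduces a vulnerability: return a copy with the severity lowered."""
    vulns = dict(asset.vulnerabilities)
    vulns[vulnerability] = min(vulns.get(vulnerability, 0), new_severity)
    return Asset(asset.name, asset.value, vulns)


def register(assets, threats):
    """Rows of (asset, threat, score, treatment), highest risk first; unexposed pairs are omitted."""
    rows = []
    for a in assets:
        for t in threats:
            s = risk_score(a, t)
            if s:
                rows.append((a.name, t.name, s, treatment(s, t)))
    return sorted(rows, key=lambda r: -r[2])


# Constructed sample data (hypothetical assets, vulnerabilities and threats).
ASSETS = [
    Asset("payment-db", 5, {"unpatched OS": 4, "gulf-coast site": 3}),
    Asset("marketing-wiki", 2, {"unpatched OS": 4, "single PSU": 3}),
]
THREATS = [
    Threat("malware", 4, ("unpatched OS",)),
    Threat("hurricane", 2, ("gulf-coast site",), transferable=True),
    Threat("power failure", 1, ("single PSU",)),
]

if __name__ == "__main__":
    for row in register(ASSETS, THREATS):
        print(row)
    patched = apply_control(ASSETS[0], "unpatched OS", 1)
    print("residual payment-db/malware risk:", risk_score(patched, THREATS[0]))
```

<p>The point of keeping <code>apply_control</code> separate is that a control changes the vulnerability input, not the threat: the hurricane still arrives at the same likelihood, and the inherent-versus-residual comparison is what justifies the spend.</p>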
<h1>Risk Management:  What’s Needed?</h1>
<p>The data cited above demonstrates that IT risk management needs a lot of work.  Why?  First, IT risk management is relatively new and undeveloped; this will improve over time. But IT risk management faces another challenge beyond immaturity alone.  The fact is that IT is a rapidly evolving system: large organizations are currently in the midst of a massive IT metamorphosis driven by SOA, virtualization, cloud computing, consumerization, and mobility.  In this environment, threats, vulnerabilities, and even IT assets change on a daily basis.  This situation is exacerbated by the rapid rise in threats; the convergence of the two results in a perfect storm for CISOs.</p>
<p>How can CISOs maintain sound risk management practices in an environment of constant change?  Today’s risk management must be based upon (see Figure 1):</p>
<div class="graph_top">Figure 1. Components of Real-Time Risk Management</div>
<p><img class="aligncenter size-full wp-image-18031" title="RealTimeRiskF1" src="http://www.enterprisestrategygroup.com/media/wordpress/2010/09/RealTimeRiskF1.png" alt="" width="624" height="353" /></p>
<ul>
<li><strong>Instantaneous knowledge.</strong> Given the dynamic nature of both IT and the threat landscape, it is no longer adequate to perform risk assessments at predefined intervals (i.e., weekly, monthly, quarterly, etc.).  Rather, asset changes, vulnerability assessments, and threat data must be available in real time.  Security tools must correlate this information and immediately report on new types or levels of risk.  Security practitioners must be trained to digest these inputs, present them to business managers, and expedite risk mitigation without delay.</li>
<li><strong>Comprehensive visibility and coverage.</strong> IT is composed of a multitude of assets like hardware devices, databases, business applications, and virtual appliances.  It is no longer enough to understand a sub-segment of the IT portfolio or to adopt a piecemeal view of the infrastructure through a potpourri of tools.  To keep up with assets and their associated vulnerabilities, CISOs need consistent data, visibility, and alerts across the entire IT spectrum. It’s not enough to get a partial picture (remember that more than half of all respondents said that they had 50% or less visibility into the risk posture of their IT environment). Organizations need to understand <span style="text-decoration: underline;">all</span> of the vulnerabilities that exist and how they impact the environment.</li>
<li><strong>Constant controls assessment and adjustment.</strong> Security controls don’t fit into the “set-it-and-forget-it” category.  Rather, controls need persistent assessment to ensure that they adequately address new or changing risks.</li>
</ul>
<h2>The Rise of Real-Time Risk Management</h2>
<p>CISOs should anticipate a new category of security management solutions for “Real-time Risk Management.”  Real-time Risk Management demands wide (i.e., across the entire IT infrastructure), deep (i.e., strong technical insight into each technology), and constant visibility into threats, vulnerabilities, assets, and controls.  The best real-time risk management systems will also be supported by:</p>
<ul>
<li><strong>Threat monitoring intelligence.</strong> To keep up with rapid changes in the threat landscape, real-time risk management platforms will be constantly updated by the latest threat data from leading security researchers, academics, and public organizations. Along this line, security practitioners require vulnerability assessment content that delivers depth and breadth of coverage to ensure proper controls can be dispatched to thwart risks that materialize from the ever-changing/evolving threat landscape. Don’t be caught with partial coverage—finding 100% of half of the vulnerabilities still leaves a business highly exposed.</li>
<li><strong>Deep security knowledge.</strong> To help security professionals sort through mountains of threat, vulnerability, and asset data, real-time risk management will be instrumented with heuristics, correlation engines, and alerting capabilities.  The goal?  Help security professionals understand where best to focus security controls.</li>
<li><strong>Automation.</strong> Aside from gathering and sorting through information, real-time risk management platforms will also integrate with security controls and enforcement technologies in order to automate risk management responses.  When the risk management system detects un-patched laptops on the network, it can prompt security operations teams to begin an immediate patch cycle or other security control.</li>
</ul>
<h1>The Real-Time Truth</h1>
<p>Real-time Risk Management is more than a new and evolving set of security tools; it is a mindset shift.  CISOs should begin with more frequent security assessments, asset discovery, vulnerability scans, and configuration management.  It is also worthwhile to implement IT best practice models like ITIL, COBIT, or the NIST SP 800 series.  These guidelines will help lock down error-prone activities such as IT provisioning, configuration management, and change management.</p>
<p>CISOs should also take a pragmatic look at risk management blind spots.  How current are asset databases?  Do existing tools discover and alert IT when new assets are added to the network?  Do vulnerability scanning tools cover all technology elements or just a subset?  Do those tools use timely content and cover the spectrum of databases, applications, systems, and devices that define the organization with a comprehensive set of vulnerability checks? Remember that visibility gaps represent security vulnerabilities and should be analyzed and mitigated as such in a risk management context.</p>
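<p>As an added example (not ESG's code and not a description of any vendor product), the Python engine below shows the three components of Figure 1 and the blind-spot questions above working together: it correlates an asset inventory, hosts actually observed on the network, vulnerability findings with their scan timestamp, and a threat feed that marks a weakness as actively exploited.  Every feed event re-evaluates risk immediately rather than on a scheduled cycle, alerts only on conditions that are new since the last event, flags hosts that are on the wire but not in the inventory or that have no fresh scan, and turns an un-patched laptop into a prompt to start a patch cycle.  The host names, weakness names, scales, thresholds, feed shapes, and the event sequence are all constructed assumptions.</p>

```python
"""Added example (not ESG's code): re-evaluating risk on every change.

Four constructed feeds are correlated as events arrive: the asset inventory
(CMDB), hosts observed on the network, scan findings with a timestamp, and
threat intelligence naming actively exploited weaknesses. Scales, thresholds
and all names are assumptions.
"""
from datetime import datetime, timedelta

SCAN_MAX_AGE = timedelta(days=7)   # assumed: a finding older than this is stale
ALERT_AT = 30                      # assumed alert threshold on the score below


class RiskEngine:
    def __init__(self, now: datetime):
        self.now = now
        self.inventory = {}     # host -> {"value": 1..5, "role": str}
        self.observed = set()   # hosts seen by discovery (DHCP, NetFlow, ...)
        self.findings = {}      # host -> {weakness: (severity 1..5, seen_at)}
        self.exploited = set()  # weaknesses reported as actively exploited
        self._active = set()    # conditions raised at the previous evaluation
        self.alerts = []        # every alert ever raised, in order

    # Feed handlers: each change triggers an immediate re-evaluation.
    def asset_added(self, host, value, role):
        self.inventory[host] = {"value": value, "role": role}
        self.observed.add(host)
        return self.reevaluate()

    def asset_observed(self, host):
        self.observed.add(host)
        return self.reevaluate()

    def finding(self, host, weakness, severity, seen_at):
        self.findings.setdefault(host, {})[weakness] = (severity, seen_at)
        return self.reevaluate()

    def threat_intel(self, weakness, actively_exploited):
        (self.exploited.add if actively_exploited else self.exploited.discard)(weakness)
        return self.reevaluate()

    def host_risk(self, host):
        """Sum over findings of likelihood x severity x asset value; 0 for hosts not in inventory."""
        asset = self.inventory.get(host)
        if asset is None:
            return 0
        total = 0
        for weakness, (severity, _seen_at) in self.findings.get(host, {}).items():
            likelihood = 5 if weakness in self.exploited else 2   # assumed mapping
            total += likelihood * severity * asset["value"]
        return total

    def visibility_gaps(self):
        """Hosts on the wire but not in the CMDB, and inventoried hosts without a fresh scan."""
        unknown = sorted(self.observed - set(self.inventory))
        cutoff = self.now - SCAN_MAX_AGE
        stale = sorted(
            h for h in self.inventory
            if not self.findings.get(h)
            or max(t for _, t in self.findings[h].values()) < cutoff
        )
        return {"unknown": unknown, "stale": stale}

    def conditions(self):
        """Everything the current picture warrants acting on: (host, condition, action)."""
        active = set()
        for host, asset in self.inventory.items():
            score = self.host_risk(host)
            if score >= ALERT_AT:
                action = "start patch cycle now" if asset["role"] == "laptop" else "review controls"
                active.add((host, f"risk={score}", action))
        gaps = self.visibility_gaps()
        active.update((h, "not in inventory", "enroll and scan") for h in gaps["unknown"])
        active.update((h, "no fresh scan", "rescan") for h in gaps["stale"])
        return active

    def reevaluate(self):
        """Alert only on conditions that are new since the previous change (no repeat noise)."""
        active = self.conditions()
        new = sorted(active - self._active)
        self._active = active
        self.alerts.extend(new)
        return new


def demo():
    """Constructed event sequence; returns the engine and the alerts raised by the last event."""
    now = datetime(2010, 9, 3, 12, 0)
    eng = RiskEngine(now)
    eng.asset_added("laptop-17", 3, "laptop")
    eng.asset_added("payment-db", 5, "server")
    eng.finding("laptop-17", "unpatched OS", 4, now - timedelta(days=1))     # risk 24: quiet
    eng.finding("payment-db", "unpatched OS", 4, now - timedelta(days=20))   # risk 40, scan stale
    eng.asset_observed("printer-3")                                          # never inventoried
    last = eng.threat_intel("unpatched OS", actively_exploited=True)         # risk jumps
    return eng, last


if __name__ == "__main__":
    engine, latest = demo()
    for alert in engine.alerts:
        print(alert)
```

<p>Two design choices matter here.  The visibility-gap check is computed from the same data the risk score uses, so an asset the scanner has never seen shows up as an alert instead of silently scoring zero; and alerting on the difference between successive condition sets is what keeps a continuously re-evaluating system from drowning operators in repeats of the same finding.</p>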
<p>Finally, ESG firmly believes that early Real-time Risk Management systems are already available today. Smart CISOs will research available solutions, query vendors on product roadmaps, and evaluate leading solutions as soon as possible.  The goal?  Deploy Real-time Risk Management tools that can keep up with business-driven IT changes and help establish a Real-time Risk Management discipline throughout IT.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.enterprisestrategygroup.com/2010/09/real-time-risk-management/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Security Industry Needs to do More Around Web Threats</title>
		<link>http://www.enterprisestrategygroup.com/2010/08/the-security-industry-needs-to-do-more-around-web-threats/</link>
		<comments>http://www.enterprisestrategygroup.com/2010/08/the-security-industry-needs-to-do-more-around-web-threats/#comments</comments>
		<pubDate>Tue, 10 Aug 2010 17:22:48 +0000</pubDate>
		<dc:creator>Garrett Doherty</dc:creator>
				<category><![CDATA[Blogs]]></category>
		<category><![CDATA[Information and Risk Management]]></category>
		<category><![CDATA[Jon Oltsik]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[Security and Privacy]]></category>
		<category><![CDATA[Blue Coat]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[NSS Labs]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[trend micro]]></category>
		<category><![CDATA[Websense]]></category>

		<guid isPermaLink="false">http://www.enterprisestrategygroup.com/?p=17756</guid>
		<description><![CDATA[If you aren&#8217;t familiar with Web threats, you should be. A Web threat uses the ubiquity of the WWW as a threat vector to propagate malicious exploits and payloads. Web threats lead to PCs infected with keyboard loggers, botnet code, or traditional worms and viruses. Traditional threats like e-mail viruses and automated Internet worms still [...]]]></description>
			<content:encoded><![CDATA[<p>If you aren&#8217;t familiar with Web threats, you should be. A Web threat uses the ubiquity of the WWW as a threat vector to propagate malicious exploits and payloads. Web threats lead to PCs infected with keyboard loggers, botnet code, or traditional worms and viruses.</p>
<p>Traditional threats like e-mail viruses and automated Internet worms still exist, but the bad guys now find the Web more effective. Cybercriminals can use dynamic links, scripts, URLs, or files to infect PCs. Even worse, they regularly exploit sites like Facebook for social engineering attacks.</p>
<p>This is a very serious threat&#8211; each and every enterprise should be implementing Web threat defenses. There are a number available from companies like <a href="http://www.bluecoat.com" target="_blank">Blue Coat</a>, <a href="http://www.cisco.com" target="_blank">Cisco</a>, <a href="http://www.mcafee.com/" target="_blank">McAfee</a>, <a href="http://www.symantec.com/" target="_blank">Symantec</a>, <a href="http://www.trendmicro.com" target="_blank">Trend Micro</a>, and <a href="http://www.websense.com" target="_blank">Websense</a>. Unfortunately, this activity isn&#8217;t as urgent as it should be because:</p>
<ol>
<li><strong>Users don&#8217;t always understand</strong>. Security threats morph and grow more sophisticated all the time and many users simply can&#8217;t keep up with the changes. There hasn&#8217;t been enough user education about Web threats.</li>
<li><strong>The industry hasn&#8217;t done a good job of bridging this gap.</strong> Some vendors insist that exploits are the same thing as malicious code threats. They aren&#8217;t and this type of rhetoric confuses the market. Others simply position Web threat management as the next security point tool du jour. This doesn&#8217;t really help users understand the context here.</li>
</ol>
<p>Independent product testing would help educate users and illustrate the types of threats we face. <a href="http://nsslabs.com" target="_blank">NSS Labs</a> is poised to test a number of products, but since this space is somewhat immature, many vendors are hesitant to step up to the plate. This is unfortunate as it places business concerns over security protection.</p>
<p>To address Web threats, users have to demand help from their vendors. This help should come in the form of education services, product testing, and a contextual framework of where Web threat management fits within overall information security. This needs to happen now, not when products mature and a high percentage of PCs are already infected.</p>
<p>Read more of Jon&#8217;s blog entries at <a href="http://www.insecureaboutsecurity.com/" target="_blank">Insecure About Security.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.enterprisestrategygroup.com/2010/08/the-security-industry-needs-to-do-more-around-web-threats/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Peer-to-Peer Security</title>
		<link>http://www.enterprisestrategygroup.com/2010/07/peer-to-peer-security/</link>
		<comments>http://www.enterprisestrategygroup.com/2010/07/peer-to-peer-security/#comments</comments>
		<pubDate>Tue, 27 Jul 2010 17:35:55 +0000</pubDate>
		<dc:creator>Garrett Doherty</dc:creator>
				<category><![CDATA[Blogs]]></category>
		<category><![CDATA[Information and Risk Management]]></category>
		<category><![CDATA[Jon Oltsik]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[Security and Privacy]]></category>
		<category><![CDATA[Blue Coat Systems]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[trend micro]]></category>

		<guid isPermaLink="false">http://www.enterprisestrategygroup.com/?p=17550</guid>
		<description><![CDATA[Traditional security solutions are sort of like client/server computing. Security vendors take the role of the server, hosting the master software, adding new anti-malware signatures, and distributing them to all of the clients. This model was adequate in the past, but it is no longer good enough. Why? Malware volume stresses the system and all [...]]]></description>
			<content:encoded><![CDATA[<p>Traditional security solutions are sort of like client/server computing. Security vendors take the role of the server, hosting the master software, adding new anti-malware signatures, and distributing them to all of the clients.</p>
<p>This model was adequate in the past, but it is no longer good enough. Why? Malware volume stresses the system, and all too common zero-day attacks have free and clear access to sitting-duck systems.</p>
<p>Coping with the new threat landscape means embracing a new security model. First, we have to assume that an unknown file, URL, or IP address is malicious. That said, we can&#8217;t simply deny access; rather, we need to analyze the suspicious content in real time and then make the appropriate access decision (i.e., allow access, deny access, quarantine, send content to a honeypot, etc.).</p>
<p>This new model depends upon a community of users and security devices/software acting as a neighborhood watch and sharing information with security vendors in real time. Some people call this a &#8220;hybrid cloud&#8221; model to capitalize on the buzz around cloud computing.</p>
<p>Hybrid clouds are fine for now, but I foresee a future evolution to a peer-to-peer security model. With hybrid clouds, security devices/software still engage in a conversation with only one entity: the security vendor&#8217;s cloud infrastructure. In peer-to-peer security, security devices/software will engage in conversations with other security devices/software from multiple entities: security vendors, ISACs, government sources, academic institutions, etc. These conversations will issue warnings, blacklist threats, analyze content, compare notes, exchange data, etc.</p>
<p>Several vendors&#8211;including <a href="http://www.bluecoat.com" target="_blank">Blue Coat</a>, <a href="http://www.cisco.com" target="_blank">Cisco</a>, and <a href="http://www.trendmicro.com" target="_blank">Trend Micro</a>&#8211;already have hybrid cloud offerings that could serve as the foundation for my peer-to-peer model. A bit of vendor cooperation, government incentives, or user demand could lead to further developments in APIs, secure protocols, data standards, etc.</p>
<p>Cybercriminals constantly exploit our security weaknesses and lack of coordination. This has been a winning formula thus far to the tune of billions of dollars in identity theft and data breaches. To overcome these tactics, we need to use our technology assets more effectively. This is precisely what peer-to-peer security can do.</p>
<p>The Network Effect (or Metcalfe&#8217;s Law) states that the value of a network grows with the square of the number of connected users. In my opinion, peer-to-peer security leverages the power of the Network Effect for the good guys.</p>
<p>Read more of Jon&#8217;s blog entries at <a href="http://www.insecureaboutsecurity.com/" target="_blank">Insecure About Security</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.enterprisestrategygroup.com/2010/07/peer-to-peer-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Dell Warns of Malicious Code on Server Motherboards</title>
		<link>http://www.enterprisestrategygroup.com/2010/07/dell-warns-of-malicious-code-on-server-motherboards/</link>
		<comments>http://www.enterprisestrategygroup.com/2010/07/dell-warns-of-malicious-code-on-server-motherboards/#comments</comments>
		<pubDate>Thu, 22 Jul 2010 15:11:09 +0000</pubDate>
		<dc:creator>Garrett Doherty</dc:creator>
				<category><![CDATA[Blogs]]></category>
		<category><![CDATA[Information and Risk Management]]></category>
		<category><![CDATA[Jon Oltsik]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[Security and Privacy]]></category>
		<category><![CDATA[cyber supply chain assurance]]></category>
		<category><![CDATA[cyber supply chain risk management]]></category>
		<category><![CDATA[Dell]]></category>
		<category><![CDATA[DoD]]></category>
		<category><![CDATA[Trusted Foundry program]]></category>

		<guid isPermaLink="false">http://www.enterprisestrategygroup.com/?p=17535</guid>
		<description><![CDATA[A recent Network World article stated that Dell is warning customers that a small number of PowerEdge server motherboards sent out through service dispatches may contain malware. Dell is doing the right thing by alerting potentially impacted customers, but questions remain: How did the malware get there? Were the motherboards assembled in a certain place [...]]]></description>
			<content:encoded><![CDATA[<p>A recent <a href="http://www.networkworld.com/news/2010/072110-dell-warns-of-malware-on.html?hpg1=bn" target="_blank">Network World article</a> stated that <a href="http://www.dell.com" target="_blank">Dell</a> is warning customers that a small number of PowerEdge server motherboards sent out through service dispatches may contain malware.</p>
<p>Dell is doing the right thing by alerting potentially impacted customers, but questions remain:</p>
<ol>
<li>How did the malware get there?</li>
<li>Were the motherboards assembled in a certain place or by a specific manufacturer?</li>
<li>What processes does Dell (and other server vendors) have in place to ensure that this doesn&#8217;t happen?</li>
</ol>
<p>I could go on and on.</p>
<p>To me, the Dell incident demonstrates an important but relatively unknown concept called cyber supply chain assurance. Servers, software, and other IT equipment are made up of millions of lines of code, a potpourri of components, and hundreds or even thousands of specialized electronic parts. If any one of these elements is compromised, the whole enchilada could be a ticking time bomb. Malware on a server motherboard is just the beginning.</p>
<p>A bit of a tangent: back in 2004, the U.S. federal government issued a report stating that only 21% of semiconductor manufacturing remained in the United States while the bulk of capacity was migrating to China. This caused great concern in the Department of Defense, as most of our weapons systems, communications, and logistics depend upon IT. This led to the creation of the Trusted Foundry program, a DoD/industry initiative to ensure domestic microprocessor design and manufacturing capabilities.</p>
<p>I bring up this example to illustrate a point. DoD realized that it was dependent upon technology and thus vulnerable to a breach of the cyber supply chain. Outside of the defense community, however, cyber supply chain risk management is nearly invisible. While the Dell incident is minor and seems contained, it is a further warning about the risk we all face. Let&#8217;s hope it wakes up some security professionals outside of the Pentagon.</p>
<p>Read more of Jon&#8217;s blog entries at <a href="http://www.insecureaboutsecurity.com/" target="_blank">Insecure About Security</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.enterprisestrategygroup.com/2010/07/dell-warns-of-malicious-code-on-server-motherboards/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Large Organizations are Way Behind on IT Risk Management</title>
		<link>http://www.enterprisestrategygroup.com/2010/06/large-organizations-are-way-behind-on-it-risk-management/</link>
		<comments>http://www.enterprisestrategygroup.com/2010/06/large-organizations-are-way-behind-on-it-risk-management/#comments</comments>
		<pubDate>Mon, 28 Jun 2010 21:01:30 +0000</pubDate>
		<dc:creator>Garrett Doherty</dc:creator>
				<category><![CDATA[Briefs]]></category>
		<category><![CDATA[Compliance Management]]></category>
		<category><![CDATA[Data Privacy and Security]]></category>
		<category><![CDATA[Information and Risk Management]]></category>
		<category><![CDATA[Jon Oltsik]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[Security and Privacy]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[risk management]]></category>

		<guid isPermaLink="false">http://www.enterprisestrategygroup.com/?p=17368</guid>
		<description><![CDATA[Government and industry regulations were supposed to improve information security, yet many holes remain. Why? Many organizations adopted a regulatory “check box” mentality which helped them pass audits, but didn’t address dangerous threats or existing vulnerabilities. ESG believes IT risk management can help and many large organizations concur, but new data from Evalueserve indicates that [...]]]></description>
			<content:encoded><![CDATA[<div class="abstract">Government and industry regulations were supposed to improve information security, yet many holes remain.  Why?  Many organizations adopted a regulatory “check box” mentality which helped them pass audits, but didn’t address dangerous threats or existing vulnerabilities.  ESG believes IT risk management can help and many large organizations concur, but new data from Evalueserve indicates that there is still a lot of work to do.  Without rapid IT risk management progress, many organizations remain sitting ducks for cybercrime, industrial espionage, or catastrophic denial of service attacks.</div>
<h1>Overview</h1>
<p>What’s driving information security at large organizations?  In spite of all of the headlines, data breaches, and malicious code exploits, information security remains largely driven by government and industry regulations like FISMA, HIPAA, GLBA, and PCI DSS (see Figure 1).<a href="#_ftn1">[1]</a></p>
<div class="graph_top">Figure 1. Regulatory Compliance   Drives Information Security</div>
<p><img class="aligncenter size-full wp-image-17371" title="RiskMgtF1" src="http://www.enterprisestrategygroup.com/media/wordpress/2010/06/RiskMgtF1.png" alt="" width="641" height="382" />Linking information security to regulatory compliance isn’t necessarily a bad thing.  After all, regulations like PCI DSS are meant to establish a comprehensive security baseline for organizations that store, process, or transmit cardholder data, and to address potential risks to that data.  Regulatory compliance is far from a panacea, however.  When organizations build an information security plan based upon government or industry regulations alone, the objective is often passing compliance audits rather than addressing the real threats, vulnerabilities, and risks associated with an attack.  This “check box” mentality can actually run counter to the real goal of securing people, assets, and data; organizations that pass regulatory compliance audits often unknowingly face pervasive and insidious risks across the enterprise.</p>
<h1>What’s Needed?</h1>
<h2>IT Risk Management</h2>
<p>Many large organizations can’t see the forest for the trees—the objective of regulatory compliance is reducing risks, not meeting artificial metrics. ESG believes that CIOs and CISOs must become change agents and lead their organizations to an information security program based upon risk management.  Just what is risk management?  The International Organization for Standardization (ISO) defines risk as:</p>
<p style="padding-left: 30px;"><em>The effect of uncertainty on objectives</em> (whether positive or negative). Risk management is then the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.</p>
<p>From an information security perspective, risk management is a process of assessing security threats across the organization, determining the vulnerabilities that open the organization to each threat, and then determining how the organization should respond.  Potential responses include accepting some risk for unlikely threats (e.g., a physical attack by armed commandos) or addressing the risk with some type of control.</p>
<p>The following definitions are often applied to IT risk management:</p>
<ul>
<li><strong>Threat:</strong> A natural or man-made event that could have a negative consequence to the organization.</li>
<li><strong>Vulnerability:</strong> A flaw, loophole, oversight, or error that can be exploited to violate system security policy.</li>
<li><strong>Control:</strong> Mechanisms used to restrain, regulate, or reduce vulnerabilities. Controls can be corrective, detective, preventive, or deterrent.</li>
</ul>
<p>In total, risk management is based on real data, metrics, and measured responses.  In this way, risk visibility based upon up-to-the-minute data acts as the foundation of risk management processes and potential responses.</p>
<p>How does risk management align with regulatory compliance?  Done correctly, risk management actually supports and supplements regulatory compliance.  How?  By measuring threats and identifying vulnerabilities that may be outside of the scope of compliance mandates or unique to a particular organization.  Furthermore, risk management can do something that compliance cannot: help organizations actually identify and respond to measurable risks and truly improve information security protection.  Recognizing the compliance “check box” shortcomings, the U.S. Federal Government is in the process of revising the Federal Information Security Management Act of 2002 (FISMA).  The plan is to replace the old “report card” system with one focused on addressing real risks.</p>
<h2>Are We There Yet?</h2>
<p>Few CISOs would dispute that a comprehensive, enterprise-wide risk management strategy helps an organization improve information security and streamline regulatory compliance.  Given this, one would think that enterprises are well along the way toward establishing IT risk management as a standard.  Unfortunately, this is not the case.  Why?  As stated earlier, risk management depends upon end-to-end knowledge of threats and vulnerabilities.  Many organizations simply have limited awareness of one or both.  Without current information, it is impossible to build adequate controls.</p>
<p>These limitations are illustrated in a recent market research study by Evalueserve.  More than 40% of respondents believe that their organization is either unaware of risks or unprotected against them.  Awareness without controls represents a real risk.  Lack of awareness or controls represents a substantial risk (see Figure 2).</p>
<div class="graph_top">Figure 2. Many Organizations are Unaware of or Inadequately Protected Against IT Risks</div>
<p><img class="aligncenter size-full wp-image-17372" title="RiskMgtF2" src="http://www.enterprisestrategygroup.com/media/wordpress/2010/06/RiskMgtF2.png" alt="" width="631" height="338" />The Evalueserve data points to other troubling trends. Note that the majority of organizations responded that they were aware of and protected against security risks. Unfortunately, other data from the survey contradicts these assertions. For example, only 3% of respondents claim that their organization has IT risk visibility into its entire IT environment. Alarmingly, more than half say that their organization has visibility into less than 75% of its IT environment (see Figure 3). To paraphrase an old management saying, “you can’t secure what you can’t measure.”</p>
<div class="graph_top">Figure 3. Large Organizations do not have Visibility into their Entire IT Environments</div>
<p><img class="aligncenter size-full wp-image-17373" title="RiskMgtF3" src="http://www.enterprisestrategygroup.com/media/wordpress/2010/06/RiskMgtF3.png" alt="" width="647" height="320" />In essence, risk management is a formula: inputs (threats and vulnerabilities) determine outputs (controls). When done correctly, risk management makes the application of controls fairly obvious: unacceptable levels of risk are addressed with controls as countermeasures. This formula seems somewhat lost on the Evalueserve respondents, as only 52% believe it is “very important” to know precisely where to deploy a security product to protect information assets (see Figure 4). The remainder, it appears, are unclear about one of the primary underpinnings of risk management.</p>
<div class="graph_top">Figure 4. Many Organizations do not Believe it is Important to Know Where to Implement Security Controls</div>
<p><img class="aligncenter size-full wp-image-17370" title="RiskMgtF4" src="http://www.enterprisestrategygroup.com/media/wordpress/2010/06/RiskMgtF4.png" alt="" width="643" height="316" /></p>
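<p>To make the input-to-output formula concrete, here is an added worked example written for this page; it is not ESG&#8217;s or Evalueserve&#8217;s code or methodology. It takes the inputs the brief names (an asset inventory, scanner findings, and a threat signal of whether a finding is being actively exploited) and produces two measurable outputs: how much of the environment risk visibility actually covers, and where a control is needed first. The asset names, finding identifiers, severity values, and the scoring rule in <code>risk_score</code> are all constructed assumptions for illustration.</p>

```python
"""Added example, not from the ESG brief: turn the inputs the brief names
(assets, threats, vulnerabilities) into two measurable outputs, how much of the
environment risk visibility covers and where a control is needed first.
All sample data and the scoring rule are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int   # 1 (low) .. 5 (high): business value from the inventory
    exposed: bool      # reachable from the Internet


@dataclass(frozen=True)
class Finding:
    asset: str
    finding_id: str    # scanner's own id; placeholder values below, not real advisories
    severity: float    # 0.0 .. 10.0, CVSS-style base score from the scanner
    exploited: bool    # threat input: intelligence says this is being exploited now


# Constructed asset inventory (stands in for a CMDB export).
INVENTORY = [
    Asset("web-01", criticality=4, exposed=True),
    Asset("db-01", criticality=5, exposed=False),
    Asset("hr-fileshare", criticality=3, exposed=False),
    Asset("kiosk-07", criticality=1, exposed=True),
    Asset("legacy-erp", criticality=5, exposed=False),
]

# Constructed scanner output. hr-fileshare and legacy-erp never appear: the
# scanner did not reach them, so there is no risk data for them at all.
FINDINGS = [
    Finding("web-01", "F-101", severity=9.8, exploited=True),
    Finding("web-01", "F-102", severity=5.3, exploited=False),
    Finding("db-01", "F-103", severity=7.5, exploited=False),
    Finding("kiosk-07", "F-104", severity=9.8, exploited=True),
]


def visibility_coverage(inventory, findings):
    """Return (coverage, unseen, unlisted): the fraction of inventoried assets the
    scanner reported on, the inventoried assets it never saw, and the scanned
    assets missing from the inventory. 'No findings' on an unseen asset is an
    absence of data, not evidence that the asset is clean."""
    listed = {a.name for a in inventory}
    seen = {f.asset for f in findings}
    unseen = sorted(listed - seen)
    unlisted = sorted(seen - listed)
    coverage = len(listed & seen) / len(listed) if listed else 0.0
    return coverage, unseen, unlisted


def risk_score(asset, finding):
    """Assumed heuristic: severity, scaled up when the threat is active (being
    exploited) and when the host is exposed, weighted by the asset's value."""
    threat = 2.0 if finding.exploited else 1.0
    exposure = 1.5 if asset.exposed else 1.0
    return round(finding.severity * threat * exposure * asset.criticality, 1)


def where_to_deploy(inventory, findings, threshold=35.0):
    """Return (ranked, unknown): assets whose worst finding reaches the threshold,
    highest score first, and the assets no decision can be made about until
    they are brought into view."""
    by_name = {a.name: a for a in inventory}
    worst = {}
    for f in findings:
        asset = by_name.get(f.asset)
        if asset is None:
            continue   # reported by visibility_coverage as 'unlisted'
        worst[asset.name] = max(worst.get(asset.name, 0.0), risk_score(asset, f))
    ranked = sorted(((n, s) for n, s in worst.items() if s >= threshold),
                    key=lambda ns: (-ns[1], ns[0]))
    _, unseen, _ = visibility_coverage(inventory, findings)
    return ranked, unseen


if __name__ == "__main__":
    coverage, unseen, unlisted = visibility_coverage(INVENTORY, FINDINGS)
    print(f"risk visibility covers {coverage:.0%} of the inventory")
    print(f"never scanned: {unseen}; scanned but not inventoried: {unlisted}")
    ranked, unknown = where_to_deploy(INVENTORY, FINDINGS)
    for name, score in ranked:
        print(f"deploy a control on {name} (score {score})")
    print(f"no decision possible yet for: {unknown}")
```

<p>Two points the code makes that the prose only states: an asset the scanner never reached is reported as an explicit gap rather than as “no findings”, and the same finding ranks differently on a high-value Internet-facing host than on a low-value kiosk, which is exactly the “where to deploy” decision that only 52% of respondents rated as very important.</p>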
<h1>The Bigger Truth</h1>
<p>Information security strategy is a complex struggle between good guys and bad guys. Unfortunately, it is no game: organizations that suffer a security attack can experience data loss, regulatory compliance breaches, or denial of service. The result can be millions of dollars in losses, loss of goodwill, or worse. ESG fully expects to see more devastating consequences, such as months of business interruption or bankruptcy, as a result of sophisticated security attacks in the future.</p>
<p>The Evalueserve data carries some good and bad news.  The good news is that most organizations have the right mindset with strong risk management concerns.  The bad news is that the majority of firms lack the necessary knowledge about the threats they face, their existing IT vulnerabilities, or the appropriate places to implement security controls.  Risk management efforts are commendable, but without a comprehensive program, they are doomed to fail.</p>
<p>So what happens now?  ESG believes that organizations must go back to basics.  This means establishing processes and implementing tools that provide visibility, data, and metrics on all threats and vulnerabilities.  Only then can they apply controls with confidence in their effectiveness and ROI to ultimately establish a meaningful balance between business productivity and the right amount of security.</p>
<hr size="1" /><p><a name="_ftn1">[1]</a> Source: ESG Research Report, <a href="../../../../../2009/04/protecting-confidential-data-revisited/" target="_blank"><em>Protecting Confidential Data Revisited</em></a>, April 2009.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.enterprisestrategygroup.com/2010/06/large-organizations-are-way-behind-on-it-risk-management/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Note to Washington: You Own the Information Security Communications Gap</title>
		<link>http://www.enterprisestrategygroup.com/2010/06/note-to-washington-you-own-the-information-security-communications-gap/</link>
		<comments>http://www.enterprisestrategygroup.com/2010/06/note-to-washington-you-own-the-information-security-communications-gap/#comments</comments>
		<pubDate>Wed, 23 Jun 2010 19:09:50 +0000</pubDate>
		<dc:creator>Garrett Doherty</dc:creator>
				<category><![CDATA[Blogs]]></category>
		<category><![CDATA[Information and Risk Management]]></category>
		<category><![CDATA[Jon Oltsik]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[Security and Privacy]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[Howard Schmidt]]></category>
		<category><![CDATA[president obama]]></category>
		<category><![CDATA[Richard Clarke]]></category>

		<guid isPermaLink="false">http://www.enterprisestrategygroup.com/?p=17322</guid>
		<description><![CDATA[I&#8217;m just back from participating in the Symantec Government Symposium held yesterday in Washington DC. The event was extremely informative, with keynote presentations by Cybercoordinator Howard Schmidt and Director of Plans and Policies for the U.S. Cyber Command Major General Suzanne M. Vautrinot. For my part, I sat on a cyber supply chain security panel [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;m just back from participating in the <a href="http://www.sy" target="_blank">Symantec</a> Government Symposium held yesterday in Washington DC. The event was extremely informative, with keynote presentations by Cybercoordinator Howard Schmidt and Director of Plans and Policies for the U.S. Cyber Command Major General Suzanne M. Vautrinot. For my part, I sat on a cyber supply chain security panel with folks from DOD, DHS, and HHS.</p>
<p>On the plus side, the feds have a lot of good work going. There is a lot of government brainpower focused on scoping problems, evaluating funding priorities, changing cultural barriers, and defining security solutions. Kudos are well deserved.</p>
<p>With all of this effort, however, it is time to discuss a fundamental problem between the public and private sector: communications. The feds have a language all of their own, one chock full of agency-specific acronyms and a military flavor. Information security is called &#8220;cybersecurity&#8221; and there are lots of references to missions, objectives, command-and-control, etc. The word &#8220;assurance&#8221; is used constantly: software assurance, information assurance, cyber supply chain assurance, and so on. This is just the tip of the federal language iceberg.</p>
<p>In his famous May 2009 cybersecurity speech, the President proclaimed that:</p>
<ol>
<li>Cybersecurity would be a top priority in his administration.</li>
<li>80% of  the critical infrastructure is controlled by the private sector.</li>
<li>We  needed a stronger public/private partnership.</li>
</ol>
<p>For these things to happen, the federal government must realize that it needs to drop the inside-the-Beltway lingo and speak to the rest of us in common language. We don&#8217;t care which agency owns which initiative with acronym ABC. We don&#8217;t speak to each other about missions and battlefields and assurance. Many experienced IT and security professionals have no idea what NIST is or what it is doing. Like it, understand it or not, this is the truth.</p>
<p>The information security challenges we face are real and could be extremely damaging to the country, the economy, our way of life, and confidence in the government. We NEED the feds to step up, but we shouldn&#8217;t have to learn a new language or culture to make this happen. I already see the influence of this communications gap as most of the private sector has no clue about all the work going on in Washington&#8211;this is wasteful and a shame.</p>
<p>In his new book, <em>Cyberwar</em>, Richard Clarke does a great job of translating Washingtonese to common language. Good effort by Clarke, but the fact that he had to do this should be a red flag for all of us. If we can&#8217;t understand each other, we are doomed from the start.</p>
<p>Read more of Jon&#8217;s blog entries at <a href="http://www.insecureaboutsecurity.com/" target="_blank">Insecure About Security</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.enterprisestrategygroup.com/2010/06/note-to-washington-you-own-the-information-security-communications-gap/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Note to Washington: Read and react to Richard Clarke&#8217;s new Book, &#8220;Cyber War!&#8221;</title>
		<link>http://www.enterprisestrategygroup.com/2010/06/note-to-washington-read-and-react-to-richard-clarkes-new-book-cyber-war/</link>
		<comments>http://www.enterprisestrategygroup.com/2010/06/note-to-washington-read-and-react-to-richard-clarkes-new-book-cyber-war/#comments</comments>
		<pubDate>Thu, 03 Jun 2010 19:26:02 +0000</pubDate>
		<dc:creator>Garrett Doherty</dc:creator>
				<category><![CDATA[Blogs]]></category>
		<category><![CDATA[Information and Risk Management]]></category>
		<category><![CDATA[Jon Oltsik]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[Security and Privacy]]></category>
		<category><![CDATA[Cyber War]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Richard Clarke]]></category>

		<guid isPermaLink="false">http://www.enterprisestrategygroup.com/?p=16775</guid>
		<description><![CDATA[I recently finished Richard Clarke&#8217;s new book, Cyber War, and I have but two words for the former cyber czar: thank you. I&#8217;ve probably read as much about this subject as Washington insiders and in my opinion, Clarke&#8217;s book immediately leapfrogs numerous other overly technical or Washington-wonky volumes. As such, it is a must read [...]]]></description>
			<content:encoded><![CDATA[<p>I recently finished Richard Clarke&#8217;s new book, <span style="text-decoration: underline;">Cyber War</span>, and I have but  two words for the former cyber czar: thank you.</p>
<p>I&#8217;ve probably read as much about this subject as Washington insiders and in my opinion, Clarke&#8217;s book immediately leapfrogs numerous other overly technical or Washington-wonky volumes. As such, it is a must read for security professionals, legislators, and business executives&#8211;especially in the 18 industries designated by Washington as &#8220;critical infrastructure.&#8221; Heck, anyone interested in cybersecurity should read this book to understand the current threats, possible cyber war scenarios, and where our tax dollars are and aren&#8217;t going.</p>
<p>When reading this book, get ready to self-translate several subculture languages including security technology, military acronyms, and Washingtonese. That said, Clarke does a great job explaining these terms in simple English and even includes a glossary to help newbies along.</p>
<p>I can&#8217;t possibly provide a synopsis of Clarke&#8217;s book in a blog, but the primary take-aways are:</p>
<ol>
<li><strong>Cyber warfare is common practice.</strong> The U.S. Military has launched its share of cyber operations, as have China, Israel, North Korea, and Russia, amongst others. Clarke&#8217;s is the only book I know of that describes all of these incidents.</li>
<li><strong>The U.S. is extremely vulnerable.</strong> Our offensive capabilities are strong, but our defensive safeguards are way behind where they should be. In military terms, we are at an asymmetric disadvantage. For all of our military might, this could tip the scales against us.</li>
<li><strong>Washington is doing next to nothing.</strong> Every U.S. citizen should be very pissed off about this. We&#8217;ve spent billions of dollars and waved our hands around, but we haven&#8217;t secured our networks or passed any serious legislation. We need real action, not lobbying and empty promises.</li>
<li><strong>There really is no organized plan.</strong> If we suffer a cyber attack, there is really no chain-of-command, protocol, or international agreement on what happens next. Yikes!</li>
</ol>
<p>Clarke lays out a plan to get us started in the right direction. I don&#8217;t agree with all of his suggestions, but they are certainly a good start.</p>
<p>Whether we like to admit it or not, we all may wake up one day with the power cut off and the banking system in total disarray. Naysayers dismiss this threat, but it has happened on a limited scale around the world and will happen in a much bigger way if the U.S. continues to manage cybersecurity with its head in the sand.</p>
<p>Clarke clearly articulates the threats, vulnerabilities, and real risks we face in any type of sophisticated cyber warfare. He also balances his wake-up call with some sound and cogent advice on what we should do. I suggest that anyone with an interest or stake in this topic read the book and join Dick Clarke to get the federal government to listen and act as soon as possible. As someone who has been preaching this same message, I can tell you that it is a lonely crusade&#8211;we need all the help we can get.</p>
<p>Read more of Jon&#8217;s blog entries at <a href="http://www.insecureaboutsecurity.com/" target="_blank">Insecure About Security</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.enterprisestrategygroup.com/2010/06/note-to-washington-read-and-react-to-richard-clarkes-new-book-cyber-war/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Interesting Data about Data Breaches</title>
		<link>http://www.enterprisestrategygroup.com/2010/04/interesting-data-about-data-breaches/</link>
		<comments>http://www.enterprisestrategygroup.com/2010/04/interesting-data-about-data-breaches/#comments</comments>
		<pubDate>Fri, 02 Apr 2010 15:09:28 +0000</pubDate>
		<dc:creator>Garrett Doherty</dc:creator>
				<category><![CDATA[Blogs]]></category>
		<category><![CDATA[Compliance Management]]></category>
		<category><![CDATA[Information and Risk Management]]></category>
		<category><![CDATA[Jon Oltsik]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[Security and Privacy]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[federal government]]></category>
		<category><![CDATA[local government]]></category>
		<category><![CDATA[regulatory compliance]]></category>
		<category><![CDATA[state government]]></category>

		<guid isPermaLink="false">http://www.enterprisestrategygroup.com/?p=15160</guid>
		<description><![CDATA[In a recent ESG Research survey, we asked security professionals at enterprise organizations (i.e., 1,000 employees or more) whether their organization had suffered a data breach within the last year. Here are the results: Yes, several incidents: 11% Yes, one incident: 23% No: 63% Don&#8217;t know: 3% My analysis: In total, 34% of these enterprise [...]]]></description>
			<content:encoded><![CDATA[<p>In a recent ESG Research survey, we asked security professionals at enterprise organizations (i.e., 1,000 employees or more) whether their organization had suffered a data breach within the last year. Here are the results:</p>
<p>Yes, several incidents: 11%<br />
Yes, one incident: 23%<br />
No: 63%<br />
Don&#8217;t  know: 3%</p>
<p>My analysis:</p>
<ol>
<li>In total, 34% of these enterprise organizations suffered at least one breach. This is consistent with other ESG Research surveys over the past 5 years, indicating that the data breach problem is not getting any better.</li>
<li>Curiously, organizations that must comply with more than three government or industry regulations suffered more breaches (19% of those organizations surveyed suffered more than one breach) than those that must comply with fewer than three government or industry regulations (6% of those surveyed suffered more than one breach). The obvious explanation is that the definition of a data breach is driven by regulatory compliance, thus the more compliance mandates, the more potential data breach incidents. This makes logical sense, but there is also an underlying cause for concern. Those organizations mandated to comply with lots of government and industry regulations tend to be the biggest organizations with matching IT and security budgets. If this is true, then the data indicates that large security budgets and resources do not necessarily equate to fewer data breaches.</li>
<li>Thirty percent of federal, state, and local government organizations suffered more than one data breach over the past year. This is significantly higher than the cumulative average of 11%.</li>
</ol>
<p>Read more of Jon&#8217;s blog entries at <a href="http://www.insecureaboutsecurity.com/" target="_blank">Insecure About Security</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.enterprisestrategygroup.com/2010/04/interesting-data-about-data-breaches/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Database Security Suffers From Leadership Gap &#8211; DarkReading</title>
		<link>http://www.enterprisestrategygroup.com/2010/04/database-security-suffers-from-leadership-gap-darkreading/</link>
		<comments>http://www.enterprisestrategygroup.com/2010/04/database-security-suffers-from-leadership-gap-darkreading/#comments</comments>
		<pubDate>Fri, 02 Apr 2010 13:15:28 +0000</pubDate>
		<dc:creator>Garrett Doherty</dc:creator>
				<category><![CDATA[In The News]]></category>
		<category><![CDATA[Information and Risk Management]]></category>
		<category><![CDATA[Jon Oltsik]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[Security and Privacy]]></category>
		<category><![CDATA[database]]></category>

		<guid isPermaLink="false">http://www.enterprisestrategygroup.com/?p=15202</guid>
		<description><![CDATA[As Jon Oltsik of Enterprise Strategy Group (ESG) puts it, the critical task of hardening databases and monitoring access to their information is quite often hampered by &#8220;too many cooks in the kitchen.&#8221; via Database Security Suffers From Leadership Gap &#8211; DarkReading.]]></description>
			<content:encoded><![CDATA[<p>As Jon Oltsik of Enterprise Strategy Group (ESG) puts it, the critical task of hardening databases and monitoring access to their information is quite often hampered by &#8220;too many cooks in the kitchen.&#8221;</p>
<p>via <a href="http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?articleID=224201189" target="_blank">Database Security Suffers From Leadership Gap &#8211; DarkReading</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.enterprisestrategygroup.com/2010/04/database-security-suffers-from-leadership-gap-darkreading/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Network Security Renaissance</title>
		<link>http://www.enterprisestrategygroup.com/2010/03/network-security-renaissance/</link>
		<comments>http://www.enterprisestrategygroup.com/2010/03/network-security-renaissance/#comments</comments>
		<pubDate>Fri, 19 Mar 2010 18:50:03 +0000</pubDate>
		<dc:creator>Garrett Doherty</dc:creator>
				<category><![CDATA[Blogs]]></category>
		<category><![CDATA[Information and Risk Management]]></category>
		<category><![CDATA[Jon Oltsik]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[Security and Privacy]]></category>
		<category><![CDATA[Brocade]]></category>
		<category><![CDATA[Check Point]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Crossbeam]]></category>
		<category><![CDATA[HP]]></category>
		<category><![CDATA[Juniper]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[Sourcefire]]></category>
		<category><![CDATA[TippingPoint]]></category>

		<guid isPermaLink="false">http://www.enterprisestrategygroup.com/?p=14706</guid>
		<description><![CDATA[ESG&#8217;s research indicates that network security spending will be a focus area for 2010. Nearly half (48%) of midsized (less than 1,000 employees) and enterprise (more than 1,000 employees) organizations will invest in network security technologies like firewalls, IDS/IPS, gateways, and threat management solutions. Yes, all of these technologies are important components of a defense-in-depth [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">ESG&#8217;s research indicates that network security spending will be a focus area for 2010. Nearly half (48%) of midsized (less than 1,000 employees) and enterprise (more than 1,000 employees) organizations will invest in network security technologies like firewalls, IDS/IPS, gateways, and threat management solutions.</p>
<p>Yes, all of these technologies are important components of a defense-in-depth security architecture, but they are also quite mature. Why the network security renaissance? Because of:</p>
<ol>
<li><strong>Equipment consolidation.</strong> I see lots of organizations replacing individual firewall appliances with big network security gateway products running virtual firewall instances. This simplifies the network and cuts down on software licensing costs. Good news for Check Point, Crossbeam Systems, and Juniper Networks.</li>
<li><strong>Network upgrades. </strong>There is plenty of 10GbE activity in the data center and in network backbone upgrades. Fast network throughput demands new security equipment. Advantage <a href="http://www.ibm.com/us/en/" target="_blank">IBM</a>/ISS, <a href="http://www.mcafee.com/us/" target="_blank">McAfee</a>, <a href="http://www.sourcefire.com/" target="_blank">Sourcefire</a>, and TippingPoint (<a href="http://www.hp.com/#Product" target="_blank">HP</a>).</li>
<li><strong>Integrated security. </strong>Most enterprises are replacing standalone security devices with more integrated threat management solutions.</li>
<li><strong>New threats. </strong>The bad guys are way more sophisticated than an IPS device circa 2007. Large organizations need better threat detection, prevention, and mitigation. Furthermore, network security must work as a team with desktop, server, messaging, and other security defenses.</li>
</ol>
<p>With all of this activity, many networking vendors stand to benefit. <a href="http://www.cisco.com/" target="_blank">Cisco</a> and <a href="http://www.juniper.net/us/en/" target="_blank">Juniper</a> have great network security offerings that interoperate with their core networking products. HP will pick up TippingPoint with 3Com, but it needs to build an architecture story quickly. Brocade is working with partners and must continue to make this a core part of its value. Other networking vendors need to make similar moves.</p>
<p>Security gets more complex each day, so state-of-the-art devices may have a short shelf life. Expect continuous investment in network security moving forward. Networking vendors that recognize this will put themselves in the best position.</p>
<p>Read more of Jon&#8217;s blog entries at <a href="http://www.insecureaboutsecurity.com/" target="_blank">Insecure About Security</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.enterprisestrategygroup.com/2010/03/network-security-renaissance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
