“Possibility, Probability, or Risk”. Make better security progress

2020-07-28 By SecureSteve

Relative to the businesses they support, cyber security programs have never been as well funded as they are today. According to SecurityMagazine.com, 70% of organizations are planning to increase their Cyber Security spending due to COVID-19 concerns (work from home, increased threats, etc.). For the record, I simply did a Google search for “Cyber Security budget trends”, and picked an article that seemed to support my opening sentence.

Organizations, especially executives and board members, “get it”. In the trenches of the day-to-day security team, it may not seem like it. However, I doubt there is an enterprise organization today that hasn’t had A LOT of conversations about security, and has dedicated annual budget to solving security needs. It is no longer a new concept.

Jack Jones, Chairman of the FAIR (Factor Analysis of Information Risk) Institute, says it best: “In all of my years as a CISO I never encountered an executive who didn’t care about or appropriately support infosec when I could convey it to them in terms they understood. From where I sit, the onus is on our profession to take an honest look at how we understand, measure, and communicate the challenges within our problem space.”

Security spend cannot increase indefinitely

Today, organizations are starting to take a hard look at their cyber security spend. They are beginning to look closely at the outcomes they are getting, compared to the cost. In standard business parlance, this is known as ROI (return on investment). Executive teams have recognized that security spend cannot go up indefinitely. Additionally, they understand they cannot spend more on security than the assets they are protecting (it doesn’t make ANY sense to spend 10 million dollars on security to protect 1 million dollars of assets). At all levels of business understanding, most people realize that a business must make money. (Except, of course, the hundreds of cyber security vendors that haven’t made a dime, and have no chance of doing so in the near future.)

Photo by Daniele Bisazza on Scopio

So, we’ve been aware of viruses and hacks and breaches and stuff, for years now. The Cyber Security industry has certainly grown at an exponential rate, with new vendors and products popping up all over the place. Organizations have been spending lots of money, and awareness has never been higher. So what’s the problem?


It is easy to point fingers all over the place as to why organizations are still getting breached. Even within a security team, one could point to visibility problems, or product gaps, or person-power shortages, etc. These types of conversations can go on forever, and lead nowhere. (If you’d like to see an awesome example, take a look at this excellent LinkedIn post, and then look at the comments. While entertaining, it also showcases some of the issues within the cyber security community).

To quote Tom Hanks quoting Jim Lovell in Apollo 13: “All right, look, we’re not doing this, gentlemen, we’re not gonna do this. We’re not gonna go bouncing off the walls for the next 10 minutes, because we’re just gonna end up right back here with the same problems!”

Why aren’t organizations making more (or better) progress?

There’s a small part of me that would like to establish some credibility for the statements I’m going to make below; if you’d like to understand my back story, please visit my ABOUT page. After working with organizations of all sizes and shapes (massively large to microscopically small) over the last 20 years, here are the solvable (in my opinion) security problems that many organizations encounter.

Lack of business alignment, or enablement

At the end of the day, every single employee’s job within an organization is to help that organization make money. CR, LF (carriage return, line feed). How they help an organization be profitable may vary based on job role, but IT and cyber security are just as much responsible for business alignment as the front-line sales team. This concept must be re-iterated.

Two example problems come to mind. First, think about the “move to the cloud”. Ultimately, this is the future for most organizations. Yet, IT and security are often roadblocks, not enablers. The “shift left” mantra sounds good (and indeed application developers should embrace security), yet oftentimes legacy IT security gets in the way. Even worse, developers simply ignore IT security and do what they want, because it’s just easier to do. Executives, did you know that there are tools out there to validate vulnerabilities and misconfigurations in code prior to it being pushed and published? How about simply incorporating that into the workflow?

Img Src: https://imgflip.com/i/22wp1j

Secondly, as a broader example, consider how many organizations resisted working from home. Many organizations simply said it wasn’t feasible, or was a couple years away. Fast forward to COVID-19, and a TON of organizations made it happen seemingly overnight. Of course, some additional risk was involved, but when the business REALLY wanted (needed) to make it happen, surprisingly IT and security were able to make it happen. That’s called business alignment.

Foundational items are still a gap

It’s easy to look at the complexity of threat actors, and the crazy malware variants utilized, and wonder if anyone will ever “really” be on top of their security posture. Yet, if one were to look closely at the WannaCry ransomware attack, the Equifax breach, or the CapitalOne breach, some common themes appear. For the first two respectively, proper patching would have largely prevented those issues. For the last one, configuration controls with proper auditing would have largely prevented that issue. These are foundational items that many organizations STILL lack.

Photo by Jeff Lorrenz Recorte on Scopio

Recently, while working with a client on vulnerabilities within their organization, they asked if there was a way to make the number of (properly validated and vetted) vulnerabilities appear to be less in the reports, as their previous tool didn’t “show as many.” I recommended they work to resolve those issues. To be fair, resolving all “vulnerabilities” in an organization is not trivial. Yet, for this client, updating just three non-Microsoft products would have resolved close to 70% of the outstanding vulnerabilities listed. For the record, those products were installed on less than one third of the machines in the organization.
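The prioritization behind that recommendation (which few products account for most open findings, and on how many machines) is easy to compute from a scanner export. The script below is an added illustration, not the post’s own data or tooling; the findings, host names and product names are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample of a vulnerability scanner export, keyed by product with one
# entry per finding (the host it was seen on). Not real client data.
_SAMPLE = {
    "Adobe Reader": ["ws-01", "ws-02", "ws-03", "ws-01", "ws-04", "ws-02"],
    "Java Runtime": ["ws-01", "ws-05", "ws-06", "ws-05", "ws-07"],
    "Windows":      ["ws-08", "ws-09", "ws-10", "ws-11"],
    "Chrome":       ["ws-02", "ws-12", "ws-02"],
    "Office":       ["ws-03", "ws-03"],
}
TOTAL_HOSTS = 12  # size of the constructed estate

# Flatten into (host, product, finding_id) rows, the shape most exports reduce to.
FINDINGS = [
    (host, product, f"{product[:3].upper()}-{i}")
    for product, host_list in _SAMPLE.items()
    for i, host in enumerate(host_list, 1)
]

def findings_by_product(findings):
    """Count findings and the distinct affected hosts for each product."""
    counts, hosts = Counter(), defaultdict(set)
    for host, product, _ in findings:
        counts[product] += 1
        hosts[product].add(host)
    return counts, hosts

def remediation_plan(findings, total_hosts):
    """Rank products by open findings; report per-step host reach and the
    cumulative share of all findings closed by patching products in that order."""
    counts, hosts = findings_by_product(findings)
    total, done, plan = sum(counts.values()), 0, []
    for product, n in counts.most_common():
        done += n
        plan.append({
            "product": product,
            "findings": n,
            "hosts": len(hosts[product]),
            "host_fraction": len(hosts[product]) / total_hosts,
            "cumulative_fraction": done / total,
        })
    return plan

def products_to_reach(findings, target):
    """Smallest number of top-ranked products whose patching closes >= target
    share of findings, or None if the target is unreachable."""
    for i, step in enumerate(remediation_plan(findings, 1), start=1):
        if step["cumulative_fraction"] >= target:
            return i
    return None
```

With the constructed data, the top three products cover 75% of findings while each sits on a third or less of the hosts, which is the kind of figure to put in front of the team instead of a raw count.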

If an organization patches their environment, requires passwords to be changed, limits local admin rights, and blocks most executable downloads, they (unsurprisingly) solve 90% of the cyber problems. Then, your limited cyber security staff can focus on the critical ones that do require expertise.

Lack of automation

For the CEOs and CFOs in the audience, I’d like you to take the following litmus test. Ask your infrastructure team to provision you two servers, one on premise, and one in the cloud. Don’t provide a use case, but just ask for them to be properly patched, and have the standard security posture applied. Tell the team it is urgent, and then see how long it takes. Most likely, you’ll have your two servers in under a day.

Photo by Brandon Castle on Scopio

Next, for comparison, ask for three hundred servers on premise, and three hundred servers in the cloud, with the same requirements. Ask for an estimate on delivery date. If it is still longer than a day, then you should have some serious concerns around lack of automation from the team.


Now, some common push back might be “networking requirements”, or virtual machine space, or any number of “road-blocks”. Simply put, in 2020, those should rarely be a concern if automation is put in place. Also, most of the automation that enables this is FREE. Google “Chef cookbook IT” if you’d like to validate this claim.

Security teams are measuring the wrong things

It is human nature to want to show “all of the things we’re doing” in our day to day job. In fact, this is frequently the way security teams work to “justify” the spend associated with their team. That leads to security teams trying to show value in terms of “number of bad things blocked”. Ironically, the COVID-19 pandemic has exposed the weakness of this type of metric. Measuring your antivirus solution based on ‘catch rates’ today is like measuring your car based on it having four wheels.

By Simon A. Eugster – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=7892806

For example, if I have two computers in my organization, and I install antivirus software on only one of them, I’ll get some data. Later, if I install antivirus software on the second machine, and I get “double” the amount of data, does this mean that I’ve doubled the amount of viruses in my organization? No, of course not. Rather, I’m now more “aware” of more viruses in my organization.

Unfortunately, these types of metrics are what security teams are reporting, and why boards and executives are struggling to filter through the noise. It’s easy to identify problems. So, what are some key metrics that “could be” useful?

Useful Measurement Metrics

  • average length of time to deliver a properly secured asset (IaaS, PaaS, onboarded SaaS)
  • hours per week/month to maintain existing security posture across each user/workload base
  • hours per month spent towards improving security posture
  • average and median length of time to investigate an alert
  • amount of time spent proactively hunting for threats
  • hours per week/month spent remediating existing issues
  • hours spent per month in training and enablement of security team

Here are 6 Unique InfoSec metrics that CISOs should track in 2020, based on DarkReading.com:

  • Security Team Proficiency
  • Security Team Satisfaction
  • Support of the Business Mission
  • Perceived Privileged Users versus Actual Privileged Users
  • Potential Cost of Security Incident
  • Return on Investment

Possibility, Probability, and Risk

In working with a client, one of the things their security director used to say was: “There is a difference between possibility, probability, and real risk. I have to choose where I can spend my time and resources, and there is a difference between things that might (albeit unlikely) happen, versus real things that are common and painful.”

Photo by Jubert Valmores on Scopio

We had a client that had performed a red team exercise. As part of that exercise, they spread around 100 or so USB devices throughout the conference rooms, offices, etc. Those USB devices were labeled with stuff like “HR docs”, “payment summaries”, etc.


Can you guess the number of those USB devices that were actually plugged in to company assets? Zero. Literally zero devices. Almost half of them were actually turned in to IT security. Now, the point of this story isn’t that “no one” plugs in rogue USB devices anymore. Rather, things that might seem like a common occurrence may not be in actual practice. You can certainly spend your time on things that ‘might happen’. However, it’s up to security teams to have the maturity to partner with executive teams to sort through reality from “possibility”.

Finally – Pregnancy Pain management

I recall going through baby training class with my wife, in preparation for the birth of our first child. Overall, the class was very useful. However, when the instructor (a midwife) began to discuss pain management, I felt she went a little out of bounds.

She basically spent a large chunk of time describing how “you don’t get the full experience of pregnancy” if you’re on some sort of pain management. (Keep in mind, pain management can be things like epidurals, or laughing gas, etc.). She indicated that some of the experience would be lost when using some sort of pain management.

After she was nearly done with that segment, I asked her this question: “Of the births you’ve been involved with, what percentage of people don’t use any pain management?” Her answer was about 10%. 10% of pregnancies she was involved with had no pain management, which I interpreted to mean that 90% of pregnancies DID have pain management. So, while it is fine to discuss all options, it would’ve been valuable to discuss the things that impacted 90% of the people in the class, instead of just 10% (or less).

For security organizations, the 90% of risks they must deal with day to day should be top priority, even if many of those things aren’t sexy (patching, password management, least privilege access, etc). If you can get those things handled, your security team can effectively use their resources to solve for the 10% (or 1%) of things that will cause major damage.

#StayVigilant
#StaySafe
#LookOutForEachOther