Perspective: How To Get Better Results With Threat Data

Welcome to InfoSec 101!  Open your textbooks and turn to chapter one.

Not far into your first lecture, just past the introduction to confidentiality, integrity, and availability, you are likely to encounter the topic of risk management.  To fully understand risk management, the author points out; you must first understand risk itself.    


Introducing the Risk Formula:

RISK = THREAT x VULNERABILITY


While the definition looks simple, the hidden truths within are the keys to a successful information security program.  

UNLOCKING HIDDEN PRINCIPLES

By adding narrative to the risk formula, you learn that risk is the possibility of a threat acting upon a vulnerability that results in the unauthorized disclosure, alteration, or destruction of information or an information technology asset.

Principle #1:  An individual risk is calculated for a particular threat/vulnerability pair.

Recall from algebra that anything multiplied by zero equals zero (a x 0 = 0).  Therefore, for there to be an actual risk (that requires managing), there must be both a vulnerability AND a threat.  Stated differently, a risk is the probability for loss.  If there is no threat or vulnerability, there is no risk.

Principle #2:  Rewrite the formula - let threats drive the risk calculation.

By rewriting the formula as THREAT x VULNERABILITY = RISK (using the symmetric property this time - yay algebra) it allows for the proper prioritization of threat analysis as the first step in the risk management methodology.

Why is this necessary?  Glad you asked!  Given the lack of unlimited resources and budgets, an effective and efficient information security program must be able to prioritize which threats or vulnerabilities to mitigate.  More on this later...trust me it will be worth the wait.

Principle #3: Determine a specific threat, then let vulnerabilities drive risk reduction.

As previously noted, the absence of a vulnerability means there is no risk.  As a result, the best practice is to identify a given threat and then focus your effort on eliminating weaknesses in order of the greatest potential impact.

DO WHAT I SAY, NOT WHAT I DO

The great thing about principles is that they can be very useful in developing successful strategies and tactics.  The only problem is that they have to actually be applied for their true genius to be realized.  

Perhaps the following "best practice approach" sounds familiar?

Step 1 - Pick a risk management framework (i.e. NIST 800-53, ISO 27001, etc.).

Step 2 - Perform a gap analysis of your current program vs. the selected framework.

Step 3 - Develop a plan of action and milestones to resolve all of the identified gaps.

Or, perhaps the following statements can be found on your security strategic plan?

Goal 1 - Implement an enterprise vulnerability management program.

Goal 2 - Engage a third-party provider to perform a comprehensive penetration test.

Goal 3 - Engage with vendors to identify and invest in the latest NexGen widget.

If any of these resonate, chances are you have observed first hand the reality that many organizations fail to apply the principles previously established.  

BOILING THE OCEAN

----- 1,682 -----

1,682 is the number of unique security control elements outlined in NIST SP800-53r4.  Those unique elements are grouped into a "more manageable" 240 controls.  Still seem overwhelming?  You are not alone!

"Good news!"  To help you overcome that sinking feeling, NIST graciously provides a recommended prioritization of controls.  So, instead of worrying about the 240...just focus on those listed as a "P1" (priority one).  That leaves you with ONLY 122 #1 priorities.  Sounds reasonable, right?

Risk management frameworks, when used in the proper context, are tremendously beneficial. They help to provide a thorough and thoughtful approach to achieving information security program maturity.  However, as illustrated above, they require significant tailoring to an individual organization's unique situation; otherwise, you are likely attempting to boil the ocean. 

I suggest ending with the risk management framework versus starting there.  Further details below.

ONE STEP FORWARD, TWO STEPS BACK

While some organizations get trapped in the "boil the ocean" approach, others are snared by vulnerability management.  Principle #3 (above) outlines that the "absence of a vulnerability means there is no risk."  So, to not have any risk all we have to do is have zero vulnerabilities. Easy enough!  We'll buy an enterprise vulnerability management tool, perform some penetration testing, get everything patched, and call it a day.  No easy button required.

Not so fast!  The Verizon 2016 Data Breach Investigations Report (see pages 13-16) points out that, despite years of banging the drum for vulnerability management, unpatched systems are among the leading sources of incident and data breach.  This is likely due to the following realities:

  1. The time between a vulnerability being announced and exploit code being available is ever shrinking - the 2016 median time was ~30 days.
  2. The pace at which new vulnerabilities are being discovered is growing exponentially.
  3. Not everything in your organization can be patched (remember that old mainframe).
  4. The business can't afford the number of maintenance windows needed.
  5. <Insert your reason here> (see BYOD, distributed responsibility, lack of tools, etc. for additional hints).

A BETTER WAY!

Start with principle #2 - "Rewrite the formula - let threats drive the risk calculation."

Your methodology should start with threat data (incidents handled by your Incident Response team). Then merge your information with threat data collected from other organizations in your specific industry (the threats in one industry are likely very different than another). Combined, you have an accurate picture of the top threats you are currently facing or that you are most likely to face.  

Next, principle #3 - Determine a specific threat, then let vulnerabilities drive risk reduction.

Evaluate vulnerabilities that a particular threat may exploit.  Remediate where possible.

Finally, end with an eye towards a risk management framework.

Consult your designated risk management framework to select additional safeguards based on effectiveness, cost, and productivity impact.  Leverage the framework to perform routine (annually?) maturity assessments to understand your gaps and plan for round two.