IT security in today's dangerous world begins with intelligence. Without knowledge of our own defenses, we can't hope to successfully protect our business. When we think of risk assessment or analysis, we think of a report or a dashboard that presents vulnerability and threat data from various sources and computes a summary view or score.
What is still missing is an understanding of how presently installed solutions might already be addressing risks. The current risk assessment approach operates under the assumption that every security control is working as intended, so our current risk status is accurate. But it's not that simple. If a web application firewall (WAF) has only half the settings turned on to deal with information exposure through directory listing, there is no clear picture of current vulnerabilities and software weaknesses in the environment. Or worse, we think our WAF is correctly configured, but it's not. Because there's no linkage, we aren't able to ask questions like: “How might I already be addressing this risk?”
Evolving risk management with countermeasure awareness
In the evolution of our risk management strategy, we should develop context-specific relationships between risk and countermeasure, as different security measures will come into play in different situations. A network access risk will require different countermeasures from a data corruption issue. By understanding the threat protection characteristics of countermeasures and the threat impact characteristics of risks, you can intersect the two. One element facilitating this process is the standards work being done by the Mitre Group. Several security standards have been introduced, including CVE, CWE, CPE, CYBOX, CAPEC and MAEC. These begin to give organizations common ground for expressing higher-level threat taxonomies, facilitating greater interaction among security technologies.
Yet even with these standards in place, it is difficult to map specific threats to appropriate countermeasures. Vendors must look to close these gaps with more intelligent solutions that link vulnerability information with protection functionality in today's complex data centers. It's important to coordinate the ever-increasing data we are generating as point security tools continue to proliferate. In addition, the most relevant intelligence is not always available to the person with the ownership of the affected area. If the security team discovers a risk that could be addressed with a change to the corporate firewall, but the network team is in charge of maintaining it, communication challenges can delay or prevent the appropriate response – which can cost a company millions of dollars.
The road ahead
In light of these difficulties, it's more important than ever before to look for technical solutions to improve security efficiency. With the right technology, we can streamline the identification of risks and automatically initiate the most effective countermeasures.
With the development of security information and event management (SIEM) solutions, we've developed the ability to pull together information from discrete sources and present a correlated view of an enterprise's risk posture. Yet we still find true actionable intelligence elusive. In order to effectively deal with increasingly complex threats, vendors should address several additional needs in their security solutions:
- The ability to not only present a ranking of all applicable countermeasures, but also to include optimal mitigation instructions, and the availability of each of the countermeasures within the customer's overall security architecture.
- Concrete recommendations to ensure the best defensive strategy based on a complete picture of risks at all applicable levels.
- The ability to show the complete effect that changing a configuration on a countermeasure will have on the overall risk posture, to prevent a cascading effect of changes needed.
- Clear illustration of how new applicable countermeasures can reduce the risk profile.
- Highlights of best practices for the organization to follow, so the enterprise can improve over time to further improve security measures.
- Advanced usability options, allowing users to filter data based on the effectiveness and costs of applied countermeasures.
- The flexibility to prioritize resources on critical issues quickly and efficiently with a more agile mitigation decision framework.
- The ability to map risks with available countermeasures, and the ability to enable the automated initiation of countermeasures based on predetermined events and conditions.
Security has come a long way from the days of simple anti-virus software. But today's vastly expanded protection capabilities can create data overload when siloes of security tools present risk analysis information in an isolated way. A healthier, more complete risk management process must give us a higher-level view of our vulnerabilities. Effective risk management begins with intelligence, formed when information from separate sources is unified and easily available to businesses to combat today's advanced threats.