IT security in today's dangerous world begins with intelligence. Without knowledge of our own defenses, we can't hope to successfully protect our business. When we think of risk assessment or analysis, we think of a report or a dashboard that presents vulnerability and threat data from various sources and computes a summary view or score.
What is still missing is an understanding of how presently installed solutions might already be addressing risks. The current risk assessment approach operates under the assumption that every security control is working as intended, so our current risk status is accurate. But it's not that simple. If a web application firewall (WAF) has only half the settings turned on to deal with information exposure through directory listing, there is no clear picture of current vulnerabilities and software weaknesses in the environment. Or worse, we think our WAF is correctly configured, but it's not. Because there's no linkage, we aren't able to ask questions like: “How might I already be addressing this risk?”
Evolving risk management with countermeasure awareness
In the evolution of our risk management strategy, we should develop context-specific relationships between risk and countermeasure, since different security measures come into play in different situations. A network access risk requires different countermeasures from a data corruption issue. By understanding the threat protection characteristics of countermeasures and the threat impact characteristics of risks, you can intersect the two. One element facilitating this process is the standards work being done by MITRE. Several security standards have been introduced, including CVE, CWE, CPE, CybOX, CAPEC and MAEC. These begin to give organizations common ground for expressing higher-level threat taxonomies, facilitating greater interaction among security technologies.
Yet even with these standards in place, it is difficult to map specific threats to appropriate countermeasures. Vendors must look to close these gaps with more intelligent solutions that link vulnerability information with protection functionality in today's complex data centers. It's important to coordinate the ever-increasing data we are generating as point security tools continue to proliferate. In addition, the most relevant intelligence is not always available to the person with the ownership of the affected area. If the security team discovers a risk that could be addressed with a change to the corporate firewall, but the network team is in charge of maintaining it, communication challenges can delay or prevent the appropriate response – which can cost a company millions of dollars.
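The linkage the article asks for, between a risk's weakness class and the verified state of the controls that claim to cover it, can be sketched as a small model. This is an added example, not code from the article; the control inventory and risk list are constructed, the CWE identifiers are real CWE entries used only as illustration, and the "assume every control works" mode is shown beside the "count only verified configuration" mode so the two scores can be compared.

```python
from dataclasses import dataclass


@dataclass
class Countermeasure:
    """A deployed control and the weaknesses it claims to address.
    coverage maps a CWE id to the fraction of the control's relevant
    settings that are actually enabled (1.0 = fully configured)."""
    name: str
    coverage: dict
    verified: bool  # True only if the configuration was checked, not assumed


@dataclass
class Risk:
    asset: str
    cwe: str
    severity: float  # 0..10 as reported by the scanner (constructed values)


def effective_coverage(risk, controls, trust_unverified=False):
    """Best coverage any control gives this risk's weakness class.
    Unverified controls count for nothing unless the caller opts to trust them,
    which is the assumption a conventional risk dashboard makes implicitly."""
    best = 0.0
    for c in controls:
        frac = c.coverage.get(risk.cwe, 0.0)
        if not c.verified and not trust_unverified:
            frac = 0.0
        best = max(best, min(max(frac, 0.0), 1.0))
    return best


def residual_risk(risk, controls, trust_unverified=False):
    return round(risk.severity * (1.0 - effective_coverage(risk, controls, trust_unverified)), 2)


def addressing_controls(risk, controls):
    """Answer 'how might I already be addressing this risk?' for one risk."""
    return [(c.name, c.coverage[risk.cwe], c.verified) for c in controls if risk.cwe in c.coverage]


# Constructed sample inventory: a WAF with half of its directory-listing
# settings enabled, and a firewall nobody on the security team has verified.
CONTROLS = [
    Countermeasure("edge-waf", {"CWE-548": 0.5, "CWE-79": 1.0}, verified=True),
    Countermeasure("corp-firewall", {"CWE-284": 1.0}, verified=False),
]
RISKS = [
    Risk("www-01", "CWE-548", 6.0),  # directory listing on the web tier
    Risk("db-02", "CWE-284", 8.0),   # access-control weakness reachable over the network
]


def assess(risks=RISKS, controls=CONTROLS, trust_unverified=False):
    return {(r.asset, r.cwe): residual_risk(r, controls, trust_unverified) for r in risks}
```

Running `assess(trust_unverified=True)` scores the database risk at zero because the firewall is assumed to work; `assess()` leaves it at its full severity until the network team's configuration is actually verified.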