However, it is becoming clear that reliance on these security assessments is a failed approach. The number, size and cost of data breaches increase ever year. Verizon's Business RISK Team analyzed 500 breaches and concluded that 87 percent could have been avoided if reasonable security controls had been in place — exactly what security assessments should detect. Bob Carr, the CEO of Heartland Payment Systems, which suffered one of the largest breaches in history, was blunter: “The audits done by our QSAs were of no value whatsoever," he reportedly said.
There are several reasons why traditional security assessments are failing to live up to expectations:
- Today's IT environments are highly dynamic. Systems, software and configurations are constantly being modified, added and removed. Security assessments occur at a single point in time and are often out of date within days after they are completed.
- Today's IT environments are vast. Security assessments sample a small fraction of the environment and assume it is representative of the environment as a whole. Unfortunately, a single error anywhere can leave an organization completely vulnerable. An isolated error like this is unlikely to be found within the small sample of the infrastructure that is examined.
- Today's IT environments are highly complex. Security issues frequently involve subtle interactions between networks, hosts and software. These can easily be missed by the ordinary (or even extraordinary) humans performing the assessment.
The top experts in security recognize that security assessments have reached the limit of their capabilities and have started to recommend (and mandate) new approaches.
In the federal government, the National Institute of Standards and Technology (NIST) partnered with the Department of Defense, Director of National Intelligence and Committee on National Security Systems to re-examine how federal IT systems are accredited. In the newly published SP 800-37, NIST moved from traditional static assessments to promote “the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes.” This revised approach will be required throughout the federal government and its support contractors.
Similarly, the SANS Institute has advocated the use of Consensus Audit Guidelines and the rigorous deployment of 20 critical baseline controls. A core concept of this effort is that controls are “periodically or continuously measured using automated measurement techniques where feasible” to ensure that they are operating effectively. Many commercial and government organizations are moving to adopt these guidelines
Three basic requirements are repeatedly cited for the next generation of security assurance mechanisms:
- Continuous: Security must be re-evaluated as frequently as the IT environment changes. This means every day — not once or twice a year.
- Comprehensive: The entirety of the infrastructure must be examined. There's no such thing as 90 percent secure.
- Automated: The effort to accurately assess the security of a complex environment is huge. Cisco recently estimated that it would take four years for an expert working 24x7x365 to manually assess its network. Automation is simply an imperative for anything larger than the smallest, simplest IT infrastructures.
In many ways, these changes represent the promotion of security to a full-fledged IT management practice. Other aspects of management, such as fault and performance, have experienced similar evolutions. In their early days, they also relied on manual reviews of system status and reactive approaches to issues. When these techniques failed to yield the desired approach, IT departments deployed systems and tools that enabled more proactive, automated management. The changing requirements for security reflect recognition that robust protection is at least as important as high availability and acceptable performance in today's threat-filled world.
Steve Dauber is vice president of marketing for RedSeal Systems, a provider of security risk management software.