Number-driven risk metrics 'fundamentally broken'

By Michael S. Mimoso, Editor, Information Security magazine
12 Mar 2009 | SearchSecurity.com


BOSTON -- The traditional models used by organizations to calculate risk are fundamentally broken, said a former national cybersecurity czar today at the SOURCE Boston conference.


Amit Yoran, CEO of consultancy NetWitness Corp. and former National Cyber Security Division director, said security resources are often misaligned and misallocated because organizations are driven to present number-driven metrics based on some combination of threats, vulnerabilities and asset value to management—and that doesn't work.

"When you try to boil down complex network traffic into a traffic light or some number to present to management--which understands only traffic lights--you're driving organizations toward bad metrics versus the task at hand," Yoran said. "We're struggling to present number-driven metrics to people who struggle to understand all this complexity."


Instead, Yoran suggests rather than trying to quantify threats, they should be assumed as fact. For example, he said there is tremendous variance among vulnerability scanners, and scanning the same system with three scanners will render three different sets of results. Also, these tools rely largely on known vulnerabilities and exploits. Therefore, it becomes difficult to present an accurate number that reflects threats to an organization.

"The vulnerabilities and exploits that matter are [zero-days]. That's what nation states and advanced hackers are after. They use their rootkits that quietly keep them in systems," Yoran said. "They shy away from known exploits and target unpublished vulnerabilities."

Yoran would like organizations to refocus their energy, and determine the impact of loss of data, rather than concentrate on system or infrastructure security. For too long, he said, security has focused on availability of service rather than focusing on the value of data and keeping it confidential.

Now he stresses that organizations need to understand how data flows in and out of their organization, where it's stored, who has access to it and subsequently classify it. Only then is a company able to understand the impact of data, whether it's personally identifiable data, intellectual property or other business critical data.

Yoran recognizes this can be monumentally challenging, but said vigilance around three areas will minimize exposure:

  • The first approach is to monitor connections to third parties, especially VPN tunnels to service providers, developers, business processing outsourcers and even resellers, and determine whether these avenues are open or restrictive via some authentication.
  • Another avenue to watch is exploits for mobile platforms, especially as more phones come equipped with always-on Internet capabilities and application functionality.
  • The third option he suggests is targeted Google searches: organizations define what counts as sensitive data and run searches against a random sample of endpoints where that information may be stored and accessible online. If there is an exposure, organizations can then determine whether it is due to a configuration error or an attack.
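The data-classification step Yoran describes (know what sensitive data you hold and where it sits) and the sampled-endpoint search for exposures can be put together in a small script. The following is an added Python example, not code from the talk or from the article; the endpoint inventory, the documents on each host, the "public" flag that stands in for Internet reachability, and the three pattern classes are all constructed assumptions, and the search runs over that inline inventory rather than against Google.

```python
import random
import re

# Constructed sample inventory: hostname -> documents reachable on it.
# "public" is a stand-in for "reachable from the Internet"; in practice it
# would come from an external-facing crawl or search rather than a label.
ENDPOINTS = {
    "fileserver-01": [
        {"path": "/share/hr/payroll.csv", "public": False,
         "text": "name,ssn\nJane Doe,123-45-6789"},
    ],
    "web-02": [
        {"path": "/var/www/html/export/customers.csv", "public": True,
         "text": "card\n4111111111111111\n4111111111111112"},
    ],
    "laptop-17": [
        {"path": "/home/u/notes.txt", "public": False,
         "text": "lunch at noon"},
    ],
    "web-05": [
        {"path": "/var/www/html/design/spec.txt", "public": True,
         "text": "CONFIDENTIAL - internal design spec"},
    ],
}

# The organization's own definition of "sensitive": PII patterns plus an
# intellectual-property marker. Labels are assumptions for this example.
CLASSIFIERS = {
    "pii:ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "pii:card": re.compile(r"\b\d{13,16}\b"),
    "ip:marker": re.compile(r"\bCONFIDENTIAL\b"),
}


def luhn_ok(digits):
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text):
    """Return the set of data classes present in one document."""
    found = set()
    for label, rx in CLASSIFIERS.items():
        for match in rx.findall(text):
            if label == "pii:card" and not luhn_ok(match):
                continue
            found.add(label)
    return found


def sample_endpoints(inventory, k, seed):
    """Pick a reproducible random sample of k hosts from the inventory."""
    rng = random.Random(seed)
    names = sorted(inventory)
    return rng.sample(names, min(k, len(names)))


def audit(inventory, k, seed=0):
    """Classify every document on a sampled set of hosts and report hits.

    Each hit records where the data lives and whether that location is
    exposed; deciding whether an exposure is a misconfiguration or an
    attack is the follow-up investigation, not something this script infers.
    """
    report = []
    for host in sample_endpoints(inventory, k, seed):
        for doc in inventory[host]:
            classes = classify(doc["text"])
            if not classes:
                continue
            report.append({
                "host": host,
                "path": doc["path"],
                "classes": sorted(classes),
                "exposed": doc["public"],
            })
    return report


if __name__ == "__main__":
    for hit in audit(ENDPOINTS, k=4):
        flag = "EXPOSED" if hit["exposed"] else "internal"
        print(f"{flag:8} {hit['host']}:{hit['path']} {hit['classes']}")
```

Running it over the sample inventory flags the payroll file as internal PII and the two web hosts as exposed sensitive data, while the laptop notes produce no hit; the Luhn check drops the second, invalid card number so only one card finding is reported.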

Yoran also points out that this is an opportunity to engage business leaders, i.e., data owners, in the process, and offload risk responsibility. Not only does this filter security deeper into an organizational culture, but it forces business and data owners to consider their actions, else it will be them presenting to management and not security.

"Don't just measure because you think things will correlate well to risk; measure everything," Yoran said. "This way, you'll be able to produce pretty pie charts and traffic lights that mean something to management."
