
Number-driven risk metrics 'fundamentally broken'

A former national cybersecurity czar says risk models used by security organizations often lead to a faulty understanding of threats and flaws, and a misallocation of resources.

BOSTON -- The traditional models used by organizations to calculate risk are fundamentally broken, said a former national cybersecurity czar today at the SOURCE Boston conference.


Amit Yoran, CEO of consultancy NetWitness Corp. and former National Cyber Security Division director, said security resources are often misaligned and misallocated because organizations are pushed to present management with number-driven metrics built from some combination of threats, vulnerabilities and asset value, and that approach doesn't work.

"When you try to boil down complex network traffic into a traffic light or some number to present to management--which understands only traffic lights--you're driving organizations toward bad metrics versus the task at hand," Yoran said. "We're struggling to present number-driven metrics to people who struggle to understand all this complexity."


Instead of trying to quantify threats, Yoran suggests that organizations treat their existence as a given. For example, he said there is tremendous variance among vulnerability scanners: scanning the same system with three scanners will produce three different sets of results. These tools also rely largely on known vulnerabilities and exploits. As a result, it is difficult to produce a single number that accurately reflects the threats facing an organization.

"The vulnerabilities and exploits that matter are [zero-days]. That's what nation states and advanced hackers are after. They use their rootkits that quietly keep them in systems," Yoran said. "They shy away from known exploits and target unpublished vulnerabilities."

Yoran would like organizations to refocus their energy on determining the impact of losing data, rather than concentrating on system or infrastructure security. For too long, he said, security has focused on availability of service instead of on the value of data and keeping it confidential.

He stresses that organizations need to understand how data flows in and out of the organization, where it is stored and who has access to it, and then classify it. Only then can a company understand the impact of losing that data, whether it is personally identifiable information, intellectual property or other business-critical data.

Yoran recognizes this can be monumentally challenging, but said vigilance around three areas will minimize exposure:

  • The first approach is to monitor connections to third parties, especially VPN tunnels to service providers, developers, business process outsourcers and even resellers, and determine whether these channels are wide open or restricted by some form of authentication.
  • Another area to watch is exploits for mobile platforms, especially as more phones come equipped with always-on Internet connectivity and application functionality.
  • The third option he suggests is targeted Google searches, where an organization defines what it considers sensitive data and searches for it against a random sample of endpoints where the information may be stored and accessible online. If an exposure is found, the organization can learn whether it is due to a configuration error or an attack.

Yoran also points out that this is an opportunity to engage business leaders, i.e., the data owners, in the process and to share responsibility for risk. Not only does this push security deeper into the organizational culture, it also forces business and data owners to consider their actions; otherwise it will be they, not security, presenting to management.

"Don't just measure because you think things will correlate well to risk; measure everything," Yoran said. "This way, you'll be able to produce pretty pie charts and traffic lights that mean something to management."
