San Francisco -- Wide adoption of an open source threat model could lead enterprise security teams to make better security decisions with less work, says a key proponent of the Critical Security Controls framework.
The Critical Security Controls are a set of actions for cyberdefense that provide specific and actionable ways to protect against the most pervasive attacks. It was developed by the Council on Cybersecurity, a consortium founded by the SANS Technology Institute, Tripwire Inc, and Qualys Inc.
In a talk at the 2015 RSA Conference, James Tarala, principal consultant for Venice, Fla.-based security assessment firm Enclave Security LLC, said that enterprises shouldn't have to do risk assessment on an individual basis, but should have an open source, community-driven threat model that can support security decisions for everyone.
"We want to categorize threats; we want to have a hierarchy of threats," Tarala said, "and we want to come up with that inventory, or taxonomy, to be able to look at the threats we have and have documentation to promote that language."
Tarala noted that the first step is to make sure there is a common understanding of what constitutes a threat. These distinctions can reduce confusion when talking about the four components of a threat: agents, actions, targets and consequences.
"The whole idea of how we decide controls for defense is based on what we perceive to be a threat," Tarala said. " If we believe the threat is constantly changing and constantly unique for our industry, then all the controls are constantly changing for our industry, and I don't know necessarily that that's true."
Tarala said there is a misconception that industries face very different threats, but in reality industries are only "a little unique." This misconception, Tarala said, leads to prioritizing security controls over mitigating risk. If a business decision were made to shift security resources away from cross-site scripting (XSS) attacks because the likelihood of an attack decreases, Tarala noted, that only increases the risk associated with that type of attack.
Rather than focusing on the likelihood of an attack which is constantly changing, Tarala advocated focusing on a taxonomy of threats, because there is more overlap in threat actions and threat targets than is often thought.
In their current form, the Critical Security Controls comprise five high-level threat categories (physical, natural, supplier, personnel, and technical) as well as nine threat agents, including nation-states, well-intentioned insiders, and mother nature.
Each threat category is then divided into sub-categories. For example, physical threats include theft and destruction of property; natural threats include weather and environmental elements; supplier threats include service disruption and logistics failures; personnel threats include skills shortages and employee errors; and, technical is by far the largest category, covering access management, privilege abuse, system manipulation, malicious code, and much more.
The technical category gets the most attention, Tarala said, so most defenses focus on those threats and even control guides tend to focus on this category to the exclusion of other categories of threat.
"I know the technical stuff is sexy," Tarala said, "but if we can walk into your data center and walk away with a server, it doesn't really matter [what] the technical controls around that server are."
Tarala said once this taxonomy is created and controls are defined properly, security controls will be mapped to the various categories and sub-categories of threats in order to find gaps in control models, and then a practical risk assessment methodology will be created in order to refine the categories.
The next version of the Critical Security Controls should be finalized this summer with updates to the taxonomy and methodology planned every three to six months. Tarala said there is a need for IT professionals to help finalize categories of threat agents and threat consequences, create likelihoods for each threat, and refine the list of threat actions.
Learn more about adding the age of networking devices into a security risk assessment.