Any other answer that might imply we can achieve 100% security would simply lead me to the conclusion that we should just give up now, go home, and find a different occupation…There is no 100% security, it is too expensive, too complex, too agonizing, takes too long, too dynamic. It is all about risk management, define your risk threshold and make sure you have the right controls to meet your goal.
Last week I’ve presented at a CISO event discussing the same topic (i.e. security and risk management), and I thought it might be a good opportunity to share my take on the topic.
One of the fundamental debates we have in the security community is whether to take the “All or Nothing”/”let’s boil the ocean” approach, OR focus on contained problems we can actually solve…
Large vendors tend to promote the first approach with their deep stacks (and services organizations), while pure players/smaller vendors tend to focus on their core competency.
As I believe security=risk management, it will not come as a shocker to anyone that I vote for focusing on the highest risk first (i.e. a contained problem).
Kind of trivial, but where/how should we begin?Everyone seems to have their quadrant, so here is Shlomi’s quadrant. It provides a good high level view where we should (and should not) invest, that is if you are out to solve the security challenge.
While “All or Nothing” calls for similar controls for all types of operations, the reality is real damage comes from operations associated with the 4th quadrant (powerful actor + powerful target). The advanced audience can add the context of the operation as a 3rd dimension, for the sake of simplicity I left it out.
Ok, so powerful actor + powerful target is the way to go, but how can we better evaluate the cost, time, agony and success of using the described two methods with relation to the risk addressed (i.e. coverage of your risk)?
Since I’m in a “graphy” mood today, let’s observe the following:
“All or Nothing” approach to security calls for controls across the board, which is very expensive, very long to implement, extremely painful and have questionable success rates. It is somewhat linear with regards to the risk we actually address. Take any of the big security projects (e.g. DLP or IM), after all the investment you end up with partial coverage at best.
The “high risk first” focus on the 4th quadrant, no resources spent on low risk activities, achieving a sharp up warding slope up front of risk coverage.
Now for the interesting part comes ($$$) – when placing both on the same graph:
Using the “all or nothing” approach to achieve a given risk threshold (left side) will be more expensive, take longer, more painful, and higher likelihood to fail. While using a given a budget/time frame/pain/likelihood to fail (right side) will provide coverage for a lower addressable risk.
Which approach to choose? Your decision…
But the existing security controls address this mumbo-jumbo, right? Not exactly…
The top 3 reasons why most security stacks/controls are missing the point are:
1. Focus on known identities and personal accounts rather than high risk (privileged) accounts.
Personal accounts/known users = limited access = low risk
Privileged accounts and users = limitless access = high risk
2. TMI (Too Much Information)
Collecting all events (of high or low risk) is a waste of time. It takes too long to make sense out of it, and slows down production systems… I just want to see the important information.
3. One trick pony
Most solutions address verticals – data, events, access, identity, sessions (of high or low risk), rather than a horizontal (i.e. high risk across the elements)
So when you are out there looking for ways to address your security risk think of tools that manage to carve out the high risk stuff, take a holistic (horizontal) view AND do not impact performance of your existing environment/personnel.