How do you measure security?

A perennial question is how to know whether you are secure, or how to measure your security.  I have spent some time answering the question here, here, here, here, here, and here.  As you can tell from the many ways of asking the same question and the huge differences of opinion expressed in people's answers, the one underlying trend is that Information Security, as a profession, isn't in agreement on what we are doing and why we exist.

If you look at my answers, I consistently attempt to define the terms I use and shift the topic onto what I call risk management.  The basic points I make are:

  1. Information Security is misnamed because it fosters the impression that we can somehow be "secure."
  2. There isn’t any one list of products that you can buy to make you secure.
  3. Any framework that works off the assumption of “security” to generate metrics that measure how “secure” you are is doomed to failure.
  4. A better view is the concept of risk management where risk is objectively measured and managed to acceptable levels.

The reason I consider a risk management framework superior to an Information Security framework boils down to the scientific concept of risk.  I consider this a fundamental requirement in any risk management framework because it allows for an apples-to-apples comparison of information risk with other types of business risk: financial and business risk frameworks already use the basic formula of risk as (probability of loss) times (magnitude of loss), annualized, e.g. probable loss aggregated to $10,000/year.  This meaningful metric makes it possible to reach a sound business decision when implementing a new business process.  If the expected profits in the new opportunity are $1 million and the expected annualized loss from all threat vectors (information, financial, opportunity loss, etc.) is $10,000, then it makes sense to proceed with plans in place to absorb the loss.  If the business is comfortable absorbing the loss, or can shift the loss to an insurance instrument, then I am remiss in recommending a solution that is as "secure" as possible for only $500,000 a year.
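To make the arithmetic concrete, here is an added example (not from the original post) that aggregates annualized loss across several threat vectors, checks the total against the expected profit and an acceptable-loss level, and goes one step beyond the paragraph by testing whether a proposed control pays for itself. The $10,000/year, $1 million and $500,000 figures come from the text; the per-vector probabilities, magnitudes, the 90% reduction and the $25,000 risk appetite are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ThreatVector:
    """One source of loss, stated in the same terms as any other business risk."""
    name: str
    events_per_year: float  # probability (expected frequency) of a loss event per year
    loss_per_event: float   # magnitude of loss in dollars when the event occurs

    def annualized_loss(self) -> float:
        # risk = (probability of loss) x (magnitude of loss), annualized
        return self.events_per_year * self.loss_per_event


def annualized_loss_expectancy(vectors: List[ThreatVector]) -> float:
    """Aggregate annualized loss across all threat vectors."""
    return sum(v.annualized_loss() for v in vectors)


def residual_vectors(vectors: List[ThreatVector], reductions: Dict[str, float]) -> List[ThreatVector]:
    """Apply a control's assumed fractional reduction in event frequency, per vector name."""
    return [ThreatVector(v.name, v.events_per_year * (1.0 - reductions.get(v.name, 0.0)), v.loss_per_event)
            for v in vectors]


def control_is_worth_buying(vectors: List[ThreatVector], reductions: Dict[str, float],
                            annual_control_cost: float) -> bool:
    """A control pays for itself only if the annual loss it removes exceeds its annual cost."""
    saved = annualized_loss_expectancy(vectors) - annualized_loss_expectancy(residual_vectors(vectors, reductions))
    return saved > annual_control_cost


def opportunity_decision(expected_profit: float, vectors: List[ThreatVector],
                         acceptable_annual_loss: float) -> str:
    """Compare expected profit with expected loss and with the business's stated risk appetite."""
    ale = annualized_loss_expectancy(vectors)
    if ale >= expected_profit:
        return "decline"
    if ale <= acceptable_annual_loss:
        return "proceed and absorb the loss"
    return "proceed only if the excess loss can be transferred or reduced"


# Constructed figures, chosen so they aggregate to the $10,000/year used in the text.
VECTORS = [
    ThreatVector("information", 0.10, 60_000),  # $6,000/year
    ThreatVector("financial", 0.50, 6_000),     # $3,000/year
    ThreatVector("opportunity", 0.02, 50_000),  # $1,000/year
]
```

With these inputs the $1 million opportunity is worth taking while absorbing the $10,000 loss, and a $500,000/year control that removes 90% of the information-loss frequency saves only $5,400/year, so it fails the test; the same control at $2,000/year would pass.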

I have been fortunate to be exposed to a risk management framework that understands the requirement to objectively measure risk using the same basic high-level risk metric used by other disciplines.  The framework is called Factor Analysis of Information Risk (FAIR), from a company called Risk Management Insight.

How do you feel, Mr. IDS?

I recently answered this question, where the person wanted people's opinion on Gartner's take on Intrusion Detection Systems (IDS):

Gartner says that intrusion detection systems are a costly and ineffective investment that does not add an additional layer of security as promised by vendors. The company recommends that enterprises redirect their security expenditures to firewall vendors that offer both network-level and application-level firewall capabilities in an integrated product … Intrusion detection systems are a market failure, and vendors are now hyping intrusion prevention systems, which have also stalled … Functionality is moving into firewalls, which will perform deep packet inspection for content and malicious traffic blocking, as well as anti-virus activities.

In my response I pointed out that if your ONLY security solution is a list of products from vendors, then of course they cannot live up to your expectations.  Here was my response in full:

I guess it's time to repeat my mantra: "Security is not a product." You cannot buy security because you cannot be secure. All you can do is effectively assess and manage risk.

  1. What does an IDS provide if you don't understand the value and location of your business assets, both from the business's perspective and from the criminal's perspective? Hint: just because you don't see the value doesn't mean your competitor or the scam artist doesn't.
  2. What does an IDS provide if you don't know all the paths to those assets and the strength of the controls in place to protect them? The door is locked but the window is open syndrome.
  3. What does the IDS provide if no one knows what is normal and what isn't? I am still amazed when server owners want me to review their logs for "bad stuff." If the owner doesn't know what is normal, how do you expect me to?
  4. What does the IDS provide if no one is looking at it? The IDS is a tool. Tools are used by professionals. Why get one without the other?
  5. What does the IDS provide if it's in the wrong place? This comes back to understanding ALL the paths to your assets.
  6. What does the IDS provide if your security initiatives are a list of products? Unless dedicated professionals are there helping to identify, assess, and manage your risks, all your IDS will tell you is how much money is walking out the door in lost opportunities.

Closed Source or Open Source?

This is my answer to this question.

Open source is definitely a factor to consider as part of a comprehensive needs assessment.

  1. What are you/your client attempting to achieve?
  2. What does their environment already contain?
  3. What is the impact from a user/maintenance standpoint?
  4. Is there in-house expertise to support it?
  5. Does the product meet all the business requirements?
  6. What are the support costs?
  7. Etc.

Any mature implementation plan will treat the licensing requirements, closed or open, as one part of the selection criteria. Once we step back from the closed/open debate and look at licensing in general, it is the specific clauses in each license that matter. Not all closed source licenses are the same, and not all open source licenses are the same. Each specific license has requirements and limitations imposed on you, and it is these limitations and impositions that must be weighed, not the Closed/Open label.