SecurityWeek

Is Security An Unsolvable Problem?

Framing the Challenges in the Security Realm Properly is an Important First Step in Addressing Them

As a child, I was taught that if a problem was frustrating me, I should approach it from a different angle.  Indeed, in adulthood, I have found that a fresh perspective can often make the unsolvable solvable. I am often asked the question: “Is security an unsolvable problem?”  In order for me to answer that question, I would have to understand it, and I don’t. Or, to put it another way, any problem presented that broadly, vaguely, and ambiguously is unsolvable.

Rather than try and solve something as broad, vague, and ambiguous as “security”, I think it’s more effective to look at the topic from a different angle.  To do so, let’s take a step back and think about what security is.  In essence, security is about managing risk.  Of course, whenever possible, we want to mitigate and reduce the amount of risk we accept.  However, as we know, risk can never be eliminated entirely, and as such, we shouldn’t aim to do so.  That is certainly an unsolvable problem.

So, what does this mean for the various challenges at hand in the information security realm? I think a perspective shift from an overwhelming focus on prevention to a balance between prevention and risk management is where we as a community will begin to find answers. We must absolutely try to prevent whenever and wherever possible, but we must also understand that our ultimate goal should be risk management. Framing the problem in this way allows us to make progress towards real solutions.

Allow me to elaborate.

Risk management begins first and foremost by identifying the risk we intend to manage. In other words, in my business, what am I gravely concerned about? What events or occurrences would put my business at great risk of damage? Each organization should examine its business priorities and concerns, assess the threat landscape it faces, and enumerate a list of risks to the business. This should be done regularly, rather than once or intermittently, as risks and threats will evolve and change over time. Once a list of business risks has been identified, those risks can be further broken down into goals and priorities. These goals and priorities provide a tangible working roadmap for managing the identified risk to the organization. In other words, they give us a path towards solving a specific problem that has been framed in workable, manageable terms. These goals and priorities can be addressed through people, process, and technology. The length of this column does not permit me to go into great detail here, but this topic has been covered elsewhere, including on my personal blog here and here. Metrics for success and failure can also be developed to measure the degree to which the identified problem is being solved.

Let’s take a look at this concept through a working example involving a compromised system. I often hear people remark, “we spend billions of dollars on security, and systems are still being compromised”. While this is a true statement and a popular buzz line, it unfortunately does not have much meaning. Allow me to explain. When a system is compromised, what is our concern? What are we really worried about? What is the risk we are trying to manage? There are many potential answers to these questions, but let’s work through the example of data exfiltration.

In the example of data exfiltration, attackers may be after intellectual property, payment card information, or a number of other targets. Let’s examine the theft of payment card information as a working example, the risk we would like to manage. So, you see, when we frame the problem in this manner, the approach changes dramatically. Instead of trying to prevent a system from being compromised, which is an extremely difficult undertaking, we are trying to detect, analyze, contain, and remediate a compromised system before any payment card information has been taken. That is not an easy task, but it is certainly not impossible, and it is most definitely solvable with the appropriate focus and prioritization. Compromise in and of itself does not indicate failure; failing to detect, analyze, contain, and remediate before any damage has occurred does.

So, let’s walk through the exercise.  First, we identify the risk. In our example, that would be something like “theft of payment card information”. From there, we can identify the different vectors through which that could occur.  These will vary by organization, but some examples might include: access to a repository containing this information, access to systems processing this information, and social engineering this information out of a human being.  These vectors provide us with digestible problems we can work towards solving through a variety of different approaches – goals and priorities.  For example, tightening controls on critical assets containing repositories of payment card information and ensuring all data is encrypted at every stage, prioritizing monitoring efforts around indicators of compromise (IOCs) related to payment card stealing malicious code, and ensuring that human beings do not have access to more information than needed to perform their job functions.  There are many vectors we could list and approaches we could take to manage this particular risk. The sampling enumerated here is not intended to be a complete list, but rather, it is intended to illustrate the point.

Of course, this is just one working example provided for illustrative purposes.  In an organization, the number of risks that will need to be enumerated can be quite large.  Further, the associated goals and priorities that each risk can be broken down into can be even larger.  Nonetheless, although framing the problem is not a trivial undertaking and can be quite challenging, it does provide an organization with concrete steps towards identifying concrete risks and framing them as solvable problems.

Although the alarmist statement “security is an unsolvable problem” makes for great press, it is tragically light on meaning. Succeeding in security begins by enumerating risks and concerns to the organization. From there, identifying concrete goals and priorities provides a roadmap to success. Measuring success and failure against true business concerns, rather than against conventional wisdom allows an organization to understand its rates of progress, maturity, and success in more realistic terms. In short, framing the challenges in the security realm properly is an important first step in addressing them.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently Field CISO at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.