Framing the Challenges in the Security Realm Properly is an Important First Step in Addressing Them
As a child, I was taught that if a problem was frustrating me, I should approach it from a different angle. Indeed, in adulthood, I have found that a fresh perspective can often make the unsolvable solvable. I am often asked the question: “Is security an unsolvable problem?” In order for me to answer that question, I would have to understand it, and I don’t. Or, to put it another way, any problem presented that broadly, vaguely, and ambiguously is unsolvable.
Rather than try and solve something as broad, vague, and ambiguous as “security”, I think it’s more effective to look at the topic from a different angle. To do so, let’s take a step back and think about what security is. In essence, security is about managing risk. Of course, whenever possible, we want to mitigate and reduce the amount of risk we accept. However, as we know, risk can never be eliminated entirely, and as such, we shouldn’t aim to do so. That is certainly an unsolvable problem.
Allow me to elaborate.
Risk management begins first and foremost by identifying the risk we intend to manage. In other words, in my business, what I am gravely concerned about? What events or occurrences would put my business at great risk for damage? Each organization should examine its business priorities and concerns, assess the threat landscape it faces, and enumerate a list of risks to the business. This should be done regularly, rather than once or intermittently, as risks and threats will evolve and change over time. Once a list of business risks has been identified, those risks can be further broken down into goals and priorities. These goals and priorities provide a tangible working roadmap to managing the identified risk to the organization. In other words, they give us a path towards solving a specific problem that has been framed in workable, manageable terms. These goals and priorities can be addressed through people, process, and technology. The length of this column does not permit me to go into great detail here, but this topic has been covered elsewhere, including on my personal blog here and here. Metrics for success and failure can also be developed to measure the degree to which the identified problem is being solved.
Let’s take a look at this concept through a working example involving a compromised system. I often here people remark, “we spend billions of dollars on security, and systems are still being compromised”. While this is a true statement and a popular buzz line, it unfortunately does not have much meaning. Allow me to explain. When a system is compromised, what is our concern? What are we really worried about? What is the risk we are trying to manage? There are many potential answers to these questions, but let’s work through the example of data exfiltration.
In the example of data exfiltration, attackers may be after intellectual property, payment card information, or a number of other targets. Let’s examine the theft of payment card information as a working example – our risk that we would like to manage. So, you see, when we frame the problem in this manner, the approach changes dramatically. Instead of trying to prevent a system from being compromised, which is an extremely difficult undertaking, we are trying to detect, analyze, contain, and remediate an infected system before any payment card information has been taken. That is not an easy task, but it is certainly not impossible, and it is most definitely solvable with the appropriate focus and prioritization. Compromise in and of itself does not indicate failure, but rather, failing to detect, analyze, contain, and remediate before any damage has occurred does.
So, let’s walk through the exercise. First, we identify the risk. In our example, that would be something like “theft of payment card information”. From there, we can identify the different vectors through which that could occur. These will vary by organization, but some examples might include: access to a repository containing this information, access to systems processing this information, and social engineering this information out of a human being. These vectors provide us with digestible problems we can work towards solving through a variety of different approaches – goals and priorities. For example, tightening controls on critical assets containing repositories of payment card information and ensuring all data is encrypted at every stage, prioritizing monitoring efforts around indicators of compromise (IOCs) related to payment card stealing malicious code, and ensuring that human beings do not have access to more information than needed to perform their job functions. There are many vectors we could list and approaches we could take to manage this particular risk. The sampling enumerated here is not intended to be a complete list, but rather, it is intended to illustrate the point.
Of course, this is just one working example provided for illustrative purposes. In an organization, the number of risks that will need to be enumerated can be quite large. Further, the associated goals and priorities that each risk can be broken down into can be even larger. Nonetheless, although framing the problem is not a trivial undertaking and can be quite challenging, it does provide an organization with concrete steps towards identifying concrete risks and framing them as solvable problems.
Although the alarmist statement “security is an unsolvable problem” makes for great press, it is tragically light on meaning. Succeeding in security begins by enumerating risks and concerns to the organization. From there, identifying concrete goals and priorities provides a roadmap to success. Measuring success and failure against true business concerns, rather than against conventional wisdom allows an organization to understand its rates of progress, maturity, and success in more realistic terms. In short, framing the challenges in the security realm properly is an important first step in addressing them.