Everybody talks about security in IT these days. Are we secure? I think it is better to ask what our risk is.
Risk assessment is not a simple checklist. It is a process based on the rigorous application of a variety of policy guidelines, combined with sources of information on asset value, vulnerability and threats. It is important to understand these variables. Risk is the probability that a loss will occur multiplied by the magnitude of that loss; in short, risk is an expected loss, and it is usually expressed in dollars. It is important to understand this simplification as well. Many would argue for qualitative measures too, but I suggest that these are ineffective.
Risk must be mitigated through the expenditure of budget, and since budgets are not unlimited, every risk has a monetary value. If an organization is unwilling or unable to come up with the budget to mitigate a risk, then it is not prudent to operate: the operation must be changed to avoid the risk, or it must cease. If risk does not equal dollars, how would any organization determine its budget for mitigating a risk, or its budget for the organizational change needed to avoid it?
Consider an example. If an organization has a known risk and spends $1M on a compensating capability, how would anyone know whether the $1M budget is adequate if there were no commensurate value on the risk? If a vendor comes along and provides the same risk reduction for half the cost, does the organization not gain a monetary advantage by opting for the cheaper solution? Again, all risk equals dollars, and the dollars spent should be commensurate with the risk.
Vulnerability is an important aspect because, in the absence of vulnerability, there can be no risk, regardless of the magnitude of the threat. Vulnerability is binary: a given weakness either exists or it does not. Humans are vulnerable to bullets. You can mitigate the threat, but the vulnerability remains. In the world of risk management, vulnerabilities are dealt with via compensating controls (armor, early warning devices and speed). Fortunately, in the world of information systems, vulnerabilities can be eliminated through design or code changes. But, just as with humans and bullets, threats are always evolving to exploit even the same vulnerability, and the ability to define and respond to a vulnerability in broader terms provides an advantage.
Vulnerability is the area where most security effort is applied in the information world. We obsess over patches and apply enormous resources to tracking new vulnerabilities and searching for patches. While this represents the largest cost of most efforts, it also provides the most opportunity for cost reduction. Automating the discovery and tracking of vulnerabilities (and their impact on risk) with respect to a given system can provide an enormous advantage. Unfortunately, the risk visibility of vulnerabilities eludes most organizations, and they end up over-spending on efforts to "patch everything" immediately (a futile endeavor). Imagine the value of being able to assess the impact of vulnerabilities on your risk equation at any given time.
Threats are the last component of the equation. Humans are vulnerable to bullets, but if there were no bullets, would the vulnerability be unimportant? Unfortunately, the vulnerability to bullets also translates into a vulnerability to other projectiles, so eliminating bullets would not reduce the risk unless there were no other projectiles capable of causing trauma. It would be more effective to define the vulnerability as a weakness against projectiles above a given mass × velocity value. However, back to the threat part. If you are standing on a street corner in Fallujah, the threat of dangerous projectiles would likely be greater than if you were standing in an Amish town where violent crime is almost non-existent.
How do we deal with threats? A threat is the opportunity and means to exploit a vulnerability. This is actually the most expensive aspect of the equation, as it requires enormous effort in observation, intelligence gathering and, in the area of information systems, global visibility, and it must be exercised in real time. Just as remediation of vulnerabilities reduces the risk equation, knowledge of threats and their alignment to a position of attack reduces the risk equation. While mitigating threats is the most expensive part of the equation, it is also the most flexible. Because it deals with information in real time, it can accommodate much more targeted responses than is possible with
So what are our objectives in the area of threat mitigation? Imagine how much more effective the effort would be with real-time, correlated information on value, vulnerability and threat. It is tempting to deal with these issues in isolation, but we do so at our peril.
To mitigate risk we must:
✦ Determine our operational goals
✦ Know our environment
✦ Understand the relative urgency of vulnerabilities
✦ Manage the combination of patches and compensating controls to mitigate them
✦ Maintain situational awareness of the threats that exist in our environment, while being able to respond within our budget and maintain mission viability
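The arithmetic behind the argument above (risk as expected loss in dollars, spending commensurate with the risk removed, and the cheaper vendor winning when it delivers the same reduction) is easy to lose in prose, so here is a small risk register that carries it through. This is an added illustration, not code from the original article or from any Symantec product. All asset values, loss fractions, threat rates and control costs are constructed numbers, and the model makes two simplifying assumptions: annual loss expectancy is threat rate × single loss, and at most one control is selected per vulnerability.

```python
"""Risk register: expected loss per exposure and budget-constrained control ranking.

Added example, not part of the original article. Every figure below is constructed
for illustration; the ALE model and the one-control-per-vulnerability rule are
simplifying assumptions, not a standard the article prescribes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset / vulnerability / threat triple from the register."""
    asset: str
    vulnerability: str
    asset_value: float    # magnitude: replacement value of the asset in dollars
    loss_fraction: float  # share of asset_value lost in one successful incident (0..1)
    threat_rate: float    # expected successful exploitations per year while unmitigated

    def single_loss(self) -> float:
        return self.asset_value * self.loss_fraction

    def annual_loss_expectancy(self) -> float:
        # risk = probability (here: frequency per year) x magnitude, in dollars per year
        return self.threat_rate * self.single_loss()


@dataclass(frozen=True)
class Mitigation:
    """A patch or compensating control and how much of the threat rate it removes."""
    name: str
    vulnerability: str
    annual_cost: float
    rate_reduction: float  # 1.0 = vulnerability eliminated, 0.9 = 90% of attacks stopped


# Constructed register: four exposures across three vulnerabilities.
REGISTER = [
    Exposure("customer-db",  "unpatched-sqli",     2_000_000, 0.25, 0.4),  # ALE 200,000
    Exposure("build-server", "unpatched-sqli",       400_000, 0.50, 0.1),  # ALE  20,000
    Exposure("web-portal",   "outdated-tls",         300_000, 0.10, 0.2),  # ALE   6,000
    Exposure("laptops",      "no-disk-encryption",   800_000, 0.05, 2.0),  # ALE  80,000
]

# Constructed options: two vendors offering the same WAF-style reduction at different
# prices, a code fix that removes the vulnerability outright, and two other controls.
MITIGATIONS = [
    Mitigation("vendor-A-waf", "unpatched-sqli",     100_000, 0.90),
    Mitigation("vendor-B-waf", "unpatched-sqli",      50_000, 0.90),
    Mitigation("code-fix",     "unpatched-sqli",      30_000, 1.00),
    Mitigation("tls-upgrade",  "outdated-tls",        10_000, 1.00),
    Mitigation("fde-rollout",  "no-disk-encryption",  40_000, 0.95),
]


def total_ale(register: list[Exposure]) -> float:
    return sum(e.annual_loss_expectancy() for e in register)


def risk_reduction(register: list[Exposure], m: Mitigation) -> float:
    """Dollars per year of expected loss removed by applying m to every matching exposure."""
    exposed = sum(e.annual_loss_expectancy() for e in register
                  if e.vulnerability == m.vulnerability)
    return exposed * m.rate_reduction


def plan_mitigations(register: list[Exposure], options: list[Mitigation],
                     budget: float) -> tuple[list[tuple[str, float, float]], float, float]:
    """Greedy plan: best risk reduction per dollar first, one control per vulnerability.

    Returns (chosen [(name, cost, reduction)], dollars spent, residual ALE).
    """
    scored = [(m, risk_reduction(register, m)) for m in options]
    # A control that costs more than the risk it removes is not commensurate with
    # the risk; it is dropped regardless of budget.
    worthwhile = [(m, r) for m, r in scored if r > m.annual_cost]
    worthwhile.sort(key=lambda mr: mr[1] / mr[0].annual_cost, reverse=True)

    chosen, covered, spent = [], set(), 0.0
    for m, r in worthwhile:
        if m.vulnerability in covered or spent + m.annual_cost > budget:
            continue
        chosen.append((m.name, m.annual_cost, r))
        covered.add(m.vulnerability)
        spent += m.annual_cost
    residual = total_ale(register) - sum(r for _, _, r in chosen)
    return chosen, spent, residual


if __name__ == "__main__":
    print(f"total ALE: ${total_ale(REGISTER):,.0f}/yr")
    plan, spent, residual = plan_mitigations(REGISTER, MITIGATIONS, budget=100_000)
    for name, cost, reduction in plan:
        print(f"  {name:14s} cost ${cost:>8,.0f}  removes ${reduction:>9,.0f}/yr")
    print(f"spent ${spent:,.0f}, residual ALE ${residual:,.0f}/yr")
```

With a $100,000 budget the plan picks the code fix (it removes $220,000/yr of expected loss for $30,000) and the disk-encryption rollout, and never reaches either WAF vendor because the vulnerability they address is already covered; had the code fix not been an option, vendor B would have won on the same reduction at half the price. The TLS upgrade is rejected outright because its $10,000 cost exceeds the $6,000/yr it would remove, which is the "spending commensurate with risk" test in code form.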
A risk assessment framework is a means of providing this fusion of capability with operation. As stated earlier, it is not a simple one: it requires rigorous attention to detail and continuous management, using ever-advancing technology to gain the upper hand on both effectiveness and cost.
So what is Symantec's approach to this? Imagine a pyramid whose base tier is asset management. Any organization that cannot effectively manage its assets and their configurations cannot hope to secure them adequately to ensure continuity of operations. Symantec's Total Management Suite serves as the baseline capability in this effort.
Having solved the asset management issue, an organization has to have adequate means of protecting those assets. SEP and CSP are the Symantec cornerstones for this effort covering both client and server assets.
Now that we manage our assets and have protected them, we still have to consider how we are going to operate on our network. Well-protected assets that don't communicate effectively are of little value to an organization. Fortunately, Symantec incorporates Network Access Control (NAC) into the endpoint protection solution (SEP). In combination with gateways and 802.1X switching controls, this NAC solution can provide the policy-based controls that enable effective network operations.
We're feeling pretty good now. We manage our assets, we protect them, and we even control their behavior on our network as well as on other networks. What could go wrong? Well, we still need to protect the information that we use. Information, unlike assets, has to be shared to be useful, but the trick is to ensure that the right information is shared with the right people at the right time and that we avoid losing critical information. Again, Symantec has solutions ranging from backup & restore and archiving to Data Loss Prevention (DLP) and mail/web gateways to guard critical information.
For an organization to do all these things would be impressive, and it would certainly deserve a good risk score, but we aren't through yet. Symantec provides the Compliance solutions (CCS) that enable organizations to track, enforce and report on the organization's compliance with its stated risk goals. On top of that, our Security Incident Management (SIM) solution provides visibility into the effectiveness of our controls and identifies new vulnerabilities while reporting on the risk posture of the organization. The best part is that all of these can be integrated into a cohesive process via Symantec's Workflow engine.
No other company has the depth of solution that Symantec offers. This should be our unabashed message to all customers. What other company can do what we do over the entire spectrum of risk management?