An Information Security War
I will not belabor a point that most reading this article likely know: we are in an information security war – a persistent war that will likely rage as long as our species uses electronic information systems – against cyber criminals and nation-state actors. As we have accepted the persistent nature of this new environment, we have adopted language and high-level doctrine that originated with our military. As a relative newcomer to the civilian world, I am amazed at how language with origins in western military philosophy has been adopted into the mainstream infosec lexicon. “Kill chain,” “Rules of Engagement,” “Key Terrain” – these are all military terms that have been adopted by industry. These terms were not adopted because they sound cool, but rather because they accurately describe an element of the conflict at hand.
This “porting” of terms and logical structures for defining conflict has been good for our community. I believe we are stronger as a community due to tools such as the MITRE ATT&CK matrix, which helps organizations refine both the tactics and strategy of their defensive efforts. We have a wealth of vendors who are continuously bringing us new tools to address tactical problems. Standardization of control frameworks and the introduction of innovative new tools for measuring risk are helping mature the industry with regard to our ability to adopt and maintain strategy. Once again, this is all good news.
But as the opening quote highlights, there are aspects to conflict outside of strategy and tactics. As our industry continues to professionalize and normalize information security as an enduring business function, we need to broaden our approach to address the logistics of information security. Put simply, logistics is the management of the delivery of resources from suppliers to customers. Logistics is how we gain maximum efficiency in the use of our precious resources, with processes designed to eliminate waste and mis-prioritization. Logistics processes must thus be inherently dynamic, with the ability to rapidly reflow resources in light of changing priorities. This is a relatively easy concept to grasp with regard to armed conflict: We must rapidly get “beans and bullets” to where they are needed when they are needed.
But how does the concept of logistics apply to information security? It is helpful to “peel the onion” by starting with a definition of information security itself: Information security is the management of risk to the confidentiality, integrity and availability of information through the application of technical, administrative and physical controls. There are two separate functions inherent in this definition; we must identify and prioritize our risks, and then we must apply controls to manage these risks.
Logistics is the linkage between these two functions. Recurring vulnerability management processes in conjunction with internal and external assessments help us identify and prioritize the risk in our environment. It is then up to our analysts and IT professionals to apply the remediating controls to mitigate these risks, applying their efforts in a coordinated manner to obtain the greatest risk reduction for their efforts. Unfortunately, the management of the application of our resources (the analysts) to the problems (the risks) is an underdeveloped and immature area in information security.
In enterprise environments, we have ticketing systems such as Jira that allow us to assign tasks and track progress. We can take the findings from an assessment or penetration test, and task those to an analyst. But these general-use systems, by themselves, lack the specificity necessary to manage information security risk as a business function. Tasks get completed – but were those the right tasks that we needed done now? How has the completion of those tasks impacted our overall security posture? Do these ticketing systems provide the visibility that senior leaders need to assess the state of our infosec program? Are we remediating our critical vulnerabilities faster than we are discovering new ones? In short, are we winning or losing?
Many small-to-medium sized businesses (SMBs) lack even these ticketing systems to manage their infosec workflow. Assessment and test reports are delivered as pretty PDF reports that are often hundreds of pages long. Management reads the executive summary and gains risk insight at the macro level. But then the report is handed to the IT staff with instructions to “fix this stuff.” The staff may jump on a few critical items, but soon “the tyranny of the now” interrupts their efforts, and that beautiful (and expensive) report grows stale. Management insight into remediation efforts is limited to staff-meeting updates, and they lack the visibility to understand and evaluate the prioritization and use of resources.
Information security is expensive, and the growing shortage of analysts will only exacerbate this problem. We need to find efficiencies that enable us to obtain maximum value from our precious investments. In other words, we need better logistics solutions for our information security programs.
I have been a provider of risk assessments. I have taken pride in helping my clients identify problems and guiding them to solutions that are appropriate for their resource budget and risk appetite. I helped my clients identify where to apply their limited resources (the labor of their front-line defenders and their investment capital), and that has been very fulfilling. But that satisfaction has too often been overshadowed by frustration. Checking back in on my clients in the months following an engagement, I have too often been disheartened to find that my work was collecting dust in the bottom of a drawer. Resources were being applied to problems – but not in a prioritized and systematic fashion that provided the greatest ROI for risk reduction. In short, I have been witnessing failures in logistics.
I don’t claim to have a magic-bullet solution, but it doesn’t take a lot of analytical skill to realize that we lack tools to manage our information security logistics. We have tools like QuickBooks for accounting, Salesforce for customer relationship management (CRM) and numerous solutions for material requirements planning (MRP). These tools help us prioritize, assign tasks and provide the high-level visibility that senior leaders need to identify trends and re-prioritize efforts. They help us institutionalize the recurring processes that their respective business functions require to realize efficiencies. Companies buy these solutions because they understand that they bring a high degree of ROI; it is almost inconceivable to operate a modern business without them.
Until recently, businesses have had few (if any) options for similar solutions for their information security functions. But as Dylan said, “Times are a changin’.”
Today, I’m excited to join the amazing team at PlexTrac (www.plextrac.com) who are delivering infosec logistics tools today while rapidly developing new solutions for even greater workflow efficiencies. Logistics may not be sexy, and having solid tools will not guarantee success in our enduring conflict with cyber adversaries. But without tools that link the identification of risk with remediation efforts, our chances of failure are surely much higher.
If you are interested in learning more about my new passion, feel free to PM me or simply go to www.plextrac.com and click on “Request a Demo.”