Is it possible to prioritize the deployment of common security tools for most companies?

We found ourselves in a healthy debate recently over a question posed by a customer that went something like this:

What should be my top 5 things to do now to improve our security?

This was from a young startup that was about to receive their next stage of funding and desired to do “things right”.  I started down the path of listing popular security tools:

Firewalls, IDS, Anti-Virus, Central Logging, Encryption, Patch Management, etc.

I was presuming we would be able to answer this question and have some agreement on which “security” tools would have a higher priority for deployment.  I was wrong.

There are many different ways to answer this question and enough premises to fuel debate that you soon feel like you’re arguing in circles. As a group we haven’t formulated a consensus yet, but I feel there is a logical way to get there, at least for particular tools.

Let’s hypothetically say we had to choose between ‘patch management’ (i.e. keeping up on patches) and anti-virus. 

Now the context I was trying to retain to answer this question was that of a CTO asking you while taking an elevator ride (i.e. need to be quick). 

After some debate I ended up referencing my “threat modeling” docs.  Unfortunately threat modeling must come before choosing anything – you need a threat profile before selecting solutions which mitigate threats.  But that is not going to help us answer this question in 30 seconds. 

Can we use threat modeling to make some general propositions about all companies with respect to choosing a particular security solution over another?

I think that should be possible. 

In threat modeling parlance, the entry point is where an adversary can interface to the system.  To keep this somewhat simple, let’s say we have two small networks with identical systems:  same assets, same trust paradigm, and the same type of environment you would typically see in a startup.  So then, which security tools are better (or provide better value, or reduce the risk the most, etc.)?

Let’s also presume for this exercise that we’re dealing with what most networks see most frequently, in the context that most systems on the internet are constantly being scanned for open and vulnerable services by potential attackers.  If we roll up, so to speak, the threats associated with how viruses propagate or how vulnerable services are found and exploited, then I think we can agree not only that this is an accurate statement about reality but also that both anti-virus and patch management solutions focus on mitigating this same threat (or set of threats).  That is to say, they are both designed to protect the masses from these threats and they both fail at exception cases (e.g. 0day).

If the above holds true, then how can we use the risk equation to evaluate which is a better solution:  patch management or anti-virus?

Risk = Threat x Vulnerability x Cost

In our scenario we have identical networks exposed to the same threats, with the same cost and vulnerability values.  The real question is which solution lowers the vulnerability value the most.

I would argue that patch management reduces the risk more than anti-virus.  This is based generally on the view that patch management:

  • Will reduce the number of attack vectors more than anti-virus
  • Is subject to a higher frequency of attacks (i.e. vulnerable service scans and attacks happen more often than virus propagation attacks). Also note the observation that viruses typically appear after vulnerability disclosure.

If the above assumptions are correct then we can say the company which successfully deployed a patch management solution has greater security strength.  Moreover, most startups of the type that posed this question to us would be better served, security-wise, by first deploying patch management.
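As an added worked example (not code from the original post), here is a toy model of the risk equation above applied to the two identical networks: Threat and Cost are held equal per vector, each tool removes a fraction of the Vulnerability for the vectors it covers, and tools are ranked by the residual risk they leave. Every frequency and effectiveness value is a constructed assumption; the zero-day row is the exception case that neither tool mitigates.

```python
"""Toy model of Risk = Threat x Vulnerability x Cost for ranking security tools.
Added example, not code from the original post; every number below is a
constructed assumption, not measured data."""

# Constructed threat profile: vector -> (relative frequency, cost if realized).
# Threat and Cost are the same on both networks, as the post assumes.
THREATS = {
    "scan_and_exploit_vulnerable_service": (10.0, 1.0),
    "worm_propagation": (4.0, 1.0),
    "email_attachment_malware": (3.0, 1.0),
    "zero_day_exploit": (0.5, 1.0),  # exception case: neither tool covers it
}

# Constructed effectiveness: tool -> {vector: fraction of exposure removed}.
# A vector a tool does not list keeps its full exposure.
TOOLS = {
    "patch_management": {
        "scan_and_exploit_vulnerable_service": 0.9,
        "worm_propagation": 0.7,  # worms usually follow disclosure of a patched bug
        "email_attachment_malware": 0.3,
    },
    "anti_virus": {
        "worm_propagation": 0.6,
        "email_attachment_malware": 0.8,
    },
}

def residual_risk(deployed):
    """Sum over vectors of Threat x Vulnerability x Cost once `deployed` tools are in place.
    Baseline vulnerability is 1.0; each tool scales it by (1 - effectiveness)."""
    total = 0.0
    for vector, (threat, cost) in THREATS.items():
        vulnerability = 1.0
        for tool in deployed:
            vulnerability *= 1.0 - TOOLS[tool].get(vector, 0.0)
        total += threat * vulnerability * cost
    return total

def priority_list(n):
    """Greedy deployment order: at each step add the tool that cuts the most remaining risk."""
    chosen = []
    while len(chosen) < min(n, len(TOOLS)):
        remaining = [t for t in TOOLS if t not in chosen]
        chosen.append(min(remaining, key=lambda t: residual_risk(chosen + [t])))
    return chosen

if __name__ == "__main__":
    print("baseline risk:", residual_risk([]))
    print("deploy in this order:", priority_list(5))
```

With these inputs patch management leaves less residual risk than anti-virus on its own, so it comes first in the greedy list; change the constructed frequencies (for example, raise the attachment-malware rate as a later commenter suggests) and the order can flip.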

Now the question is whether we can make some generalized statements that apply to most companies and create a list prioritizing security tools to deploy (within reason and allowing for variance).

Thoughts?

Posted by tate 14/09/2006 at 14h55


Comments

  1. Frank Andrews 15/09/2006 at 08h50

    Are the employees likely to click on attachments or run programs from the internet?

    We use a different equation for risk here, Risk = (Cost of event) * (Percentage of event happening)

  2. LonerVamp 15/09/2006 at 13h54

    That is a fun question, small start-up and a quick “what are the top 5 things I can do to do things right?” That’s a “Yay!” and a “Yikes!” in one! I would assume that back-ups are already done and out of scope of this discussion, otherwise I would make back-ups # 1

    AV vs Patch Management (PM) is a tough one. With PM you have really three major benefits: 1) you get new features, such as upgrading XP’s wireless capabilities from the older versions, 2) patching of the OS for local network attacks, and 3) upgrades to applications on the OS like IE and Office. Typically speaking, I would consider #3 more important, as most companies have a controlled local network (i.e. behind a firewall) and likely are not going to notice not having the most up-to-date tools right away in the OS. Granted, this is leaving a soft chewy middle, but when push comes to shove, this is how I see PM: A way to protect apps like IE and Office from user mistakes, which will happen.

    AV allows the detection, stopping, and possible cleaning of malware to varying degrees. This can stop the propagation of worms as well as IM/Email-borne malware. My bet is email malware will be much more prolific for the company on a weekly basis, and it would totally suck to have a user run one of those apps.

    The bad part of all of this, is that both options go back to the user. How many users will visit a bad IE site and not tell anyone? Or click the “yeah, please run whatever you want on this page” button and not tell anyone? Or run an attachment on accident when they thought they were deleting it and not tell anyone? Sadly, a lot.

    If I had to rate these in an order, I think I would put AV just a little bit ahead of PM only because AV can catch some PM-related malware before it strikes. However, I think both would be in my top 5 list, especially if you just do Windows Auto Updates on each desktop machine.

    If we are talking about servers, on the other hand, run by even halfway competent admins, I would flip these two items and say PM is just a hair better than AV.

    A slightly different measure will be the management. If they are talking casually with colleagues in other start-ups, will they be ridiculed for deploying AV before PM? Chances are, a lot of people will raise their eyebrows and think someone an idiot for doing AV before PM, because, let’s face it, every CIO article about security mentions AV a bit before PM, and most companies do AV before robust PM anyway. The perception is important enough to act in tie-break situations and such. But if you suggest PM over AV, and 10 out of 10 other friends, family, and colleagues think that’s foolish, that manager may think you foolish and also not like that you made them look foolish to others. shrug Reality…

    As far as further prioritization, I think they shift depending on the size of the start-up, whether this is for servers or desktops and how many of each they have, their user base, their critical systems (an IT/web shop will be different than a think tank), network layout, and their IT-knowledgeable staff. Central logging, while excellent and a cornerstone of proper security, reporting, and auditing, I’m not sure it would make my short list of top 5 things to do for a small start-up.

  3. LonerVamp 15/09/2006 at 13h57

    Holy lack of line breaks, batman! Sorry about that…they were there! O_o

  4. Tate Hansen 16/09/2006 at 00h38

    Thanks for the comments! LonerVamp, I added some line breaks. I had to update the Typo db table – I added a few html attributes to give it space. I guess the default Typo app doesn’t pick up on it.

    AV vs. Patch Management is one of the tougher choices we debated. I am still hoping to find some really good sites with statistics on the frequency of certain events. Information like:

    http://www.securitystats.com/infosec.html

    That would help a lot to support the argument that there is a way to use threat modeling and the risk equation to make general statements about the priority of deploying particular security solutions for most companies.

    This is from CERT/CC (August 17, 2000):

    “Carnegie Mellon University estimates that 99% of all reported intrusions “result through exploitation of known vulnerabilities or configuration errors, [for which] countermeasures were available.” This directly shows how truly important it is to regularly patch systems, as well as keep current with network and system countermeasures.”

    The quote above doesn’t say anything about if AV is better than Patch Management or not. I did create a contrived and incomplete example comparing the two against the threat vectors associated with network based delivery. An employee opening an attachment is a good example of another threat vector that needs to be considered along with probably dozens of others.

    I think it would be interesting to work backwards with respect to threat modeling and identify the threats that particular security point solutions attempt to mitigate (keeping in mind at the same time these security solutions are likely addressing some sort of vulnerability or vulnerabilities). This shouldn’t be an impossible task and I’m guessing information would come from it which may help in making better choices.

    Although after debating more today it seems the lack of good statistics and the subjectivity of specifying values for the risk equation makes it hard to develop strong cases either way.

  5. Tate Hansen 16/09/2006 at 01h14

    Actually now that I think about it more, I may have mis-used the equation for the contrived example in my original post. Probably the correct thing to do in this contrived example is to pick which solution reduces the “vulnerabilities” the most. Because I had narrowed the threat for the example to be “associated with how viruses propagate or how vulnerable services are found and exploited” then I’m guessing the Threat and Cost would be the same. What is different is which countermeasure is more effective for the general case. AV and Patch Management is not removing the threat, it is reducing exposure.

  6. Tate Hansen 16/09/2006 at 01h29

    I updated my original post to reflect what I hope is the proper usage.

  7. Søren Maigaard 21/09/2006 at 05h05

    Great post, Tate.

    I saw a web cast from CORE last night where Gartner and SANS talked about various security issues. Gartner told us that today we see about 1% of vulnerabilities exploited before a patch is released and that this is expected to rise to 20% by 2008. If this is correct, Patch Management will have lower priority than technologies that will prevent the exploits before a patch is released. This does not, however, have to be AV. It could be IPS (think TippingPoint’s “virtual patching” thing).

    For us (a 25,000 person company), AV systems often save us before patching does. This is simply because a patch process takes days (because systems are being altered and need to be tested, QA approved etc) while an AV update takes seconds (no QA validation required). We also get better tracking. If a system is exploited or unsuccessfully attacked, we will get notified by the AV software. If an unpatched system is attacked, we don’t know right away…

    Just my $0,02. I can also tell you that uptime and backup rate higher in the heads of VP’s than anything else. But of course, not patching can become an uptime issue…

    • s0ren