Is it possible to prioritize the deployment of common security tools for most companies?
Posted by Tate Hansen Thu, 14 Sep 2006 20:55:00 GMT
We found ourselves in a healthy debate recently over a question posed by a customer that went something like this:
What should be my top 5 things to do now to improve our security?
This was from a young startup that was about to receive their next stage of funding and desired to do “things right”. I started down the path of listing popular security tools:
Firewalls, IDS, Anti-Virus, Central Logging, Encryption, Patch Management, etc.
I was presuming we would be able to answer this question and have some agreement on which “security” tools would have a higher priority for deployment. I was wrong.
There are many different ways to answer this question, and enough competing premises to fuel a debate, that you soon feel like you’re arguing in circles. As a group we haven’t reached a consensus yet, but I think there is a logical way to get there, at least for particular tools.
Let’s hypothetically say we had to choose between ‘patch management’ (i.e. keeping up on patches) and anti-virus.
The context I was trying to keep in mind was that of a CTO asking you the question during an elevator ride, i.e. the answer needs to be quick.
After some debate I ended up referencing my “threat modeling” docs. Unfortunately threat modeling must come before choosing anything: you need a threat profile before you can select solutions that mitigate those threats. But that is not going to help us answer this question in 30 seconds.
Can we use threat modeling to make some general propositions about all companies with respect to choosing a particular security solution over another?
I think that should be possible.
In threat modeling parlance, an entry point is where an adversary can interface with the system. To keep this somewhat simple, let’s say we have two small networks with identical systems: same assets, same trust model, and the same type of environment you would typically see in a startup. So then, which security tools are better (provide better value, reduce the risk the most, etc.)?
Let’s also presume for this exercise that we’re dealing with what most networks see most frequently: most systems on the internet are constantly being scanned by potential attackers for open and vulnerable services. If we roll up, so to speak, the threats associated with how viruses propagate and how vulnerable services are found and exploited, then I think we can agree not only that this is an accurate statement about reality, but also that anti-virus and patch management both focus on mitigating this same threat (or set of threats). That is to say, both are designed to protect the masses from these threats, and both fail in the exception cases (e.g. 0day).
If the above holds true, then how can we use the risk equation to evaluate which is a better solution: patch management or anti-virus?
Risk = Threat x Vulnerability x Cost
In our scenario we have identical networks exposed to the same threats, with the same cost and vulnerability values. The real question is which solution lowers the vulnerability value the most.
I would argue that patch management reduces the risk more than anti-virus. This is based generally on the observations that patch management:
- Reduces the number of attack vectors more than anti-virus does
- Addresses a higher frequency of attacks (i.e. scans for and attacks on vulnerable services happen more often than virus propagation attacks), and viruses typically follow vulnerability disclosure anyway
If the above assumptions are correct, then we can say the company that successfully deployed a patch management solution has the greater security strength. More to the point, most startups of the type that posed this question to us would be better served, security-wise, by deploying patch management first.
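As an added worked example (not from the original post), here is the risk equation above applied to the two countermeasures. Each threat vector carries Threat, Vulnerability and Cost values, each control leaves some fraction of the vulnerability term in place, and the residual risk is summed over all vectors. Every vector name, frequency, cost and effectiveness factor below is a constructed assumption chosen to match the reasoning in the post, not a measured statistic, and the helper names are my own. It also goes one step beyond the post: it solves for how much more frequent attachment-borne attacks would have to be before anti-virus overtakes patch management, which is exactly the kind of number real statistics would have to supply.

```python
"""Risk = Threat x Vulnerability x Cost, applied to compare two countermeasures.

Added worked example. The threat vectors, frequencies, costs and effectiveness
factors below are constructed assumptions for illustration, not measured data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatVector:
    name: str
    threat: float         # relative frequency of attempts against the network (assumed)
    vulnerability: float  # chance an attempt succeeds with no countermeasure (assumed)
    cost: float           # relative impact of one successful compromise (assumed)

    def risk(self) -> float:
        return self.threat * self.vulnerability * self.cost


# Constructed sample of the threats "most networks see most frequently".
VECTORS = [
    ThreatVector("exposed service exploit", threat=10.0, vulnerability=0.5, cost=10.0),
    ThreatVector("worm propagation", threat=6.0, vulnerability=0.5, cost=8.0),
    ThreatVector("email attachment", threat=4.0, vulnerability=0.4, cost=6.0),
]

# Fraction of the vulnerability term that remains after deploying each control.
# 0.1 means the control removes 90% of the exposure on that vector (assumed values).
CONTROLS = {
    "patch management": {
        "exposed service exploit": 0.1,
        "worm propagation": 0.3,   # worms mostly ride known, patchable bugs; 0day remains
        "email attachment": 0.9,   # patching closes some client bugs, not the user's click
    },
    "anti-virus": {
        "exposed service exploit": 0.8,  # signatures rarely stop a live service exploit
        "worm propagation": 0.4,
        "email attachment": 0.2,
    },
}


def residual_risk(vectors, effectiveness, scale=None):
    """Sum of Threat x (Vulnerability x remaining fraction) x Cost over all vectors.

    `scale` optionally multiplies the threat term of named vectors, so the same
    function answers "what if attachments were N times more common than assumed?".
    """
    scale = scale or {}
    total = 0.0
    for v in vectors:
        remaining = effectiveness.get(v.name, 1.0)  # unmitigated vectors keep full exposure
        total += v.risk() * remaining * scale.get(v.name, 1.0)
    return total


def rank_controls(vectors, controls):
    """Control names ordered by the residual risk they leave, lowest first."""
    return sorted(controls, key=lambda name: residual_risk(vectors, controls[name]))


def flip_multiplier(vectors, controls, better, worse, vector_name):
    """How many times more frequent `vector_name` must become before `worse`
    overtakes `better`. Residual risk is linear in that vector's threat term, so
    the break-even multiplier can be solved directly. Returns None if scaling
    that vector can never make `worse` win."""
    def parts(name):
        eff = controls[name]
        vec = sum(v.risk() * eff.get(v.name, 1.0) for v in vectors if v.name == vector_name)
        rest = sum(v.risk() * eff.get(v.name, 1.0) for v in vectors if v.name != vector_name)
        return vec, rest

    b_vec, b_rest = parts(better)
    w_vec, w_rest = parts(worse)
    if b_vec <= w_vec:
        return None  # `better` also wins on this vector, so scaling it never helps `worse`
    return (w_rest - b_rest) / (b_vec - w_vec)


if __name__ == "__main__":
    for name in rank_controls(VECTORS, CONTROLS):
        print(f"{name:16s} residual risk = {residual_risk(VECTORS, CONTROLS[name]):.2f}")
    m = flip_multiplier(VECTORS, CONTROLS, "patch management", "anti-virus", "email attachment")
    print(f"anti-virus wins only if attachments become {m:.1f}x more frequent than assumed")
```

With these assumed numbers patch management leaves a residual risk of about 20.8 against about 51.5 for anti-virus, and anti-virus only pulls ahead if attachment-borne attacks are roughly 5.6 times more frequent than assumed. Which side of that line a real company sits on is an empirical question, which is why the post keeps coming back to the missing statistics.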
Now the question is whether we can make some generalized statements that apply to most companies and build a prioritized list of security tools to deploy (within reason, allowing for variance).
Thoughts?

Are the employees likely to click on attachments or run programs from the internet?
We use a different equation for risk here, Risk = (Cost of event) * (Percentage of event happening)
That is a fun question, small start-up and a quick “what are the top 5 things I can do to do things right?” That’s a “Yay!” and a “Yikes!” in one! I would assume that back-ups are already done and out of scope of this discussion, otherwise I would make back-ups # 1.
AV vs Patch Management (PM) is a tough one. With PM you have really three major benefits: 1) you get new features, such as upgrading XP’s wireless capabilities from the older versions, 2) patching of the OS for local network attacks, and 3) upgrades to applications on the OS like IE and Office. Typically speaking, I would consider #3 more important, as most companies have a controlled local network (i.e. behind a firewall) and likely are not going to notice not having the most up-to-date tools right away in the OS. Granted, this is leaving a soft chewy middle, but when push comes to shove, this is how I see PM: A way to protect apps like IE and Office from user mistakes, which will happen.
AV allows the detection, stopping, and possible cleaning of malware to varying degrees. This can stop the propagation of worms as well as IM/Email-borne malware. My bet is email malware will be much more prolific for the company on a weekly basis, and it would totally suck to have a user run one of those apps. The bad part of all of this, is that both options go back to the user. How many users will visit a bad IE site and not tell anyone? Or click the “yeah, please run whatever you want on this page” button and not tell anyone? Or run an attachment on accident when they thought they were deleting it and not tell anyone? Sadly, a lot.
If I had to rate these in an order, I think I would put AV just a little bit ahead of PM only because AV can catch some PM-related malware before it strikes. However, I think both would be in my top 5 list, especially if you just do Windows Auto Updates on each desktop machine. If we are talking about servers, on the other hand, run by even halfway competent admins, I would flip these two items and say PM is just a hair better than AV.
A slightly different measure will be the management. If they are talking casually with colleagues in other start-ups, will they be ridiculed for deploying AV before PM? Chances are, a lot of people will raise their eyebrows and think someone an idiot for doing AV before PM, because, let’s face it, every CIO article about security mentions AV a bit before PM, and most companies do AV before robust PM anyway. The perception is important enough to act in tie-break situations and such. But if you suggest PM over AV, and 10 out of 10 other friends, family, and colleagues think that’s foolish, that manager may think you foolish and also not like that you made them look foolish to others.
shrug Reality… As far as further prioritization, I think they shift depending on the size of the start-up, whether this is for servers or desktops and how many of each they have, their user base, their critical systems (an IT/web shop will be different than a think tank), network layout, and their IT-knowledgeable staff. Central logging, while excellent and a cornerstone of proper security, reporting, and auditing, I’m not sure it would make my short list of top 5 things to do for a small start-up.
Holy lack of line breaks, batman! Sorry about that…they were there! O_o
Thanks for the comments! LonerVamp, I added some line breaks. I had to update the Typo db table – I added a few html attributes to give it space. I guess the default Typo app doesn’t pick up on it.
AV vs. Patch Management is one of the tougher choices we debated. I am still hoping to find some really good sites with statistics on the frequency of certain events. Information like:
http://www.securitystats.com/infosec.html
That would help a lot to support the argument that there is a way to use threat modeling and the risk equation to make general statements about the priority of deploying particular security solutions for most companies.
This is from CERT/CC (August 17, 2000):
The quote above doesn’t say anything about whether AV is better than Patch Management or not. I did create a contrived and incomplete example comparing the two against the threat vectors associated with network-based delivery. An employee opening an attachment is a good example of another threat vector that needs to be considered, along with probably dozens of others.
I think it would be interesting to work backwards with respect to threat modeling and identify the threats that particular security point solutions attempt to mitigate (keeping in mind at the same time that these security solutions are likely addressing some sort of vulnerability or vulnerabilities). This shouldn’t be an impossible task, and I’m guessing information would come from it which may help in making better choices.
Although, after debating more today, it seems the lack of good statistics and the subjectivity of specifying values for the risk equation make it hard to develop strong cases either way.
Actually, now that I think about it more, I may have misused the equation for the contrived example in my original post. Probably the correct thing to do in this contrived example is to pick which solution reduces the “vulnerabilities” the most. Because I had narrowed the threat for the example to be “associated with how viruses propagate or how vulnerable services are found and exploited”, I’m guessing the Threat and Cost would be the same. What is different is which countermeasure is more effective for the general case. AV and Patch Management are not removing the threat; they are reducing exposure.
I updated my original post to reflect what I hope is the proper usage.
Great post, Tate.
I saw a web cast from CORE last night where Gartner and SANS talked about various security issues. Gartner told us that today we see about 1% of vulnerabilities exploited before a patch is released and that this is expected to rise to 20% by 2008. If this is correct, Patch Management will have a lower priority than technologies that will prevent the exploits before a patch is released. This does not, however, have to be AV. It could be IPS (think TippingPoint’s “virtual patching” thing).
For us (a 25,000 person company), AV systems often save us before patching does. This is simply because a patch process takes days (because systems are being altered and need to be tested, QA approved etc) while an AV update takes seconds (no QA validation required). We also get better tracking. If a system is exploited or unsuccessfully attacked, we will get notified by the AV software. If an unpatched system is attacked, we don’t know right away…
Just my $0.02. I can also tell you that uptime and backup rate higher in the heads of VPs than anything else. But of course, not patching can become an uptime issue…