Is it possible to prioritize the deployment of common security tools for most companies?
Posted by Tate Hansen Thu, 14 Sep 2006 20:55:00 GMT
We found ourselves in a healthy debate recently over a question posed by a customer that went something like this:
What should be my top 5 things to do now to improve our security?
This was from a young startup that was about to receive their next stage of funding and desired to do “things right”. I started down the path of listing popular security tools:
Firewalls, IDS, Anti-Virus, Central Logging, Encryption, Patch Management, etc.
I was presuming we would be able to answer this question and have some agreement on which “security” tools would have a higher priority for deployment. I was wrong.
There are many different ways to answer this question and enough premises to fuel debate that you soon feel like you’re arguing in circles. As a group we haven’t formulated a consensus yet, but I feel there is a logical way to get there, at least for particular tools.
Let’s hypothetically say we had to choose between ‘patch management’ (i.e. keeping up on patches) and anti-virus.
Now, the context I was trying to keep in mind while answering this question was that of a CTO asking you during an elevator ride (i.e. the answer needs to be quick).
After some debate I ended up referencing my “threat modeling” docs. Unfortunately threat modeling must come before choosing anything – you need a threat profile before selecting solutions which mitigate threats. But that is not going to help us answer this question in 30 seconds.
Can we use threat modeling to make some general propositions about all companies with respect to choosing a particular security solution over another?
I think that should be possible.
In threat modeling parlance, the entry point is where an adversary can interface with the system. To keep this somewhat simple, let’s say we have two small networks with identical systems: same assets, same trust paradigm, and the same type of environment you would typically see in a startup. So then, which security tools are better (or provide better value, or reduce the risk the most, etc.)?
Let’s also presume for this exercise that we’re dealing with what most networks see most frequently, in the context that most systems on the internet are constantly being scanned for open and vulnerable services by potential attackers. If we roll up, so to speak, the threats associated with how viruses propagate and how vulnerable services are found and exploited, then I think we can agree not only that this is an accurate statement about reality but also that both anti-virus and patch management solutions focus on mitigating this same threat (or set of threats). That is to say, they are both designed to protect the masses from these threats, and they both fail at exception cases (e.g. 0day).
If the above holds true, then how can we use the risk equation to evaluate which is a better solution: patch management or anti-virus?
Risk = Threat x Vulnerability x Cost
In our scenario we have identical networks exposed to the same threats, with the same cost and vulnerability values. The real question is which solution lowers the vulnerability value more.
I would argue that patch management reduces the risk more than anti-virus. This is based generally on the observation that patch management:
- Will reduce the number of attack vectors more than anti-virus
- Mitigates threats that occur at a higher frequency (i.e. vulnerable-service scans and attacks happen more often than virus propagation attacks). Note also the observation that viruses typically follow vulnerability disclosure.
If the above assumptions are correct, then we can say the company which successfully deployed a patch management solution has greater security strength. Moreover, most startups of the type that posed this question to us would be better served, security-wise, by deploying patch management first.
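To make the argument concrete, here is an added example (not from the original post) that encodes the two “masses” threats, the two controls, and the exception case in the Risk = Threat x Vulnerability x Cost equation, then ranks the possible deployments. All frequencies, vector counts, costs and coverage shares are constructed for illustration; the Vulnerability term is modeled as the number of attack vectors still open after the deployed controls.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Threat:
    name: str
    frequency: float  # Threat term: relative rate of attempts (constructed)
    vectors: int      # attack vectors the threat can use (constructed)
    cost: float       # Cost term: impact of one success (constructed)
    exception: float  # share of attempts neither control stops, e.g. 0day (constructed)


# The two threats the post rolls up, with constructed numbers: scans for
# vulnerable services are far more frequent than virus propagation.
THREATS = (
    Threat("vulnerable_service_exploit", frequency=10.0, vectors=8, cost=1.0, exception=0.1),
    Threat("virus_propagation", frequency=3.0, vectors=4, cost=1.0, exception=0.1),
)

# Share of each threat's non-exception vectors a control closes (constructed).
# Patching also blunts virus propagation because viruses follow disclosed bugs.
CONTROLS = {
    "patch_management": {"vulnerable_service_exploit": 1.0, "virus_propagation": 0.7},
    "anti_virus":       {"vulnerable_service_exploit": 0.0, "virus_propagation": 1.0},
}


def open_vectors(threat, deployed):
    """Vulnerability term: attack vectors still open after the deployed controls."""
    remaining = 1.0
    for control in deployed:
        remaining *= 1.0 - CONTROLS[control].get(threat.name, 0.0)
    return threat.vectors * (threat.exception + (1.0 - threat.exception) * remaining)


def risk(deployed=()):
    """Risk = sum over threats of Threat x Vulnerability x Cost."""
    return sum(t.frequency * open_vectors(t, deployed) * t.cost for t in THREATS)


def rank_deployments():
    """Every subset of controls, lowest residual risk first."""
    names = tuple(CONTROLS)
    options = [c for n in range(len(names) + 1) for c in combinations(names, n)]
    return sorted(((opt, round(risk(opt), 4)) for opt in options), key=lambda x: x[1])


def first_deployment():
    """The single control that lowers risk the most, i.e. what to deploy first."""
    return min(CONTROLS, key=lambda c: risk((c,)))


if __name__ == "__main__":
    for deployed, value in rank_deployments():
        print(f"{', '.join(deployed) or 'none':35} risk={value}")
    print("deploy first:", first_deployment())
```

Changing the constructed numbers (say, a virus that exploits an undisclosed bug, so patching covers none of it) is the quickest way to see which assumptions the conclusion actually rests on.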
Now the question is: can we make some generalized statements that apply to most companies and create a prioritized list of security tools to deploy (within reason and allowing for variance)?
Thoughts?
