http://blog.clearnetsec.com/articles/tag/riskequation en-us 40 <p>We found ourselves in a healthy debate recently over a question posed by a customer that went something like this:</p> <blockquote>What should be my top 5 things to do now to improve our security?</blockquote> <p>This was from a young startup that was about to receive their next stage of funding and desired to do &ldquo;things right&rdquo;.&nbsp; I started down the path of listing popular security tools:</p> <blockquote>Firewalls, IDS, Anti-Virus, Central Logging, Encryption, Patch Management, etc.</blockquote> <p>I was presuming we would be able to answer this question and have some agreement on which &ldquo;security&rdquo; tools would have a higher priority for deployment.&nbsp; I was wrong.</p> <p>There are many different ways to answer this question and enough premises to fuel debate that you soon feel like you&rsquo;re arguing in circles. As a group we haven&rsquo;t formulated a consensus yet, but I feel there is a logical way to get there, at least for particular tools.</p> <p>Let&rsquo;s hypothetically say we had to choose between &lsquo;patch management&rsquo; (i.e. keeping up on patches) and anti-virus.&nbsp; </p> <p>Now the context I was trying to retain to answer this question was that of a CTO asking you while taking an elevator ride (i.e. need to be quick).&nbsp; </p> <p>After some debate I ended up referencing my &ldquo;threat modeling&rdquo; docs.&nbsp; Unfortunately threat modeling must come before choosing anything &ndash; you need a threat profile before selecting solutions which mitigate threats.&nbsp; But that is not going to help us answer this question in 30 seconds.&nbsp; </p> <p>Can we use threat modeling to make some general propositions about all companies with respect to choosing a particular security solution over another?</p> <p>I think that should be possible.&nbsp; </p> <p>In threat modeling parlance, the entry point is where an adversary can interface to the system.&nbsp; To keep this somewhat simple, let&rsquo;s say we have two small networks with identical systems:&nbsp; same assets, same trust paradigm, and the same type environment you would typically see in a startup.&nbsp; So then, which security tools are better (or provide better value or reduce the risk the most, etc.)?</p> <p>Let&rsquo;s also presume for this exercise that we&rsquo;re dealing with what <em>most</em> networks see <em>most</em> frequently &ndash; this in the context that most systems on the internet are constantly being scanned for open and vulnerable services by potential attackers.&nbsp; If we roll up, so to speak, the threats associated with how viruses propagate or how vulnerable services are found and exploited, then I think we can agree that not only is this an accurate statement about reality but also that both anti-virus and patch management solutions focus on mitigating this same threat (or set of threats).&nbsp; That is to say they both are designed to prevent the masses from these threats and they both fail at exception cases (e.g. 0day).&nbsp; &nbsp;&nbsp;</p> <p>If the above holds true, then how can we use the risk equation to evaluate which is a better solution:&nbsp; patch management or anti-virus?</p> <blockquote>Risk = Threat x Vulnerability x Cost</blockquote> <p>In our scenario we have identical networks exposed to the same threats and have the same cost and vulnerability values.&nbsp; The real question is which solution lowers the <s>threat</s> vulnerability value.&nbsp; </p> <p>I would argue that patch management reduces the risk more than anti-virus.&nbsp; This based on generally that patch management:</p> <ul type="disc"> <li>Will reduce the number of attack vectors more than anti-virus </li> <li>Is subject to a higher frequency of attacks (i.e. vulnerable service scans and attacks happen more than virus propagation attacks). Also noting the observation that viruses typically proceed post vulnerability disclosure.</li> </ul> <p>If the above assumptions are correct then we can say the company which successfully deployed a patch management solution has greater security strength.&nbsp; More so that most startups of the type that posed this question to us would be better served security wise to first deploy patch management.&nbsp; </p> <p>Now the question is can we make some generalized statements that apply for most companies and create a list prioritizing security tools to deploy (within reason and allowing for variance).&nbsp; </p> <p>Thoughts?</p> Thu, 14 Sep 2006 14:55:00 -0600 urn:uuid:051ab5a0-b3fa-475b-99fc-7382bb15f9dd tate@ClearNetSec.com (Tate Hansen) http://blog.clearnetsec.com/articles/2006/09/14/is-it-possible-to-prioritize-the-deployment-of-common-security-tools-for-most-companies security ClearNet Security Tate Hansen risk equation security tools prioritize