Question No. 1 – Does your organization have a formalized risk analysis process? … 90 percent of the respondents, said that their organizations have such a formalized risk analysis process.

Question No 2 – Does your organization have an executive with a mandate to manage enterprise risk ? … only about 40 percent of the respondents had an executive with such a mandate.

Enterprise Security Risk Management Benchmarking Survey - April 2010

“That’s hard to believe, given that extreme events and risk management are making headlines almost every other day.”

In order  to understand why large enterprises invest in risk analysis process but not in risk management we need to take a closer look at Western (US and EU for the sake of argument) corporate value systems.

For a manager of a company on the verge of bankruptcy, equity compensation is a one-sided bet with upside only. For example, say the CEO  bets on a bridge loan at usurious terms in order to buy time to close an acquisition deal. If the bet pays off, his equity compensation pays off, but if he loses the bet (and the company goes bankrupt or is sold for a pittance), his personal compensation exposure is zero, but the stockholders, bond holders, customers and business partners will be left holding the bag.  Since it’s a one-sided bet with no downside, executives may also be tempted to adopt borderline business practice in order to proactively optimize their compensation.

Risk analysis provides invaluable input to improve business practice and reduce security breach exposure but you have to execute on the implementation of the security countermeasures and be prepared to hold them up to scrutiny of your peers on a regular basis.  That requires a strong work ethic, transparency and accountability.

Since executives are generally not held personally accountable for security breaches  - it is not surprising at all that most enterprises have  formal risk analysis processes but few firms have managers with  the personal responsibility to execute on security risk management.

Let’s return to our original question – ‘Is IT equipped to deal with clear and present danger?’

We now see that IT and their information security colleagues may indeed have the formal risk analysis processes and even the latest in data security technology countermeasures to reduce the impact of security breaches but they don’t function inside a corporate value system that rewards them for cost-effective security.

And that my friends – is already an ethical question, not a process management nor a compensation question.

• Bloatware/system resource consumption – if you’re concerned with anti-virus system resource usage, imagine layering another 100MB of software, another 20MB of data security rules and loads of network traffic for management just for the luxury of getting a good deal from Symantec on a piece of integrated software that IT doesn’t know how to manage anyhow.
• Software vulnerabilities – if you have issues with the anti-virus – you don’t want them affecting your data flows via the DLP agent. Imagine a user uninstalling  the anti-virus and impacting the DLP agent.
• Diversity – the strong anti-virus products have weak DLP agents – which means that the advantage of a single management platform is spurious. Having strong anti-virus software on your Windows PCs from a vendor like McAfee complements having strong data loss prevention from a company like Verdasys.
• Not a good fit for the organization – IT manage the Anti-virus,   Security manage the data security and never the twain shall meet.

There are 3 general classes of internal attacks that are never going to be mitigated by access controls:

Trusted insider theft

A trivial example is a director of new technology development at a small high-tech startup who would have access to the entire company’s IP, the competitive analyses, patent applications and minutes of conversations with all the people who ever stopped in to talk about the startup’s technology. That same person has access by definition but when he takes his data and sucks it out the network using a back-door, a proxy, an HTTP GET or just a plain USB or Gmail account – there is no way an Active Directory access control will be able to detect that as “anomalous behavior”.

Social engineering

Collusion between insiders, gaming the system, taking advantage of friends and DHL messengers who go in and out of the office all the time with their bags.

Side channel attacks

Detecting data at a distance with acoustic or Tempest attacks – for example. or watching parking lot traffic patterns….

This is certainly true at a national security level where trusted insiders that committed espionage have caused considerable damage.  MITRE Corporation – Detecting Insider Threat Behavior

There are three core and interrelated problem in modern data security:

You may say – fine, let’s spend more time observing employee behavior and educate supervisors for tell-tale signs of change that may indicate impending involvement in a crime.

However – malicious outsiders (criminals, competitors, terrorists…) that may exploit employees in order to obtain confidential data is just another vulnerability in a whole line of business vulnerabilities.  Any vulnerability must be considered within the context of a threat model – the organization has assets that are damaged by threats that exploit vulnerabilities that are mitigated by countermeasures.   The organization needs to think literally  outside the box and at least attempt to identify new threats and vulnerabilities.

The issue is not that employees can be bought or manipulated, the issue is that government and other hierarchical organizations use a fixed system of security controls.  In reducing the organization’s security to passive executives of defense rules in their procedures and firewalls, we ignore the extreme ways in which attack patterns change over time. Any control policy that is presumed optimal today is likely to be obsolete tomorrow.  It is a fair assumption that an organization that doesn’t change data security procedures frequently – will provide an insider with  enough means, opportunity and social connectivity to game the system and once he or she has motivation – you have a crime.

Learning about change and changing your security systems must be at the heart of day-to-day security management.

Mark Brewer wrote a thoughtful post on Risk in IT – I liked his use of the  term “resilient organizations”, although I have been using the term “robust organizations”.   The semantic difference between robustness and resilience may be related to the difference between IT and security management world-views.

“Risk in IT”  derives from a fundamental dissonance between information technology and security -

IT management is about planning and executing predictable business processes. Security is about planning for the the unpredictable.

This fundamental dissonance often causes a cultural schism between IT/CIO and Security/CSO. In many organizations the dissonance is amplified by two additional factors – a) splitting of physical and information security into two separate operations silos and b) external regulatory compliance.

Compliance as it pertains to security, finance and IT is often conveniently boxed into politically safe silos. OP (organizational politics) is not a bad thing, but multiple risk silos results in multiple and usually redundant costs. In addition, compliance results in the management board adopting policies that are not organically their own – which is dangerous in its own right.

The short answer to these issues is that security needs to build into (not bolt onto) the business strategy and business process itself.

We were group of 5 programmers – we had some nice accounts – like Intel, and National Semiconductor, Hadassah Hospital and Amdocs, but I always felt intimidated by the big IT integrators. One day – my DEC account manager told me that we should hold our heads high – he figured that our largest competitor didn’t have more than 1 or 2 experts at our level.

Are data security specialists like programmers – where the rock stars have 3 orders of magnitude better productivity than the average guy or gal?

And should we try to have one of these folks on the staff and make sure they are happy?

Now I think we have reached a new level of Microsoft sycophancy with the Obama administration implementing a Bush decision to standardize IT but in a way that makes practically no sense at all – let’s ban all non IE browsers.  It’s really scary to what lengths the Obama administration will go undo Bush policy.

In keeping with the requirements of the Federal Desktop Core Configuration, all third-party browsers will be removed from customer workstations beginning Tuesday, Aug.18. Internet Explorer is the standard browser and will be maintained. Netscape, Google Chrome and Firefox will be removed.”

It does make sense to standardize on a browser – but why standardize on the most vulnerable browser and operating system?  Why not standardize on Ubuntu and FF 3 on the desktop or standardize on diskless workstations with Citrix or TightVNC?

The full item is here – USDA unit bans browsers other than Internet Explorer

Most security appliance vendors use fluffy charts with a 4 step “information risk management” cycle. It’s always a 4 step cycle, like Symantec’s DLP  “Discover, Monitor, Protect and Manage” and it’s usually on a circular chart but sometimes in a Gartner-style magic quadrant or on a line.

It’s like a washing machine cycle that never stops, intent on keeping you from going home.  It’s also a sales cycle focussed on sustaining subscription revenue rather than protecting information.

The problem with the washing machine model is that it tackles the easy part of information security (running the appliance, discovering vulnerabilities, fixing things and producing reports) and ignores the hard stuff; quantification and prioritization of your actions based on financial value of assets and measurement of threat impact.

Modern security tools from companies like Qualys and Beyond Security are good at discovering exploitable vulnerabilities in the network, Web servers and applications. However – since these tools have no notion of your business context and how much you value your information assets, it is likely that your security spending is misdirected.

With reported data breaches that increased nearly 50% in 2008, and security budgets that shrunk drastically in 2009 – you need to measure how well the product reduces Value at Risk in dollars (or in Euro) and how well it will do 3 years after you buy the technology.

In order to help make that happen we will host a free weekly online workshop on data security best practices every Thursday, 15:00 GMT, 16:00 Central European Time, starting Thursday September 3, 2009.

This series of workshops is designed to help you and your team take a leadership role in the board room instead of waiting for vendor proposals in your office.

Through specific Business Threat Modeling^(TM) tactical methods we teach you how to quantify threats, valuate your risk and choose the most cost-effective security technologies to protect your data.

Data security is a war – when the attackers win, you lose. We will help you win more.

Talking with clients we stress threat modeling and analysis and doing quantitative risk analysis but I believe that psychology may be more important than the technology. This is for several reasons:

• Preventing data breach events is an admission of weakness. Data loss is caused by an attack launched from inside the company (whether by a trusted insider, business partner or malicious hacker). attacks that exploit internal vulnerabilities like the new Sharepoint server that the marketing team installed last week without consulting with the IT security team.  Who wants to spend  money on something when the first step is admitting that you’re vulnerable and that your existing security systems, policies and procedures do not meet business requirements?
• The need for instant gratification. Need to keep food fresh? – buy a fridge, Want music, voice, SMS, Web and mail? – buy an iPhone, Want IT security – buy a UTM appliance from Checkpoint or Cisco, want a CRM system – get salesforce.com, need a new enterprise software system – outsource to India. This is related to two other needs I think:
• The need to keep things simple and
• The need to walk on the safe side, not on the wild side.   Who wants to spend 6 figures on a DLP solution that requires a risk assessment from someone who isn’t your accountant,  a complex policy implementation by people who need to learn your business, integration with internal procedures and processes with employees who could care less, and buyin from a CEO who is scrappling for survival with the board during the biggest financial crisis in 80 years?

I will talk about how to sell DLP through the psychology and not the technology in an upcoming post. Stay tuned.

However, in my experience,  the same companies with well-managed firewall/IPS don’t have the foggiest notion of what’s leaving their network or what’s happening inside the network.

There is nothing like collecting data and validating the effectiveness of your security countermeasures.

This is why we need network surveillance.

internal network surveillance is a capability for monitoring transactions inside the network between servers and clients) at 3 layers – network sessions, applications, and data contained inside client/server application transactions (Oracle, DB2, MSSQL, MySQL, HTTP, FTP RPC etc…). Internal Network surveillance has a series of additional benefts (as described in RIchard Bejtlich‘s excellent book – Extrusion Detection):

• Creating defensible networks with pervasive awareness  (most firms don’t even know what’s going on in their network – a client of ours was surprised to discover that almost 40 percent of their outgoing network traffic was Google mail – more than the corporate Microsoft Exchange traffic)
• Defending against malicious sites, browser exploits, Trojans and worms. In many cases, AUP (acceptable usage violations) such as employees browsing kiddy porn sites, file sharing sites with Web access like Rapid Share,  indicate hightened levels of vulnerability to Trojans and password theft.  Many people tend to use their corporate password on private sites
• Help implement effective L3 network access  control
• Respond to internal attacks – without relying upon preconceived notions of where the attacker is coming from
• Detect variances with user access polices i.e. users who have elevated privileges or use of generic usernames with group privileges

How should you collect data?

We do data collection in a Business Threat Modeling task with human intelligence (individual or group interviews with TOP Mapping ) and electronic intelligence gathering (network surveillance).  We like Fidelis XPS for network surveillance.   XPS is an extrusion prevention appliance that attaches to the network on a tap or a span port. XPS detects internal security violations at all 3 levels – network session, application and data content.

How do you take the data and validate the effectiveness of your security countermeasures?

The results of the data collected in the human interrogation and network surveillance are plugged directly into a Business Threat modeling calculative risk model (based on the popular PTA – Practical Threat analysis tool). A customer can quickly the impact of threats on the board:

1. What  are the data types (Word, PDF, Autocad…) and volume of extrusion on the network ?
2. Who is sending sensitive information out of the company?
3. What network protocols have the most extrusion events?
4. What US/EU privacy regulations are being violated?
5. What is the economic value of assets at risk ?
6. What is the implementation and operational cost of security countermeasures (people, process and technology) to detect data loss and internal security violations (such as a DBA abusing privileges to access entire contents of company employee directory and send to her private gmail account)