Trading Risk Paralysis for Actionable Intelligence

Recently, we announced our partnership with Rapid7, a company that philosophically has a lot in common with TriGeo. In the world of 140-character thoughts, the short version is: don’t get caught in risk paralysis, focus on actionable intelligence.

There’s a place for signature-based anti-virus, even if it’s just cleanup. There’s a place for Patch Tuesdays (or Mondays, or…). There’s a place for traditional vulnerability scans. There’s a place for PCI, HIPAA, and other compliance measures. All of those things exist to assist in the straightforward process of reducing your attack profile. If I only have anti-virus, I’m more likely to catch something; if I patch, I’m less likely to catch a virus that is more than a year old; if I scan and I’m compliant, I meet a pre-existing standard.

So, you’ve patched, you’ve scanned, you’re PCI compliant, and you still get breached…

Unfortunately, this is the world we live in, where attacks rely on social engineering and data exfiltration, or use zero-day attacks that have no signature/patch. And frankly, 100% patch coverage is incredibly difficult.

So, where could you have made an improvement? One word…visibility.

A lot of Vulnerability Assessment tools will be happy to tell you something like, “you are running an insecure version of OpenSSH.” What they don’t tell you is, “but you don’t have that option enabled in your sshd_config, so it doesn’t matter” – or, in English, “but that can’t be exploited, so I’m going to make it less important.” Even thinking about a typical patch scan, you might learn that you’re missing 10 patches, but what does that mean to your actual exposure? Does it really increase the likelihood of a breach? It’s up to you to prioritize, investigate, collect your evidence, and, frankly, argue with your auditor or internal staff/management. I suppose one could argue that’s “actionable intelligence” – however, it’s your job to do the “action” and gather the other 90% of the “intelligence.”
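The OpenSSH case above is the kind of context a scanner could add but usually doesn't: a version-only finding matters only if the configuration actually exposes the code path. The script below is an added example, not code from the original post or from any vendor it names. It parses a constructed sshd_config the way OpenSSH does (case-insensitive keywords, first global occurrence wins, everything after a `Match` line is conditional), then re-scores constructed scanner findings (placeholder ids) according to whether the directive each one depends on is globally set, set only inside a `Match` block, or left at its default. The directive defaults in `DEFAULTS` are assumptions for illustration and must be verified against sshd_config(5) for the OpenSSH version actually deployed.

```python
"""Re-score version-based scanner findings against the effective sshd_config.

Added example. Everything here is constructed: the sshd_config text, the
findings (placeholder ids), and the defaults in DEFAULTS, which are assumptions
to be checked against sshd_config(5) for the version in use.
"""
from dataclasses import dataclass, field

# Assumed compiled-in defaults for the directives this example reasons about.
DEFAULTS = {
    "x11forwarding": "no",
    "passwordauthentication": "yes",
    "permittunnel": "no",
}

# Constructed sshd_config: note the duplicate PasswordAuthentication line
# (OpenSSH keeps the first) and the Match block at the end.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config for this example
Port 22
PermitRootLogin no
PasswordAuthentication no
PasswordAuthentication yes
# X11Forwarding is not set here, so the compiled-in default applies
Match User deploy
    PermitTunnel yes
"""

# Constructed findings. "requires" names the directive/value the finding needs
# to be reachable; None means the version alone is enough.
SAMPLE_FINDINGS = [
    {"id": "FINDING-PLACEHOLDER-1", "severity": "high",
     "requires": ("x11forwarding", "yes")},
    {"id": "FINDING-PLACEHOLDER-2", "severity": "medium",
     "requires": ("passwordauthentication", "yes")},
    {"id": "FINDING-PLACEHOLDER-3", "severity": "high",
     "requires": ("permittunnel", "yes")},
    {"id": "FINDING-PLACEHOLDER-4", "severity": "critical",
     "requires": None},
]

DOWNGRADED_SEVERITY = "low"


@dataclass
class SshdConfig:
    """Effective directive values: global scope plus anything set under Match."""
    globals_: dict = field(default_factory=dict)     # keyword -> effective value
    conditional: dict = field(default_factory=dict)  # keyword -> values seen under Match


def parse_sshd_config(text: str, defaults: dict) -> SshdConfig:
    """Parse sshd_config text using OpenSSH's main rules: '#' lines are comments,
    keywords are case-insensitive, 'Keyword value' and 'Keyword=value' are both
    accepted, the first global occurrence wins, and directives after a Match
    line only apply conditionally."""
    cfg = SshdConfig(globals_=dict(defaults))
    seen_global = set()
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head = line.split(None, 1)[0]
        if "=" in head:
            keyword, _, value = line.partition("=")
        else:
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            keyword, value = parts
        keyword, value = keyword.strip().lower(), value.strip().lower()
        if keyword == "match":
            in_match = True
            continue
        if in_match:
            cfg.conditional.setdefault(keyword, set()).add(value)
        elif keyword not in seen_global:
            seen_global.add(keyword)
            cfg.globals_[keyword] = value
    return cfg


def prioritize(findings, cfg: SshdConfig):
    """Return (id, status, effective severity) per finding. A finding keeps its
    severity when its required directive is globally set ('exposed') or set
    inside a Match block ('conditional', for a human to check who it covers);
    otherwise it is 'mitigated-by-config' and downgraded."""
    out = []
    for f in findings:
        if f["requires"] is None:
            out.append((f["id"], "exposed", f["severity"]))
            continue
        keyword, needed = f["requires"]
        if cfg.globals_.get(keyword) == needed:
            out.append((f["id"], "exposed", f["severity"]))
        elif needed in cfg.conditional.get(keyword, set()):
            out.append((f["id"], "conditional", f["severity"]))
        else:
            out.append((f["id"], "mitigated-by-config", DOWNGRADED_SEVERITY))
    return out


if __name__ == "__main__":
    config = parse_sshd_config(SAMPLE_SSHD_CONFIG, DEFAULTS)
    for fid, status, severity in prioritize(SAMPLE_FINDINGS, config):
        print(f"{fid}: {status} ({severity})")
```

The `conditional` status is the important design choice: a directive enabled only under `Match` is neither safe to ignore nor as urgent as a global setting, so the script keeps the severity and labels it for review rather than guessing which users or hosts the block covers.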

There are a ton of really cool security tools out there and lots of innovation that has real use cases in real networks – tools like DLP (Data Leak Prevention), DAM (Database Activity Monitoring), WAF (Web Application Firewall), and even IAM (Identity/Access Management) and PIM (Privilege Identity Management). List of TLAs aside, navigating this landscape is horribly difficult unless you know where your issues are in the first place. This whole problem leads to a “risk paralysis” where we get stuck in a never-ending loop of, “I don’t know how to know if that technology solves enough of the problem to justify my time/dollars, so I’m going to table it and come back.” One of those technologies really could have saved your bacon; others would have just been throwing mud at the wall and hoping it sticks.

How do you know?

*** This is a Security Bloggers Network syndicated blog from TriGeoSphere authored by Nicole Pauls. Read the original post at: http://blog.trigeo.com/2011/risk-paralysis/