In part 1 of "Deconstructing Defensible", I talked about how defensible isn't the same thing as secure... this is something we all need to understand. From the 'firewall guy' to the board room - the concept of defensible must stand as the primary directive of the organization and pull away from the old dogma of 'we must be secure' which is largely nonsense in a modern organization.
In part 2 today I want to talk about a problem we all have, regardless of organizational size, but, like any other condition, few admit to it and even fewer talk about it openly. Basically, in just about every organization (with little exception) there are more things to defend than there are resources to defend with. Period.
Remember playing the game of Risk when you were a kid? Maybe you still have the game now... amazing how close to that board game your life in InfoSec is now, isn't it? Except here you're playing the opposite game - instead of trying to go for world domination you're only playing defense. You're trying not to get overrun. What you have is assets all over the map, quite literally for many of you, and you don't have enough resources to allocate evenly to 'defend' all those assets.
At the risk of being overly dramatic, let's look at this from a practical standpoint. There are two types of defenses - active and static. Static defenses are your automated systems that we tend to 'set and forget (about)' like anti-virus, an IPS, a firewall, or some other piece of automation that's out there doing its job without human intervention to any large degree. Active defenses are dramatically different, and require constant human interaction to be worthwhile. Depending on the type of strategy you employ your IPS may actually be an active defense, but that depends on how much 'human resource' you attribute to it, and whether you actually act upon alerts while constantly tuning and adjusting based on intelligence-based information.
Static defenses are generally less costly, and can cover a wider range of assets. Anti-virus (as terrible an example as this is) potentially covers every endpoint in your enterprise, but does so rather poorly. However, given that not every endpoint in your enterprise gets classified as a critical asset (more on this in a moment), this is perfectly OK. There is a great argument to be made that in an enterprise no node can be neglected as it could be the entry point for an attack - and this is 101% valid, but when you've got a limited amount of resources on the defensive front you're forced to make tough choices.
Active defenses are almost always, in my experience, significantly more costly. Unlike their static counterparts, active defenses require [competent] humans to operate, monitor, and react. Active defenses, by their more costly nature, are scarcer and are more difficult to deploy in a 'shotgun' approach... have you ever tried to provide human analysis (even through a filtered dashboard) on a thousand endpoints? Active defenses are deployed strategically at critical points or where the most risk is... and now we're back to sound risk analysis. Active defenses are those like a fine-tuned, well-maintained SIEM which has a human (or team of humans) analyzing, updating, and constantly tuning the product to extract maximum signal while minimizing noise. SIEM is such a great example because many organizations I've worked with (sadly, most), across a vast variety of SIEM products, generally put in their SIEM and then expect it to churn out magic all on its own. Not only is this silly - but it misses the whole point of such a tool. These types of situations arise when a critical piece of security infrastructure only gets half the funding necessary - the purchase - and the other major expense (upkeep, maintenance) is neglected.
Before I get into why risk analysis is so, so critical, let's talk about assets. Not every asset in your organization is equally valuable. No earth-shattering revelation there, I'm confident of that. What may be a little challenging is the notion that an attacker will always pick the weakest point of entry, but you can't know which point that is, and you have to adjust your defense against that thinking. Even though we can be fairly confident that attackers today are exploiting the human factor because it's the easiest, once they're firmly implanted on an endpoint they will start internal reconnaissance to figure out where the things they may want are. This is precisely the reason why all assets are not created equal. While it is absolutely true that at any given point in time your corporate intellectual property may be on Facebook, Google's Gmail, or on an internal file server - if we truly understand what our critical assets are, and how they're consumed or manipulated, then we stand a much better chance of building intelligent defenses around them. The key here is, not every asset in your organization (laptop, web server, database) is equally important. Building and maintaining smart defenses means having to position your active security infrastructure around the really important things, with the assumption that the semi-important things which are being protected by static defenses may (likely) be compromised. Once this is accepted, and the shift in thinking follows, we start to attain truly smart security. Yes, this means understanding at a very deep level what your organization or business does. Oddly, this is one of the key failings of information security professionals.
Now let's talk about that all-important asset risk analysis. At the heart of this business-level exercise is the identification and classification of assets within your organization, including categories or tiers. Create tiers of asset criticality, and start asking the question 'what is the risk if this were to be corrupted, stolen, etc.?' Keep in mind that even though the tendency is to place everything in the 'mission critical' class, only a small percentage of organizational assets are actually that critical. You need to determine where the bar is, or perhaps what percentage of the assets is allowed in the 'mission critical' and 'critical' classes. That number or percentage varies by organization and risk appetite. It is absolutely vital that this exercise be performed by the information security organization (in conjunction with the rest of the business stakeholders) to first explain the above concept, and then classify and categorize the assets in your organization. Risk analysis gives us that proportionality perspective, where we can say we have X amount of active defense capability, and Y amount of assets we need to defend... and then decide where the bar is set for things that get active vs. passive defense. Arguably this is an exercise that only some of the more mature security organizations will be able to pull off - but it's vital. The problem 'less mature' security organizations have is that because they can't (or won't) take the time to first assess their own landscape, they end up trying to wrap their arms around the entire organization and defend everything to an equal amount. That is to say, defend everything poorly.
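As an added illustration of the tiering and proportional allocation described above (example code, not the author's program or tooling; the inventory, the impact and exposure scores, the percentage bars and the active-defense capacity are all constructed assumptions):

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    impact: int    # 1-5: business harm if corrupted, stolen or unavailable
    exposure: int  # 1-5: how reachable it is (internet-facing, many users)

    @property
    def risk(self) -> int:
        return self.impact * self.exposure

TIERS = ("mission critical", "critical", "standard")

def ranked(assets):
    # Highest risk first; name breaks ties so the order is deterministic
    return sorted(assets, key=lambda a: (-a.risk, a.name))

def tier_assets(assets, mission_critical_pct=0.10, critical_pct=0.30):
    """Cut the ranked inventory into tiers by a percentage bar, not by gut feel."""
    order = ranked(assets)
    mc_cut = max(1, round(len(order) * mission_critical_pct))
    c_cut = mc_cut + round(len(order) * critical_pct)
    return {a.name: TIERS[0] if i < mc_cut else TIERS[1] if i < c_cut else TIERS[2]
            for i, a in enumerate(order)}

def allocate_defense(assets, active_capacity, **cuts):
    """Spend scarce active-defense slots top-down by tier; everything else gets
    static defense. Returns (tiers, plan, tiered assets left on static defense)."""
    tiers = tier_assets(assets, **cuts)
    plan, slots = {}, active_capacity
    for a in ranked(assets):
        if slots > 0 and tiers[a.name] != "standard":
            plan[a.name], slots = "active", slots - 1
        else:
            plan[a.name] = "static"
    gap = [a.name for a in ranked(assets)
           if tiers[a.name] != "standard" and plan[a.name] == "static"]
    return tiers, plan, gap

# Constructed sample inventory (hypothetical names and scores)
INVENTORY = [
    Asset("customer-portal", 5, 5), Asset("erp-db", 5, 3), Asset("vpn-gateway", 3, 5),
    Asset("build-server", 4, 3), Asset("marketing-site", 2, 5), Asset("hr-fileserver", 4, 2),
    Asset("laptop-pool", 2, 4), Asset("wiki", 2, 3), Asset("print-server", 1, 2),
    Asset("test-vm", 1, 1),
]

if __name__ == "__main__":
    tiers, plan, gap = allocate_defense(INVENTORY, active_capacity=2)
    for a in ranked(INVENTORY):
        print(f"{a.name:16} risk={a.risk:2} {tiers[a.name]:17} -> {plan[a.name]}")
    print("tiered assets still on static defense:", gap)
```

The `gap` list is the conversation to have with the business: either raise active capacity, lower the bar, or accept that those assets sit on static defense.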
There is no such thing as 'secure', and when we try to 'secure' (defend) everything equally we end up stretching our resources too thin, and fail entirely. The concept of proportional defense shouldn't be new; in fact the earliest good reference I can find dates back to 1974 in a publication called "A proportional defense model" [ Shumate, K. C. and Howard, G. T. (1974), A proportional defense model. Naval Research Logistics, 21:... ]. While it's not 'new' per se, I feel it is one that warrants discussion broadly, since there aren't enough organizations (again, from personal experience) who are getting this right.
So there we go. You have more assets than you can reasonably defend well. How are you going to adjust to that (or have you done so already?) and re-align your defensive strategy to accommodate for this line of thinking?
I'm so confident that this is a big need in enterprise that as part of my new venture (Strategic Security Services) I have built out a program offering that addresses specifically this. If you're reading this and thinking to yourself - I need to do this... contact me, I'll be happy to take you through an overview of the Strategic Program Review exercise. Take the time to do this right, up-front, before you spend any more money on shiny, blinky, and 'best of breed' security solutions that alone aren't going to add to your defensive capabilities, and only burden you more with security 'busywork'.