A lean model for security and security practices
By Dave Elliman
Another day, another new cyber attack. Recently, it’s ransomware — where attackers encrypt company data, crippling their targets unless a ransom is paid — that has dominated the headlines. Victims include the UK’s NHS, shipping company Maersk, and consumer goods firm Reckitt Benckiser. But ransomware won’t be the last word in cyber attacks: there’s always some innovative and pernicious threat emerging.
As anyone who follows this space knows, cyber security can seem like an endless game of whack-a-mole. New threats emerge, defenses improve and the attackers adopt new tactics, targeting hitherto unknown weaknesses. This creates the impression that hackers can penetrate targets at will — whether that’s governments, enterprises or critical national systems.
And the attackers are increasingly sophisticated. We can no longer dismiss the hackers as the clever, bored and socially awkward teenagers so often portrayed in the media. Today, hacking is big business. The perpetrators aren’t out to wipe hard drives; they’re conducting industrial espionage on a massive scale or making political interventions.
The problem looks like it will get worse as the attack surface mushrooms. The rise of digital and the Internet of Things will see 8.4 billion devices being connected this year. And as digital technologies become an even more critical component of business strategy, the impact of a systems breach becomes more severe.
We cannot go on like this.
So, what can be done to turn back the tide of attacks? Historically, organizations have relied on defense. Build the strongest digital walls and make it harder for criminals to climb. But climb they do, and easily in many cases, breaching the perimeter established by a chain of expensive products and policies.
Back to the question, then: what can be done? Clearly, what we’ve all been doing isn’t enough.
The idea of a perimeter defense isn’t necessarily wrong; it’s just not enough.
A cultural change is required, to create and facilitate a governance model, one that focuses on transparent, continuous detection and response. This would enable organizations to ensure that their security investment is targeted to where it’s needed most; it also enables decision makers to see where the budget is going.
As ever, grabbing the low-hanging fruit is a good starting point. For instance, patching your systems with security fixes as and when they are available will close one of the major routes for security breaches.
A robust patching regime helps embed the message that all organizations have vulnerabilities, in both people and systems — after all, everyone can see that systems are being constantly updated to defend against newly discovered flaws. This change in mindset, where it’s recognized that vulnerabilities exist, makes it easier to convey the message that security is everyone’s responsibility. And that makes it easier to plan your response to attacks and how you intend to recover.
Building a flexible and transparent governance model enables you to express a continuous relationship between prevention, detection, recovery, and response. Effort needs to be applied in all four areas and presented as a continuous loop. For each area, metrics need to be used so that the business can answer questions such as:
- Are we doing the right things?
- Are we doing them the right way?
- Are we getting them done well?
- Are we getting the benefits?
This enables you to track performance over time so that rather than security being viewed as merely a cost, it’s an integral part of your technology strategy.
As we change our way of thinking about security, we can start thinking about what a new adaptive and, crucially, evolutionary enterprise architecture would look like. How should security manifest itself in all the software we write, test and deploy, at every level?
This approach leads to what is known as defense in depth. Here, secure coding, threat modeling, and penetration testing are used constantly throughout the creation or procurement of software assets. Many of these ideas are discussed in depth by my colleagues here. These issues reiterate that security is the responsibility of everyone within the organization.
When reviewing these four principles, we can consider them in terms of a cycle. It helps to look at each quadrant in turn, breaking down cause and effect, so you understand what’s happening and can monitor for change and progress.
Prevention: What policies, standards, programs, processes, and procedures do you have in place? Do they help your people make good decisions with regards to information security while still allowing them to work at the pace required by the business? Do you need to change any of them in light of what you learn from your information security risk profile?
Detection: What do you know? How much of your information are you covering? How good are you at discovering vulnerabilities? How many do you have? What is the rate of change? How do you classify them based on risk? Which ones should you be worried about?
Recovery: What is our mean time to recovery? What percentage of events are dealt with in a timely and acceptable manner? How long does it take us to respond to vulnerabilities once we know about them? Do we have a way to limit the damage for the things that we are finding?
Response: How long does it take us to identify root causes of known vulnerabilities and fix them? Take patching, for example. Applying critical patches ad hoc as they are released is a short-term response to known vulnerabilities. The long-term resolution may be to implement an automated patch management process that gathers patches and applies them in a systematic, repeatable and testable manner. Resolutions are generally more reflective, planned and deliberate than responses.
For each of the quadrants, measures and metrics can be drawn that move you towards a rolling view of attack demographics, response and recovery times, as well as which products and services need to have expert resources allocated to them.
While this might sound like a great idea, retrofitting it to an organization is no easy feat. We should all be wary of any miracle cure for security.
We would recommend picking a slice of business functionality, looking at it from an end-to-end perspective, and then tracing it through your organization. This approach enables you to construct the governance model — including its constituent KPIs and resulting reporting scorecard — as an iterative exercise that uses the lean ‘test and learn’ cycle.
You may want to start with what you perceive as the highest risk now, and use this model to validate that premise. When you’ve gained enough detail and confidence in the approach, you can start to identify other slices in a similar manner and build out over time. You will soon gain a better knowledge of your most valuable assets and how to protect them.
Today’s markets wait for no one, and having any chance of limiting damage and serving your consumers will require an iterative, evolving, adaptive approach to your entire estate. If you haven’t yet got past the idea that this is only the security department’s problem, you may already be too late.
Originally published at www.thoughtworks.com on August 30, 2017.