Thursday, April 10, 2014

Questioning Information Security - You are only as good as your questions

Your security is only as good as the questions you ask. It is the questions that drive the search for answers, and the answers drive informed action or inaction. Anything else is a random, uninformed walk. So, as you shape your security strategy to support the innovations of the business, it is by asking good questions and producing correct answers that effective security is achieved. No one but the enemy will tell you the questions you should have asked and the answers you should have come up with. But by then it is too late, because they told you by running all over your systems.

Before we jump into the information security side of this, let's take a look at the historical implications of leaders who didn't ask effective questions about their own security.

Wars and Empires Lost

Wars and empires have been lost because those charged with defending their country did not ask the questions needed to correctly determine the defenses necessary to defeat their enemy. Darius III ruled Persia from 380 - 350 BC. At its height, the Persian Empire reached into three continents, spanning over 8 million square kilometers. Alexander, King of Macedonia, had eyes on creating a vast empire. To do that required conquering Persia.

Darius knew that Alexander had designs on his empire. Unfortunately, Darius' spies failed to provide him with good intelligence about the weaponry of Alexander's army. They didn't ask the question, 'Is my military weaponry sufficient to defend against an attack by Alexander?' As it turned out, no. His spears were just a bit too short.

And what happens when your spear is too short? You lose. And Alexander, instead of being 'Alexander the So-So' became Alexander the Great. And who talks about Darius III?

Questioning Information Security

Enterprises have sustained massive losses because they didn't ask the right questions. The breaches of the NSA, Target, Neiman Marcus, TJ Maxx, 7-11, Heartland Payment Systems, RBS WorldPay and others are rooted in not asking good questions, not properly analyzing them, and not acting on the answers.

Here is a framework from which we'll discuss this idea of 'Question Security'. It is really simple: ask questions, answer the questions through data collection and analytics, and act on the answers.

Lame Questions
Think about your own enterprise within this framework. How good are you? Honestly. Most companies are doing something like this (below), where they are only collecting some limited, siloed data and acting on it.

And what are the questions being asked? Pretty weak ones and, frankly, ones that aren't terribly useful on their own. What vulnerabilities does this scanner tell me that I have? What vulnerabilities does this security consultant (who is likely running the same scanner) tell me that I have?

Lame Answers
The type of answers you get from questions like this (what vulnerabilities does this scanner tell me that I have?) aren't too useful for protecting an enterprise. Nothing against scanners, but really, how useful is this on its own?

On top of that, the data is in many cases not collected frequently enough. For example, many organizations only scan their perimeter once a quarter. A lot can change in a quarter. That is the equivalent of only doing security event monitoring once a quarter: 'Any attacks? No. I looked at traffic for a few days a couple of months ago. Didn't see anything. Who would do that? Well...'

So, not only are the questions being asked and answered weak, but the questions aren't being answered very frequently, so the information is STALE!

Good Questions Lead to Good Answers
Answers all start with a question. And good questions lead to good answers. So what questions are you asking?

Here are some examples of good questions:
  • How did my Internet footprint change between yesterday and today?
  • Who is using unauthorized systems on the network?
  • Which of my users has the worst security behavior?
  • Which of my users exposes the organization to the greatest risk?
  • What is the security profile of my customer care business unit across all people, applications, and infrastructure?
With some good questions staged, we'll dive into the data stuff required to answer these good questions here.
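As an added illustration of the first good question above (not code from the original post), the script below diffs two daily perimeter snapshots and reports what appeared, what disappeared, which hosts are brand new, and which new exposures match a watch list. The snapshot format (host,ip,port,service) and the sample data are constructed assumptions; swap in your own scanner export.

```python
"""Answer "How did my Internet footprint change between yesterday and today?"
by diffing two daily snapshots. Format and data are constructed examples."""
from typing import Dict, Set, Tuple

# Constructed sample exports (assumed format: host,ip,port,service).
# Addresses are from the 192.0.2.0/24 documentation range, hosts are fictional.
YESTERDAY = """\
www.example.test,192.0.2.10,443,https
www.example.test,192.0.2.10,80,http
mail.example.test,192.0.2.20,25,smtp
vpn.example.test,192.0.2.30,443,https
"""
TODAY = """\
www.example.test,192.0.2.10,443,https
www.example.test,192.0.2.10,80,http
mail.example.test,192.0.2.20,25,smtp
mail.example.test,192.0.2.20,3389,rdp
dev.example.test,192.0.2.40,22,ssh
"""

# Assumed watch list: services that should never appear on the perimeter unreviewed.
WATCH_SERVICES = {"rdp", "telnet", "smb", "ftp"}

Exposure = Tuple[str, str, int, str]  # (host, ip, port, service)


def parse_snapshot(text: str) -> Set[Exposure]:
    """Parse one export into a set of exposures; blank and '#' lines are skipped."""
    exposures: Set[Exposure] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, ip, port, service = (f.strip() for f in line.split(","))
        exposures.add((host, ip, int(port), service.lower()))
    return exposures


def diff_footprint(old: Set[Exposure], new: Set[Exposure]) -> Dict[str, set]:
    """Set difference in both directions, plus new hosts and watch-list hits."""
    added, removed = new - old, old - new
    old_hosts = {e[0] for e in old}
    return {
        "added": added,
        "removed": removed,
        "new_hosts": {e[0] for e in added if e[0] not in old_hosts},
        "flagged": {e for e in added if e[3] in WATCH_SERVICES},
    }


if __name__ == "__main__":
    for key, items in diff_footprint(parse_snapshot(YESTERDAY), parse_snapshot(TODAY)).items():
        print(key, sorted(items))
```

Run it daily against consecutive exports and route the "flagged" set to whoever owns the affected host; an empty diff is itself a useful answer.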