In-Depth

Q&A: Using Business Rules to Tackle Vulnerabilities

Identifying business assets to aid threat mitigation

• By Mathew Schwartz
• 10/20/2004

Every network is vulnerable to some type of attack. Just knowing which ones, however, won’t ultimately help direct the best security efforts. Instead, what’s needed is a list of top vulnerabilities coupled with a rigorous knowledge of business assets, weighted by value and cross-indexed with the most dangerous and imminent threats. Such knowledge in hand, CSOs can talk not only remediation efforts, but the results of security money spent (or not) upon business processes.

So says Tom Rowley, CEO of Preventsys and the former head of managed security services giant Counterpane. Security Strategies spoke with Rowley about re-interpreting today’s top vulnerabilities in light of business process rules.

What sorts of problems do CSOs face today when trying to get ahead of vulnerabilities?

After joining Preventsys, I met with CSOs [and asked that] … One of the CSOs says, “You know, I’d just like to not look like a blithering idiot … I spent a million dollars on software and gadgets, then I have to go and explain why I just spent another million dollars on IT overtime because we just got hit again.” One of the things I discovered is that there’s almost a sense of fatalism with CSOs these days, in their ability to get their arms around security problems.

Companies are going to keep getting hit, but how could CSOs do better?

Through a workflow—a closed loop, corrective-action system … just like Siebel and CRM [customer relationship management], for example. So we looked into that—how would you assemble that?

First, you measure the business rules in the enterprise, which most organizations are already doing. Second, you measure assets versus risk—which assets do risks impinge upon? Third, you ask how imminent is the threat? How likely is it that it’s actually go happen?

That’s what we’ve done with our enterprise security management system, which has two modules: business policy modeling capability and preemptive defense … So this [system] adds … a real-time analysis of all the vulnerabilities in your network, and all the misconfigurations in your network. [Then it] prioritizes them, generates an output to your IT managers, or your patch management system, and reports … [how] if you don’t do this, here’s what could happen to you. So this is a prioritization of … real-time threats in your network.

Are you seeing any early traction for your approach?

Yes, from companies who make their living primarily on the Internet—click and mortar, the Dells of the world. They’re very process-oriented, and when we go to them with a process solution to the problem, [they take notice].

Have you seen any organic or in-house attempts to do what you’re proposing?

In the financial services organizations, if you go look at the more forward-looking people, the Goldman Sachs of the world, they already have intelligence feeds, and have put in time to figure out their business process information. But … Goldman Sachs has more security people than probably the bottom 500 of the Fortune 1000. So for the really savvy people, they’re doing what Preventsys does, but it’s ad hoc and designed in house.

Best intentions aside, isn’t it difficult to keep pace with the flood of vulnerabilities?

One of the biggest problems is that the output from all the scanners often doesn’t have a common vocabulary, and often contradicts each other. So a big part of Preventsys is the knowledge database [to reconcile competing versions of “the truth”]. We call this process correlation … [which] is another one of those words that’s gotten destroyed in the security market. Everyone talks about correlation but … we look at [something] from three dimensions: assets at risk, imminence, and business rules. We call it semantic correlation because we’re correlating meaning, not ports.

And we listen to a dozen or so different kinds of scanners … We’re completely agnostic. We take whatever’s out there. We discovered that almost everyone has bought a scanner of some kind or another … Preventsys’s view is scanners are commodities. Pick whichever one you want.

On the intelligence side, we have a very close relationship with an organization called iDefense … but also built into the product is the ability to work with other intelligence feeds, including ISAC and SecurityFocus, and we could elevate and cross-correlate them.

Business process integration aside, are CIOs having difficulty getting funds for less-reactive endeavors?

With attacks [such as MyDoom and Blaster] … giving them these stupid, cutesy names sort of minimizes their impact. I think something more threatening would be a good thing. There’s a certain callousness that has developed, because security gets so much press.

But as in manufacturing, there are thousands of things that can go wrong … So how do you fix it? You fix one thing at a time, and you get better. It’s not the gadgets, it’s the process.

I did this pitch to a collection of CSOs, and I said the right way to think about this is the Atkins diet. If you ask your doctor [about Atkins], the doctor will look up at you and say two words: diet and exercise. No silver bullets. Just two words, you just have to do them. For security, it just requires an ongoing, closed loop, corrective process. The effect … of that is to demonstrate that a management process will work. Now … if you’re scurrying around to recover from things, that’s very likely to fail.

The workflow system [by contrast] allows you to have an ongoing, continuous view of what you’re doing: where we were, where we are, what we thought we did, where we need to go. This … starts to show the kind of trend, improvement, and … that actually makes a business process out of security, rather than just another collection of vulnerabilities.

So you marry asset scans with intelligence to denote the worst threats?

The fact that you can characterize [an organization] by assets isn’t enough. Which assets do I most care about, and in what order? In most organizations there’s usually a book floating around. It’s in a big binder and it’s in English. One of the tools Preventsys has is to convert that binder [of business processes] from English to technical rules … then see if you actually do it or not. We do a comprehensive business asset rules and discovery process.

But you know who ought to do this job? Symantec. Take Enterprise Resource Manager—it’s a configuration discovery product [able to say] here’s how your firewalls are configured, here’s the generally accepted way to do them, here’s the delta. Now Symantec [also] has an intelligence organization, but it doesn’t feed to this product … They have lots of bits and pieces, but they don’t have their act together in terms of stitching it all together.

Is vulnerability information alone, divorced from business realities, often just discounted by management?

I was talking to the CIO of Lands' End and he said, "The devil himself could be wandering through my networks the week before Christmas, and I don’t care." That’s sort of egregious, but there are many rules that don’t fit into [a standard vulnerability mitigation approach]. So instead of just patching vulnerabilities, [you need to ask] is this asset at risk? Did I protect this asset?