Q&A: Taking a Risk-Based Approach to Security
Security is more than just determining which users have access to applications and data. Compliance also isn't enough. What's needed is a risk-based approach to security -- a pro-active, prevention-oriented line of attack to keep your enterprise safe. To learn more about the advantages of a risk-based approach, we spoke to Torsten George, vice president of worldwide marketing and products for Agiliance, an integrated risk-management vendor. His recent presentation at the ISACA Fall Conference in San Francisco explored the relationship between IT security, risk management, and regulatory compliance.
Enterprise Strategies: Given tight budgets, more creative and aggressive hacking, the myriad of regulations, complex technologies (such as the cloud), and an increase in the number of large break-ins reporting in the popular press, it's clear security administrators are under pressure. What practices are the most important, and are those practices being followed?
Torsten George: Compliance with government standards and industry regulations is at the top of a lengthy list of IT security tasks, but with more than 855 security incidents reported in 2011 affecting more than 174 million records (Verizon 2012 Data Breach Investigations Report), it's time to rethink the way organizations approach security and compliance. To help maximize the efficiency of an organization's IT security operations and provide visibility into risk and compliance posture, progressive enterprises are pursuing a pro-active, risk-based approach to security, which provides them with a near-real-time view into their compliance and risk posture.
Unfortunately, the majority of organizations are still using a check box mentality as part of a compliance-driven approach to security. This method achieves point-in-time compliance certification rather than improving the company's security posture.
Emerging legislation such as NIST SP 800-137, FISMA, FedRAMP, SEC Cyber Guidance, and the pending Cyber Security Act of 2012, as well as stricter enforcement of existing regulations by the Office of the Comptroller of the Currency Regulation Enforcement and the FCC case against the Wyndham Hotel Group are forcing organizations to rethink the check-box approach.
In your presentation, you mention that compliance lacks correlation to risk. Isn't the whole point of compliance to lessen risk? Why is there no correlation?
To gain insight into their risk posture, organizations must go beyond assessing compliance, but also take threats and vulnerabilities as well as business impact into account. Only a combination of these three factors assures a holistic view of risk. Compliance posture is not tied to the business criticality of assets. Instead, compensating controls are applied generically and tested accordingly. Without a clear understanding of the business criticality that an asset represents to an organization, an organization is unable to prioritize remediation efforts. A risk-driven approach addresses both security posture and business impact to increase operational efficiency, improve assessment accuracy, reduce attack surfaces, and improve investment decision-making.
Lately I've heard of enterprises having trouble when they do suffer a breach because notification laws vary by industry and even by state. What are the biggest problems enterprises have in handling notifications, and what are the risks if they don't perform notifications properly?
Risk has become a focal point in today's highly regulated business environment. For example, the financial services enforcement agency, the Office of the Comptroller of the Currency, maintains that without the knowledge of enterprise risk it becomes increasingly difficult to operate the business. This extends beyond the core risk assessment and nowadays includes incident response management, which can be described as the oft-neglected flipside of the security coin.
When done right, incident response management becomes another weapon in an organization's prevention arsenal -- by limiting material or reputational damages caused by data breaches. LinkedIn is a good example. Their response was swift, offered sufficient information about the scope of the breach, as well as measures that it had been taken to minimize the impact on its user community. Thus, the company's valuation did not suffer as illustrated by its steadily climbing stock price.
This all sounds straightforward and should be simple to implement -- at least on paper. However, this process typically breaks down when an incident occurs and a response is required. For example, will members of the incident response team remember their duties and fellow stakeholders when they receive a call on a Saturday at 4:00 a.m.? The answer most likely is no, so what makes incident response management in the field so difficult?
Policies and stakeholder information are often contained in multiple and dispersed documents, which makes it challenging to quickly access that information when a security breach occurs. This results in a delayed response. Furthermore, a manual incident-response process requires human interaction to share information and alert stakeholders, which leads to further response-time delays. The basic lack of alerting and escalation functions often leaves an organization vulnerable.
Another major pain point is prioritizing the remediation response. It is particularly important for organizations to determine the order in which the incident needs to be remediated. This should be done based on the risk and business impact. With no automation solution in place, this calculation is simply not possible. Once the organization has determined its incident remediation strategy, the next step is to track how long the remediation will take, who is responsible, and who will take action. Without interconnectivity into remediation systems and a centralized repository of this data, it becomes almost impossible to determine how effective the remediation actions have been.
Ultimately, the biggest challenge associated with incident response management is documenting the entire process. In many instances, once the incident is identified by one group, the remediation actions are executed by a different group. Typically, there is no audit trail to track the remediation efforts or a process designed to centralize all related documents in one repository.
What are the different approaches an enterprise can take to tackle security? Are these approaches mutually exclusive or complementary?
In general, there are four different approaches enterprises can use to tackle security. The first concept was prevalent in the nineties and can be best described as a "reactive" approach, whereby security was seen as necessary evil. In this approach, silo-based point products are leveraged to monitor the company's security posture. However, the usage of these tools was primarily of reactive and tactical nature. The objective of this approach was to defend against threats.
Once the frequency of data breaches increased and consumer interests were threatened, industry standards and government regulations were introduced and forced a "compliance-driven" approach to security. Here the objective is to achieve point-in-time compliance certification, whereby the tactical "reactive" approach is supplemented with layered security controls. Because many regulations and industry standards lack the notion of continuous monitoring, many enterprises adopted a check-box mentality and implemented minimum requirements to pass the annual certification audits.
The rising tide of insider and advanced persistent threats, mounting regulatory pressure, and the impact of big security data on an organization's operational efficiency have led many progressive organizations to either adopt a "risk-based" or "business-oriented" approach to security.
A "risk-based" approach to security assumes a prevention mentality, taking a pro-active approach by interconnecting otherwise silo-based security and IT tools and continuously monitoring and assessing the data. In turn, the organization can achieve a closed-loop, automated remediation process that is based on risk.
A "business-oriented" approach extends the "risk-based" approach by connecting into enterprise risk processes, taking input across financial, operational, and IT risks. The ultimate goal is increased operational efficiency and effective business decision-making.
In your presentation, you note that "You can schedule an audit, but you cannot schedule a cyber-attack. In turn, you have to move to a more pro-active, risk-based approach to security." What are the elements of a risk-based approach?
In general, you can define three major elements of a "risk-based" approach to security: continuous compliance, continuous (security) monitoring, and closed-loop, risk-based remediation.
Continuous compliance includes the reconciliation of assets and automation of data classification, alignment of technical controls, automation of compliance testing, deployment of assessment surveys, and automation of data consolidation. When conducting continuous compliance, organizations can reduce overlap by leveraging a common control framework, increase accuracy in data collection and data analysis, and reduce redundant as well as manual, labor-intensive efforts by up to 75 percent.
Applying continuous (security) monitoring, implies an increased frequency of data assessments (e.g., on a weekly basis) and requires security data automation by aggregating and normalizing data from a variety of sources such as SIEM, asset management, threat feeds, and vulnerability scanners. In turn, organizations can reduce costs by unifying solutions, streamlining processes, creating situational awareness to expose exploits and threats in a timely manner, and gathering historic trend data, which can assist in predictive security.
Finally, closed-loop, risk-based remediation leverages subject matter experts within business units to define a risks catalog and risk tolerance. At the same time, a closed-loop, risk-based remediation process entails asset classification to define business criticality, continuous scoring to enable risk-based prioritization, as well as closed-loop tracking and measurement. This process results in dramatically increased operational efficiency, improved collaboration between business, security, and IT operations, and enables organizations to measure security efforts and make them tangible.
What are the benefits a risk-based approach offers that is currently lacking in the way IT currently manages security?
The benefits are reduced risk, reduced costs, improved response readiness, and increased risk posture visibility.
Don't continuous compliance and monitoring end up being more time-consuming or resource intensive than current practices?
Initially, it appears that way. However, to achieve continuous compliance and monitoring, organizations are forced to automate many otherwise manual, labor-intensive tasks. This, in turn, results in tremendous time and costs savings, increased accuracy, and overall improved operational efficiency.
To illustrate the scope of cost savings and operational efficiency improvements organizations can achieve from continuous compliance and monitoring, consider this government agency example. Prior to implementing continuous monitoring best practices, this agency employed 60 full-time employees who had to work 24 x 7 for one month to manually create 180,000 remediation tickets. Leveraging a continuous monitoring approach, the agency was able to reduce the head count required to oversee ticket creation by more than 80 percent and shrink the processing time from one month to a couple of days.