By Ron Temske, Vice President of Security Solutions, Logicalis US
In past articles, I’ve focused on specific enterprise security solutions, such as virtual private networks (VPN), next generation firewalls (NGFW), and Secure DNS. Here I think it would be helpful to talk about a risk-centric or risk-based security strategy, to provide some insight into how many companies are (or should be) looking at enterprise security and how they prioritize security projects. What we want to do for any enterprise security scenario is take a series of steps that together form a risk-based security strategy. I’ll outline the process first, then go into more detail about each step. In summary, the process for establishing a risk-based security strategy is:
- Identify the assets you are trying to protect.
- Identify the source and nature of threats that might compromise your assets.
- Determine how likely the threats are to occur (the Probability of Compromise).
- Implement measures that will protect your assets against these threats in a cost-effective manner.
- Review the process regularly and make improvements as new weaknesses are found.
Step 1: Identify Assets
The first step in any security approach is identifying the assets to be protected. We’re generally talking about IT security (or more specifically cybersecurity), but really this process applies to all aspects of security – whether the resources are IT assets, people, facilities, or even less tangible assets such as brand or reputation. Before we can create any type of plan around security, we need a clear understanding of what we’re trying to protect. Sometimes this is accomplished via a formal process of asset identification and inventory; at other times it’s simply a higher-level view of assets. This process will frequently include assigning a value to each asset should it be stolen, damaged, or deleted.
Step 2: Determine Source and Nature of the Threats
Once the appropriate enterprise assets have been identified, we need to identify the source and nature of the threats against which we’re trying to protect them. The source of the threat is typically the more difficult of the two to determine. Often, we’re not sure who might be trying to launch an attack against us: it could be malicious hackers simply looking for a challenge, organized crime looking for a payday, or even foreign agencies looking for company secrets.
More commonly, we’ll focus our energies on ensuring we know the nature of the threat. By that I mean we’ll apply the CIA principle – Confidentiality, Integrity, and Availability – that I discussed in an earlier article. Put simply, for each asset we seek to protect, we want to understand whether we’re concerned about the Confidentiality, Integrity, or Availability of that asset, and frequently it’s some combination of all three. In general, all three principles apply, but what you will usually find is that one or two are of higher importance for a given asset.
Some real-world examples may be the best way to understand how this applies in practical terms:
- A proprietary drug formula is primarily a Confidentiality and Integrity concern. We want to protect Confidentiality to safeguard the revenue stream of the pharmaceutical company, and Integrity to safeguard patient safety. You can easily imagine the damage that would be caused if the chemical makeup of a drug were altered. Availability is a concern, but not as important as the others.
- An online stock trading portal would be most concerned about Integrity and Availability. Obviously, Confidentiality is a concern as well, but millions of dollars could be lost if the system were not available or had integrity issues.
- An online portal might be most concerned about availability. Can you imagine if the major search engines didn’t work? How would we solve any arguments?
Step 3: Determine the Probability of Compromise
The third step in the process is attempting to assign the probability of compromise. This is not easy and frequently involves making assumptions or, just as frequently, skipping this step. A simplistic formula, called Probabilistic Risk Assessment (PRA), involves multiplying the value of an asset by the probability that asset could be compromised. This can create some interesting scenarios.
While real risk assessments involve actuarial tables and more sophisticated methods of assigning value, here is one simple example that illustrates the concept:
If we have an asset worth $1,000,000 with a 0.5% chance of being compromised, it has a PRA of 5,000. Likewise, if we have an asset worth $75,000 with a 10% chance of being compromised, it has a PRA of 7,500. From a risk management perspective, we should go to greater lengths to protect the $75,000 asset than the much larger asset valued at $1,000,000. This may seem counterintuitive, but it is fundamental in any risk management strategy.
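The following Python script is an added example, not code from the article or from Logicalis. It applies the PRA formula above (asset value multiplied by probability of compromise) to a small constructed asset inventory that includes the two figures from the text, ranks the assets by expected loss, and goes one step beyond the article by scoring candidate controls on the expected loss they remove per year minus what they cost, which is one way to make the "cost-effective" judgement in Step 4 explicit. The asset names, dollar values, probabilities, control names and post-control probabilities are all constructed for illustration.

```python
# Added example (not from the article): rank assets by the simple
# Probabilistic Risk Assessment (PRA) figure, value * probability of compromise,
# then compare candidate controls by expected loss removed minus control cost.
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float                        # loss in dollars if compromised (Step 1)
    p_compromise: float                 # annual probability of compromise, 0..1 (Step 3)
    concerns: tuple = ("C", "I", "A")   # CIA properties that matter most (Step 2)

    def pra(self) -> float:
        """PRA as the article defines it: asset value times probability of compromise."""
        if not 0.0 <= self.p_compromise <= 1.0:
            raise ValueError(f"{self.name}: probability must be between 0 and 1")
        return self.value * self.p_compromise


@dataclass
class Control:
    name: str
    asset: str           # name of the asset the control protects
    annual_cost: float   # what the control costs per year
    p_after: float       # estimated probability of compromise once the control is in place


def rank_by_pra(assets):
    """Highest expected loss first: the order in which to spend protection effort."""
    return sorted(assets, key=lambda a: a.pra(), reverse=True)


def control_net_benefit(asset: Asset, control: Control) -> float:
    """Expected loss removed by the control minus its annual cost.
    A negative figure means the control costs more than the risk it retires."""
    reduced = Asset(asset.name, asset.value, control.p_after, asset.concerns)
    return (asset.pra() - reduced.pra()) - control.annual_cost


# Constructed sample inventory; the first two rows use the article's own figures.
ASSETS = [
    Asset("research database", 1_000_000, 0.005, ("C", "I")),
    Asset("partner file share", 75_000, 0.10, ("C",)),
    Asset("customer web portal", 250_000, 0.02, ("I", "A")),
]

# Constructed candidate controls with hypothetical costs and residual probabilities.
CONTROLS = [
    Control("MFA on file share", "partner file share", 4_000, 0.02),
    Control("24x7 DDoS mitigation", "customer web portal", 9_000, 0.005),
]


def evaluate(assets=ASSETS, controls=CONTROLS):
    """Net annual benefit of each control, keyed by control name."""
    by_name = {a.name: a for a in assets}
    return {c.name: control_net_benefit(by_name[c.asset], c) for c in controls}


if __name__ == "__main__":
    for a in rank_by_pra(ASSETS):
        print(f"{a.name:22} value={a.value:>10,.0f} p={a.p_compromise:.3f} "
              f"PRA={a.pra():>8,.0f} concerns={'/'.join(a.concerns)}")
    for name, net in evaluate().items():
        verdict = "worth it" if net > 0 else "not cost-effective"
        print(f"{name:22} net benefit/year = {net:>8,.0f} ({verdict})")
```

Run as written, the $75,000 file share ranks above the $1,000,000 database exactly as the article argues, and the two controls come out on opposite sides of the break-even line: the cheap control on the high-PRA asset pays for itself, while the expensive control on a lower-PRA asset does not. The probabilities are the weakest input, which is the article's point about Step 3; the structure makes it easy to re-run the ranking when those estimates change.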
Step 4: Implement Protective Measures
Once we’ve identified what we’re trying to protect, and what and whom we’re trying to protect it from, we can begin the process of designing a solution to meet those requirements. This can take many forms, which we discuss in other articles.
Step 5: Review and Improve
After designing and implementing an enterprise security solution, we then begin a process of ongoing measurement and assessment to ensure that, as new threats are found and our asset requirements change, we’re continually providing the appropriate levels of security.
Read a two-part article exploring what an umbrella approach to security can look like in your enterprise – Part One: Potential DNS Vulnerabilities (http://ow.ly/Gd7Q307SBUE) and Part Two: A Secure DNS (http://ow.ly/kSuT307SCnY). Then, download an infographic displaying the benefits of Taking an Umbrella Approach to Security and one displaying the benefits of Transforming Internet Security with Big Data.