CISOs might feel overwhelmed, facing cyber threats from every direction and tight budgets. But a recent paper from a Microsoft Corp. security architect argues a data-driven security defence plan will help focus their efforts on the biggest and most likely threats.
The paper by Roger Grimes, released earlier this year and updated this month, says many of the problems infosec pros face are due to inaccurate risk ranking, poor communications, and uncoordinated, slow, ineffectual responses.
Instead, “using a computer security defense model driven by data, every employee would know the top root cause threats that are most successfully exploiting the organization’s security,” Grimes writes. “There would be no guessing; everyone could point to the top threats to the company’s computer systems. With a data-driven computer security defense, the IT team would actively collect threat intelligence and appropriately rank the risk to the company of the most likely and critical threats. It would then focus resources on the biggest threats with senior management involvement and approval, and use metrics to track success.
“The ultimate outcome is a lower number of exploitations and lower computer security risk to the organization. When a new threat emerges, the organization is on top of it from the start, measuring the company’s own rate of exploitation from the threat. It is a continuous, faster cycle of alertness, mitigation, and reduction.”
Briefly, the plan involves six steps:
- collecting better and localized threat intelligence;
- ranking risk appropriately;
- creating a communications plan that efficiently conveys the greatest risk threats to everyone in the organization
- defining and collecting metrics;
- defining and selecting defenses ranked by risk;
- and reviewing and improving the defense plan as needed.
The paper also provides advice that infosec pros may need to be reminded of as they gather internal and external threat data: A critical vulnerability is not necessarily a critical risk. The security team has to ask what is the likelihood of a vulnerability being successfully used to access valuable data.
“Criticality and risk is not something you should readily accept from someone else’s data and pronouncements. External parties do not understand what defenses and mitigations are already deployed in your environment that will offset particular vulnerabilities, even if they exist.”
Grimes also notes that in today’s threat environment, unpatched software and social engineering threats are among the two biggest threats to most organizations. Instead, most companies tend to focus on other defense activities—such as two-factor authentication, intrusion detection systems, and firewalls. “While good to implement, they do not directly address the biggest initial compromise root cause vectors. If the biggest problems are not corrected, then other defenses will most likely be inadequate at stopping the highest risk attacks.”
In data-driven computer defence the fact that unpatched software and social engineering are the biggest threats would be confirmed against the enterprise’s actual experience, the paper argues. If confirmed, this would be communicated to all stakeholders. Senior management would then (hopefully) assign the necessary resources to combat the top threats.
Grimes also advises CISOs to make sure they implement defences that will directly and immediately reduce the most critical and most likely threats. For example, he writes, stronger authentication and intrusion detection rarely stop an attacker that has gained a password hash. He also advises precedence be given to defenses that stop initial compromises, such as restricting administration privleges.
“The measure of success of a data- and relevancy-driven computer security defense is fewer high-risk compromises and faster responses to successful compromises,” he concludes.