"Take back your security infrastructure"
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFAWRITTEN: 2004
:Security is a rapidly changing field of human endeavor. Threats we face literally changeevery day; moreover, many security professionals consider the rate of change to beaccelerating. On top of that, to be able to stay in touch with such ever-changing reality,one has to evolve with the space as well. Thus, even though I hope that this document willbe useful for to my readers, please keep in mind that is was possibly written years ago.Also, keep in mind that some of the URL might have gone 404, please Google around.
This paper discusses the question of optimizing security decisions in an organization, based on theinformation provided by the technical security infrastructure.Imagine you work for one of those companies where information security is taken seriously, senior management support is for granted, the appropriate IT defenses are deployed and users are educated onthe security policy (a security utopia, no less). Firewalls are humming along, intrusion detection systems areinstalled and incident response team is trained and ready for action. This goes a long way towards creatinga more secure enterprise computing environment.In this context, lets look at it from the prevention-detection-response model. Prevention is mostly likelyhandled by the combination of organization’s firewalls, intrusion prevention devices, vulnerability scanningas well as hardened hosts and applications. Apparently, intrusion detection systems seek to providedetection, while a team of experts armed with forensic and other investigative tools provides response.Admittedly, the above picture is a grand simplification, but the separation between prevention, detection andresponse is still artificial to a large degree. Firewalls greatly help in detection by providing logs of allowedand denied connections, IDS can be configured to respond to incidents automatically and securityprofessionals are at the core of all three components.The above complex interplay between prevention detection and response is further complicated by thecontinuous decision making process: 'what to respond to?', 'how to prevent catastrophic loss?', ‘do I careabout this thing I just detected’, etc. Such decisions are based on the information provided by the securityinfrastructure components. Paradoxically, the more technical security defenses one deploys, the morefirewalls are blocking messages, the more detection systems are sending alerts, the harder it is to make theright decisions about how to react. Volume and obscurity of the information emanated by the securityinfrastructure contribute to such difficulties. And at some moment, the question of trying to predict what firewill flare next (or, “being proactive” in marketspeak) will come up.What are the common options for optimizing the security decisions made by the company security decision-makers? The security information flow needs to be converted into a decision. The attempts to create a fullyautomated solution for making such a decision, some even based on artificial intelligence, have not yetreached a commercially viable stage. The problem is thus to create a system to reduce the informationdeluge sufficiently and then to provide some guidance to the system's human operators in order to make theright security decision. Notice, that does not preclude a certain degree of automation.In addition to facilitating decision-making in case of a security event (defined as a single communicationinstance from a security device) or an incident (defined as a confirmed attempted intrusion or other attack or discovered abuse), reducing the information flow is required for implementing security benchmarks andmetrics. Assessing the effectiveness of deployed security controls is an extremely valuable part of anorganization security program. Such an assessment can be used to calculate a security Return OnInvestment (ROI or ROSI) and to enable other methods for marrying security and business needs.