How can companies be free of security vulnerabilities? They could ferret out all the flaws in their computer products and patch them. They could prevent flaws from being exploited by shutting down systems. Of course, neither is good for business or the budget.
That's the view of Peyton Engel, a technical architect who heads the security assessment team at CDW Corp., at the recent Fusion 2009 CEO-CIO Symposium in Madison, Wis.
Instead, companies need to spend less time reacting willy-nilly to security vulnerabilities and more time asking whether threats are likely to affect them, Engel said. He recommends companies identify the point of diminishing returns of patch management by weighing the probability and severity of the security vulnerability, rather than the severity alone.
"We have a myth right now that we need to patch vulnerabilities. I am not here to tell you you should stop patching critical vulnerabilities -- that would be foolish. But right now, there is this kind of consciousness in the industry that when you have a vulnerability, by golly, the first thing you do is patch it," said Engel, who gave a talk at Fusion 2009 on getting your money's worth from security.
Security vulnerabilities are always with us, Engel said. A new vulnerability usually means an existing weakness that is now just being discovered. Incidents, not vulnerabilities, are the problem -- actors causing mischief, or worse, intent on committing a crime. And even these threats don't cause trouble until they meet up with a vulnerability, be it a missing patch or a weak password or a lax system administrator.
The pertinent question is whether the vulnerability is bad for you. And, if so, is patching the right fix for it? Or might it be wiser to go on the offensive?
Indeed, the patching approach of many security pros is not unlike that of the World War II engineers who studied the distribution of bullets holes on returning planes to determine where best to apply aircraft armor. "Everybody sees the mistake, right?" Engel asked. "These are the planes that made it back." Statistical analyses based on those planes, of course, factored out the aircraft that crashed and burned.
"Taking data at face value is risky," he said.
Calculated hype from security vendors
But calculating risk is itself a risky business. One formula, for example, calls for thinking about risk in terms of annualized loss expectancy. To determine this, you multiply the single loss expectancy, or the cost of a single incident, by the annual rate of occurrence (ARO), or how many incidents per year, to get a dollar figure per year. If the solution the security guy is trying to sell you is less than dollars per year, then it is a no-brainer and you should buy it.
"Well, I wasn't issued the crystal ball that tells me how many incidents you're going to have or how much they cost you. So I am skeptical of really quantitative analysis like this," Engel conceded. "However, I think we can at least agree that there are incidents, they do have costs and happen at some frequency, and if we can reduce incidents -- that is a good thing."
Here are three strategies for getting your money's worth out of security spending, which Engel illustrated with some CDW customer scenarios:
1. Pay attention to ARO but focus on minimizing loss expectancy.
A school district in Indiana supported 314 computers, in the middle of which was the shared user account, the generic system administrator. An incident on any one of the computers was a good way to have an incident on all of them, Engel said. Just by disabling the administrator account, or by not sharing passwords from one system to the next, the district went from worrying about 314 systems to about 20, according to a CDW analysis.
Almost nobody is thinking about buying security to minimize loss expectancy.
Peyton Engel, technical architect, CDW Corp.
Beware of the fallacies baked into the formula, Engel said.
Many security products today are targeting the ARO marker. A company worried about a certain type of incident might be urged to buy the countermeasure for it, concluding (wrongly) that the worrisome incident will never happen and all is safe.
"Almost nobody is thinking about buying security to minimize loss expectancy," Engel said, but that is the critical measure.
The Indiana school district is "not trying to prevent incidents on all these stupid workstations out in the school district. We're going to admit that some day they are going to get hacked. What we want to make sure is that a hack [on one workstation] doesn't translate into loss of all its student records, HR data and so on," Engel said.
2. Drive down redundant spending, especially now.
A health care provider in Michigan had three IT initiatives:
- A scheduling system for its doctors, with the goal of keeping the docs as busy (and billable) as possible and, of course, protecting sensitive medical records;
- An application to allow physicians from other facilities to schedule tests in its labs, because that brought in more money too; and
- Self-service for patients with sudden complaints who could look for openings due to last-minute cancellations -- another way to boost revenue.
The point of the story is not an indictment of health care run amuck, but that the provider could build three separate applications, and many companies would. But, if the health care provider builds one layer of abstraction atop the database that effectively implements its security rules -- authentication, authorization and accounting -- it spends once for security but gets to use it multiple times.
3. Start thinking about security spending close to the beginning of any project.
In the 1970s, an IBM study looking at the ROI of secure software development found that the cost of fixing security vulnerabilities rose dramatically the later they were discovered in the development cycle. If a fix came once the software was in production, costs could be astronomical.
"If we start thinking about security in terms of overall project plans, if we push our security spending closer to the start of the project, we get to spend less and be more effective," Engel said.
Let us know what you think about the story; email: Linda Tucci, Senior News Writer