Information security sometimes appears to be stuck, still suffering from the same basic problems: weak passwords, unpatched vulnerabilities, and too much (or too little) data to make sense of what is really happening. While it is fascinating to talk about the latest threats and newest attacker techniques, we cannot lose sight of the basics. I have recently seen enterprises with 11-year-old vulnerabilities, servers that cannot be patched because of lost admin passwords, and we still find loads of easily guessable passwords on default or service accounts.
You are not a ’90 lb (41 kg) weakling
Sometimes the data we gather can become so overwhelming that it is difficult to imagine a way forward, especially if we continue to think the same way. If, like more than one company I’ve spoken with, you have hundreds of thousands of high and medium risk vulnerabilities, the task may seem insurmountable. Or, if you are a smaller firm, you may look at all the recent breaches in “household name” companies with their hundreds of expert staff, and think that if they cannot secure their systems, what chance do you have?
A good analogy for measuring progress is to think of how someone exercising keeps track of their progress, with metrics like how much weight they can lift, how many reps they do, how fast they can go. If you do not measure or keep track, you will not know if you are improving. Also, when you start on a new program, you evaluate yourself to get your starting point, and experts often recommend having a workout buddy or posting to Facebook to get your objective out in the open, which helps with motivation and compels continued progress.
Building a fitness plan
Applying the same concepts to security helps with improving your security posture. Start with an assessment of your current fitness level. The sheer number of vulnerabilities is not a great metric, as it provides little context. It is like looking at how much you can lift without considering your experience, time in the gym, or maturity. Expecting to start by deadlifting 800 lbs is unrealistic. You also cannot just grab a standard set of metrics, even one tailored for your industry. Your metrics framework will be unique to your asset pool and risk tolerance.
For example, start with your list of raw vulnerabilities, but look for other data points such as: affected application, data type, platform, and department, and look for patterns and outliers. Is the majority of your data represented by a few applications? Is the same group or department a consistent target of attackers or always non-compliant? Are there obsolete applications or platforms on your list? These and other data points help define root cause for your current fitness level so you can derive a holistic solution.
“A good analogy for measuring progress is to think of how someone exercising keeps track of their progress, with metrics like how much weight they can lift, how many reps they do, how fast they can go. If you do not measure or keep track, you will not know if you are improving”
You may also consider a modular approach to defining current and target maturity in the same way you might do body-part splits. Monday–chest, Tuesday–legs, Thursday– shoulders. You don’t do squats for bigger biceps. For an information security program, you might consider something like Strategy, Infrastructure, Applications, Incident Response capability. What is the current maturity of each, and where do you want it to be? Then apply the relevant metrics to each component of your program.
Time is an important metric
It is also important to look at your times. In fitness, this is represented by how many reps you can do in a minute, how high your heart rate gets, or how long it takes to return to your resting rate. These are numbers that you can compare to benchmarks for your age and weight to get an idea of your relative fitness. In information security, similar metrics are how long it takes to patch vulnerabilities, how long it takes to detect, correct, and recover from an attack, and how often is the response automated. These can also be compared to benchmarks for your industry and company size, giving you an idea of the relative strength of your security posture. It is not always easy to decide what to measure, or to collect the data necessary to track your progress. However, if you do not measure it, it will not improve!
Do not skip leg day
For some reason, it is common in weight training to focus on the upper body and neglect the lower body, leading to the popular phrase “don’t skip leg day”. The same is true for information security. It is easy to get so focused on high-risk vulnerabilities, the latest threats, key applications, or new technologies, that you neglect other important areas. You need to keep scanning for old vulnerabilities, building and rebuilding user awareness, refining your gateway policies, and even testing and changing your passwords. The basics still matter! If you have a very secure infrastructure and have mastered patch management, but fail to build incident response or application security muscle, you will still fail.
Behavioral modelling and awareness
Fitness plans are most effective when they are customized for the individual, based on normal behavior, diet, and environmental factors. What is normal for one person may be completely foreign to another. You can then appropriately react to an abnormal event. Is your heart rate much higher today? This could be caused by a poor night’s sleep, something you ate or drank, or an underlying health issue. Similarly, identifying normal behavior of your environment is important to managing and understanding that flood of security data. Are multiple logins by this user id normal or access to this IP address by your point-of-sale devices?
Awareness is equally important. If someone expects you to go to the gym or improve your fitness level, it is easier to stay motivated. If your department and company are aware of the issues, risks, metrics, and areas for improvement, then you are more likely to work to improve the situation.
Holistic approach to building maturity
There is no single solution for either fitness or security that will act as a silver bullet to solve your problems. Instead, building fitness or security takes time and dedication, with gradual improvement, reinforced and supported by watching your form (to avoid injury), and measuring the positive impact you are having. This is a concept somewhat lost in the scramble to get more secure. Too many security programs are that guy who eats donuts and bacon for breakfast, cheeseburgers for lunch, deep-dish pizza for dinner, buys every supplement and gadget, then is stunned when he has a heart attack! You cannot expect to buy tech, deploy it with no real plan, measure none of it, and then be surprised when you are breached.
As with a workout, when some security task becomes easy or is automated or a milestone is achieved, you add a new one. When you suffer a breach or other security incident, you look into what controls failed, what metrics would have caught it, and adjust accordingly. Whether you want to protect a few servers and workstations or several massive datacenters, metrics are the only way of measuring and managing your progress. Start measuring the right and realistic things today, and you will be running a little farther or lifting a little more weight next month.