Catalyst Conference 2008



October 29, 2007

Catalyst EU and the Global Perspective on Information Security

Blogger: Dan Blum

Bringing together a diverse, multinational group of IT experts, Burton Group’s European Catalyst conference illuminated a number of global IT security issues. As my plane lifts off above the coast of Barcelona, many of them still reverberate: issues of compliance, security and authentication.

The Unlikely Complexity of Log Management

One of our most intense speakers – Jay Leeks of Nokia – spoke on log management. At first blush this does not seem to be a topic of great architectural and legal complexity, but as Jay leads you through the lessons of his global log management project, an intricate landscape is revealed. In a global company, logs are much more than the drainage pipes of IT; they are repositories of real significance to multi-jurisdictional privacy, evidentiary and management functions.

In Finland, where Nokia has its headquarters, sender IP addresses in the headers of emails are considered private information. Even inside a company email envelope, the employee retains some privacy rights in many jurisdictions, though generally not in the United States. Likewise there is variance in retention requirements, with some countries demanding that certain information items be retained and others demanding that they be destroyed after a period of time. The scope of regulatory jurisdiction is often unclear; it may cover information that is stored in the country, information about citizens of that country wherever it may be stored, or both. Nokia’s global log architecture is decentralized to allow flexibility in what is stored, and in where and how it is managed; but information can still be aggregated or searched centrally for enterprise-wide reporting purposes.

Nokia’s lawyers have said that the full brunt of regulatory duress falls only on the raw log data, not on the ephemeral, normalized representations constructed later by security event and information management (SEIM) systems. Yet raw log data cannot be arbitrarily disposed of like so much sewage, for we know that only well-preserved original logs, collected during the normal course of business, are admissible in court proceedings.
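A toy model of the architecture the post describes, as an added example that is not Nokia's code: raw logs stay in their region under that region's retention rule, the central search index receives only a pseudonymized view, and a digest taken at collection time lets the original line be shown unaltered later. The jurisdiction rules, day counts, IP addresses and salt are constructed placeholders, not legal requirements.

```python
"""Constructed model of the decentralized log architecture described above: raw
logs stay in their region under that region's retention rule; the central search
index receives only a pseudonymized view. Added example, not Nokia's design."""
import hashlib
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class RetentionRule:
    min_days: int             # must be kept at least this long
    max_days: Optional[int]   # must be destroyed after this long (None: no cap)
    ip_is_personal: bool      # sender IP counts as personal data

# Hypothetical rules for illustration (the post notes Finland treats sender IPs
# as personal data); the day counts are constructed, not legal requirements.
RULES = {
    "FI": RetentionRule(min_days=30, max_days=180, ip_is_personal=True),
    "US": RetentionRule(min_days=365, max_days=None, ip_is_personal=False),
}

@dataclass
class RawLog:
    region: str
    ts: str          # ISO-8601 timestamp as written by the source system
    sender_ip: str
    message: str
    digest: str = field(init=False)

    def __post_init__(self) -> None:
        # Hash the original line at collection time so the raw record can later
        # be shown to be unaltered; the raw line itself never leaves the region.
        line = f"{self.ts} {self.sender_ip} {self.message}"
        self.digest = hashlib.sha256(line.encode()).hexdigest()

def pseudonymize_ip(ip: str, salt: bytes) -> str:
    """Keyed hash: central analysts can still correlate a repeat sender."""
    return hashlib.sha256(salt + ipaddress.ip_address(ip).packed).hexdigest()[:16]

def retention_action(rule: RetentionRule, age_days: int) -> str:
    """'hold' under the minimum, 'destroy' past the maximum, otherwise 'keep'."""
    if age_days < rule.min_days:
        return "hold"
    if rule.max_days is not None and age_days > rule.max_days:
        return "destroy"
    return "keep"

def central_view(logs: list, salt: bytes) -> list:
    """Records each regional store forwards to the enterprise-wide search index."""
    view = []
    for log in logs:
        personal = RULES[log.region].ip_is_personal
        sender = pseudonymize_ip(log.sender_ip, salt) if personal else log.sender_ip
        view.append({"region": log.region, "ts": log.ts, "sender": sender,
                     "message": log.message, "raw_digest": log.digest})
    return view
```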

No Fees? No Worries.

Though the U.S. may still be one of the more benign environments for managing your logs, it has become a harsh and unforgiving environment for credit card processors – especially those who experience a breach (or just run afoul of their Payment Card Industry (PCI) auditor). Yet Europe remains relatively indifferent to the apparently urgent topic of PCI Data Security Standard (DSS) compliance.

To see why this is, one need only follow the money. After the TJX breach, the credit card companies began raising the fees of credit card processors who cannot satisfy their PCI auditors. A 1% increase in an organization’s credit card fees can cost millions or billions of dollars or euros – enough to justify many, many security countermeasures to avoid the fee. But the higher fees fall only on processors in the U.S. and generally not in Europe.

What is the difference? A Ponemon, White and Case survey found that 94% of European companies reported (confidentially) that they had experienced a breach in the past three years, compared with only 86% of U.S. companies. But whereas the U.S. has a free-wheeling market for instant consumer credit and makes heavy use of card-not-present transactions over the phone and over the Internet, use of credit is much more restrained in Europe. Also, European companies have tight use restrictions on personal data and perform much less data collection due to stronger privacy regulations in the EU.

Just as Windows used to be an environment (unintentionally) designed for computer viruses, the U.S. consumer market still seems to be an environment that could have been designed expressly for identity theft. How far will the country go? During the baseball playoffs, Visa was running a commercial showing how easy and convenient credit cards are becoming, making cash transactions look like discordant anachronisms at the checkout line. It would be interesting to know whether similar ads are running in Europe, and whether Europe will ever follow the lure of easy credit as far as the U.S. has. According to Ponemon, if they do so without adding more of the U.S.-style controls, they'll suffer an even worse outbreak of ID theft…

Even before that point, European complacency over PCI may not last, as the EU is mulling its own breach notification requirements. If these become law, we shall soon learn whether or not the Ponemon survey is accurate. For our part, Burton Group suspects security weaknesses are universal.

July 05, 2007

Catalyst Clarifies Information Security Challenges

Blogger: Dan Blum

The theme for security at Burton Group’s Catalyst conference was this: successful security requires a proactive approach. We focused on many aspects of proactivity, but a few points jumped out pretty clearly:

Data and risk cannot be governed, but the responsible persons can be – if we have the metrics. Could IT security artifacts be managed through market mechanisms similar to those that drive the business?

Creating open security management frameworks, or ecosystems, could be a win-win for security platform vendors and enterprise customers. Why is this, and what will it take to realize the promise?

My “successful security” presentation proposed the model for proactive security shown below. One of the notions in the model is that organizations should “get stronger sooner” by addressing risks earlier in the IT lifecycle by becoming involved in business planning and risk management.

[Figure: the proactive security model]

We researched methodologies for risk management, but they either address low-level security project blocking and tackling, or require that business executives meet IT security staff halfway by developing more understanding of the technology in order to set direction and take accountability for it. Unfortunately, it can be rather difficult for even the senior managers in IT security to change the behavior of business executives and get them to do this.

At Catalyst, however, IBM’s Steve Adler gave us some exciting ideas in his “Six Questions to Ask About Data Governance” presentation. Among other things, this presentation discussed opportunities for using Utility Theory to derive a value for data, so that investments in managing, protecting or controlling data could be more properly calibrated. The corollary to valuing data is valuing risk – a tough problem. Here Adler referred us to Wikipedia’s coverage of Alternative Risk Transfer (ART).

We’ve written on how to measure Return on Security Investment (ROSI) in one of our reports. And I thought about the Basel II regulation, which requires that banks measure risk and set aside a capital reserve to fund recovery operations should risks materialize.

We’re still early in this line of research, but I find these ideas exciting because they could take risk away from being an externality and put it in terms any executive can understand. And while this may strike you as an overly theoretical point, isn’t the idea akin to pollution credits – which are very real today – and the notion of carbon debt, which may soon also start to impact business?

Thus, data and risk values could appear on a balance sheet that gets rolled up to top executives just like the monthly sales and expense forecasts. Executives wouldn’t have to understand the details of the technology creating the risk any more than they have to understand every detail of the expense of researching some of their rocket science products. But they can understand numbers, trends in numbers, and thresholds for how big those numbers should be. And by managing those numbers, could they give IT the guidance it needs for risk management tradeoffs?

Of course, the smart executive with time on his hands may drill down into any number at any time to spot check it or understand it. The valuation of risk has to be realistic and defensible. Where actuarial evidence is not available (as is so often the case) one might start this exercise with very conservative numbers, explain why they might be understated, and increase those numbers over time as incidents or losses provide more real-world evidence.

If your organization has been valuing data or risk successfully, or has studied the idea seriously, we’d like to talk to you. Please contact us or leave a comment.

And concerning the second major insight about security management frameworks, stay tuned: I’ll cover it in the next week or two. Keep coming back – this blog works!

June 27, 2007

What is a “self defending” network?

Blogger: Phil Schacter

With its acquisition of Ironport, Cisco once again leads with the “self defending” network marketing message. But with Jericho Forum, Burton Group and others highlighting the changing role of the network in security, has the self defending network marketing message outlived its usefulness, so that it now merely serves to confuse the issues?

Marketing slogan aside, it’s a useful exercise to consider what it means for a network to be capable of defending itself. Self defense is a reasonable goal as long as what we’re talking about are the operational components of a network that are responsible for reliably moving bits around.

When we refer to the network fabric often what we’re talking about are the routers, switches, and other devices that play an active role in the primary job of the network, bit hauling. These network devices incorporate specialized hardware, run optimized real-time operating systems, implement support for various networking protocols, and are instrumented to enable common administrative and operational functions. Proper self defense should include attack resistant software, hardened operating systems, protocols that are secure by design, and controls that permit only authorized administrators and network operations personnel to access privileged functions. Even with this relatively narrow definition, there is an argument that the industry has a long way to go to deliver on the vision of a “self defending” network.

There is a great temptation, especially by vendors of network infrastructure equipment, to want to broaden the role of the network’s routers and switches to include additional security functions that impose restrictions on the traffic and usage of the network. These functions include authentication of devices and users based on 802.1X, enforcement of network access control (NAC) policies based on a system health assessment, and traffic filtering based on deep inspection of application protocols and packet content. Such vendors have positioned the “self defending” network as including this kind of security intelligence, the distorted goal being to protect the IT resources and users that are connected to the network. This is no longer the network devices defending themselves but extending their protective umbrella to every user and resource inside the enterprise managed network’s perimeter.

The notion of a bastion network with an impermeable perimeter around a global, distributed enterprise is almost never the reality. Networks need to be open and flexible to enable dynamic business relationships and business expansion. They typically involve use of public wired and wireless networks, leveraging the ubiquity and economics of the Internet. In these cases, it’s not practical for the network fabric to protect the rest of the IT infrastructure, and attempts to add this kind of intelligence introduce complexity, overhead, and set a false expectation of security. It’s time to shift the burden of defense back to the endpoint devices and the data centers that host business applications and information.

Burton Group will be exploring these issues at the Catalyst conference in its “Networks Without Borders” content track. Check out http://catalyst.burtongroup.com/NA07/CatLiveBlogs.htm over the next few days for real-time coverage of this and other exciting issues!

June 15, 2007

Covering your SaaS: Does it make sense for security?

Blogger: Trent Henry

Software as a Service (SaaS) is quite the rage. Google, Microsoft, Salesforce.com... The list of vendors providing such capabilities goes on, and it's becoming a who's who of the software industry. The value proposition is obvious: use the Internet to connect to software hosted and managed by someone else; don't buy equipment, don't staff personnel, and don't take on the headaches of running IT in-house. The desired result is cost savings, and it's definitely been borne out by customer testimonials. They say there are advantages in reduced capital expense, faster deployment, better focus on core business activities, and pay-as-you-go capacity planning.

But what about SaaS for security?

I'm not talking about the security practices of SaaS vendors themselves, although that is a tantalizing question. Rather, does information security SaaS itself make sense? Firewalls are software, right? E-mail filters are software. Arguably, all the major protection mechanisms from the perimeter layer on down could become services. It might not be fun to think about back-hauling all Internet traffic to the firewall service provider for filtering, but, hey, it's certainly possible (and, frankly, we're often already doing the equivalent with branch sites). Probably the question isn't "can" but rather "should" security become SaaS?

It's a good question to ask because vendors are lining up to offer solutions, and we better have our stories straight before management makes the decision for us. The latest company to enter this fray is Symantec, with a recent announcement about the Symantec Protection Network. This is an evolving platform for delivering security SaaS. It's not the managed security service (MSS), mind you, with simple remote monitoring of your premises infrastructure, but the first step toward intended "security in the cloud." Clearly we've seen elements of this before. Iron Mountain Digital and Sungard provide remote network backup. Postini and MXLogic (among others) provide e-mail filtering offsite. These features are two that Symantec plans to roll out, accompanied by others (no doubt reflective of Symantec's enterprise security suite features) over time.

Is it a good idea? For companies with limited staff and expertise, the phrase "stick to core competencies" certainly resonates. Perhaps SaaS-provided security is better than no security (or bad security). But for a large enterprise, it's not so clear. The goal of information protection is to reduce risk by adding controls for confidentiality, integrity, availability, use control, and accountability. Risk reduction and cost savings don't have to be antithetical, but short-changing risk at the, er, expense of cost-reduction would be a bitter pill to swallow. And this might be what SaaS security offers in the near term: less cost, but more risk.

It's an issue that's soon going to be critical for CISOs and their teams to tackle. We're discussing it at the end of the month at Burton Group's Catalyst conference. Eric Maiwald's talk, "SaaS for Collaboration and Content: A Smart Move or an Invitation to Disaster?" will be a key element. Join in the conversation.

May 01, 2007

The Politics of Architecture

Blogger: Dan Blum

Bob Blakley and I recently sequestered ourselves for an entire day to work on revisions of two Burton Group security framework documents which had aged into the archive:

  • A Systematic, Comprehensive Approach to Information Security
  • Risk Management Concepts and Frameworks

The systematic, comprehensive security framework comprises business risk management, security objectives, security posture, business processes, security technology, lifecycles and contexts. We use it to remind ourselves that security projects must always be holistic endeavors; it is the framework that guides us.

Afterwards, I visited a number of large organizations and talked with them about various subjects Burton Group covers, including security programs. It struck me, as it always does, that defining security architecture or strategy is always a lot easier than actually making it happen!

One of the people we visited was a security manager at a large financial institution. He says that his CISO organization has created a new security strategy and identity management architecture to cover various business units and outsource partners throughout their global environment. “This is a new initiative for us,” he said. “The first strategy is being approved, and others will be brought in to cover additional domains.”

The security manager went on to say that the challenge was not only to create architecture but to communicate and enforce it. He calls this “the politics of architecture” and notes it is particularly difficult in a global, outsourced environment where multiple technical architectures must be received and reviewed from sub-contractors. Internally to the organization, it will be critical to manage expectations, set up success metrics, and show some real progress by the end of the year. The security manager struck me as a very intelligent, buoyant and optimistic person – someone who thrives on chaos.

Continuing to make the rounds of companies that are interested in Burton Group, I later visited the Head of Information Security at another large global organization. He radiates an air of crisp competence and organization. He is living the life of the CISO as we describe it in our report Security Governance for the Enterprise. The subsidiaries and business units share a corporate culture of independence and autonomy, but they track to a baseline set of controls chosen from ISO 27001, as does the IT services organization. Reports are rolled up into a dashboard for management consumption. Clearly, the company understands accountability and metrics, things that we’ve emphasized in other documents. One weakness, he admitted, was that the reports are self-assessments and only lightly spot-checked by internal audit.

Whether we are talking about the politics of architecture on the grand scale of the information security program for a Global 2000 company or on the smaller scale of an identity management project, the challenge is clear: how do we traverse from theory to practice? Burton Group has a lot of good ideas already published, but we’ll be mindful of this issue as we plan more coverage and work to prepare for our Catalyst conference “Successful Security: Getting Proactive” track. Hope to see you there!