"To crush your enemies -- See them driven before you, and to hear the lamentation of their women!" - Conan the Barbarian
Maybe not.
Vulnerabilities
Recently I asked if vulnerabilities were the most important aspect of infosec. Most people said 'no', and the most common answer instead was risk. Risk is likelihood and consequence (impact). (See here for a more infosec'y reference.) And as FAIR points out, likelihood is threat and vulnerability. (Incidentally, this is a good time to point out that when we say 'vulnerability', we aren't always saying the same thing.) While in reality, as @SpireSec points out, threat is probably more important, I suspect most orgs make it a constant 'TRUE', in which case 'likelihood' simply becomes 'vulnerability' in disguise. I doubt many appreciate the economic relationship between vulnerability and threat. As many people pointed out, the impact of the risk is also important. Yet as with 'threat', I suspect it is rarely factored into risk in more than a subjective manner. There were other aspects of risk such as vulnerable configurations, asset management and user vulnerability. And there were other opinions such as communication, education and law.
Risk
The first big take-away is that, while we agree conceptually that risk is complex and that all its parts are important, practically we reduce 'risk' down to 'vulnerability' by not dynamically managing 'threat' or 'impact'. While most organizations may say they're managing risk, very likely they're really just managing vulnerabilities. At best, when we say 'managing', we probably mean 'patching'. At worst, it's buying and blindly trusting a tool of some kind. Because, without understanding how those vulnerabilities fit into the greater attack-surface of our organization, all we can do is patch and buy. Which leads to the second take-away...
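To make that first take-away concrete, here is a small added example (mine, not the author's and not FAIR's own tooling) that scores a handful of constructed scenarios using FAIR's decomposition, loss event frequency = threat event frequency x vulnerability and risk = loss event frequency x loss magnitude, and then shows what happens when threat is pinned to a constant 'TRUE' and impact to a fixed guess: the 'risk' ranking becomes exactly the vulnerability ranking. The scenario names and numbers are invented for illustration.

```python
"""FAIR-style risk scoring, showing how fixing threat and impact collapses
'risk' into 'vulnerability'. Added example; all scenario data is constructed."""
from dataclasses import dataclass, replace
from typing import Callable, List


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_event_frequency: float  # FAIR TEF: expected attacker attempts per year
    vulnerability: float           # FAIR Vuln: P(an attempt becomes a loss event), 0..1
    loss_magnitude: float          # FAIR LM: expected loss per loss event (currency units)


def loss_event_frequency(s: Scenario) -> float:
    """FAIR: LEF = TEF x Vulnerability (expected loss events per year)."""
    return s.threat_event_frequency * s.vulnerability


def annualized_risk(s: Scenario) -> float:
    """FAIR: Risk = LEF x Loss Magnitude (expected annual loss)."""
    return loss_event_frequency(s) * s.loss_magnitude


def _rank(scenarios: List[Scenario], score: Callable[[Scenario], float]) -> List[str]:
    """Scenario names, highest score first."""
    return [s.name for s in sorted(scenarios, key=score, reverse=True)]


def rank_by_full_risk(scenarios: List[Scenario]) -> List[str]:
    """Threat, vulnerability and impact all managed dynamically."""
    return _rank(scenarios, annualized_risk)


def rank_by_vulnerability_only(scenarios: List[Scenario]) -> List[str]:
    """What a scanner-driven programme effectively does: sort by exploitability alone."""
    return _rank(scenarios, lambda s: s.vulnerability)


def rank_with_constant_threat_and_impact(scenarios: List[Scenario],
                                         tef: float = 1.0, lm: float = 1.0) -> List[str]:
    """'Threat is always TRUE' and impact is one fixed guess: risk = constant x vulnerability,
    so the ordering is the vulnerability ordering in disguise."""
    pinned = [replace(s, threat_event_frequency=tef, loss_magnitude=lm) for s in scenarios]
    return _rank(pinned, annualized_risk)


# Constructed scenarios (invented numbers, for illustration only).
SCENARIOS = [
    Scenario("unpatched-internal-print-server", 2.0, 0.90, 5_000.0),
    Scenario("internet-facing-vpn-auth-bypass", 200.0, 0.30, 500_000.0),
    Scenario("laptop-theft", 5.0, 0.50, 20_000.0),
    Scenario("critical-cvss-on-isolated-lab-host", 0.1, 0.95, 2_000.0),
]

if __name__ == "__main__":
    for s in sorted(SCENARIOS, key=annualized_risk, reverse=True):
        print(f"{s.name:36s} LEF={loss_event_frequency(s):7.2f}/yr  "
              f"risk={annualized_risk(s):>14,.0f}")
    print("full risk:          ", rank_by_full_risk(SCENARIOS))
    print("vulnerability only: ", rank_by_vulnerability_only(SCENARIOS))
    print("threat/impact fixed:", rank_with_constant_threat_and_impact(SCENARIOS))
```

The point of the three rankings is the gap between them: the highly exploitable finding on the isolated lab host tops the vulnerability list and the pinned-constant list, while the internet-facing VPN bypass, with a lower exploitability but a large threat population and a large loss, dominates once threat and impact are actually measured. Any programme whose prioritisation matches the last two lists rather than the first is managing vulnerabilities, whatever it calls itself.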
Attack Surface
The second take-away: "I think we need to change the discussion from vulns to attack surface." Without understanding its attack surface, an organization can never move beyond swatting flies. If an organization is a city and they want to block attackers coming in, what we do is like blocking one lane of every road in. Sure, you shut down a lot of little roads, but the interstates still have three lanes open. And what about the airport, buses, and beaches?
Our Challenges
Unfortunately, if we can't move from vulns to full risk, our chances of moving beyond simple risk to attack surface are slim. At least in FAIR, we have the methodology to manage based on full risk, if not attack surface. However, unlike vulnerability data, the threat and impact data is not easy to collect. It's not easy to combine and clean. And it's not easy to analyze and act upon. (All the things vulnerability data is.) We don't even have national strategic initiatives for threat and impact, let alone attack surface, the way we do for vulnerabilities (for example bug bounties, and I Am The Cavalry).
In Conclusion
Yet we continue to spend our money and patch vulnerabilities with little understanding of the risk each patch addresses, let alone how that risk fits into our overall attack surface. But for those willing to put in the work, the tools do exist. And eventually we will make assessing attack surface as easy as a vulnerability assessment. Until then though, we will continue to waste our infosec resources, wandering blindly in the dark.
P.S.
The third and final take-away is that the whole discussion completely ignores operations (the DFIR type, not the installing-patches type). In reality, it may be a strategic decision, but the trade-offs between risk-based and operations-based security are better left for another day's blog post.