25 October, 2006

Layering Controls – 100% compliance - 3

Part 3

Part 1 here

Part 2 here

So if you can’t get 100% with a single control, how do you get to 100%, or close to it?

I’ll use worms as the example because it is easy, not because I think they are the most likely current threat.

Say you can stop 80% of the worms with your company’s external firewall.

Then stop 80% of the remaining worms with segmentation to your PCN.

Then stop 80% of the remaining with a NIPS device.

Then stop 80% of the remaining with a host-based firewall.

Then 80% with patching.

Then 80% with HIPS.

Then 80% with memory-based protection.

If you can get an 80% reduction with each layer, then you have reached your .001% likelihood level with 6 controls, even if you had 100% certainty of the threat event occurring to begin with.

So the trick is identifying the applicable controls, determining how they (and how much they) reduce the likelihood, and whether they can be layered with outer controls.
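As an added worked example (not from the original post), the chain above in Python: the residual likelihood after each layer under the multiplicative model, the number of 80% layers needed to reach a given target, and an assumed `overlap` knob that models a control catching what an outer layer already caught, which is the case where layering stops multiplying.

```python
from math import ceil, log

# Controls named in the post, each assumed to stop 80% of what reaches it.
LAYERS = [
    ("external firewall", 0.80),
    ("segmentation to the PCN", 0.80),
    ("NIPS", 0.80),
    ("host-based firewall", 0.80),
    ("patching", 0.80),
    ("HIPS", 0.80),
    ("memory-based protection", 0.80),
]

def residual_chain(initial, layers, overlap=0.0):
    """Residual likelihood after each layer, in order.

    Each layer stops a fraction `eff` of what reaches it, so residuals
    multiply: r_n = initial * prod(1 - eff_i).  `overlap` is an assumed,
    simplifying knob: the fraction of a layer's catch that an outer layer
    already stopped.  overlap=0.0 means independent layers; overlap=1.0
    means the layer adds nothing on top of the ones before it.
    """
    chain, residual = [], initial
    for name, eff in layers:
        # The outermost layer has nothing before it to overlap with.
        effective = eff if not chain else eff * (1.0 - overlap)
        residual *= 1.0 - effective
        chain.append((name, residual))
    return chain

def layers_needed(target, per_layer, initial=1.0):
    """Smallest number of independent layers, each stopping `per_layer`
    of what reaches it, that brings `initial` down to at most `target`."""
    if not 0.0 < per_layer < 1.0 or target <= 0.0 or initial <= 0.0:
        raise ValueError("per_layer must be in (0, 1); target and initial > 0")
    if initial <= target:
        return 0
    n = ceil(log(target / initial) / log(1.0 - per_layer))
    # Floating-point log can land one off; settle it by direct comparison.
    while initial * (1.0 - per_layer) ** n > target:
        n += 1
    while n > 0 and initial * (1.0 - per_layer) ** (n - 1) <= target:
        n -= 1
    return n

if __name__ == "__main__":
    for name, r in residual_chain(1.0, LAYERS):
        print(f"after {name:<24} residual likelihood = {r:.5%}")
    print("80% layers needed to reach 0.001%:", layers_needed(1e-5, 0.8))
    print(f"same controls, 50% overlap: {residual_chain(1.0, LAYERS, 0.5)[-1][1]:.4%}")
```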

This is why I have been so interested lately in the risk conversations at RiskAnalys and Episteme.

If we can identify a relationship between units of risk and controls, that would be very valuable.

Final Section Here
