20 December, 2006

Measurable Layers

Prediction #9 seems to have gotten at least some attention. I have had three separate requests (one in two parts, so I am certain the author is interested) for expansion and clarification.

I guess this is good. I obviously tapped into a healthy meme seed but I do have a bit of a dilemma.

I am not really sure what I meant.

Well, I am sure what I meant, but I am not really sure how to articulate it. (wow, doesn't that leave me an easy out in 08)

Every attempt I have made turns out to be just a small part of the whole. It is like trying to draw a hypercube on a piece of paper. All I wind up with is a bunch of weird-looking triangles, rectangles and squares.

The way I used to look at security was as a sort of modified OSI model. (way back when)

Control Physical Access
Locked TC and DC doors, Building Access, Wireless Access Controls

Control Switching/Electrical Access
More Wireless access controls, MAC Filtering, NAC (if it ever works), VLANs

Control Routed Access
ACLs, Good Subnetting (Yes, I know a subnet doesn’t stop anything by itself, but if you don’t get the routing right everything else is harder), Proper DMZ/Extranet/Segmentation

Control of Application Connectivity
Firewalls, Tunnels, Some Proxy Functions

Control of Sessions and early SoD
Session Segregation, Basic SoD, Identity Controls

Control of Data access and Presentation
DB Controls, Site/share/page access, More Identity Controls, Middle SoD

Application Controls and Control of data manipulation and metadata
Business SoD, Application Design, Business use of Application, More Identity Controls

This approach actually still works in many cases, but it lacks a lot of essentials. It is almost purely tactical and has no self-awareness. It also focuses too much on access control/preventative controls and not enough on mitigation and prioritization.

A lot of people who talked about the OSI model used to jokingly add a few more layers.

Politics, Religion, and Money

I am not so sure that is a bad idea but I would probably add a few more layers and call them:

Process, Policy, Governance, Compliance, and Money

in that order.

If you do that, combined with the other layers, it looks a bit like the ISO 17799 domains, doesn’t it? Well, perhaps with some CoBiT Control Objectives thrown in.

There are a few differences though. Instead of interrelated overlapping domains you have sequential (potentially superseding) layers in both directions. These are layers where (for a given threat) you can show a certain level of protection. Multiple layers can be stacked for increasing sequential protection versus a threat from a given vector.

So let’s add these into the mix. Do they overcome the shortcomings? Well, not completely. There is one thing still missing: visibility.

So feed visibility as a subset requirement into each of the layers.

As a quick example of that meme:

A firewall is valuable because it stops some attacks

If you are able to see how many attacks occur “outside” the firewall and compare them with how many attacks make it “inside” the firewall you have added value. The value isn’t directly added to the control that is the firewall. The value is added at the Process layer where an evaluation of the effectiveness of the firewall occurs and other controls can be used to mitigate the identified weaknesses. It might also be added at the Compliance layer where an organization might have to meet PCI requirements on proof of effectiveness of controls (specifically the firewall as a Control).

So what I was trying to say when I wrote:

“Vendors that are able to encompass the concept of measurable layers in security will emerge (or in the case of the few that are already out there will do well financially)”

is that vendors that are able to add or combine either automated or easy-to-implement means of measuring the effectiveness of the controls they peddle will add value.

Also

Vendors that facilitate the process of not only tying controls to specific effectiveness but also representing the effect of overlapping controls on overall risk mitigation will add a great deal of value.
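The firewall example above (counting attacks seen outside versus inside) and the overlapping-controls point here can be made concrete. The following is an added example, not code from the original post: it counts events from two constructed sensor logs, derives a per-signature stop rate for the firewall layer, flags signatures the outside sensor never saw (a visibility gap rather than a measurement), and folds several layers' stop rates into the share of attempts that survive the whole stack. Sensor placement, signature names and addresses are all made up for the example.

```python
from collections import Counter

# Constructed IDS-style events from a sensor outside the firewall and one inside it.
# Sample lines made up for this example, not from the post or any real network.
OUTSIDE_LOG = """\
2006-12-20T10:00:01 sensor=outside sig=smb-worm src=198.51.100.7
2006-12-20T10:00:04 sensor=outside sig=smb-worm src=198.51.100.9
2006-12-20T10:00:09 sensor=outside sig=sql-injection src=203.0.113.4
2006-12-20T10:00:12 sensor=outside sig=ssh-bruteforce src=203.0.113.8
2006-12-20T10:00:15 sensor=outside sig=smb-worm src=198.51.100.11
2006-12-20T10:00:19 sensor=outside sig=ssh-bruteforce src=203.0.113.8
2006-12-20T10:00:23 sensor=outside sig=sql-injection src=203.0.113.5
2006-12-20T10:00:41 sensor=outside sig=ssh-bruteforce src=203.0.113.9
"""
INSIDE_LOG = """\
2006-12-20T10:00:09 sensor=inside sig=sql-injection src=203.0.113.4
2006-12-20T10:00:19 sensor=inside sig=ssh-bruteforce src=203.0.113.8
2006-12-20T10:00:23 sensor=inside sig=sql-injection src=203.0.113.5
"""

def count_by_signature(log: str) -> Counter:
    """Count events per attack signature; lines without a sig= field are skipped."""
    counts = Counter()
    for line in log.splitlines():
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if "sig" in fields:
            counts[fields["sig"]] += 1
    return counts

def layer_effectiveness(before: Counter, after: Counter) -> dict:
    """Fraction of attempts stopped by the layer, per signature.
    None marks a signature seen only inside: the outside sensor has a blind spot,
    so the layer cannot be measured against it (a finding for the Process layer)."""
    result = {}
    for sig in set(before) | set(after):
        if before[sig] == 0:
            result[sig] = None
        else:
            result[sig] = max(0.0, 1 - after[sig] / before[sig])
    return result

def stacked_pass_through(effectiveness: list) -> float:
    """Share of attempts that get past every layer in a sequential stack,
    assuming each layer's stop rate is independent of the others."""
    remaining = 1.0
    for stop_rate in effectiveness:
        remaining *= 1 - stop_rate
    return remaining
```

With these logs the firewall stops all of the worm traffic, none of the SQL injection (it is allowed application traffic, so another layer has to carry that risk), and two thirds of the SSH brute forcing; stacking a second layer with a measured 90% stop rate leaves one attempt in thirty getting through.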

If you can demonstrably add value then you can make money.

That’s what I meant …

Sort of

So now I am circling around to tag the originator of the chain letter.
