Prioritizing the 'big rocks' in data security threats
Habit #3 in the late Steven Covey’s perennial bestseller, The 7 Habits of Highly Effective People, is “Put First Things First.” The basic idea is that personal effectiveness is maximized by focusing on your most important priorities first, but this habit is typically remembered by the famous Big Rocks analogy.
In addition to being a practical strategy for personal effectiveness, the same concept can be applied across your infosec team for effective breach risk reduction.
The idea behind Mr. Covey’s analogy is that if you focus first on all the small things in life (the “sand” and “pebbles”), they will take up all of your time and you won’t have time for the important things (the “rocks”). If, instead, you focus on the “rocks” first, the “sand” and “pebbles” will fall into place later.
In your personal life, it might be (relatively) straightforward to come up with a list of your 10-20 important tasks and then prioritize that list. In information security, however, your enterprise likely has between 10 million and 100 billion time-varying signals across your attack surface, with changes happening every second. Quite the daunting task, and definitely not one that can be accomplished by humans alone.
Finding the infosec Big Rocks starts with building an up-to-date and accurate inventory of everything that your team must defend. This inventory must include every potential target that an adversary can go after. Networking equipment like switches and routers, managed and unmanaged computers and smartphones, enterprise cloud apps, shadow IT, IoT devices, third party vendors in your supply chain and more.
Calculating and analyzing all that exists across an organization’s IT environment, which contains nearly unlimited permutations and combinations of risk factors, is a very big rock of its own.
For every asset identified, there are 100 or more attack vectors that could potentially be leveraged against the target. These range from simple vectors such as stolen passwords or reused credentials to things like phishing, man-in-the-middle attacks, and zero-day exploits.
It’s critical to view all ways which an adversary can compromise an enterprise asset, and to quantify risk for each of these points. But the risk calculation isn’t as simple as identifying unpatched vulnerabilities. Risk is a function of inventory and vulnerabilities, but several other factors as well.
Mapping vulnerabilities to active threats is crucial. Many high severity vulnerabilities have never been exploited in the wild, while other, seemingly more mundane vulnerabilities are in active use by adversaries. Organizations must be able to quantify and prioritize which active threats currently exist and which are easiest for the adversary to exploit.
If there’s an unpatched vulnerability on a piece of software that hasn’t been used in 2 years, or on a machine that hasn’t been powered on in 60 days, the risk of exposure to exploit or attack is far lower than for the unpatched machine with a power user leveraging risky software 10-12 hours per day.
Smart attackers will attempt to first infiltrate the “riskiest” available nodes on a network, and use those as a beachhead from which to move laterally inside the network. Propagation is when an attacker uses the beachhead to attack a more critical asset, leveraging things like shared credentials or a trust relationship between the machines.
Traditional vulnerability assessment techniques identify unpatched assets, but can’t account for the compensating controls, in the form of security products, elsewhere in the network. These controls can render some vulnerabilities unexploitable.
Your domain controllers have a higher breach impact than a kiosk machine at the front desk of your corporate offices that checks in guests. Business criticality is a key factor in the risk equation.
Finally, The Big Rocks
At long last, we have what we need to figure out the Big Rocks. Risk quantification, accounting for vulnerabilities, threats, exposure, propagation, compensating controls, and business criticality, is the key to identifying and prioritizing our infosec rocks. The industry is beginning to see tools on the market that can assist with this quantification step, because it is nearly impossible using manual process.
From here, the task is easy - simply task your team with solving the (now identified) biggest impact security issues facing the organization.