A couple of weeks ago I was invited by IANS to participate in a panel presentation in one of their Executive Client Briefings. The theme for the event was on building risk-based management frameworks and I headed up the Next Generation Threat Management portion. First off, many thanks to the folks at IANS for having me, as usual they did a great job. If you happen to be an IANS client, you can access the presentation online.
While the topic itself is extremely broad and impossible to cover in an hour, there were a few important take-aways I felt worth calling out here. A lot of the presentations and content I see around threat management – specifically “next generation” – all too often involve the dreaded A.P.T., or specific threats to technologies such as mobile or cloud. The problem I have with this focus in the industry isn’t that those threats aren’t real or don’t exist; it’s that we’re simply not even close to being able to deal with them.
Take a look at the breaches laid out in the Verizon DBIR year after year after year. The vast majority of the incidents we call in the forensics and incident response teams to deal with have to do with us getting the basics wrong. A couple of years ago, David Mortman and Alex Hutton gave a great but overlooked presentation at Black Hat. It was in the final time slot of the conference and unfortunately went head to head with Bruce Schneier that year, which means that most people missed it. What they did was create a simple model to run vulnerabilities through to determine whether each was something the average security team needed to worry about. They began by using actual vulnerabilities that were disclosed that week at the conference. I often recite a quote from that presentation: “The sexiest vulnerability isn’t the one you should be worried about”. Or as Bruce Schneier himself often says, “The very definition of news is something that hardly ever happens.” We need to spend a lot more time focusing on the real and most common causes of security breaches and incidents.
Recently, Josh Corman came up with the term H.D. Moore’s Law at Metricon and wrote up a great follow-up post on it. His assertion goes like this:
“Casual Attacker power grows at the rate of Metasploit”
Or to put it more simply, if we cannot protect our environment from the latest Metasploit module used by what we deem a script kiddie, how and why are we talking about how to protect ourselves from advanced persistent threats or the latest threat du jour?
Alex Hutton came up with a similar concept, which he referred to as the Security Mendoza line. We as an industry need to strive to hit above the Mendoza line and focus on the data that provides evidence of the most likely threats. The first step in this is using the data we already have to prioritize our focus. For the majority, “next generation threat management” is the same as it ever was.