Threat management – shifting from vulnerabilities to risk management

A long-time veteran of RSA, Robert Griffins has worked around the world; his most recent posting is in Zurich. He is RSA's strategy architect for Europe and directs a major EU-funded security project there.

In the RSA Conference opening keynote, Art Coviello noted that standards are critical to how countries manage their threat/response balance.

"Within the standards community there are three very important initiatives. One is the technical standards. They attempt to increase interoperability and make systems work together better. Key management is part of that. Crypto is part of that," Griffins said.

"Equally important are the standards that deal with the framework of security as a whole. Some, like the ISO 27000 standard, establish models for how tools work together. Given the complexity of systems and the threats we face, it's extremely important to have those frameworks."

Griffins contends, though, that the most important are standards about how we understand and respond to the risks we face. He notes there have been some important developments in that area. In particular, risk management has moved away from looking at specific vulnerabilities towards looking at which assets are at risk.

This approach is a response to the attack models and sophistication being seen today. Given the ever-expanding attack surface created by increasingly open systems, BYOD and cloud-based solutions, it is simply not possible to know how or where a malicious party will launch an attack.

The model RSA is investigating has been used in operational fault isolation for many years, but its application to security is new.

Griffins suggests that this model is much like what happens on the power system. "If a transmission line is cut, does it matter whether that was done by lightning or by the falling of a pylon? The issue is that it was cut."

The focus isn't on how the line was cut but on identifying the fault, rectifying it and taking remedial action so that the same fault doesn't recur.

The more secure cloud?

Although many people see cloud-based solutions as inherently less secure than internally hosted systems, Griffins pointed to instances where cloud-based infrastructure was the more secure solution.

"When I was producing a demo system for a show, it was much safer for me to take that software, which required access by some major competitors, and to stand it up on Amazon Web Services rather than to try to stand it up inside on our own servers. We would have had to open up ports. In that case cloud was a much more secure solution as we didn't have to expose any of our assets," he said.

Griffins said there are some critical questions that need to be asked before placing anything in the cloud. "What are you trusting? What are the mechanisms in place to secure it? How much of that can you trust? What kind of oversight do you have? These are the critical questions."

Anthony Caruana travelled to RSA Conference as a guest of RSA
