A new security vulnerability hit the press recently. This time it was the alleged flaws in the ASN.1 standard that lies at the heart of Internet communications. Before that it was some Microsoft exposure. Before that it was a Linux hack. Let's face it: Bad things happen. However, to try and eliminate every exposure will be very costly, and probably impossible. The better approach is to take some risks, and focus on your core mission: doing business efficiently and aggressively in the competitive marketplace. Just as you put steel-belted radials on your automobile and then drive a dangerous highway, you should take some basic security precautions and then focus on your business.
Bad Things HappenBut are they really so bad? To do business, you have to take risks. One of the risks of doing business while connected to the Internet is that bad things will happen occasionally. Sometimes, the email service will be interrupted, or the website will go down. Your organization may be one of the unlucky few that suffers a loss of personally identifiable information such as customer names and credit card numbers. Yet in nearly every case, business recovers and resumes. Even the damaging Blaster worm or Slammer attacks left companies bruised and battered, but not crippled.
Quick RecoveryThe most clear-headed security folks have a standard, time-honoured methodology: detect, react, recover. Of course, it makes sense to lock doors and secure perimeters to try to eliminate most of the common bad things. But if you assume - or realize - that bad things will still continue to happen, the most important security posture is defence. In other words, put systems in place that will help you to understand and analyze events, to respond to them efficiently and effectively, and to recover quickly. Even during the worst moments of the Blaster or Slammer attacks, the companies and government agencies with the best event management programs suffered little.
Steel-belted SecurityAt a point, spending money on security follows the law of diminishing returns. That is, the 100th dollar you spend has less relative impact than the 1st. Therefore, it is not the size of your security budget that matters, but the effectiveness and efficiency of your security choices.
Good enough is always good enough
It is very tempting to buy products or services because you are afraid of the next security vulnerability. If you have that attitude, you will be the friend of dozens of security vendors. They never sleep if they think they can develop a new product for a new perceived need. Instead, focus on value, and focus on the mission of your company.
Value is the key
A security technology deployment is appropriate not if it merely mitigates risk, but if it moves you closer to achieving your business goals in an efficient way.
Success lies in not over-spending on security nor making the security architecture so complex and extensive that it cannot be managed efficiently. Yes, you can buy products and services designed to mitigate specific threats, but be careful. Buying a product for every threat will deplete your budget and burden your networking infrastructure.
Look for Solutions, Not Problems
— Create and empower an incident response team.
— Security Event Management products are excellent tools for detecting, responding to, and recovering from attacks.
— Find exposures before they are exploited either by scanning for vulnerabilities, or by analyzing attack scenarios. Foundstone, Qualys, ISS, and many others scan for relevant vulnerabilities and prioritize them based on likelihood of affecting your systems. Skybox Security takes the reverse approach by analyzing actual exposures and reporting which known threats actually will effect specific systems.
By Steve Hunt is vice president, security, for Forrester Research