What gets measured gets done

The original saying may have been "If you can't measure it, you can't manage it" or "If you can measure it, you can manage it", and its origin is not clear. But the core idea stays:
  1. Measure where you are today
  2. Decide where you want to be tomorrow
  3. Work towards that goal
  4. Go back to 1
Measuring helps you understand:
  • where you are
  • which direction you're going
  • how far you are from your destination
Not measuring is a bit like finding yourself in the middle of the desert without water, knowing there is an oasis somewhere, but not knowing where, with no map or compass (no GPS either, sorry). Your chances of survival are pretty limited...

In security, measuring and managing is called risk management:
  1. Measure your current risk profile (threats, vulnerabilities, assets)
  2. Decide the acceptable risk level (assets value)
  3. Implement mitigations based on priorities (risk reduction, cost)
  4. Go back to 1
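The four steps above can be made concrete with a small risk register. The following is an added example, not part of the original post: it scores each (asset, threat) pair as likelihood x impact, takes an acceptable total risk and a budget as inputs, and greedily picks the mitigation with the best risk reduction per unit of cost until the residual risk is acceptable. All assets, threats, scores, costs and mitigation effects are constructed sample values.

```python
"""Measure -> decide -> mitigate -> re-measure, as a runnable risk register.

Everything below (assets, threats, scores, mitigations, costs) is constructed
sample data for illustration; the scoring scale and greedy ranking are
assumptions, not a standard any organisation is bound to.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain): threat x vulnerability
    impact: int      # 1 (negligible) .. 5 (severe): derived from asset value

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Mitigation:
    name: str
    cost: float
    # (asset, threat) -> (likelihood reduction, impact reduction); assumed estimates
    reduces: dict


def total_risk(risks):
    """Step 1: measure. The current risk profile is the sum of all scores."""
    return sum(r.score for r in risks)


def apply(risks, mitigation):
    """Return the risk profile after a mitigation, never dropping a factor below 1."""
    new = []
    for r in risks:
        dl, di = mitigation.reduces.get((r.asset, r.threat), (0, 0))
        new.append(Risk(r.asset, r.threat, max(1, r.likelihood - dl), max(1, r.impact - di)))
    return new


def plan(risks, mitigations, acceptable_total, budget):
    """Steps 2 and 3: given the acceptable risk level and a budget, pick
    mitigations by risk reduction per unit cost until the target is met.
    Returns (chosen mitigation names, residual total risk, money spent)."""
    chosen, spent, current = [], 0.0, list(risks)
    remaining = list(mitigations)
    while total_risk(current) > acceptable_total and remaining:
        best, best_ratio = None, 0.0
        for m in remaining:
            if spent + m.cost > budget:
                continue  # cannot afford it this cycle
            reduction = total_risk(current) - total_risk(apply(current, m))
            ratio = reduction / m.cost
            if ratio > best_ratio:
                best, best_ratio = m, ratio
        if best is None:
            break  # nothing affordable reduces risk any further
        current = apply(current, best)  # step 4: go back to 1 with the new profile
        chosen.append(best.name)
        spent += best.cost
        remaining.remove(best)
    return chosen, total_risk(current), spent


# Constructed sample register (not a real environment).
RISKS = [
    Risk("customer DB", "SQL injection", 4, 5),
    Risk("customer DB", "ransomware", 3, 5),
    Risk("workstations", "phishing malware", 5, 3),
    Risk("public website", "defacement", 3, 2),
]

MITIGATIONS = [
    Mitigation("WAF + parameterised queries", 8, {("customer DB", "SQL injection"): (3, 0)}),
    Mitigation("Offline backups", 5, {("customer DB", "ransomware"): (0, 3)}),
    Mitigation("Endpoint AV + application whitelisting", 10, {("workstations", "phishing malware"): (2, 1)}),
    Mitigation("Hardened web server", 4, {("public website", "defacement"): (1, 1)}),
]


def sample_plan():
    """Run the loop on the sample register: acceptable total risk 30, budget 20."""
    return plan(RISKS, MITIGATIONS, acceptable_total=30, budget=20)


if __name__ == "__main__":
    print("current risk:", total_risk(RISKS))
    print("plan:", sample_plan())
```

Running it measures the starting profile at 56, then selects the WAF, offline backups and the hardened web server (17 cost units) to bring the total down to 28; the more expensive endpoint control is deferred to a later cycle because it no longer fits the budget. The point is not the numbers but that every step leaves a trail that can be audited and re-measured next time around.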
Trying to understand where you are today is a very important first step. Many organisations think they are safe because they believe they have not been compromised so far. Security experts have probably all heard something along the lines of:
"nothing happened so far, so why would it be a problem now?"
If you don't have antivirus, if you don't look at your logs, if you don't have an IDS, how would you know you have been infected in the first place? You may think you are safe when in fact you were compromised a long time ago. HP estimates that it takes 416 days on average to detect a breach, and that 94% of breaches are found by a third party! The potential loss (money, IP, trust of clients...) is very high.

The second part of the question is about the "why is it a problem now?", and it is quite easy: because the internet is becoming more dangerous. Attackers are smarter, better equipped, better organized and more motivated: the majority of attacks are now done for profit, political or financial. In its latest quarterly report F-Secure found that almost 60% of mobile threats are motivated by money. A clear trend can be seen over the years.
[Chart: motivation of mobile threats over the years. Source: F-Secure]
So measure, audit, control!

On your next day at work, go and see your cyber security team and ask them what is measured in your company:
  • Do you have the right tools to do the job?
    • Firewall between the different network zones, on all servers and workstations
    • Antivirus on the gateways, all servers and all workstations
    • Hardened devices, whitelisting of applications
    • IDS/IPS on the network and on the hosts
    • Configuration management to monitor changes in the environment
    • Data Loss Prevention mechanisms
    • Central collection of all logs (OS, AV, apps, network...) to avoid losing traces of an attack
  • Do you have the process to find and correct problems?
    • Regular review of the collected logs, possibly automatic (SIEM)
    • Rapid deployment of security patches
    • Regular pentests from inside and outside the network
    • A strong SDLC which helps deal with security aspects from idea to launch to decommissioning of a solution
  • How well is this working?
    • How many security patches have not been applied? For what reason?
    • What are the trends of detection and mitigation of attacks (IPS/IDS/Firewall) and other nasties (antivirus, whitelisting)?
    • How many data loss incidents have you been able to detect/prevent?
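Two of the "how well is this working?" questions lend themselves to a simple KPI script. The following is an added example, not from the original post: it takes a list of missing patches per host and reports how many are outside an assumed patch SLA, broken down by the reason given, plus a patch-compliance rate for the fleet; a second function fits a least-squares slope to a monthly series of IDS alerts so the trend question gets a number rather than a feeling. Host names, patch identifiers, dates, reasons, the 30-day SLA and the alert counts are all constructed sample values.

```python
"""Patch backlog and detection-trend KPIs over constructed sample data.

The SLA, the inventory rows and the alert series are assumptions made for
this example; plug in your own patch management and IDS exports instead.
"""
from collections import Counter
from datetime import date

PATCH_SLA_DAYS = 30  # assumed policy: security patches applied within 30 days of release

# Constructed inventory: one row per (host, missing patch). Patch ids are placeholders.
MISSING_PATCHES = [
    {"host": "web-01", "patch": "PATCH-A", "released": date(2014, 1, 2), "reason": "pending change window"},
    {"host": "web-01", "patch": "PATCH-B", "released": date(2014, 2, 20), "reason": "pending change window"},
    {"host": "db-01", "patch": "PATCH-A", "released": date(2014, 1, 2), "reason": "vendor app not certified"},
    {"host": "ws-07", "patch": "PATCH-C", "released": date(2013, 12, 15), "reason": "laptop offline"},
    {"host": "ws-12", "patch": "PATCH-B", "released": date(2014, 2, 20), "reason": "laptop offline"},
]
FLEET_SIZE = 10  # assumed number of managed hosts, including fully patched ones

# Constructed monthly IDS alert counts, oldest first.
MONTHLY_IDS_ALERTS = [120, 135, 150, 170, 190, 210]


def patch_backlog(missing, today, sla_days=PATCH_SLA_DAYS):
    """Answer 'how many patches have not been applied, and why?'.

    A row is overdue when the patch has been available longer than the SLA.
    Returns counts of missing and overdue patches plus breakdowns by reason and host."""
    overdue = [m for m in missing if (today - m["released"]).days > sla_days]
    return {
        "missing": len(missing),
        "overdue": len(overdue),
        "by_reason": dict(Counter(m["reason"] for m in overdue)),
        "by_host": dict(Counter(m["host"] for m in overdue)),
    }


def compliance_rate(fleet_size, backlog):
    """Share of hosts with no patch outside the SLA (1.0 means fully compliant)."""
    if fleet_size == 0:
        return 1.0
    return 1 - len(backlog["by_host"]) / fleet_size


def trend_slope(series):
    """Least-squares slope of a series against its index (per-month change).

    A positive slope means the number is rising; compare alert and block
    counts over time rather than looking at a single month."""
    n = len(series)
    if n < 2:
        return 0.0
    mean_x = (n - 1) / 2
    mean_y = sum(series) / n
    num = sum((i - mean_x) * (y - mean_y) for i, y in enumerate(series))
    den = sum((i - mean_x) ** 2 for i in range(n))
    return num / den


def sample_report(today=date(2014, 3, 1)):
    """Compute all KPIs on the constructed data as of an assumed reporting date."""
    backlog = patch_backlog(MISSING_PATCHES, today)
    return {
        "backlog": backlog,
        "compliance": compliance_rate(FLEET_SIZE, backlog),
        "ids_alert_slope": trend_slope(MONTHLY_IDS_ALERTS),
    }


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

On the sample data three of the five missing patches are past the SLA, each with a different reason, 7 of 10 hosts are compliant, and IDS alerts are rising by roughly 18 a month. Those are the kind of numbers to ask for as evidence: they show whether the tools are in place, whether the process keeps up, and which reasons for non-compliance deserve management attention.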
Don't be afraid to ask for evidence, numbers, independent audit reports. Whether you are the CxO, the business owner, the Security Manager, the Ops Manager or the System Owner, "I did not know" or "nobody told me" are not acceptable answers.

Measure it and manage it!
