TaoSecurity: TaoSecurity Security Effectiveness Model


I like Richard Bejtlich’s Security Effectiveness Model because it highlights the key notion that information security must start with (my words) an understanding of your organization’s adversaries’ motives and methods. Richard calls these “Threat Actions.” From there, you would develop a “Defensive Plan,” and implement “Live Defenses.”

This is represented as a Venn diagram of three circles: the more the circles overlap, the more effective your infosec program is. Here is the diagram:

Bejtlich calls this “threat-centric” security.

So the first question that needs to be addressed in making this approach operational is, how do you get the needed visibility to understand the Threat Actions?

I see this visibility coming from two sources:

  1. Third-party, generally available research. One such source is SANS, which developed the SANS 20 Critical Security Controls specifically in response to its understanding of threat actions; the latest version provides a list of “Attack Types” in Appendix C on page 72.
  2. Organizational assessment. At the organizational level, it seems to me you face an evaluation problem: selecting controls that are good at finding Threat Actions. Based on my experience, there is agreement that the primary attack vector today is at the application level. If this is correct, the organizational assessment would focus on (a) a black-box vulnerability assessment of the organization’s customer-facing web applications and (b) an assessment of the web applications (and related threats) that the organization’s employees and contractors use.

I am looking forward to Richard and others expanding on his ideas. Could be another book is coming. 🙂


TaoSecurity: What Do You Investigate First?


Richard Bejtlich offers the obvious, but usually difficult-to-implement, answer to the following question:

Let’s say for example, there is a cesspool of internal suspicious activity from netflow, log and host data. You have a limited number of resources who must have some criteria they use to grab the worst stuff first. What criteria would you use to prioritize your investigation activities?

Bejtlich offers two answers that generally converge into one: focus on assets, i.e., the most critical assets in your organization.

Ideally, the log, flow and event collection and analysis system you use can discover all network-attached assets and let you group them into IT/Business Services. Then you can prioritize your focus by the criticality of each IT/Business Service. An example of such a system is AccelOps.
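The prioritization described above can be sketched in a few dozen lines once you have an asset inventory. The following is an added example written for this post, not code from TaoSecurity or AccelOps: the network ranges, service criticality weights, and the feed of suspicious events are all constructed, and the scoring rule (service criticality multiplied by detector severity, with unknown assets given a mid-range default so they are not silently ignored) is an assumption chosen for illustration.

```python
"""Rank suspicious events by the criticality of the business service that
owns the affected asset.

Added illustration for this post. The inventory, weights and event feed are
constructed; they are not taken from any real system.
"""
import ipaddress

# Constructed asset inventory: address ranges grouped into IT/Business Services.
SERVICE_RANGES = {
    "payments":          ["10.10.1.0/24"],
    "customer-portal":   ["10.10.2.0/24", "192.0.2.10/32"],
    "corp-workstations": ["10.20.0.0/16"],
    "lab":               ["10.99.0.0/16"],
}

# Constructed criticality weights set by the business (higher = more critical).
SERVICE_CRITICALITY = {
    "payments": 10,
    "customer-portal": 8,
    "corp-workstations": 4,
    "lab": 1,
}

# Assets missing from the inventory get a conservative default rather than the
# lowest weight: an unknown box showing attacker behaviour is itself a finding.
UNKNOWN_SERVICE = "unclassified"
UNKNOWN_CRITICALITY = 5

# Flatten to (network, service), most specific prefix first, so a /32 host
# entry wins over a /24 that happens to contain it.
_NETWORKS = sorted(
    ((ipaddress.ip_network(cidr), svc)
     for svc, cidrs in SERVICE_RANGES.items() for cidr in cidrs),
    key=lambda pair: pair[0].prefixlen,
    reverse=True,
)


def service_for(ip: str) -> str:
    """Map an asset address to its IT/Business Service, or 'unclassified'."""
    addr = ipaddress.ip_address(ip)
    for net, svc in _NETWORKS:
        if addr in net:
            return svc
    return UNKNOWN_SERVICE


def criticality_of(service: str) -> int:
    return SERVICE_CRITICALITY.get(service, UNKNOWN_CRITICALITY)


# Constructed event feed standing in for netflow/log/host alerts:
# (detector, asset_ip, detector severity 1-5, description)
EVENTS = [
    ("netflow",  "10.20.17.44", 4, "outbound beacon to known C2 every 60s"),
    ("hostlog",  "10.10.1.15",  2, "new local admin account created"),
    ("proxylog", "10.99.3.7",   5, "exploit kit landing page fetched"),
    ("netflow",  "10.10.2.8",   3, "unusual SMB to workstation subnet"),
    ("hostlog",  "172.16.5.9",  3, "encoded PowerShell command executed"),
]


def prioritize(events=EVENTS):
    """Return the events as dicts, highest investigation priority first.

    score = service criticality * detector severity; ties fall to the more
    critical service, then to the higher detector severity.
    """
    scored = []
    for detector, asset, severity, description in events:
        svc = service_for(asset)
        crit = criticality_of(svc)
        scored.append({
            "asset": asset, "service": svc, "criticality": crit,
            "severity": severity, "score": crit * severity,
            "detector": detector, "description": description,
        })
    scored.sort(key=lambda e: (-e["score"], -e["criticality"], -e["severity"]))
    return scored


def triage_order(events=EVENTS):
    """Asset addresses in the order an analyst should pick them up."""
    return [e["asset"] for e in prioritize(events)]


if __name__ == "__main__":
    for e in prioritize():
        print(f'{e["score"]:3d}  {e["service"]:17s} {e["asset"]:13s} '
              f'[{e["detector"]}] {e["description"]}')
```

Note what the ordering does to the raw detector output: the highest-severity alert in the feed (the lab host fetching an exploit kit page) drops to the bottom because the lab service is nearly worthless to the business, while a medium-severity SMB anomaly on the customer portal rises to the top. The unclassified 172.16.5.9 lands in the middle, which is the point of the default weight: it stays in the queue and also tells you the inventory has a gap.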