Thinking about risk: Active defense
If we can agree…
(e.g. Ryan and Ryan heuristic). Then most policy, mechanisms, and effort has in the past been at decreasing vulnerabilities. FISMA, IAVA’s, patches, etc. are all part of the mitigation of vulnerabilities. They are not countermeasures. This was state of the art around 1990. Government is still having troubles with it. This is diversion from the Ryan and Ryan paper on risk, but well worth the additional baggage.
After patching and other vulnerability centric mechanisms we started looking at intrusion protection, detection, and mitigation systems. These would be countermeasures. Various technologies exist and some new ones are being introduced. Increasing the (cap) ability (not cost) has significant impact on risk to the enterprise.This was the leading mechanism of risk reduction circa 2000.
Here we are in the 201X period talking threat reduction. Once again we’re looking at a mechanism that has little actual impact driving us back to circa 1990s thinking. I don’t need to know “WHO” is shooting at me. Just that if somebody shoots at me it will make my non-permeable membrane known as skin leak red fluid.
So far only very few authors even talk about the one and only element of risk to the enterprise that acts upon and in fact can zero out the other aspects of risk. Impact is the golden nugget that operating against has the most significant impact against the heuristic. Regardless of probability assessments found within the other terms of the heuristic if impact is decreased significantly so will risk.
Everybody creates a new version of the SEI Capability Maturity Model, and there already is a security
and risk maturity model
attached to the concept. I’d say that a real world model has evolved that says level one organizations focus on vulnerabilities, level 2 organizations focus on vulnerabilities and countermeasures, level 3 organizations look at vulnerabilities, countermeasures and threats, and level four organizations take all of the prior into consideration and add impact. Those organizations that look at only one or maybe two aspects remain ad hoc process of risk organizations.
The focus on “active defense” or proactive defense though leads to all kinds of problems. As a corporate or government user you only control (and weakly at that) what you own. Prosecuting active, hostile, robust attacks against hostile actors sounds sexy but what would it look like? It doesn’t have any effect on impact and could in many cases increase impacts against the enterprise. If you burn down your house to put out a kitchen fire you’ve succeeded at what cost? Similarly active defense can have unexpected consequence against countermeasures and vulnerabilities. This is very much a situation you don’t want arm the wrong person and they shoot their or more importantly your foot off.
There is a place for active defense but rather than thinking about reaching outside of the enterprise it should be looking at what the enterprise controls as a method of protection. There are reasonable and significant issues if the chosen analogy to respond to this risk calculation is based on specific analogies. Those analogies can bias the resultant strategy chosen. It is much better to use an evidence based approach to risk and balance the biases as best as possible.