ACG Research

We focus on the Why before the What

Monday, July 18, 2011

What's Your Security Batting Average?

The beginning…it’s a great place to start when discussing security. I have two questions, and the first one doesn’t count, because it is posed only to get you thinking and to set up the more important second question. Have you had a virus outbreak or malware, or been hacked, or had data stolen from your enterprise? Regardless of how you answer the first question, the second is much more important. How do you know if you’ve been attacked?

If knowing or not is the germinal point, we have to start by acknowledging that the “bad guys” are actually delivering some pretty cool stuff. Code is written with stealthing and propagation techniques that are designed to thwart traditional security technology. New methods of exploitation are developed, such as web apps (a 93 percent increase in web-based attacks in 2010 over 2009) and new platforms (mobile devices), and now anything from Apple seems to be a target. Let’s face it, they’re good, and knowing that you’ve had an outbreak, had malware planted in your systems, or had data removed is not as easy as it once was.

As I write this we are about a week away from the 2011 All-Star Break. I am annually reminded that to be incredibly successful in baseball you can still fail at the plate 7 times out of 10. Anyone batting .300 is paid handsomely for those 7 failures. In the security space we don’t have that luxury. In security we have to bat 1.000, and the bad guys only have to bat .001 to be successful. I will talk about the numbers that we are seeing in a future edition of this blog. For now I will simply say that with the automated devices, developmental processes, and quality control, which potentially offers huge monetary rewards, we don’t expect to see any slowdown soon.

All that said, how should you respond to that kind of risk? First, eliminate redundant data. Every time a data repository is duplicated it doubles the requirements for security, compliance, storage, and management.

Second, let’s talk about the elephant in the room: the general lack of knowledge about the threat landscape and how it changes every day. In 2010 the security industry surfaced 6253 new potentially exploitable vulnerabilities (PEVs): holes in operating systems, applications, and hardware platforms. That’s 17 a day if you do the math. Did you know that? Again, we will talk about the significance of those PEVs in another blog. My point is that they have all sorts of implications for your environment from both a security and a compliance perspective. If you didn’t know about them or their implications, you have a personal example of the elephant.

We operate in an information-centric world. The idea of defense-in-depth is still valid, but today the nomenclature includes words such as data loss prevention and encryption. The papers are full of examples of why those technologies are important — think Sony.

We’d like to hear your voice about these issues and encourage you to send an e-mail. Give us your suggestions as to which security issues you want addressed and help us guide the direction of this blog. We don’t have all the answers, but we know the people who do, and we will get the answers to address your needs and bring you material at various levels of granularity about the risk landscape. We will talk about the definition of risk quite a lot, primarily because it changes daily. We will talk about the requirements to understand how significant that risk is to you and let you decide how risk tolerant you are. But if the answer is “not very,” we will also work to deliver some help in the mitigation of that risk and help you bat 1.000.

Neils Johnson
