Random thought: Security Absolutes

September 6th, 2009

Over the last few years, I’ve noticed a trend among security practitioners of being asked, and asking, one question: “Are we secure?”

Good question.

The problem with this question is that it demands an absolute answer. By now we all know that “yes” is too ambitious, while “no” ignores whatever protective and defensive measures we have actually put in place.

Security, in my opinion, does not accommodate absolutes. There is no black and no white, only gray. That leads to the inevitable follow-on: how (in)secure are we? And that, of course, is a much harder question to answer. Much attention has been devoted to security metrics, and Andy Jaquith’s book on the subject (Security Metrics: Replacing Fear, Uncertainty, and Doubt) is a hell of a good start. Lately, however, I’ve been doubting the ability of current risk management and metrics “best practices” to adequately frame the “current state” of our security and our risk tolerance. Why?

Simple: Things Change.

Unless we measure constantly and re-adjust our view of our risk posture, we are likely to be (almost) always wrong. Ironically, our measurements form a series of absolutes in their own right. Every measurement we make, using your favorite metric or risk analysis measure (SLE, ALE, and so on), is a point in time: an absolute, albeit one that has been measured and quantified in some way. So how do we account for change? How does a change in the environment affect the measurement we are relying on? I know products like Skybox and RedSeal do “what-if” analysis, but I’m looking at the bigger picture: how do we get a real idea of “how secure” we are, in real time?
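To make the “point in time” problem concrete, here is an added example (mine, not from the original post or from any product it mentions) using the textbook quantitative risk formulas, SLE = asset value × exposure factor and ALE = SLE × annual rate of occurrence, which the post refers to by name but does not spell out. The asset figures and the two environment changes are constructed for illustration; the point is that nothing in the stored estimate knows the world moved on, so the number we keep quoting is simply stale.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskEstimate:
    """One point-in-time quantitative risk estimate for a single threat scenario."""

    asset_value: float      # AV: what the asset is worth to the business
    exposure_factor: float  # EF: fraction of AV lost in one incident (0.0 to 1.0)
    annual_rate: float      # ARO: expected incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence (AV * EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year (SLE * ARO)."""
        return self.sle() * self.annual_rate


def drift(measured: RiskEstimate, actual: RiskEstimate) -> float:
    """Relative error of a stale ALE once the environment has changed.

    0.0 means the old number is still right; 1.0 means it is off by 100%.
    """
    return (actual.ale() - measured.ale()) / measured.ale()


def remeasure(estimate: RiskEstimate, changes):
    """Re-run the point-in-time estimate after each environment change.

    `changes` is a list of (label, {field: new_value}) pairs. Returns the
    ALE history as a list of (label, ale), starting from the original estimate.
    """
    history = [("measured", estimate.ale())]
    for label, fields in changes:
        estimate = replace(estimate, **fields)
        history.append((label, estimate.ale()))
    return history


# Constructed example: a customer database as assessed on the day we measured.
MEASURED = RiskEstimate(asset_value=500_000, exposure_factor=0.4, annual_rate=0.1)

# Constructed changes that happened after the measurement and were never fed back:
# a public exploit makes an incident expected once a year instead of once a decade,
# and a new integration widens how much of the asset a single incident exposes.
CHANGES = [
    ("public exploit released", {"annual_rate": 1.0}),
    ("new partner integration", {"exposure_factor": 0.6}),
]
CHANGED = replace(MEASURED, exposure_factor=0.6, annual_rate=1.0)

if __name__ == "__main__":
    for label, ale in remeasure(MEASURED, CHANGES):
        print(f"{label:>26}: ALE = {ale:>12,.0f}")
    print(f"stale estimate is off by {drift(MEASURED, CHANGED):.0%}")
```

The stored estimate says ALE is 20,000 a year; after the two changes the same formula gives 300,000, so the figure in the risk register is off by a factor of fifteen without anyone having touched it. That is the whole argument: the arithmetic is fine, the staleness is the problem, and the only fix is to treat the inputs as things that must be re-observed rather than recorded once.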

And yes, I know: this sounds like the stuff of unicorns and flying pigs, but I don’t want to be cynical or sarcastic forever. At some point, we need to get this right.

Comment #1, September 10th, 2009 at 18:37

    Two things:

    1.) Things don’t really change as rapidly as you’d think. In other words, the amount of uncertainty (measured) change introduces is *relatively* insignificant compared to other amounts of metric uncertainty.

    2.) Rate of change is something else to be measured (estimated) and accounted for if you’re really going to get into predictive analytics. But that’s a level of precision that is, as you say, unicorns (and rainbows).

