Money, Money, Money... Always about the money.

The best security is not the strongest; it is the best balance between the cost of risks and the cost of security.

Far too many things come down to money. Offer something for free and people will start to abuse it: they will not care about it and will waste it without remorse because it was free. Another example is the fact that one has to pay in order to volunteer for a cause. Transportation (gas, parking, public transport), food, tools and more all have costs that are not fully covered by the organization and must be absorbed by whoever wishes to volunteer.

Security also comes down to money. Security is a cost and does not pay anything back directly by itself. Because things can work without the extra cost of security, many are tempted to avoid or minimize that cost from the start. Unfortunately, that is more often a way to maximize costs.

The next image comes from a training course presented by SANS in 2017 and illustrates that reality.

Figure: The Sliding Scale of Cyber Security. Source: SANS

At the lowest level, Architecture is what can do the most and costs the least. One can implement many security mechanisms from day 1 and integrate them properly for maximum effectiveness. Access control, authentication, encryption, role segregation and more should be designed at this level.

Still, some security features are not included in typical solutions and must be provided by external tools. Examples of such external security mechanisms are anti-virus and firewalls. These are Passive defenses: passive not because they do nothing, but because whatever they do, they do it without human intervention. They cost more than Architecture because they must be acquired, deployed, maintained and operated, but they still add significant protection to their environment.

No matter how many security mechanisms are deployed in an environment, one will never be fully protected against everything. That is why security is a process and not a product (another post on that subject later). To ensure an environment remains safe, it must be under constant surveillance. That is the role of the next layer, Active defenses. An example is a SIEM like the one monitoring this very site, QRadar. A SIEM requires permanent review, and everything that goes through it must be validated by an analyst. Because they require constant handling, these solutions cost more than Passive defenses, but again, they bring something that was not possible any other way.

Then come the next layers, which are incredibly popular these days despite being less and less effective and costing more and more. The next one is Intelligence.

Instead of monitoring only internal resources, Intelligence starts monitoring external sources. When something of interest is identified, one looks internally to see whether it applies locally or not. This approach costs much more than Active defense because you monitor even more, without any guarantee of finding anything. True, it can ring an alarm before an incident hits the environment, but how helpful is that if you are already overloaded with alarms from other sources? How helpful is it if you do not have a complete inventory of your own environment to determine whether that case is present or not? Or if you do not have the proper security mechanisms to adjust in order to face that threat?

The last and most expensive step is to use Offense as a defense. Instead of waiting for outsiders to compromise your environment, you try to do it yourself. Again, this approach is very popular today despite its limitations.

The failure to compromise an asset during a test is in no way a guarantee that someone else could not do it. Because new vulnerabilities and techniques appear every day, the output of such a test is valid for a few hours at best. These tests are almost always restricted in what they are allowed to do, while attackers are not restricted in any way. These tests must be completed within a time frame, while attackers have all the time in the world. While it is true that this approach can offer some extra security, it does so only at great cost and for very little added benefit.

Security is a cost. So are risks. While one can choose not to do any security, nobody can choose not to be exposed to any risk. The purpose of security is to reduce the total cost of risks + security. To do so, security must lower the cost of risks as far as possible while keeping its own costs as low as possible. As illustrated here, that is achieved by proper Architecture, Passive defenses and some Active defenses. Do that first to save money on both risks and security. Do that first to give Intelligence and Offense what they need to deliver the little benefit they can. Yes, that means consciously taking on extra costs now, but as pictured here, that is the way to lower the total cost tomorrow.