
RISK MANAGEMENT PROCESS

Security Management - A risk management-based process

Security has evolved in recent years from being a mystical "hackers" realm into an enterprise responsibility with deep repercussions for the business and its capabilities to deliver.

Today's security professional is responsible for enforcing security and ensuring the confidentiality, integrity, availability and compliance of IT systems across the enterprise, supporting and assuring many of the most critical functions of the business.

The compounding problems of (i) the growing complexity of the networked environment, (ii) the shrinking elapsed time between the identification of vulnerabilities and exploits, (iii) the problematic nature of enterprise patch management and (iv) the ever-increasing volumes of information dictate that security professionals implement a systematic and auditable process for the task of security management. For the security team to be able to respond in a timely and effective manner to these new and unknown types of threats, the process flow must include context, risk analysis, mitigation and enforcement elements.

ISO 17799 Information Security Management System (ISMS)

The ISO security standard recommends the establishment of an ongoing and systematic process for the management of security. While not dictating a specific process, the Australian and New Zealand Information Security Management code, AS/NZS 7799.2:2003, does recommend a number of key components of the process in Section 4.2.1 of the code, including:
  • Define systematic approach to risk assessment
  • Identify the risks
  • Assess the risks
  • Identify and evaluate options for the treatment of risks
  • Select control objectives and controls for the treatment of risks
The guidelines clearly identify the elements of a formal ISMS, articulating a non-arbitrary, risk-management-based process by which IT threats should be managed.

Risk management methodologies

Risk-adjusted decision making is now commonplace across all elements of the enterprise. Directors, stakeholders and regulators now seek to measure outcome and likelihood in enterprise decision making. The ability to see and measure enables an enterprise to manage and control potential threats and their impact on tactical as well as strategic activities.

Much has been written about risk management, and its principles are increasingly being adopted across enterprises. They apply equally well to the establishment of the ISMS process, and by adopting internationally acknowledged guidelines and standards, the management of security can be readily integrated into the enterprise risk management process.

The internationally regarded AS/NZS 4360:2004 offers a compelling and mature risk management process model.

The parallels between the elements of the AS/NZS 4360:2004 Risk Management standard and the recommendations of the more specific ISO 17799 Information Security Management standard are noteworthy.

ISMS Process - Risk Management methodology

The key message in AS/NZS 7799 is the promotion of a "Plan-Do-Check-Act" (PDCA) process approach to the management of security, with risk management principles and methodologies at the core of that process. See Figure 1 below, which outlines the PDCA model.

Process approach

This standard promotes the adoption of a process approach for establishing, implementing, operating, monitoring, maintaining and improving the effectiveness of an organization's ISMS.

A process approach encourages its users to emphasise the importance of:
  • Understanding business information security requirements and the need to establish policy and objectives for information security
  • Implementing and operating controls in the context of managing an organisation's overall business risk
  • Monitoring and reviewing the performance and effectiveness of the ISMS
  • Continual improvement based on objective measurement.


A key objective of the information security process is for it to be adaptive and responsive to the changing strategic requirements of today's enterprises and to the volatility of the threatscape in which they operate.

Insight - the cornerstone of an effective ISMS

The key to implementing an effective risk-management-based security management process is the ability of the system to provide insight into known and unknown threats.

For an ISMS to be effective an enterprise needs to be able to identify, measure and evaluate potential threats across the spectrum of information within its infrastructure, servers, applications and supporting systems in a non-deterministic manner.

The ability to monitor and contextualise the events within the enterprise is the key determinant of an effective security management process, after all "you can't manage what you can't see."

The corollary is that if threats within or entering an enterprise are invisible to the ISMS, a systemic risk is created: a fundamental flaw exists in any resultant management information reporting system.

Existing technologies are not scalable

Typically, the security management process in most enterprises relies on a high level of arbitrary analysis and evaluation of possible threats. Humanistic interpretation by security professionals as a means of detecting and analysing threats and the potential severity of their impact on the business fails the process test. The methodology is not systematic, not repeatable and not auditable. More importantly, it's not scalable!

The Scale & Scope challenge

The business environment of 2005 is creating multiple challenges, at both the technological and the business level, for security management teams. These include:
  • Increasing complexity of threats
  • Increasing data volumes
  • Increasing need for deperimeterisation
  • Increasing complexity of network environment
  • Increasing pressures on systems confidentiality, integrity and availability
  • Transparency and compliance obligations
  • Cost reduction and clear ROI on security management processes
  • The requirement to align the information technology to support business capability.
These challenges further inhibit the ability of existing security management processes to scale effectively. A lack of resources, an inability to see into the enterprise infrastructure and an incapacity to deal with unknown (zero-day) attacks exacerbate this gap between security management requirements and capabilities. These rapidly evolving circumstances demand a more intelligent and proactive ISMS process.

Threat management process - foundation of the ISMS

A risk-based ISMS process is reliant upon constant evaluation of threats and determination of mitigation strategies. This threat management process must permit integrated visualization and enable trend-based risk analysis of events across all levels of the system.

Existing techniques built on compiled technologies only allow visibility of attacks which have been experienced previously or have been added to a knowledge database of known exploits. They operate as known-vulnerability or exploit management systems rather than true threat management systems. As a consequence, they are unable to identify or manage worms, key loggers, spyware and other increasingly complex threats that enterprises are experiencing from within and beyond their perimeters.

Signature-based technologies rely on regular patches and function inherently as filters for a finite set of predefined conditions. In an indeterminate environment, where the next attack can often be different to anything previously experienced, deterministic security management solutions are unable to contemplate the unknown, and so can never support the complete process of risk management.
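As an added illustration of the contrast drawn above (example code written for this page, not Tier-3's or Huntsman's own logic), the block below runs a constructed hour of outbound-connection log lines through both a deterministic signature filter and a per-host behavioural baseline; the rule name, regex, host names, counts and threshold are all made-up assumptions.

```python
import re
from statistics import mean, pstdev

# Constructed rule set and baseline for illustration; not real signatures or telemetry.
SIGNATURES = {
    "known-probe": re.compile(r"GET /example-known-probe\.cgi"),
}
# Hourly outbound-connection counts per host over previous days (constructed).
BASELINE = {
    "ws-17": [12, 15, 11, 14, 13, 12, 16, 14],
    "srv-db": [40, 38, 42, 41, 39, 40, 43, 39],
}

def signature_hits(message):
    """Deterministic filter: only a condition already in the rule set can match."""
    return [name for name, rx in SIGNATURES.items() if rx.search(message)]

def behaviour_score(host, current_count, threshold=3.0):
    """Z-score of this hour's count against the host's own history: None when
    no baseline exists (surface it, don't ignore it), 0.0 when within threshold."""
    history = BASELINE.get(host)
    if not history:
        return None
    sigma = pstdev(history) or 1.0  # flat history: avoid divide-by-zero
    z = (current_count - mean(history)) / sigma
    return z if abs(z) >= threshold else 0.0

def triage(events):
    """Run both detectors over one hour of (host, message) events."""
    findings, counts = {}, {}
    for host, message in events:
        counts[host] = counts.get(host, 0) + 1
        for sig in signature_hits(message):
            findings.setdefault(host, []).append(("signature", sig))
    for host, n in counts.items():
        z = behaviour_score(host, n)
        if z is None:
            findings.setdefault(host, []).append(("no-baseline", n))
        elif z:
            findings.setdefault(host, []).append(("anomaly", round(z, 1)))
    return findings

def sample_events():
    """Constructed hour of outbound-connection log lines."""
    ev = [("srv-db", f"CONNECT 10.0.0.{i % 20}:5432") for i in range(41)]
    # ws-17 beacons out far above its norm, but no rule describes the traffic
    ev += [("ws-17", f"CONNECT 203.0.113.{i % 50}:443") for i in range(59)]
    ev.append(("ws-17", "GET /example-known-probe.cgi HTTP/1.0"))
    ev.append(("ws-99", "CONNECT 198.51.100.7:8080"))  # host never baselined
    return ev
```

Only the single rule-matching line is visible to the signature filter; the 59 unmatched connections from ws-17 are caught solely by their deviation from that host's own baseline, and a host with no baseline is reported rather than silently passed.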

Tier-3 Behavioural Intelligence

Tier-3's Behavioural Intelligence system has been specifically designed and built to enable enterprises to scale security management while maintaining and even improving its effectiveness.

The Huntsman suite of products introduces a breakthrough technology in Behaviour Anomaly Detection (B.A.D.), providing security professionals with the insight to measure threats across the enterprise and, for the first time, providing true real-time risk-based threat management and trend analysis.

Huntsman automates much of the analysis demanded of existing signature-based products and combines the detection of known signatures with unknown zero-day events to provide a real-time holistic threat management solution.

1 Standards Australia International Ltd & Standards New Zealand, AS/NZS 7799.2:2003 - Information Security Management, Sydney & Wellington, 2003

2 Standards Australia International Ltd & Standards New Zealand, AS/NZS 7799.2:2003 - Information Security Management, Sydney & Wellington, 2003

3 Standards Australia International Ltd & Standards New Zealand, AS/NZS 4360:2004 - Risk Management, Sydney & Wellington, 2004

4 Ibid.

References:
Standards Australia International Ltd & Standards New Zealand, AS/NZS 7799.2:2003 - Information Security Management, Sydney & Wellington, 2003.

Standards Australia International Ltd & Standards New Zealand, AS/NZS 4360:2004 - Risk Management, Sydney & Wellington, 2004.