Attackers have a distinct advantage over defenders. A successful attacker needs to only find one chink in the defense, whereas defenders have to locate and protect all possible weaknesses.
This lopsided struggle has been in place since humans decided things needed safeguarding. If anything, the scales are further tipped in favor of today’s criminals, simply because the complexity of current technology makes it impossible to eliminate every vulnerability, which explains the proliferation of digital crime and its high rate of success.
The Pareto Principle
The success of digital criminals is certainly not due to a lack of effort by IT security professionals. Where fault may lie is that the industry continues down the same technological path while expecting different results. Interestingly, there is something that offers promise but has never garnered much traction—a concept called the Pareto Principle:
“Named after economist Vilfredo Pareto, the principle specifies an unequal relationship between inputs and outputs. The principle states that 20 percent of the invested input is responsible for 80 percent of the results obtained. Put another way, 80 percent of consequences stem from 20 percent of the causes (also called the 80/20 Rule).”
As to how this might apply to IT security, the Pareto Principle is a tool professionals in charge of securing an organization’s digital infrastructure can use to determine where to focus their finite defensive resources.
Joe Fantuzzi, president and CEO at RiskVision, a company providing risk intelligence solutions, suggests organizations not only need to find vulnerabilities—they must determine which ones present the biggest risk to the organization. In this Help Net Security article, Fantuzzi likens the process to “finding a needle in a stack of needles,” adding, “The ability to locate, triage, and then patch the most serious vulnerabilities is a lot more challenging than simply finding them.”
There may be some security managers who argue their organizations already gauge digital risk using a Vulnerability Management solution. However, Fantuzzi believes that is only the start, saying, “Whatever solution that’s adopted needs to incorporate three salient macro-dimensions that will help enterprises to apply the Pareto Principle to their risk environment.”
According to Fantuzzi, the following domains are the ones needed to identify the 20% most critical vulnerabilities, which lead to 80% of the impact:
- The data model: To address the immense amount of data now being collected, Fantuzzi mentions that organizations will need to create a strategy designed to query, assess, analyze, and prioritize the most important threat and risk data.
- Automation: A key component is automation, as it streamlines content mapping, the use of pre-built workflows, filtering of data and business intelligence, plus customization of user interfaces that create easy-to-use dashboards and heat maps. Besides simplifying these tasks, Fantuzzi believes that automation provides organizations with continuous security threat information and hostile asset discovery.
- Risk scoring and analytics: Responsibility for secure digital operations ultimately lies with the organization’s board and upper management, meaning the reporting of vulnerability and threat intelligence must be tailored for C-Level executives. To Fantuzzi, this means a single data model with multiple reporting options.
Creating the data model in near real time requires analytics that can quickly visualize business risk and determine proper remediation. “This allows organizations to leverage scoring algorithms that quantify and prioritize vulnerabilities based on business requirements, threat exploits, and vulnerability impacts,” adds Fantuzzi. “They entail the ability to correlate assets with business context and threat intelligence, and conduct event analysis so organizations can see the entire picture of their risk posture.”
Avoid becoming Pareto-blinded
Charlie Scott, in this SANS Technology Institute column, cautions, “While Pareto charting works well for quantity, it does not allow importance, weight, or risk to be assigned.”
Scott continues, saying “One way to avoid falling into this trap is to approach the data from several different angles. For instance, if an organization has estimates on how much policy violation costs the organization, then looking at the data this way can reveal how much additional weight they should ascribe to each classification.”
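The following is an added example, not code from the article or from RiskVision or SANS, that illustrates both Fantuzzi's point about scoring vulnerabilities by business context and exploit availability and Scott's warning about Pareto charts that count quantity only. It runs a Pareto cut (the smallest set of vulnerability classes covering 80% of the total) over a constructed set of findings twice: once weighted by raw count and once by a simple risk score (asset criticality × impact, tripled when a public exploit exists). The findings, asset names and scoring weights are all invented for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_class: str       # e.g. "missing-patch", "sqli"
    asset: str            # constructed asset name
    criticality: int      # business criticality of the asset, 1 (low) to 5 (high)
    exploit_available: bool
    impact: int           # technical impact of the weakness, 1 to 10


# Constructed sample scan results: many low-value workstation findings,
# a handful of high-value findings on the ERP system and public web server.
FINDINGS = [
    *[Finding("missing-patch", f"ws-{i:02d}", 1, False, 3) for i in range(1, 7)],
    Finding("weak-tls", "web-01", 3, False, 2),
    Finding("weak-tls", "web-02", 3, False, 2),
    Finding("xss", "web-01", 3, True, 4),
    Finding("xss", "web-02", 3, True, 4),
    Finding("sqli", "erp-db", 5, True, 10),
    Finding("default-creds", "erp-app", 5, True, 8),
]


def by_count(f: Finding) -> float:
    """Plain Pareto chart: every finding counts as one."""
    return 1.0


def by_risk(f: Finding) -> float:
    """Hypothetical risk score: business context x impact, x3 if exploitable."""
    return f.criticality * f.impact * (3.0 if f.exploit_available else 1.0)


def aggregate(findings, weight_fn) -> dict:
    """Sum a weight function per vulnerability class."""
    totals = defaultdict(float)
    for f in findings:
        totals[f.vuln_class] += weight_fn(f)
    return dict(totals)


def pareto_cut(totals: dict, share: float = 0.8) -> list:
    """Return the top classes whose cumulative weight first reaches `share` of the total."""
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    target, running, chosen = share * sum(totals.values()), 0.0, []
    for name, weight in ranked:
        chosen.append(name)
        running += weight
        if running >= target:
            break
    return chosen
```

Run with the sample data, the count-based cut selects the workstation patch backlog first, while the risk-weighted cut selects the SQL injection and default credentials on the ERP system; the two "vital 20%" sets overlap only in XSS.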
Put simply, organizations cannot manage what they cannot see. “A big picture of risk environment is a start,” according to Fantuzzi. “But ultimately, honing in on the most important 20 percent by understanding where to look and what to look at will offer a crucial leg up in managing the threats and vulnerabilities that have the potential to cause the most damage.”