Closing the Gap Between Assessment and Defense

By Sean Martin  |  Posted 07-30-2010

Black Hat 10: How PayPal Minimizes GRC Risks

Organizations typically pursue the implementation of a Governance, Risk, and Compliance (GRC) program through a circular series of activities:

  1. Embracing standards and defining policies
  2. Running tests and validations against those policies
  3. Uncovering and classifying 'issues,' prioritizing and fixing some of those issues based on risk/impact guesses
  4. Doing it all again in hopes that the state of compliance and risk level stayed at least as good as it was the last time around

This method produces results demonstrating a point-in-time state, but it does little to measure the real risk to the business. If the organization is mature in its implementation, executives may be able to roll some of their findings into the next iteration in order to improve results. If the firm is really on top of its game, executives may be able to analyze multiple iterations to identify trends or patterns, which can be used to further adjust future program activities.Even with relevant trends and patterns emerging, however, those results are based on limited, isolated data and can only be measured against previous results; the analysis does little more than prove that the organization is doing better, or worse, than in the previous period.

In an attempt to help organizations improve their risk management programs, Allison Miller, Group Product Manager, Account Risk at eBay's PayPal, and Alex Hutton, Principal in Research & Risk Intelligence with Verizon Business, jointly noted that both collaborative information sharing and measurable information analysis are critical aspects of a successful risk management program. During their panel session, "Ushering in the Post-GRC World: Applied Threat Modeling," at the BlackHat USA 2010 Security Conference in Las Vegas July 24-27, 2010, Miller and Hutton discussed the need to close the gap between information security assessments and information security defenses.

Closing the Gap Between Assessment and Defense

Verizon's Hutton first referred to implementing a GRC program without any measurement as governance and compliance via superstition. Without measurement, an organization has nothing of substance to point to in order to confirm that what it is doing, it is doing well; that it is indeed mitigating risk. "We can't talk about what we can't see -- we can't see what we don't talk about," added Paypal's Miller.

Hutton also suggested that, in order for organizations to succeed in managing risk, they must embrace and promote cross-functional collaboration and trusted community information disclosure. (This is a common theme in many of this year's BlackHat sessions, including the conference's opening keynote.)

Defining 'systems' that capture every aspect of the information flow allows PayPal to expose all potential areas of risk to its business, said Miller, who is responsible for minimizing exposure to fraud for PayPal users. The systems that she defined in her sample scenario at the Black Hat session included internal business machines and perimeter protection appliances, as well as the partner and end-user machines that access the network.

Miller is realistic about the fact that her organization has zero control over those end-user machines. Yet, these devices dramatically increase the 'system' scope and bring a level of risk that must be identified, assessed and mitigated. A successful phishing attack is a simple, and highly probable, example. By helping to reduce phishing attacks that target its end users, PayPal can reduce the likelihood of such activity succeeding, thereby reducing its overall risk.

Evidence-Based Risk Management

In a Carnegie Mellon study cited by Verizon's Hutton, it turns out that, when asked to indicate their board's three top priorities, none of Fortune 1000 respondents (0%) selected improving computer and data security. When these same respondents were asked about their prioritization of improving risk management, 56% selected this as one of their top three priorities.

By collecting information from a wide and complete set of systems, organizations can begin to analyze data to uncover trends. This information can also be used to identify patterns, which in turn could be used to assess risk, detect security incidents and suggest the likelihood of a pending attack. With an information-driven risk management program, decisions can be made based on evidence as opposed to speculation.

Hutton referenced an unnamed Verizon Business client who has opted to implement an integrated risk analysis and security operations program, leveraging its own massive data warehouse to collect information from more than 110 data sources, storing in excess of 100TB of information. Sound extreme? This evidence-based program has already paid off by blocking multiple otherwise-undetected Zeus breaches that could have resulted in unauthorized ACH transactions, according to Hutton.

Share Data to Make Sound Decisions

Cross-organizational trends and patterns can be identified effectively and efficiently when risk management and security incident data are collected from multiple sources. This analyzed information can be shared with the community to help its members make informed decisions. This is exactly what Verizon produced with its annual Data Breach Investigations Report (DBIR), developed for the first time in 2010 in cooperation with the United States Secret Service (USSS). Verizon also recently announced its Enterprise Risk and Incident Sharing (VERIS) framework. VERIS, which was designed specifically to record security incident case data and other relevant details, has enabled Verizon and the USSS to capture more than 900 breaches that compromised more than 900 million records.

"Verizon is on the right track with their effort to create a way to share data about breaches to help other enterprises identify, defend, and respond to similar events on their network.  Real-time network forensics technology helps with this effort by capturing 100% of the network payload -- like a security camera for the network," Peter Schlampp, VP, Marketing and Product Management for Solera Networks, told CIO Insight during an interview following the session. "Don't fall into the illusion of 'fire and forget' -- that's what I call faith-based security.  It doesn't work. You must collect network forensics data that provides a full-fidelity view that's neither summarized nor signature-based."

Highlights from the Verizon 2010 Data Breach Investigations Report

  • The DBIR series now spans six years, 900+ breaches, and over 900 million compromised records
  • The current dataset contains 141 confirmed breach cases worked by Verizon and the USSS in 2009
  • Organizations with 101 - 10,000 employees were targets of nearly half (49%) of all breaches
  • 86% of victims had evidence of the breach in their log files
  • 96% of breaches were avoidable through simple or intermediate controls
  • 79% of victims subject to PCI DSS had not achieved compliance

In addition to being proactive in risk and security management, organizations can also benchmark their data against that of other organizations to generate comparative results, enabling organizations to measure themselves against other firms.To implement a successful risk management program, an organization's best bet is to set aside faith by collecting as many datasets as possible, analyzing the collected data against its own metrics to identify trends and patterns. In addition to their own analysis, the organization should consider sharing the information with a trusted risk and incident analysis community leader, such as Verizon Business, thereby incorporating the community-based findings in their ongoing information analysis and incident response activities

Sean Martin, CISSP, is founder of imsmartin consulting. He can be reached at sean@imsmartinc.com.