By Ron Temske, Vice President of Security Solutions, Logicalis US
In an earlier article, Back to Basics: Risk-Centric Security Strategy, we discussed a Risk-Centric approach to enterprise security. Briefly, a Risk-Centric Approach to Security is very process-oriented: we walked through the steps used to identify the assets to protect and the level of risk assigned to each of them. Today, I want to take a look at a Threat-Centric Approach to Security.
The first thing to understand is that the two approaches are complementary and, in an ideal world, your organization might pursue both a Risk-Centric Approach (RCA) AND a Threat-Centric Approach (TCA) to enterprise security. For brevity, I’ll refer to these two models as RCA and TCA respectively for the remainder of this article.
The TCA is a more technical strategy and attempts to evaluate security from the viewpoint of a threat actor. Applying this approach to your organization can consist of multiple activities and assessments, such as:
- Vulnerability Assessment
- Penetration Testing
- Key Stakeholder Interviews
- Social Engineering
- Capabilities assessment (e.g. determining that you need a Web Application Firewall)
- Architectural Review
- Review of breach data and how that may apply to your business
The outcome of these assessments is a series of prioritized recommendations for enhancing your organization's overall security posture. Unlike the RCA, no attempt is made to align security principles with business risk: we are not prioritizing one set of data over another, assigning value to assets, etc. The TCA does factor in technical risk, however, and will prioritize items that are easy to exploit and highly damaging over more obscure vulnerabilities. An example of this is ranking findings by their Common Vulnerability Scoring System (CVSS) scores as published in the National Vulnerability Database; a CVSS base score combines exploitability metrics (attack vector, complexity, privileges and user interaction required) with impact metrics (confidentiality, integrity and availability) into a single severity number.
While organizations should employ both an RCA and a TCA to provide the greatest level of security, the reality is that many organizations choose a TCA-only path. It's rare for organizations to choose an RCA-only path. The challenge with the TCA-only path, as we've mentioned, is that all assets are treated equally. So organizations either spend more than they should, providing the highest levels of protection to all assets, or they leave critical assets under-protected by applying a moderate level of security across the enterprise, rather than segmenting and securing items with high business value appropriately.
It's worth noting that a TCA is always relevant for providing security. However, it works best, and most cost-effectively, when your organization combines it with some form of RCA as well.
Read more about the Risk-Centric Approach in our article, Back to Basics: Risk-Centric Security Strategy (http://ow.ly/gEvx30aXhNe). Also, take a look at our two-part article exploring what an umbrella approach to security can look like in your enterprise – Part One: Potential DNS Vulnerabilities (http://ow.ly/Gd7Q307SBUE) and Part Two: A Secure DNS (http://ow.ly/kSuT307SCnY). Then, download an infographic displaying the benefits of Taking an Umbrella Approach to Security and one displaying the benefits of Transforming Internet Security with Big Data.