
Security Metrics

Thursday, September 24, 2009

A Bit on the State of Security Metrics

By Rich

Everyone in the security industry seems to agree that metrics are important, but we continually spin our wheels in circular debates on how to go about them. During one such email debate I sent the following. I think it does a reasonable job of encapsulating where we're at:

  1. Until Skynet takes over, all decisions, with metrics or without, rely on human qualitative judgement. This is often true even for automated systems, since they rely on models and decision trees programmed by humans, reflecting the biases of the designer.
  2. This doesn't mean we shouldn't strive for better metrics.
  3. Metrics fall into two categories -- objective/measurable (e.g., number of systems, number of attacks), and subjective (risk ratings). Both have their places.
  4. Smaller "units" of measurement tend to be more precise and accurate, but more difficult to collect and compile to make decisions... and at that point we tend to introduce more bias. For example, in Project Quant we came up with over 100 potential metrics to measure the costs of patch management, but collecting every one of them might cost more than your patching program. Thus we had to identify key metrics and rollups (bias), which also reduces accuracy and precision in calculating total costs. It's always a trade-off (we'd love to do future studies comparing the results of using all metrics vs. key metrics to see whether the deviation is material).
  5. Security is a complex system based on a combination of biological (people) and computing elements. Thus our ability to model will always have a degree of fuzziness. Heck, even doctors struggle to understand how a drug will affect a single individual (that's why some people need medical attention 4 hours after taking the blue pill, but most don't).
  6. We still need to strive for better security metrics and models.

My personal opinion is that we waste far too much time on the fuzziest aspects of security (ALE, anyone?), instead of focusing on more constrained areas where we might be able to answer real questions. We're trying to measure broad risk without building the foundations to determine which security controls we should be using in the first place.

–Rich

Tuesday, December 09, 2008

Mortality, Integrity, and Risk Management

By Rich

I despise the very concept of mortality. That everything we were, are, and can be comes to a crashing close at some arbitrary deadline. I've never been one to accept someone telling me to do something just because "that's the way it is", and I feel pretty much the same way about death. Having seen far more than my fair share of it, I consider it nothing but random and capricious.

For those that follow Twitter, yesterday afternoon mortality bitch slapped me upside the head. I found out that my cholesterol is two points shy of the thin black line that defines "high". Being thirty seven, a lifetime athlete, and relatively healthy eater since my early twenties, my number shouldn't even be on the same continent as "high", never mind the same zip code. I clearly have my parents' genes to blame, and since my father passed away many years ago of something other than heart disease, I get to have a long conversation with my mother this weekend on her poor gene selection. I might bring up the whole short thing while I'm at it (seriously, all I asked for was 5'9").

I tend to look at situations like this as risk management problems. With potential mitigating actions, all of which come at a cost, and a potential negative consequence (well, negative for me), it slots nicely into a risk-based approach. It also highlights what is the single most important factor in any risk analysis- integrity. If you deceive yourself (or others) you can never make an effective risk decision. Let's map it out:

Asset Valuation - Really fracking high for me personally, $2M to the insurance company (time limited to 20 years), and somewhere between zero and whatever for the rest of the world (and, I suspect, a few negative values circulating out there).

Risk Tolerance - Low. Oh sure, I'd like to say "none", but the reality is if my risk tolerance was really 0, I'd mentally implode in a clash of irreconcilable risk factors as fear of my house burning around me conflicts with the danger of a meteor smashing open my skull like a ripe pumpkin when I walk outside. Since anything over 100 years old isn't realistically quantifiable (and 80 is more reasonable), I'll call 85 the low end of my tolerance, with no complaints if I can double that.

Risk/Threat Factors - Genetics, lifestyle, and medication. This one is pretty easy, since there are really only 3 factors that affect the outcome (in this dimension, I'm skipping cancer, accidents, and those freaky brain eating bacteria found in certain lakes). I can only change two of the factors, each of which comes with both a financial cost and, for lack of a better word, a "pleasure" cost.

Risk Analysis - I'm going to build three scenarios:

  1. Since some of my cholesterol is good to normal (HDL and triglycerides), and only part of it bad (LDL and total serum), I can deceive myself into thinking I don't need to do anything today and ignore the possibility of slowly clogging my arteries until a piece of random plaque breaks off and kills me in excruciating pain at an inconvenient moment. Since that's what everyone else tends to do, we'll call this option "best practices".
  2. I can meet with my doctor, review the results, and determine which lifestyle changes and/or medication I can start today to reduce my long term risks. I can reduce the intake of certain foods, switch to things like Egg Beaters, and increase my intake of high fiber food and veggies. I'll pay an additional financial cost for higher quality food, a time cost for the extra workouts, and a "pleasure" cost for fewer chocolate chip cookies. In exchange for those french fries and gooey burritos I'll be healthier overall and live a higher quality of life until I'm disemboweled by an irate ostrich while on safari in Africa.
  3. I can immediately switch to a completely heart-healthy diet and disengage from any activity that increases my risk of premature death (and isn't all death premature?). I'll never eat another cookie or french fry, and I'll move to a monastery in a meteor-free zone to eliminate all stress from my life as I engage in whatever the latest medical journals define as the optimum diet and exercise plan. I will lead a longer, lower quality life until I'm disemboweled by an irate monk who is sick of my self righteous preaching and mid-chant calisthenics. We'll call this option the "consultant/analyst" recommendations.

Risk Decision and Mitigation Plan - Those three scenarios represent the low, middle, and high option. In every case there is a cost- but the cost is either in the short term or the long term. None of the scenarios guarantees success. This is where the integrity comes in- I've tried to qualify all the appropriate costs in each scenario, and don't try and fool myself into thinking I can avoid those costs to steer myself towards the easy decision.

It would be easy to look at my various cholesterol levels and current lifestyle, then decide that maybe if I read the numbers from a certain angle nothing bad will happen. Or maybe I can just hang out without making changes until the numbers get worse, and fix things then. On the other end, I could completely deceive myself and decide that a bunch of extreme efforts will fix everything and I can completely control the end result, ignoring the cost and all the other factors out there.

But if I'm really honest to myself, I know that despite my low tolerance for an early death, I'm unwilling to pay the costs of extreme actions.

Thus I'm going to make immediate changes to my diet that I know I can tolerate in the long term, I'll meet with my doctor and start getting annual tests, and I'll slip less on my fitness plan when work gets out of control. I'm putting metrics in place I can track over time, taking a programmatic approach, and not pretending I can control everything or completely eliminate the risk. If those changes aren't enough, I'll re-evaluate them to build a more effective program and consider investment in medication.

Here's the secret of risk management- integrity. No risk framework, quantification scheme, or qualitative approach can ever compensate for self-deception. Nearly every major risk analysis failure comes down to someone, somewhere, (if not everyone) closing their eyes and skewing the system to give a desired result. And the higher the stakes, the more likely we are to fool ourselves.

–Rich

Wednesday, September 17, 2008

The Fallacy of Complete and Accurate Risk Quantification

By Rich

Wow. The American taxpayer now owns AIG. Does that mean I can get a cheap rate?

The economic events of the past few days transitioned the months-long saga of financial irresponsibility past merely stunning into the realm of truly terrifying. We've leaped past the predictable into a maelstrom of uncertainty edging on a black hole of unknowable repercussions. True, the system could stabilize soon, allowing us to rebuild before the shock waves topple the relatively stable average family. But right now it seems the global economy is so convoluted we're all moving forward like a big herd navigating K2 in a blinding snowstorm with the occasional avalanche.

Yeah, I'm scared. Frightened and furious that, yet again, the group think of the financial community placed the future of my family at risk. That we, as taxpayers, will have to bail them out like Chrysler in the 70's, and the savings and loan institutions of the 80's. That, in all likelihood, no one responsible for the decisions will be held accountable and they will all go back to lives of luxury.

One lesson I'm already taking to heart is that I believe these events are disproving the myth of the reliability of risk management in financial services. On the security side, we often hold up financial services as the golden child of risk management. In that world, nearly everything is quantifiable, especially with credit and market risk (operational is always a bit more fuzzy). Complex equations and tables feed intelligent risk decisions that allow financial institutions to manage their risk portfolios while maximizing profitability. All backed by an insurance industry, also using big math, big heads, and big computers; capable of accepting and distributing the financial impact of point failures.

But we are witnessing the failure of that system of risk management on an epic scale.

Much of our financial system revolves around risk- distributing, transferring, and quantifying risk to fuel the economy. The simplest savings and loan bank is nothing more than a risk management tool. It provides a safe haven for our assets, and in return is allowed to use those assets for its own profitability. Banks make loans and charge interest. They do this knowing a certain percentage of those loans will default, and using risk models decide which are safest, which are riskiest, and what interest rate to charge based on that level of risk. It's just a form of gambling, but one where they know the odds. We, the bank's customers, are protected from bad decisions through a combination of diversification (spreading the risk, rather than just one big loan to one big customer) and insurance (the FDIC here in the US).

It's a system that's failed before; once spectacularly (the Depression), and again in the 80's, but overall works well.

Thus we have empirical proof that even the simplest form of financial risk management can fail.

Fast forward to today. Our system is infinitely more complex than a simple S&L, interconnected in ways that we now know no one completely understands. But we do know some of the failures:

  1. Risk ratings firms knowingly under-rated risks to avoid losing the business of financial firms wanting to make those investments.
  2. Insurance firms, like AIG, backed these complex financial tools without fully understanding them.
  3. Financial firms themselves traded in these complex assets without fully understanding them.
  4. The entire industry engaged in massive group think which ignored clear risks of relying on a single factor (the mortgage industry) to fuel other investments. Lack of proper oversight (government, risk rating companies, and insurance companies) allowed this to play out to an extreme.
  5. Reduced compartmentalization in the financial system allowed failures to spread across multiple sectors (possibly a deregulation failure).

Let's tie this back to information security risk management.

First, please don't take this as a diatribe against security metrics- of which I'm a firm supporter. My argument is that these events show that complete and accurate risk quantification isn't really possible, for two big reasons.

  1. It is impossible to avoid introducing bias into the system, even a purely mathematical one. The metrics we choose, how we measure them, and how we rate them will always be biased. As with recent events, individual (or group) desires can heavily influence that bias and the resulting conclusions. We always game the system.
  2. Complexity is the enemy of risk, yet everything is complex. It's nearly impossible to fully understand any system worth measuring risk on.

Which leads to my message of the day. Quantified risk is no more or less valuable or effective than qualified risk. Let's stop pretending we can quantify everything, because even when we can (as in the current economic fiasco) the result isn't necessarily reliable, and won't necessarily lead to better decisions. I actually think we often abuse quantification to support bad decisions that a qualified assessment would prevent.

Now I can't close without injecting a bit of my personal politics, so stop reading here if you don't want my two sentence rant...

rant

I don't see how anyone can justify voting for a platform of less regulation and reduced government oversight. Now that we own AIG and a few other companies, it seems that's just a good way to socialize big business. It didn't work in the 80's, and it isn't working now. I support free markets, but damn, we need better regulation and oversight. I'm tired of paying for big business's big mistakes and people pretending that this time it was just a mistake and it won't happen again if we just get the government out of the way and lower corporate taxes. Enough of the fracking corporate welfare!

/rant

–Rich

Thursday, July 03, 2008

The Mozilla Metrics Project

By Rich

Ryan Naraine just posted an article over at ZDNet about a project I'm extremely excited to be involved with.

Just before RSA I was invited by Window Snyder over at Mozilla to work with them on a project to take a new look at software security metrics. Window has posted the details of the project over on the Mozilla security blog, and here's an excerpt:

Mozilla has been working with security researcher and analyst Rich Mogull for a few months now on a project to develop a metrics model to measure the relative security of Firefox over time. We are trying to develop a model that goes beyond simple bug counts and more accurately reflects both the effectiveness of secure development efforts, and the relative risk to users over time. Our goal in this first phase of the project is to build a baseline model we can evolve over time as we learn what works, and what does not. We do not think any model can define an absolute level of security, so we decided to take the approach of tracking metrics over time so we can track relative improvements (or declines), and identify any problem spots. This information will support the development of Mozilla projects including future versions of Firefox. ... Below is a summary of the project goals, and the xls of the model is posted at http://securosis.com/publications/MozillaProject2.xls. The same content as a set of .csvs is available here: http://securosis.com/publications/MozillaProject.zip This is a preliminary version and we are currently looking for feedback. The final version will be a far more descriptive document, but for now we are using a spreadsheet to refine the approach. Feel free to download it, rip it apart, and post your comments. This is an open project and process. Eventually we will release this to the community at large with the hope that other organizations can adapt it to their own needs.

Although I love my job, it's not often I get to develop original research like this with an organization like Mozilla. We really think we have the opportunity to contribute to the security and development communities in an impactful way.

If you'd like to contribute, please comment over at the Mozilla blog, or email me directly. I'd like to keep the conversation over there, rather than in comments here.

This is just the spreadsheet version (and a csv version); the final product will be more of a research note, describing the metrics, process, and so on.

I'm totally psyched about this.

–Rich