A Cryptographer and a Data Communications Guy Talk About Risk Management
Sounds like the beginning of a joke, right? So these two guys walk into a bar…
“The” Bruce Schneier and Marcus Ranum have an article up on TechTarget/Information Security Magazine called, creatively enough, “Bruce Schneier, Marcus Ranum debate risk management”.
Unfortunately, to get to the article, you’ll have to either already be a subscriber to IT Security, a subscriber to TechTarget, or go through the 20-minute process of signing up by giving TechTarget all sorts of “market information” about how you’re really Brandon Walsh, CSO of “The Peach Pit” Industries in Beverly Hills, CA 90210 (phone 714-867-5309).
For those of you who are already a TechTarget person, the link is above. For those who aren’t, or those who just don’t have the time, I’ll summarize. The “debate” is kind of awkward because both authors seem to come to the same conclusion:
Risk Management, it’s something our profession should do, something humans do naturally, it’s necessary in business, but gosh - we don’t have enough data.
I’m not a cryptographer. I don’t have *nearly* the insight on privacy and politics that Bruce has. I’m not deep in IP communications. I haven’t got a proven track record of innovation in IP Security products like Marcus has. But here’s the thing: I hope you’ll never hear me pretend that I have the skill set to speak authoritatively on those subjects. Heck, I wouldn’t claim to be a “risk” expert because I have some insight into my shortcomings and into what is needed to tackle such a complex problem. But such a tepid article on something that (at least I think) is so important kind of, well, confuses me.
Why is it such a boring article? I’m not sure. Maybe because they’re just two guys who would rather debate the merits of specific controls or control activities (after all, their penetration testing debate was a huge success), but there’s no new information in the “debate”. It’s the same old “insurance companies know risk because they have scads of data and we don’t have that” complaint. You know what? I’m tired of hearing that line, so let’s talk about it.
HOW DO YOU KNOW WE DON’T HAVE THE AMOUNT OF DATA WE NEED TO DO RISK MANAGEMENT WELL?
Not particularly picking on Marcus, but in the article he uses the common complaint, “We lack the data to do risk management well.” This mantra is repeated to the point where I’m blasé about it. But for some reason, this sentence really jumped out at me this time, for two reasons. It made me ask:
1.) How do you know we don’t have the proper amount of data?
2.) Can we even define “well” (i.e. what “good” risk management is) yet?
I really don’t know that the industry, especially where IT risk is concerned, is mature enough to conclude conclusively either that we lack the data (the former) or what “well” means (the latter).
PLAYING THE CONTRARIAN
Just because I’m feeling kind of zany this morning, let me suggest something. Maybe there actually is lots of evidence out there for us to use. Maybe:
1.) It’s just that we don’t have particularly good models that provide context.
2.) When that evidence isn’t an obvious phenomenon that lends itself to easy measurement, we throw our hands up in disgust and fall back on “lack of data”, “can’t quantify risk”, “best practices work just fine” or any number of other arguments, no, excuses we use to justify our inability to be precise about the past (much less the present or future - apologies to Niels Bohr).
IT’S IN THE WAY THAT YOU USE IT
Now I actually am happy to acknowledge that we don’t have enough data to be precise. You, me, even smart guys like Marcus and Bruce - we’ll never be able to “engineer” risk management. But you know what? Neither can insurance companies. Sure, there are plenty of places where they have enough data to apply a traditional frequentist approach to risk valuations. But there are plenty of times insurers actually insure when they don’t have centuries or decades of data. There are plenty of times when they rely on the “estimates” of subject matter experts. There are many times they have enough information to be accurate rather than precise, and that’s good enough for them.
For that matter, it’s worth noting that there are plenty of scientific disciplines that have to deal in imprecise prior information, or evidence that’s fraught with uncertainty (what Ranum calls “squishy”, and what I’ve heard real honest-to-goodness physicists call “noisy”). Unfortunately, we’re going to be like them. Until we can read minds and predict the future, there will always be uncertainty in our measurements and posterior conclusions. The trick is in how you deal with it and express it. And while I really don’t know how much time Marcus or Bruce have spent in the deep end on the subject of risk and its management, I have seen people doing brilliant things around risk (though they just aren’t mainstream). Whether the tools are Bayesian methods, Monte Carlo engines, or reductionist models of complex problems, there are risk analysts trying to deal with the problem. These analysts are applying scientific method(s) and developing reasonable approaches to a very complex problem. There are people trying, and our body of knowledge is growing, growing well beyond “gee, I haven’t got an obvious solution so I’ll blame it on lack of data”. Heck, I’ve seen readers of this blog suggest Douglas Hubbard’s book in other security forums!*
I’VE GOT YOUR DATA RIGHT HERE…
But we don’t have enough data? I have to ask, how much more do we need? I mean crikey, JPMC just visited our ISSA chapter claiming, like, a bajillion events an hour. There’s not one, but several companies out there that will want to tell you about how they have deep “insight” into the attacker community. The boundaries of IT Risk losses are pretty well established by events that happen to public companies. We have pretty mature testing/assessment tools and methodologies now that help us test our ability to resist the force an attacker can apply to us. So what part of the Threat Landscape, Asset (Controls) Landscape, or Loss Magnitude landscape is too incomplete (and what are you doing to find the information you need)?
SO WHY DO WE FAIL?
Which brings me to a final, somewhat depressing conclusion. Maybe there’s data, and maybe we’re starting to see the means to use it. But in the end I do have to agree with Marcus that the vast majority of the infosec world *is* doing a really, really bad job with regards to “risk” and “risk management”. The majority of people I know consider GRC to be a cruel, expensive joke. Risk Assessment Methodologies tend to be built on the faulty premise that if we create a repeatable process, our measurements and conclusions will magically become accurate and wise. Risk models tend to be factors loosely measured by ordinal scales and then somehow “multiplied” together to create a relatively meaningless qualitative value. The State of the Union here is not good. But after reading such a superficial treatment of an important and complex subject, I am left wondering if Bruce and Marcus were the right people to write about risk management in a mainstream publication. As Inspector Callahan says, “A man’s got to know his limitations.”
===============================
* Speaking of which, if you want to do one cost-effective thing to address your uncertainty, go find Douglas Hubbard’s book. It’s even got a nice recommendation from Peter Tippett. The book is called “How To Measure Anything” - the title sounds rather hyperbolic, but there are good techniques in it we can use to identify useful information and refine our ability to frame qualitative information as quantitative values. The key is how Hubbard has you deal with your uncertainty. For those of you who are more scientifically minded and want to dig deep into the subject, I have it on good authority that E.T. Jaynes’ “Probability Theory: The Logic of Science” is a rather underappreciated work.
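To make the complaint about ordinal “multiplication” concrete, and to show what the Monte Carlo and calibrated-estimate approaches mentioned above actually produce from the same expert inputs, here is an added example. It is not code from the post, from Hubbard’s book, or from any tool the post names; the two scenarios, their 90% confidence intervals and the lognormal/Poisson modelling choices are my constructed assumptions for illustration. Both scenarios rate as 3 × 3 = 9 on a typical heat map, yet their simulated annual-loss distributions differ by an order of magnitude, which is exactly the information the ordinal product throws away.

```python
"""Risk arithmetic two ways: ordinal heat-map scores versus a Monte Carlo
annual-loss distribution built from calibrated 90% confidence intervals.

Added example; not code from the post or from any tool it names.  Scenario
figures and distribution choices are constructed assumptions.
"""
import math
import random
from statistics import NormalDist
from typing import Dict, List, Tuple

Z90 = NormalDist().inv_cdf(0.95)  # 1.645: half-width of a 90% CI, in sigmas


def ordinal_score(likelihood: int, impact: int) -> int:
    """Heat-map model: two 1..5 ordinal ranks 'multiplied' together."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("ranks must be 1..5")
    return likelihood * impact


def lognormal_from_ci(lo: float, hi: float) -> Tuple[float, float]:
    """(mu, sigma) of the lognormal whose 5th/95th percentiles are lo and hi.

    A calibrated estimate ('90% sure one incident costs 5k..80k') becomes a
    distribution the simulation can draw from.  Assumed lognormal shape.
    """
    if not 0 < lo < hi:
        raise ValueError("need 0 < lo < hi")
    mu = (math.log(lo) + math.log(hi)) / 2
    sigma = (math.log(hi) - math.log(lo)) / (2 * Z90)
    return mu, sigma


def poisson(rng: random.Random, lam: float) -> int:
    """Event count for one year at rate lam (Knuth's method; normal
    approximation above 50 so exp(-lam) cannot underflow to zero)."""
    if lam > 50:
        return max(0, round(rng.gauss(lam, math.sqrt(lam))))
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(freq_ci: Tuple[float, float], mag_ci: Tuple[float, float],
                         trials: int = 20_000, seed: int = 1) -> List[float]:
    """One trial = one simulated year; returns a sample of annual losses.

    freq_ci: 90% CI for events per year.  mag_ci: 90% CI for loss per event.
    The rate is itself drawn each year (we are uncertain about it), then the
    event count, then one loss magnitude per event.  Fixed seed for
    reproducibility.
    """
    rng = random.Random(seed)
    f_mu, f_sigma = lognormal_from_ci(*freq_ci)
    m_mu, m_sigma = lognormal_from_ci(*mag_ci)
    losses = []
    for _ in range(trials):
        rate = rng.lognormvariate(f_mu, f_sigma)
        events = poisson(rng, rate)
        losses.append(sum(rng.lognormvariate(m_mu, m_sigma) for _ in range(events)))
    return losses


def summarize(losses: List[float]) -> Dict[str, float]:
    """Mean and 5th/50th/95th percentiles of the simulated annual loss."""
    s = sorted(losses)

    def pick(p: float) -> float:
        return s[min(len(s) - 1, int(p * len(s)))]

    return {"mean": sum(s) / len(s), "p5": pick(0.05), "p50": pick(0.5), "p95": pick(0.95)}


def prob_exceeds(losses: List[float], threshold: float) -> float:
    """Loss-exceedance probability: share of simulated years above threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


# Constructed scenarios.  A typical heat map rates both 3 x 3 = 9; the ordinal
# product cannot tell a frequent, cheap loss from a rare, catastrophic one.
SCENARIOS = {
    "phishing credential theft": dict(freq_ci=(2.0, 12.0), mag_ci=(5_000, 80_000)),
    "customer database breach": dict(freq_ci=(0.05, 0.5), mag_ci=(500_000, 20_000_000)),
}

if __name__ == "__main__":
    print("ordinal 3x3 score for both scenarios:", ordinal_score(3, 3))
    for name, inputs in SCENARIOS.items():
        losses = simulate_annual_loss(**inputs)
        st = summarize(losses)
        print(f"{name}: mean {st['mean']:,.0f}  p5 {st['p5']:,.0f}  "
              f"p50 {st['p50']:,.0f}  p95 {st['p95']:,.0f}  "
              f"P(loss > 1M) {prob_exceeds(losses, 1_000_000):.1%}")
```

The point of the design is that every input is an interval an expert can be calibrated on, and every output carries its uncertainty with it: a mean, a median, a 95th percentile and an exceedance probability against a threshold the business actually cares about, rather than a single “9” that means nothing in any unit.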


Neil HB Oct 16
great stuff!
In answer to your question “what part of the Threat Landscape … is incomplete?” my belief, which I think you and Jack may concur is …a true record of impact!
Saso Oct 16
Thank you.
Thank you, thank you, thank you.
Every time I hear “we don’t have enough data” I feel like going into a lengthy argument about data and information. Data we have. We have shed loads of data; we’re buried in it up to our noses and we’ll soon suffocate unless we find a way to process that data and get some useful information out of it. Insurance companies have less data than we do, honestly, but have models and means of turning it into (useful and accurate is not always a qualifier here) information that is then used.
I completely agree with you w.r.t. insurance companies. Some look in awe at insurance companies, investment banks and other places managing financial risks falling from grace lately, and always quote how much historical data they have to fall back on. Well, that’s all fine and well when you want to manage risks in the past - but to manage risks in the future you need to take that data and turn it into information. Lloyd’s of London is a prime example of an insurance company that has been around for longer than many others and specialises in taking on exotic risks that other insurance companies don’t even want to consider (no data). I don’t remember hearing Lloyd’s ever complaining that they have insufficient data.
I think “no data” is really just a cop out so we don’t have to do anything. It’s really just a CYA policy.
P Oct 17
I am a bit on the fence here about “we don’t have enough data”. In many cases we have lots of data, but not the “right” kind of data to help make better risk decisions.
The type of data that security departments tend to have gobs of are threat type statistics. So what - that I know about how many packets I dropped at my firewall, or how much spam I dropped at my mail gateway - I guess I know that there is a real threat but not really much about risk.
The data we often don’t have is value related data points; how much money will you lose if something “bad” happens to an asset? what are the industry attack frequencies that result in a loss, and how much was that loss? It is this value data / frequency data that completes the equation to help present a better picture to help manage risk.
Jack can obviously speak to insurance data better than I, but it seems to me that insurance actuarial data does a much better job answering the value questions than we can do today in security (how many deaths are the result of X type of accident, replacement value of something bad happening to an insured asset, frequency of “bad” events that result in a loss).
Speaking to the value data, look at how our financial markets are struggling because they lost track of the value of the assets they were either holding, investing, or insuring and making poor risk decisions based on a misguided view of the value (I know, overly simplistic answer to the financial market problem - but certainly a factor).
Luke O’Connor Oct 18
@Alex
This is a great post, and I can only encourage you to develop it into a proper document, because it addresses perhaps the main problem that we have with IT risk management - our obsession with data and its apparent shortage.
You can get NYSE data going back 20 years, but having or not having this data is not the difference between being a success and failure in the stockmarket. You have to know what you want to do with the data, which in short means you need a model. The Pagerank algorithm of Google does not simply materialize from having access to the data set of which pages reference which others. Google has a model (a Markov chain) which uses this information to produce numbers that tell you something about the value of each page. And the model seems to work but the data itself is not the breakthrough.
I think in IT Sec we don’t know what we are really looking for (we don’t have models that we are trying to parameterize) and we are hoping that the meaning of the data is self-evident. But it’s not.
My big takeaway from the recent book on Security Metrics is to plan top down. Start with statements or hypotheses that you want to prove or disprove, and then create sub-hypotheses that can either be directly proved or falsified by data. If not, then go down another level (in search of data) or remove the hypothesis (no data). Actually I don’t see how someone could assess the risk of a general problem such as data loss without such a structured approach.
Without the hypotheses the data we have cannot be effectively marshalled to support or falsify claims. I could keep writing more but it’s late. I have posted some comments on the weaknesses of quant modeling which may be relevant here as well:
http://lukenotricks.blogspot.com/2008/06/goodbye-yellow-brick-road.html
regards Luke
Dean Loomis Oct 19
I think Bruce Schneier is being disingenuous when he talks about not having enough data. As the founder of the first managed security services company, he has access to more data than most of us can dream about. It should be a simple thing for him to tell his customers “here’s what you need to tell us so that we can give you better information about how effective your security actually is.” Bruce’s company is already seeing sensitive data from his customers, so the argument that they don’t want to disclose their intrusions doesn’t apply.
The real problem is that business managers can’t value their IT assets, for all kinds of reasons, not the least of which is that information is an intangible that doesn’t acquire a consensus value until it participates in a market-based transaction. Then security “experts” are prisoners of a risk equation that has “value” as an essential parameter. And nobody seems to know what to do to fill in this hole in our thinking.
Anonymous Oct 20
Wrt. Mr Walsh’s address, I usually live at 1541 Disk Drive.
djb Oct 20
I agree that we have tons and tons of historical data that can be used to one degree or another for risk analysis.
Having said that, it seems to me that many people mistakenly consider historical data to be (1) unassailable and (2) a perfect indicator of future events. I suspect that some pieces of data meet these two criteria, while the vast majority does not.
Past data cannot tell us when or where an event that occurs randomly and periodically will occur. Example: See the market crashes of 1987, 2008, or the 100 year flood. Past data also cannot tell us when events that have never happened before will occur, i.e., the space shuttle disaster in 1986 or 9/11, because what hasn’t happened doesn’t exist in the data. In fact, if the world were governed solely by past data, a new event such as 9/11 couldn’t occur. So, while past data is useful, there remains a need to think qualitatively and creatively about the future even if our conclusions contradict historical data.
I’m not against historical data based risk analysis. Rather, in fact, I’d like to see more research in this area to fully enumerate when and where past data can help us, and under what conditions, assumptions, and constraints. This will provide actionable information and allow practitioners to focus on those events that cannot be discerned from the past.
As an aside, insurance risk programs tend to work because they are geared towards protecting the insurance company from risks posed by its customers, not the greater possibility of risk posed by the world. The insurer faces quantifiable risks, the extent of which are limited and fully known, while the insuree is faced with unlimited risk beyond the limits of insurance coverage. That’s not managing risk, that’s just deciding who pays the tab.
Alex Oct 21
Wil Gragido left the following comment on the previous post, so I’m going to go ahead and plop it in here:
Nice commentary. I believe that both authors are missing the point with respect to risk management. I disagree that there is not enough data to properly execute. In fact, I’d assert there is a tremendous wealth of data with respect to the subject matter. The challenge is in securing the cultural / corporate ‘buy in’ and subsequent support necessary for execution. It’s not a matter of a lack of data, it’s a matter of a lack of dedication and desire in the absence of consequence.
Luke O’Connor Oct 29
One more comment here
http://lukenotricks.blogspot.com/2008/10/wisdom-of-random-crowd-of-one.html
the conclusion being that
In IT Risk we seem to be stubbornly waiting for a data set that is self-modelling, self-analysing and self-explaining. We are desperately trying to bypass the modelling and analysis steps, hoping that meaning can be simply read off from the data itself. As if data were like one of those “Advance to Go” cards in Monopoly where we can skip over most of the board and just collect our $200. The problem is that we keep drawing cards that direct us to “Go Back Three spaces” or “Go to Jail”.
regards Luke
P.S. Apologies for any typos!
Marcus Ranum Jul 16
“How do you know we don’t have the proper amount of data?”
How do you know that we DO? If someone is producing some kind of statistic or model and suggesting that it should be used, effectively to predict the future, it should be shown to have more predictive power than randomness. I’m sure there are some IT security risk models that hold water, but I’d be prepared to bet that they’re the ones where the model is equal to obviousness. I.e.:
Statistician: “Our predictive weather models say it’s got a 90% chance of raining”
Engineer: “I just looked out the window and there’s a huge thundercloud with lightning and rain headed our way. Who needs your predictive model when the window works just fine?”
Eventually, you move into the territory typically held by psychic card readers: “someone famous will die in the next year.” For example, I could predict fairly confidently that there will be a major security breach at some bank or brokerage in the next year. The question is, does someone have models and numbers that would allow more detailed projections? If you think about it a little bit, you realize that “risk management” equates to predicting the future. That’s hard, but predicting the past is easy. Predicting the future is going to be like the past is a good bet and it works for Sylvia Browne but it’s not a basis for business decisions.
“there are plenty of scientific disciplines that have to deal in imprecise prior information, or evidence that’s fraught with uncertainty (what Ranum calls “squishy”, and what I’ve heard real honest to goodness physicists call “noisy”)”
Physics is a good example. Yes, you don’t know where an electron is, but you’ve got a mathematical model that works with a high degree of accuracy in spite of your ignorance. But you’ve constrained the problem to the point where the electron is, at least, in your experimental apparatus. Network security is a problem that involves a lot more variables - including an active, intelligent, creative, hostile power - the “enemy” if you will, does nothing BUT perturb your models. That’s what innovation in attack IS.
“These analysts are applying scientific method(s) and developing reasonable approaches to a very complex problem.”
Isaac Newton used the scientific method to do alchemy. I’m sure it was a perfectly reasonable approach; too bad it didn’t work. I know that’s just an example, but don’t make the mistake of thinking that the scientific method can allow people to predict the future. I’ve been through this game with models for risk a couple times in the past so I’m not entirely blowing smoke: guess what happens when the model fails? They change the model to match observable reality and say that’s “scientific.” They neglect the part where scientific theories show predictive power. That’s why I take quantum electrodynamics seriously and laugh at risk management. The physics works out to be able to predict cause and effect with a great deal of accuracy whereas the risk management happens to predict that the model is correct, given inputs that make the model correct.
“JPMC just visited our ISSA chapter claiming, like, a bajillion events an hour.”
I suspect JPMC’s event load has completely different meaning from, say, ebay’s event load - or mine. Just because there’s a lot of data doesn’t mean that you can easily find an underlying theory that unifies it.
“The boundaries of IT Risk losses are pretty well established by events that happen to public companies.”
Unfortunately, those events are often self-reported. Psychologists (the honest ones) can tell you about the problems of dealing with self-reported data. Pollsters (the honest ones) and statisticians can tell you about the problems of self-selected samples and sampling bias.
Just saying that there’s lots of data doesn’t help unless there’s a unifying theory of what the data means, that has some predictive power. If someone wanted to do science in this area, they would propose the theory first, then gather evidence that supported it. Statistical methods are tools to explore problems we don’t understand, looking for correlations and possible areas of significance that might allow us to build those theories. But, ultimately, since risk management is dealing with human behaviors you’d need a predictive behavioral model for it to be anything much better than astrology.
“I am left wondering if Bruce and Marcus were the right people to write about risk management in a mainstream publication.”
Yes and no. The best reply to that question, unfortunately, is fairly nasty and it’s PZ Myers’ “the courtier’s reply” ( http://scienceblogs.com/pharyngula/2006/12/the_courtiers_reply.php ) Essentially it’s that if your field of endeavor is so obviously fake that even non-expert outsiders can dismiss it - don’t attack the non-expert outsiders for playing outside their field: ask yourself “what’s so obviously wrong here.” If you ask the risk management faithful, of course they aren’t going to see that the emperor has no clothes - they can dismiss me as “not understanding risk management.” I’m fine with that.
I don’t hear anyone successfully refuting my charges that, namely:
- Risk management inputs are estimates and the results are therefore questionable
- Risk management attempts to predict the future; that is hard
- Risk management is based on backward-looking statistics, which does not make sense in an environment where you’re up against a creative attacker
Thanks for your stimulating comments and blog posting,
mjr.
Marcus Ranum Jul 16
“I think Bruce Schneier is being disingenuous when he talks about not having enough data. As the founder of the first managed security services company, he has access to more data than most of us can dream about.”
Very good point! But here’s another way of looking at it: as founder of one of the first managed security services companies, Bruce has a good idea of how hard it is to derive strategic information out of a mass of tactical data.
Log data and event data is very specific to the here and now and the target in question. It’s often entirely site policy centric. I.e.: does a “firewall deny” mean the same thing on my SCADA network as it does on my DMZ? No. How, then, do I separate those out, and apply meaning differently to them? In the environment of worms and robotic attacks, does 100,000 bad logins mean more than 10 bad logins? And, would a jump from 100,000 to 200,000 indicate an important trend, or just that we upgraded our bandwidth?
What winds up happening (another reason I reject risk management) is that values to those questions above get plugged in based on expert opinions. If the customer doesn’t have an expert who understands the significance of those factors to the site in question, you get nonsensical outputs if you try to plug the same factors from another site. At best, you are building an expert system - at worst you are building a site-specific expert system. If that’s the case, then skip the “risk management” label and just call it what it is: an expert opinion.
Bruce and I have both looked at enough logs and security data to be able to tell you how dramatically they change when the bad guys come up with something new. That’s also a serious problem for the notion that security data is going to be useful: at any given moment there can be huge discontinuities. I remember when Code Red came out, my IDS logs went from 10,000 events/day to 250,000 - so I turned off Code Red alerting because I knew it didn’t matter to me. How do you represent that kind of incident and suppression response in a threat model? You can’t. You can, perhaps, model that new forms of attacks come out every year - but there’s no historical data on how effective they are.
Zooming out to a macro level you might be able to say “at any given time, 40% of the windows machines in the world are vulnerable to 5-10 well-known attacks.” or something like that. So what? Any organization will assert that ‘that doesn’t apply to us because we have patch management!’ — and then you are left making guesses about the effectiveness of a particular organization’s patch management. Actually, nobody even tries that because the concept is laughable.
“The real problem is that business managers can’t value their IT assets, for all kinds of reasons, not the least of which is that information is an intangible that doesn’t acquire a consensus value until it participates in a market-based transaction.”
Exactly. Add to that the fact that the value of information fluctuates and the amount of effort an attacker might spend to get at it does, too. That’s where the creative attackers come in, again - and that can be at a tactical or strategic level; someone might suddenly find a day-zero into a database and instantly render a million dollars worth of security useless - or Google may announce they are giving away a free version of a core business process and the value of corporate information assets suddenly goes from millions to somewhere close to zero.
You can do “risk management” if you play roulette (probability says that there are only 2 ways to win: be the house, or be the state) but that’s because the rules don’t change and the probabilities are therefore fixed.