Threat management – shifting from vulnerabilities to risk management

As a long-time veteran of RSA, Robert Griffins has worked across the world, with his most recent posting being in Zurich. He is the strategy architect for RSA in Europe, and he is the director of a major EU-funded security project in Europe.

In the RSA conference opening keynote, Art Coviello noted that standards are critical in how countries manage their threat/response balance.

"Within the standards community there are three very important initiatives. One is the technical standards. They attempt to increase interoperability and make systems work together better. Key management is part of that. Crypto is part of that," Griffins said.

"Equally important are the standards that deal with the framework of security as a whole. Some, like the ISO 27000 standard, establish models for how tools work together. Given the complexity of systems and the threats we face, it's extremely important to have those frameworks."

Griffins contends, though, that the most important are standards about how we understand and respond to the risks that we face. He notes that there have been some important developments in that area. In particular, risk management has moved away from looking at specific vulnerabilities towards looking at which assets are at risk.

This approach is a response to the attack models and sophistication being seen today. Given the ever-expanding threat surfaces created by increasingly open systems, BYOD and cloud-based solutions, it's simply not possible to know how or where a malicious party will launch an attack.

The model RSA is investigating has been used in operational fault isolation for many years, but its application in security is new.

Griffins suggests that this model is much like what happens on the power system. "If a transmission line is cut, does it matter whether that was done by lightning or by the falling of a pylon? The issue is that it was cut."

The focus isn't on how the line was cut but on identifying the fault, rectifying it and taking remedial action so that the same fault doesn't recur.

The more secure cloud?

Although many people see cloud-based solutions as being inherently less secure than internally hosted systems, Griffins pointed to instances where cloud-based infrastructure was a more secure solution.

"When I was producing a demo system for a show, it was much safer for me to take that software, which required access by some major competitors, and to stand it up on Amazon Web Services rather than to try to stand it up inside on our own servers. We would have had to open up ports. In that case cloud was a much more secure solution as we didn't have to expose any of our assets," he said.

Griffins said there are some critical questions that need to be asked before placing anything in the cloud. "What are you trusting? What are the mechanisms in place to secure it? How much of that can you trust? What kind of oversight do you have? These are the critical questions."

Anthony Caruana travelled to RSA Conference as a guest of RSA

Tags: BYOD, risk, Vulnerabilities, standards, ISO 27000, rsa conference 2014, #rsa2014, cloud-based solutions, threat management, @RSAC