TaoSecurity: TaoSecurity Security Effectiveness Model.
I like Richard Bejtlich’s Security Effectiveness Model because it highlights the key notion that information security must start with (my words) an understanding of your organization’s adversaries’ motives and methods. Richard calls these “Threat Actions.” From there, you would develop a “Defensive Plan,” and implement “Live Defenses.”
This is represented as a Venn diagram of three circles: Threat Actions, Defensive Plan, and Live Defenses. The more the three circles overlap, the more effective your security program is. [Diagram not reproduced here.]
Bejtlich calls this “threat-centric” security.
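One way to make the three circles concrete is to treat each as a set and compute the overlaps and gaps: threat actions with no planned defense, planned controls that are not actually live, and live controls tied to no observed threat. The script below is an added example, not code from the original post or from Bejtlich; the threat-action names, control names and mappings are constructed sample data, and the "effectiveness" ratio is a simple illustrative metric rather than anything the model defines.

```python
"""Coverage check modelled on the three circles of the Security Effectiveness
Model: Threat Actions, Defensive Plan, Live Defenses.

Added example; all data below is constructed for illustration.
"""
from dataclasses import dataclass

# Threat Actions: what adversaries have been observed doing against the org.
# (constructed sample; in practice sourced from third-party research and
# your own assessments)
THREAT_ACTIONS = {
    "sqli_customer_portal",
    "phishing_credential_theft",
    "ssh_bruteforce_bastion",
    "vuln_third_party_webapp",
}

# Defensive Plan: which control(s) are meant to address each threat action.
# Note the deliberate gaps: no entry for vuln_third_party_webapp, and a stale
# entry (ftp_anonymous_upload) for a threat nobody currently observes.
DEFENSIVE_PLAN = {
    "sqli_customer_portal": {"waf", "parameterized_queries"},
    "phishing_credential_theft": {"mfa", "mail_filtering"},
    "ssh_bruteforce_bastion": {"ssh_key_only"},
    "ftp_anonymous_upload": {"ftp_disabled"},
}

# Live Defenses: controls verified to be deployed and running.
LIVE_DEFENSES = {"waf", "mfa", "ssh_key_only", "ids_sensor"}


@dataclass
class Coverage:
    fully_covered: set      # every planned control for the threat is live
    partially_covered: set  # planned, but at least one planned control is not live
    unplanned: set          # observed threat with no planned control at all
    planned_not_live: set   # controls that appear in the plan but are not deployed
    live_not_planned: set   # deployed controls tied to no threat action
    stale_plan: set         # plan entries for threats that are not observed


def assess(threats, plan, live) -> Coverage:
    """Intersect the three circles and report what falls outside the overlap."""
    fully, partial, unplanned = set(), set(), set()
    for threat in threats:
        planned = plan.get(threat, set())
        if not planned:
            unplanned.add(threat)
        elif planned <= live:
            fully.add(threat)
        else:
            partial.add(threat)
    all_planned = set().union(*plan.values()) if plan else set()
    return Coverage(
        fully_covered=fully,
        partially_covered=partial,
        unplanned=unplanned,
        planned_not_live=all_planned - live,
        live_not_planned=live - all_planned,
        stale_plan=set(plan) - set(threats),
    )


def effectiveness(cov: Coverage, threats) -> float:
    """Illustrative metric (assumption, not from the model): share of observed
    threat actions whose planned defenses are all live, i.e. the triple overlap."""
    return len(cov.fully_covered) / len(threats) if threats else 0.0


if __name__ == "__main__":
    cov = assess(THREAT_ACTIONS, DEFENSIVE_PLAN, LIVE_DEFENSES)
    print("fully covered:     ", sorted(cov.fully_covered))
    print("partially covered: ", sorted(cov.partially_covered))
    print("unplanned threats: ", sorted(cov.unplanned))
    print("planned, not live: ", sorted(cov.planned_not_live))
    print("live, not planned: ", sorted(cov.live_not_planned))
    print("stale plan entries:", sorted(cov.stale_plan))
    print(f"effectiveness: {effectiveness(cov, THREAT_ACTIONS):.2f}")
```

The useful output is the gap lists rather than the single number: "unplanned" is where the Threat Actions circle sticks out past the Defensive Plan, "planned, not live" is where the plan sticks out past Live Defenses, and "live, not planned" is spend that is not justified by any observed threat action.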
So the first question in making this approach operational is: how do you get the visibility needed to understand the Threat Actions?
I see this visibility coming from two sources:
- Third-party, generally available research. One such source is SANS. SANS developed the 20 Critical Security Controls specifically in response to its understanding of threat actions, and the latest version lists “Attack Types” in Appendix C (page 72).
- Organizational assessment. At the organizational level, you face an evaluation problem: selecting controls that are good at finding Threat Actions. In my experience, practitioners broadly agree that the primary attack vector today is at the application level. If that is correct, the organizational assessment would focus on (a) a black-box vulnerability assessment of the organization’s customer-facing web applications and (b) an assessment of the web applications (and related threats) that the organization’s employees and contractors use.
I am looking forward to Richard and others expanding on his ideas. Could be another book is coming. 🙂