McAfee Security Insights
Measuring Risk to Gauge Vulnerability
As the diversity of threats facing IT organizations continues to grow, it’s easy for security professionals to become overwhelmed. Every alert about a new software vulnerability or new strain of malicious code can send IT staff scrambling to get a fix in place as soon as possible. The result can be frenetic, event-driven action that consumes time and energy but may not necessarily provide maximum protection for the business.
Instead, security teams should develop smart risk management strategies so that their finite resources are focused on the greatest threats to their business.
“No company has enough money and people to completely eliminate absolutely all of its potential IT-related risks,” explains George Kurtz, Senior Vice President of Risk Management at McAfee. “So you have to be able to quantify the risks you face and prioritize your security investments accordingly.”
To quantify risk and prioritize corrective action, Kurtz, who joined the McAfee management team from the recently acquired Foundstone, proposes a model whereby risk is measured by looking at three factors: asset value, asset vulnerability and real threats.
Asset Value: A server processing thousands of dollars worth of transactions every minute is obviously a more critical asset than a customer service representative’s desktop. So an intelligent risk reduction strategy requires clear insight into the business value represented by the various types of IT assets across the enterprise.
Asset Vulnerability: In addition to having different business values, IT assets have different levels of inherent vulnerability. A system serving up public Web pages is more vulnerable than one that’s not connected to the Internet at all. And a switch locked up in a wiring closet is less exposed than a laptop that’s thousands of miles away from the corporate security perimeter.
Real Threats: Finally, security teams need to have a clear picture of the actual threats to which any given asset is exposed. More exploits are targeted at commercially popular operating systems, for example, than at legacy systems. So while older applications running on those legacy systems may be of high value to the company, they are also the target of far fewer threats and may therefore represent a less substantial risk to the company than applications running on Microsoft® Windows® or Linux™.
By factoring these three attributes together, security teams can understand exactly where the greatest business risk exists and prioritize their risk mitigation activities accordingly.

Risk can be calculated by factoring in the business value of the asset, its inherent vulnerability, and the intensity of the threats it actually faces.
Risk Management Strategies
In addition to understanding specific risk levels, security teams can significantly enhance their effectiveness by broadening their perspective on how IT-related risks can be addressed. Kurtz points out four possible risk management strategies: risk mitigation, risk acceptance, risk transfer and risk avoidance.
Risk Mitigation: This is the response to risk that typically comes to mind first. It includes all the countermeasures that security teams deploy against threats, including firewalls, intrusion detection and antivirus.
Risk Acceptance: If the cost of addressing a risk is greater than the risk itself or if addressing the risk would pull resources away from a far more serious risk, the rational course of action may be to simply accept the risk.
Risk Transfer: In some cases, it is more prudent to transfer the risk to a third party such as an insurance company than to allocate limited resources toward mitigation efforts that are unlikely to make a difference.
Risk Avoidance: There will be situations when the level of risk and the cost of addressing that risk are simply not tolerable. In these cases, it is best to avoid the risk entirely by either retiring the system in question or not deploying it in the first place.
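As an added example (not code from the original article or from McAfee), the following Python sketch scores a constructed asset inventory with the three-factor model above and then assigns each asset one of the four strategies. The numeric scales, the risk tolerance, the budget and the 0.5 effectiveness threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float            # business value, 1 (low) to 10 (critical); assumed scale
    vulnerability: float    # inherent exposure, 0 (isolated) to 1 (Internet-facing)
    threat: float           # intensity of real threats, 0 (rarely targeted) to 1
    mitigation_cost: float  # estimated cost of countermeasures, in risk units
    effectiveness: float    # fraction of the risk a countermeasure would remove

def risk_score(asset):
    """Risk = asset value x inherent vulnerability x real threat level."""
    return asset.value * asset.vulnerability * asset.threat

def choose_strategy(asset, risk_tolerance, budget):
    # Map one asset to mitigate/accept/transfer/avoid; thresholds are assumed.
    risk = risk_score(asset)
    if risk > risk_tolerance and asset.mitigation_cost > budget:
        return "avoid"      # neither the exposure nor its price is tolerable
    if asset.mitigation_cost > risk:
        return "accept"     # the fix would cost more than the risk is worth
    if asset.effectiveness < 0.5:
        return "transfer"   # countermeasures unlikely to make a difference
    return "mitigate"

def plan(assets, risk_tolerance, budget):
    # Walk the inventory worst risk first, spending the budget as we go.
    remaining, decisions = budget, []
    for asset in sorted(assets, key=risk_score, reverse=True):
        risk = risk_score(asset)
        strategy = choose_strategy(asset, risk_tolerance, budget)
        if strategy == "mitigate" and asset.mitigation_cost > remaining:
            strategy = "accept"  # resources already went to more serious risks
        residual = risk
        if strategy == "mitigate":
            remaining -= asset.mitigation_cost
            residual = risk * (1 - asset.effectiveness)
        elif strategy == "avoid":
            residual = 0.0       # system retired or never deployed
        decisions.append((asset.name, round(risk, 2), strategy, round(residual, 2)))
    return decisions

INVENTORY = [  # constructed sample inventory; scores are illustrative, not measurements
    Asset("transaction-server", 10, 0.7, 0.9, 2.0, 0.8),   # high value, public, Windows
    Asset("csr-desktop", 2, 0.5, 0.9, 0.8, 0.9),           # low value, popular OS
    Asset("legacy-mainframe-app", 9, 0.3, 0.1, 5.0, 0.6),  # high value, few exploits
    Asset("field-laptop", 4, 0.9, 0.8, 1.0, 0.3),          # outside the perimeter
    Asset("wiring-closet-switch", 5, 0.1, 0.3, 0.5, 0.7),  # physically locked away
    Asset("public-web-kiosk", 8, 1.0, 0.9, 4.0, 0.7),      # exposed and costly to fix
]
PLAN = plan(INVENTORY, risk_tolerance=5.0, budget=3.0)
```

Each tuple in PLAN lists the asset, its risk score, the chosen strategy and the residual risk that remains after that choice, which is the figure a later verification step should check against.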
“If you think you have to mitigate every risk you encounter, you’re going to run out of resources before you run out of exposures,” says Kurtz. “You have to use a combination of strategies based on the nature of your IT environment and the size of your security budget.”
Security teams can further enhance their effectiveness by automating as much of the risk management process as possible, from the discovery of assets and the assessment of the risk associated with them to verification that remediation procedures have been properly executed and have had their intended impact.
According to IT research firm Gartner, organizations that implement appropriate risk management processes and technologies to discover, prioritize and remediate vulnerabilities will be 90 percent less likely to be the victim of a successful attack.
“The biggest myth out there is that you make yourself secure by simply putting up a firewall,” declares Kurtz. “The reality is that your level of security depends largely on how well you understand and manage risk in all of its various forms and how good a job you do of focusing your limited resources where they will do you the most good.”
Since this article was written, McAfee has introduced new products that offer similar capabilities. Please see our products section for additional information.
Read the white paper “Strategies for Managing Vulnerabilities and Threats to Critical Digital Assets” to learn more about the McAfee® Risk Management Solutions.