Defending against Actual IT Threats

Roger Grimes has written an interesting paper: "Implementing a Data-Driven Computer Security Defense." His thesis is that most organizations don't match their defenses to the actual risks. His paper explains how it got to be this way, and how to fix it.

Posted on November 27, 2015 at 6:45 AM • 21 Comments


Who? • November 27, 2015 9:44 AM

I agree. Most organizations don't match their defenses to the actual risks they face at all. How to fix it?

- There is an easy first step: drop Windows, IOS (both Cisco's and Apple's iOS operating systems), OS X, Android... anything closed source or developed by U.S. based corporations and use open source software that cares about security and can be audited and improved by knowledgeable users.

- Second step: care about hardware diversity. Do not work only on Intel/AMD compatible platforms (a difficult step these days, as most computer architectures are being silently killed). A few remain (sparc64 systems, ARM appliances, some Intel-compatible systems not based on UEFI BIOS like the PC Engines APUs, ...) but accept this fact: the healthy hardware diversity of the 90s will not return.

- Third step: learn OPSEC, so these secure operating systems can help protect information; learn how to make your computing technology play on your side.


What is Cost(x)? No one using Windows considers Cost(x) either as the cost of threats to information or the time spent rebuilding broken systems. No one using Windows seriously considers the value of his data, the damage done by its exfiltration, or even the work done rebuilding computer systems. Ah, indeed, I know this affirmation will be unpopular.

Who? • November 27, 2015 9:53 AM

Before someone asks. No, I have not read this report. Two reasons: first, I will not sign a license agreement just to read a paper; and second, I honestly think Microsoft is not exactly the best advisor on information security matters.

Clive Robinson • November 27, 2015 10:42 AM

Like @who? I increasingly take issue with those who want my details to essentially do me harm. Especially for "white papers" that are a thin disguise for "sales literature", which Micro$haft have pushed a lot since they fell behind on "cloud".

The "service" Micro$haft offers these days is the worst of both worlds, where you pay or have paid to be currently forced to have spyware on your computer stealing your privacy and intellectual property. Time to borrow from "The War on Drugs" and "Simply say NO" to Micro$haft.

@ Bruce,

    His thesis is that most organizations don't match their defenses to the actual risks.

It's not just their IT or Physical defences, it's their communications, staffing and most other aspects of the business. There is a telling business statistic that has been around for quite a long while now and is as true now as it was when it first came out,

    The majority of businesses cease trading within eighteen months of a break-in or fire.

The simple fact is the directors and officers are usually focused on making profit, which is what the law requires of them. They discount risk not associated with core activities, preferring to externalize it at minimum cost and effort. In the process they tend to forget no amount of insurance can turn ashes back into assets such as business records etc.

Whilst I can understand why they want to "maximise shareholder value", they do need to think in the long term as well as the short term. Fire sales don't make profit for the stockholder, only loss after loss.

But worse, these days the directors and officers are thinking way too short-term, and anything much beyond five months does not figure in their calculations. Which means that the likes of preventative maintenance on core equipment and general upkeep, including janitorial services, get cut for the sake of "Next Quarter's Figures", and that really is not healthy behaviour on any level.

worriedautist • November 27, 2015 11:43 AM

Can we estimate either of these "Pr" or "Cost" reliably? What would seem reasonable to me is that one of the most efficient attacks would be an attack against our ability to estimate probabilities and costs. That is, to attack not primarily our computer machinery or its software, but our perceptions and emotions.

In short, to make us confused, paranoid, fearful, or maybe to make us have a false sense of security so we lower our guard.
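The thread keeps referring to Pr(x) and Cost(x) without showing the arithmetic. The script below is an added example, not part of the original post or of Grimes' paper; it assumes Pr(x) is the estimated annual probability of an incident of type x and Cost(x) the loss per incident, so expected annual loss is Pr(x) * Cost(x), and it ranks threats and candidate defenses on that basis. The threat names, probabilities, costs and reduction fractions are constructed for illustration. The `breakeven_probability` helper speaks to the question above about whether Pr can be estimated reliably: instead of asking for an exact Pr, it asks how high Pr would have to be before a given defense pays for itself, which is often an easier judgement to defend.

```python
"""Expected-loss ranking of threats and defenses.

Added example, not from the paper or the thread. Assumes expected annual
loss for threat x is Pr(x) * Cost(x). All numbers below are constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Threat:
    name: str
    pr_per_year: float   # Pr(x): estimated annual probability of an incident
    cost: float          # Cost(x): estimated loss per incident, one currency unit throughout


@dataclass(frozen=True)
class Defense:
    name: str
    annual_cost: float
    reduction: Dict[str, float]   # threat name -> fraction of its expected loss removed (0..1)


def expected_loss(t: Threat) -> float:
    return t.pr_per_year * t.cost


def rank_threats(threats: List[Threat]) -> List[Threat]:
    """Threats ordered by expected annual loss, largest first."""
    return sorted(threats, key=expected_loss, reverse=True)


def defense_value(d: Defense, threats: List[Threat]) -> float:
    """Net annual value of a defense: expected loss avoided minus its own cost."""
    by_name = {t.name: t for t in threats}
    avoided = sum(expected_loss(by_name[n]) * frac
                  for n, frac in d.reduction.items() if n in by_name)
    return avoided - d.annual_cost


def rank_defenses(defenses: List[Defense], threats: List[Threat]) -> List[Defense]:
    """Defenses ordered by net annual value, best first; negative values lose money."""
    return sorted(defenses, key=lambda d: defense_value(d, threats), reverse=True)


def breakeven_probability(d: Defense, t: Threat) -> float:
    """Pr(x) at which the defense just pays for itself against threat t alone.
    Turns 'what is Pr?' into 'is Pr plausibly above this?'."""
    frac = d.reduction.get(t.name, 0.0)
    if frac <= 0 or t.cost <= 0:
        return float("inf")          # the defense does nothing for this threat
    return d.annual_cost / (frac * t.cost)


# Constructed sample data (illustrative only, not measured figures).
THREATS = [
    Threat("unpatched browser plugin exploit", 0.9, 40_000),
    Threat("phishing credential theft", 0.7, 60_000),
    Threat("nation-state zero-day", 0.02, 2_000_000),
    Threat("lost unencrypted laptop", 0.3, 25_000),
]
DEFENSES = [
    Defense("patch plugins within 48h", 20_000,
            {"unpatched browser plugin exploit": 0.8}),
    Defense("application whitelisting", 35_000,
            {"unpatched browser plugin exploit": 0.7,
             "phishing credential theft": 0.4,
             "nation-state zero-day": 0.3}),
    Defense("full-disk encryption", 5_000,
            {"lost unencrypted laptop": 0.95}),
    Defense("APT hunting retainer", 150_000,
            {"nation-state zero-day": 0.5}),
]

if __name__ == "__main__":
    for t in rank_threats(THREATS):
        print(f"{t.name:36s} expected loss/yr {expected_loss(t):>12,.0f}")
    for d in rank_defenses(DEFENSES, THREATS):
        print(f"{d.name:36s} net value/yr    {defense_value(d, THREATS):>12,.0f}")
    zero_day = THREATS[2]
    print("APT retainer breaks even at Pr(zero-day) =",
          breakeven_probability(DEFENSES[3], zero_day))
```

With these made-up numbers the rare, expensive zero-day ranks second by expected loss but the retainer against it is the worst buy, and it only breaks even if the annual probability is above 0.15; a defender who cannot say whether 0.02 or 0.15 is closer to the truth knows exactly which estimate to go and argue about.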

Petter • November 27, 2015 9:05 PM

Many of the threats are far closer to us than we want to believe.

Just ordinary stupidity such as account and password handling in clear text in systems outside your control (read: cloud services).
Or documentation and routines for networks placed in clouds which you can't reach when your network goes down.

We are so afraid of external threats we can't really see, nor want to see, those so close they are scratching our nose.

Chris • November 28, 2015 9:39 AM

"I will not sign a license agreement just to read a paper; and second, I honestly think Microsoft is not exactly the best advisor on information security matters."

You have already signed a license agreement to even browse the Web but you suddenly have an issue with Microsoft wanting to protect their intellectual property and avoid lawsuits?

Also, Microsoft has spent hundreds of millions in security and security research and yet your disdain for Microsoft is why we should dismiss them for security information? And this is a paper by Roger Grimes who has been in the security industry for a long time with a good reputation.

No, I'll read the white paper and learn something instead of listening to a troll...

Nick P • November 28, 2015 11:20 AM

@ Gerard, Chris

Working link here.

The integrity of the organization is a very important point that's often overlooked. Microsoft and IBM have little to no integrity. Hence, they've screwed their customers to their detriment in the long-term keeping the business only due to enormous expense of switching. Best to invest in companies that take care of their customers or at least support open interfaces/formats that allow integration with 3rd party innovations.

One can see the difference in the cloud market. I'm not a fan of it but it's one of most innovative and allows a direct comparison. Cloud tech are pretty much re-inventing mainframe tech for commodity servers and networks. They're not quite there in terms of reliability or security but the likes of Amazon's stack have long exceeded them in price/performance/energy/flexibility. You can get about any language, OS, library, container... whatever you want... for a reasonable price, with short lead times, and with no long-term commitment. Make a mistake, it's a small write-off so long as you didn't get a lot of data stuck in their service. For the mainframe? Let's talk $10-25mil a year with only what IBM provides.

Why would anyone choose IBM outside highest reliability? IBM's customers stay on because they can't afford to leave. It's also a very profitable division, which IBM mostly soaks up. The money they do put into it incrementally upgrades it in ways that strictly they decide they want to do. Third party innovation outside their acquisitions is mostly discouraged because it threatens dependence on IBM's high-margin software. So, people that chose IBM instead of open, innovative organizations are stuck with IBM and always will be behind in tech.

Same with Microsoft, SAP, etc. Vendor lock-in is inevitable with pure proprietary stuff your company can build on. So, if you go that route, make sure it's with a high-integrity company that also can't be acquired by a company like Microsoft. Good luck on that. Meanwhile, there's a number of platforms and portable software that are backed by non-profits. They don't trick, bribe, sue, or financially extort their users. They're the safest choice. :)

Frank Wilhoit • November 28, 2015 2:57 PM

It is always amusing to savor the richness of Microsoft, whose core products evolved directly from consumer-grade toys, lecturing on security.

From the title, I thought they were going to talk about enterprise data (classification, sensitivity), which might have been a productive approach.

Now that we see what they actually mean by "data" (i.e., how many attackers are trying to use what techniques), the key weakness in the approach emerges on page 14. The alignment between the top and bottom diagrams on that page can never happen, because top management cannot afford to allow anyone below them to know how they rank threats to the organization.

Elliot • November 28, 2015 6:50 PM

This paper is pointless. While he raises good arguments, if he actually read Cisco's Annual Security Report, he would realize he is going about this from the wrong angle. He thinks the blame should lay on the IT Security staff, because they do not see the forest for the trees, and are incorrectly identifying and analyzing risk to the company. While I'm sure this is true in many environments, allow me to present an alternate synopsis.

In this paper, it is mentioned that there are a few web-based vulnerabilities targeting unpatched software with exceptional success rates. The popularity of such attacks in connection with their success is no coincidence. What he fails to mention is that these applications are INHERENTLY BROKEN, with no hope for ever achieving security. Anyone who works in this field already knows the usual suspects: Adobe Flash, Java, and Internet Explorer (of course, they can't badmouth IE in a M$ paper now can they?).

If you've ever tried to keep on top of patching this software, you know how exhausting and tireless this work is. The attackers are also aware, and many, many, MANY unfixed zero-days exist and are traded on the black market for the above software. In other cases, when a new vulnerability is announced, the exploit is integrated into the attack within hours. To put the blame on InfoSec teams is disingenuous. If Mr. Grimes had actually read the Cisco report, they lay this all out there. Waste of my goddamn time.

herman • November 29, 2015 10:03 AM

What TFA talks about is metrics-driven defence, that is, undefined hocus-pocus based on unspecified statistics...

In military IT systems, there is the idea of 'Data Diodes' and 'Red-Black Interfaces'. These are devices specifically developed to filter network traffic and allow specific types of data to flow only to/from specific destinations. These types of things are actually useful.

Mark S • November 29, 2015 7:47 PM

The dismissal of the paper by many who haven't read it is quite amusing, given who is recommending reading it (hint: Bruce Schneier himself is recommending it).

If you don't trust Bruce's recommendations, you're wasting your time being here.

Roger A. Grimes • November 30, 2015 12:30 PM

I'll be glad to send the paper to anyone who wants it. Just send a request to me at my personal account. There is not one iota of sales in the paper. It's written 100% out of my personal observations over a nearly 3-decade career. If asking that defenders use real data to decide on which defenses make the most sense to deploy is crazy, I'll take the label. I think most people reading it will see that it points out key problems and offers up some solutions, none of which require buying a single thing, one of which requires that a single Microsoft product be involved. I've written 8 books and over 600 magazine articles on computer security, and I think this is the most important thing I've ever written.

Nick P • November 30, 2015 4:18 PM

Dr. Robert Schell, one of founders of INFOSEC, used to say something in his presentations along the lines of "Spend your money and resources where it matters most. Your enemies will." I think your write-up is a lot more detailed explanation of the same concept with some good recommendations on organizational priorities.

However, they aren't going to get secure this way. The reason is that the real problem is hardware architecture: the root problem that needs to be fixed in a gradual or thorough way. The methods of high assurance security attempt to achieve protection on current, insecure hardware. They're difficult and quite specialized. At Microsoft, only Steve Lipner has experience in such methods that I know of. He was clearly against using them due to disadvantages in time-to-market, backward compatibility, and feature parity. I doubt Microsoft's position on that has changed. So, even a company acquiring products built more robustly will be unlikely to be able to use the Microsoft stack without secure virtualization and guards.

Meanwhile, a number of hardware and software solutions have been ported to Linux and BSD. These are usually prototypes. Most run on non-x86 architectures like SPARC or MIPS that already have an obfuscation benefit where attackers don't pre-make kits for them. That alone was an effective protection in practice in my experience. However, using Linux/BSD w/ alternative ISA's will only get stronger as this research transfers into industry. So, they're the best investment for now in terms of reducing risk of successful, system-level hacks. With configuration, hardening, backup, recovery, and monitoring as usual.

Side note: I do thank you for all your good write-ups on security, esp product reviews and pushing whitelisting. Need to get the latter out there especially as I think it's a good counter to much social engineering and spyware targeted at employees for malware injection. The latest one should benefit both Windows and 'NIX shops trying to get better security ROI.

gordo • November 30, 2015 8:01 PM

With Mr. Grimes’ paper and Nick P’s latest comment, as well as other posters’ comments in view, I found the below two documents complementary food for thought/synthesis: Some of the why and how; securing virtual environments at scale; open source threat taxonomies/threat intelligence; asset/event inventories; machine learning; etc. I hear that security estimates/attestations are making their way into SEC filings, e.g., i.e., into business plans; maybe a GRC standard or two comes of it some day. For the most part, known quantities don’t go away. Inherent hacks gets tweaked to deliver the same/similar outcomes, i.e., engender/accomplish desired capability(ies)/objective(s). Necessarily incomplete. ymmv

Fenton, N., & Neil, M. (2011). The use of Bayes and causal modelling in decision making, uncertainty and risk. CEPIS Upgrade 12 (5), 10-21.

Schneier, B. (1999). Attack trees. Dr. Dobb’s journal, 24(12), 21-29.
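The second reference above, attack trees, is the usual way to turn "spend where it matters most" into something computable: leaves carry an attacker cost, OR nodes succeed if any child does, AND nodes only if all children do, and the cheapest path through the tree is the attack a rational adversary picks. The script below is an added example, not code from the cited paper or from anyone in the thread. The tree shape follows the safe-cracking illustration from that paper; the cost figures and the helper names (`attacks`, `cheapest_attack`, `best_single_mitigation`) are constructed here. It goes one step beyond the paper's walk-through by also ranking single mitigations by how much they raise the cheapest attack, which is the defender-side question this thread is about.

```python
"""Attack-tree evaluation with cost attributes (added example).

Tree structure follows Schneier's safe example; costs are constructed."""
from dataclasses import dataclass, field
from itertools import product
from typing import List, Optional, Set, Tuple

Attack = Tuple[float, List[str]]   # (total attacker cost, leaf names used)


@dataclass
class Node:
    name: str
    kind: str = "leaf"              # "leaf", "or" or "and"
    cost: float = 0.0               # attacker cost; meaningful for leaves only
    children: List["Node"] = field(default_factory=list)


def OR(name: str, *children: Node) -> Node:
    return Node(name, "or", children=list(children))


def AND(name: str, *children: Node) -> Node:
    return Node(name, "and", children=list(children))


def LEAF(name: str, cost: float) -> Node:
    return Node(name, "leaf", cost)


def attacks(node: Node, mitigated: Set[str]) -> List[Attack]:
    """Every distinct way to achieve `node`, treating leaves in `mitigated` as infeasible."""
    if node.kind == "leaf":
        return [] if node.name in mitigated else [(node.cost, [node.name])]
    per_child = [attacks(c, mitigated) for c in node.children]
    if node.kind == "or":
        return [a for sub in per_child for a in sub]
    if node.kind == "and":
        if any(not sub for sub in per_child):
            return []                 # one unreachable conjunct kills the whole AND
        return [(sum(a[0] for a in combo), [n for a in combo for n in a[1]])
                for combo in product(*per_child)]
    raise ValueError(f"unknown node kind {node.kind!r}")


def cheapest_attack(node: Node, mitigated=frozenset()) -> Optional[Attack]:
    """The attack a cost-minimising adversary would pick, or None if the goal is unreachable."""
    found = attacks(node, set(mitigated))
    return min(found, key=lambda a: a[0]) if found else None


def attacks_within(node: Node, budget: float, mitigated=frozenset()) -> List[Attack]:
    """Attacks affordable to an adversary with `budget`, cheapest first."""
    return sorted((a for a in attacks(node, set(mitigated)) if a[0] <= budget),
                  key=lambda a: a[0])


def leaves(node: Node) -> List[str]:
    if node.kind == "leaf":
        return [node.name]
    return [n for c in node.children for n in leaves(c)]


def best_single_mitigation(node: Node) -> Optional[Tuple[str, float]]:
    """Leaf whose removal raises the cheapest remaining attack the most
    (cost becomes inf when no attack remains)."""
    best = None
    for leaf in leaves(node):
        c = cheapest_attack(node, {leaf})
        new_cost = float("inf") if c is None else c[0]
        if best is None or new_cost > best[1]:
            best = (leaf, new_cost)
    return best


# Constructed tree: shape from the cited paper's safe example, costs made up here.
SAFE = OR("open safe",
          LEAF("pick lock", 30_000),
          OR("learn combo",
             LEAF("find written combo", 75_000),
             OR("get combo from target",
                LEAF("threaten", 60_000),
                LEAF("blackmail", 100_000),
                AND("eavesdrop",
                    LEAF("listen to conversation", 20_000),
                    LEAF("get target to state combo", 40_000)),
                LEAF("bribe", 20_000))),
          LEAF("cut open safe", 10_000),
          LEAF("install improperly", 100_000))

if __name__ == "__main__":
    print("cheapest attack:", cheapest_attack(SAFE))
    print("affordable with 25k:", attacks_within(SAFE, 25_000))
    print("best single fix:", best_single_mitigation(SAFE))
    print("after that fix:", cheapest_attack(SAFE, {"cut open safe"}))
```

Enumerating every cut set is exponential in the worst case, so for a real tree with wide AND nodes you would compute the minimum bottom-up instead of listing attacks; the listing form is kept here because it also answers "what can an attacker with budget B do", which the minimum alone does not.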

Gerard van Vooren • December 2, 2015 5:21 AM

@ Gordon Youd,

> I have a fear that terrorists could catch on to using the latest gadgets, namely, the
> quadcopter or drone.
> We could have them being used to deliver explosive devices, etc

Funny, I don't have that fear at all. Especially when you consider most terrorists are a bunch of losers. I fear overreacting however.

> It's a scary scenario but we have to be prepared.

You mean buying your stuff.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.