From Dan Geer, we know that digital security is fundamentally about risk management. We further know that risk is composed of threats exercising vulnerabilities against some set of assets, which may or may not be defended by the countermeasures we deploy. This is all well and good...it looks great in the PowerPoint, but it doesn't exactly help your average middle manager or pragmatic CSO fill in their project plans for what to do about security in an organization.
To help focus and find action steps, I advocate that my clients separate their activities into several categories; two important ones are threat management and vulnerability management. How to differentiate the two? First off, it is helpful to understand where you can be proactive (most desirable) and where you must be reactive. I explored the difference between risk and uncertainty in a paper on Identity Management Risk Metrics:
Risk differs from uncertainty in that risk may be measured and managed, whereas uncertainty may not. Risk management efforts hinge on this important distinction because it highlights where a team may be more proactive. For instance, many vulnerabilities are known, hence they may be measured and managed, whereas the threats to a system contain a greater degree of uncertainty, because the threat environment contains numerous elements, such as threat actors, that one's organization cannot directly control.
Gladwell frames the same distinction in terms of puzzles and mysteries:
"The national-security expert Gregory Treverton has famously made a distinction between puzzles and mysteries. Osama bin Laden’s whereabouts are a puzzle. We can’t find him because we don’t have enough information. The key to the puzzle will probably come from someone close to bin Laden, and until we can find that source bin Laden will remain at large.
The problem of what would happen in Iraq after the toppling of Saddam Hussein was, by contrast, a mystery. It wasn’t a question that had a simple, factual answer. Mysteries require judgments and the assessment of uncertainty, and the hard part is not that we have too little information but that we have too much. The C.I.A. had a position on what a post-invasion Iraq would look like, and so did the Pentagon and the State Department and Colin Powell and Dick Cheney and any number of political scientists and journalists and think-tank fellows. For that matter, so did every cabdriver in Baghdad.
The distinction is not trivial. If you consider the motivation and methods behind the attacks of September 11th to be mainly a puzzle, for instance, then the logical response is to increase the collection of intelligence, recruit more spies, add to the volume of information we have about Al Qaeda.
If you consider September 11th a mystery, though, you’d have to wonder whether adding to the volume of information will only make things worse. You’d want to improve the analysis within the intelligence community; you’d want more thoughtful and skeptical people with the skills to look more closely at what we already know about Al Qaeda. You’d want to send the counterterrorism team from the C.I.A. on a golfing trip twice a month with the counterterrorism teams from the F.B.I. and the N.S.A. and the Defense Department, so they could get to know one another and compare notes. If things go wrong with a puzzle, identifying the culprit is easy: it’s the person who withheld information. Mysteries, though, are a lot murkier: sometimes the information we’ve been given is inadequate, and sometimes we aren’t very smart about making sense of what we’ve been given, and sometimes the question itself cannot be answered. Puzzles come to satisfying conclusions. Mysteries often don’t."
What does this have to do with infosec? There is a lot of vulnerability data out there: many known knowns. Excluding zero days (which are unknown to enterprise security managers), we have many vulnerability puzzles to deal with. These puzzles can be sized, remediated, measured (how many vulns? where? how long to patch?), managed, etc.
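The measurability claim above (how many vulns, where, how long to patch) is what makes vulnerabilities puzzles rather than mysteries. The following Python is an added example, not code from the original post or from any product it mentions: it computes those three metrics over a constructed scan history, where every asset name, VULN-xxx identifier, date and SLA threshold is an assumption made for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    """One scanner finding on one asset. All field values below are constructed."""
    asset: str
    vuln_id: str                    # hypothetical placeholder id, not a real CVE
    severity: str                   # "critical", "high", "medium" or "low"
    found: date                     # date the scanner first reported it
    patched: Optional[date] = None  # None while the finding is still open


# Constructed sample scan history; every asset, id and date is made up.
FINDINGS: List[Finding] = [
    Finding("web-01",  "VULN-001", "critical", date(2009, 1, 5),  date(2009, 1, 9)),
    Finding("web-01",  "VULN-002", "high",     date(2009, 1, 5),  date(2009, 1, 20)),
    Finding("db-01",   "VULN-001", "critical", date(2009, 1, 6)),
    Finding("db-01",   "VULN-003", "medium",   date(2009, 1, 10), date(2009, 1, 25)),
    Finding("mail-01", "VULN-004", "low",      date(2009, 1, 12)),
]

AS_OF = date(2009, 1, 31)

# Assumed remediation targets in days per severity (an organizational choice, not a standard).
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 14, "medium": 30, "low": 90}


def open_findings(findings: List[Finding], as_of: date) -> List[Finding]:
    """Findings reported on or before as_of and not yet patched by that date."""
    return [f for f in findings
            if f.found <= as_of and (f.patched is None or f.patched > as_of)]


def count_by_asset(findings: List[Finding], as_of: date) -> Dict[str, int]:
    """'How many, and where?': number of open findings per asset."""
    return dict(Counter(f.asset for f in open_findings(findings, as_of)))


def mean_days_to_patch(findings: List[Finding],
                       severity: Optional[str] = None) -> Optional[float]:
    """'How long to patch?': mean found-to-patched interval over closed findings,
    optionally restricted to one severity. None when nothing matching has been closed."""
    durations = [(f.patched - f.found).days for f in findings
                 if f.patched is not None
                 and (severity is None or f.severity == severity)]
    return sum(durations) / len(durations) if durations else None


def overdue(findings: List[Finding], as_of: date,
            sla: Dict[str, int] = SLA_DAYS) -> List[Finding]:
    """Open findings whose age on as_of exceeds the SLA for their severity."""
    return [f for f in open_findings(findings, as_of)
            if (as_of - f.found).days > sla[f.severity]]


if __name__ == "__main__":
    print("open per asset:", count_by_asset(FINDINGS, AS_OF))
    print("mean days to patch (critical):", mean_days_to_patch(FINDINGS, "critical"))
    for f in overdue(FINDINGS, AS_OF):
        age = (AS_OF - f.found).days
        print(f"OVERDUE {f.asset} {f.vuln_id} ({f.severity}, {age} days open)")
```

The three functions answer the three questions in the paragraph directly from scanner records, and the `overdue` list is the item a manager can put on a project plan; nothing here needs to know anything about who might attack, which is exactly why this side of the problem is tractable.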
Threats and zero-day vulns are mysteries; they require different tools and techniques, such as monitoring and detection processes and tools. Gladwell on the evolution from the Cold War to the present day:
"Then the pressing questions that preoccupied intelligence were puzzles, ones that could, in principle, have been answered definitively if only the information had been available: How big was the Soviet economy? How many missiles did the Soviet Union have? Had it launched a “bolt from the blue” attack? These puzzles were intelligence’s stock-in-trade during the Cold War.
With the collapse of the Eastern bloc, Treverton and others have argued that the situation facing the intelligence community has turned upside down. Now most of the world is open, not closed. Intelligence officers aren’t dependent on scraps from spies. They are inundated with information. Solving puzzles remains critical: we still want to know precisely where Osama bin Laden is hiding, where North Korea’s nuclear-weapons facilities are situated. But mysteries increasingly take center stage. The stable and predictable divisions of East and West have been shattered. Now the task of the intelligence analyst is to help policymakers navigate the disorder.
Puzzles are “transmitter-dependent”; they turn on what we are told. Mysteries are “receiver-dependent”; they turn on the skills of the listener."
When an enterprise security team staffs for only one of these, the other is inevitably shortchanged. When security teams conflate threats and vulnerabilities, the result is confusion. Instead, efforts dealing with threats (tune the listener) and vulnerabilities (tune the transmitter) should be optimized separately; beyond both being part of "security", they don't have much in common.