Time to throw away the 80-20 security rule?

For many years security policies have been largely governed by the notion of the 80-20 rule. This states that 80% of security risk is effectively managed by implementing the most important 20% of available technical security controls, such as removing unneeded services, keeping service patches current, and enforcing strong passwords.

The logic of this is that every security control implemented within an organization costs money, and in sound economic terms, the 80-20 rules helps an organization spend their security dollars wisely. By focusing the attention of security officers and IT staff on the most important 20%, a large and seemingly unbounded security problem can be successfully managed, and at a reduced cost. These three controls remove the most common avenues of attack and significantly raise the attacker’s cost of successfully penetrating and exploiting information resources.

The assumption made with this rule is that at any given time, there is a set of vulnerabilities and exploit kits that are considered “fashionable” and popular among attackers. These vulnerabilities are used as entry points for the vast majority of attacks primarily because they are pervasive and available.

However, as we discovered in the recent Cisco Annual Security Report 2015, many high profile exploit kit producers have been targeted by authorities and shut down so attackers are realizing that bigger and bolder is not always better – be it the size of malicious C&C infrastructures or finding discrete ways into networks. Attackers are more proficient than ever before at discretely leveraging gaps between defender intent and actions to then hide and conceal malicious activity.

Increasingly attackers are looking to be stealthy and more targeted. They are predisposed to being as quiet as possible since making ‘noise’ during their attacks, risks them being caught quicker and most cyber criminals are in it for the long-term and once in a network they aim to stay as long as possible.

At the same time we know that patching of vulnerabilities is still not satisfactory in many organizations around the world.

For example, researchers for the CASR 2015 also reported the vulnerability in OpenSSL which allowed the much publicised Heartbleed compromise to spread so rapidly last year; was still evident in 56% of all OpenSSL versions are older than 56 months. What’s more at the time for the release of the report in January 2015 they were still vulnerable, as they have not been updated in recent months.

Similar poor patching in Internet browsers is leaving businesses open to attack. The CASR 2015 reported Internet Explorer is the least updated browser – some 10% of web requests from IE browsers originate from the latest version with the most common IE version being 31 months older than the most recent. In comparison, 64% of Chrome requests originate from the latest version of Chrome – suggesting Chrome’s automated update system may be more successful in ensuring that as many users as possible have the most recent software version.

So while focusing the most resource on the most pressing problems would seem to make sense, organizations must recognize that the security landscape has changed and today it is a threat centric model focused on finding vulnerabilities in the increasingly dispersed network. Today’s cyber criminals don’t want to be seen and so they are increasingly looking for the weak spots, which are not obvious so they can remain hidden for longer.

Stealth is everything and to spot them you have to change your security team to begin to think like an attacker and see where the potential exploits are in your network.

At the same time you have to recognize that cyber attack is inevitable and so you need to take steps to protect the whole threat continuum before, during and after the attack.