Dampened Countermeasure Effectiveness

By Peter Tippett and Wade Baker

Studies are useful because they help us learn what works and what does not. Studies of others' experiences, such as the Verizon Business 2008 Data Breach Investigations Report, are especially instructive. But most of us want to understand why events play out as they do, and to be able to predict accurately what the results of such studies will be. Risk models can be very useful in driving that understanding.

As you are probably aware, risk is calculated in the following manner: Risk = Probability * Impact. Furthermore, those of you who are familiar with our work over the previous 15 years know that Probability can be calculated as Threat Rate * Enterprise Vulnerability. Therefore, it is also true that: Risk = Threat Rate * Enterprise Vulnerability * Impact. These "risk equations," when coupled with an overall understanding of how countermeasures work together, create what can be termed "synergistic effectiveness." This topic has been discussed and published in many places by the Verizon Business RISK Team (formerly Cybertrust) over the years. But there are far more subtle issues at play when one considers the effectiveness of countermeasures that cannot be perfectly deployed, as is almost always the case in an enterprise setting.

One of the problems we face is the complexity of all things, and our fundamental inability to be perfect in the deployment of anything that depends on human effort. Much of the misunderstanding around the control effectiveness of patching, for example, is due to the fact that for some threat scenarios, the effectiveness of some countermeasures is "dampened."

The following example is an instance of what we mean by "dampening." Imagine that an attacker is using a particular attack for which a patch is protective. Imagine also that the enterprise would suffer only if the attacker succeeded at hacking one particular machine. If that machine is patched, then the hacker could not succeed, and the company would not be harmed. If there were several machines with these properties, and several hackers (each successful only if they breached a particular machine), and if the value of each machine's data were the same, then there would be a roughly linear relationship between the number of machines that are patched and the risk to the company (the dotted line in the accompanying chart). Our brains naturally assume that risk decreases linearly with the deployment of a particular control in our enterprise. But this is often not the case.

If the threat scenario is of the type that would significantly harm the enterprise if the hacking step were successful at "any one" or "a few of many" computers at the enterprise, then the curve relating the percentage of protected computers to the bad outcome (risk) for the enterprise would be "dampened," as shown in the red curve in the accompanying chart.

Broad-scale worms, pervasive attacks that result from endless scanning and reconnaissance (or from incessant and widespread bots), backdoors, trojans, and so on are all threat scenarios in which patching may show dampened control effectiveness in enterprises. When the effectiveness is dampened, protecting 50% of machines results in less than a 50% reduction in "risk" to the enterprise. This is because success at more or less "any" of the remaining, unprotected computers still leads to a significant loss to the enterprise. For highly dampened threat scenarios, the risk to the enterprise does not drop significantly until the percentage of protected machines reaches the high 90s.

Likewise, some countermeasures are "amplified." For example, in years past, the total monetary harm caused by a replicating virus was disproportionately larger when more computers were infected. Anti-virus software then had the dual properties of interfering with propagation and quickly alerting employees (who would often then reduce the behavior that led to further replication). For instance, when deployed on just 50% of computers, the likelihood of infection of a large cohort of computers would typically decrease by perhaps 90%. Thus, the countermeasure in this threat scenario is said to have "amplified" control effectiveness.

Unfortunately, whether something is dampened, linear, or amplified depends on both a particular countermeasure and the particular threat scenario under consideration. Some countermeasures are linear versus some threat scenarios and dampened versus others, as we saw in the patching examples above.
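To make the three behaviors concrete, here is a small model (added here as an illustration; it is not code from the post or from the Verizon Business RISK Team) that computes the post's Risk = Threat Rate * Enterprise Vulnerability * Impact as a function of countermeasure coverage for a linear scenario, a dampened "any one of many" scenario, and an amplified replicating-worm scenario. It generalizes the patching and anti-virus examples above into one framework: the threat scenario decides how per-machine protection aggregates into enterprise vulnerability. All parameters (machine count, per-machine compromise probability, the worm's reproduction number `r0`, the 5% tolerance used to call a curve "linear") are constructed assumptions, not values from the post.

```python
"""
Risk-vs-coverage curves for linear, dampened and amplified countermeasures.

Risk = Threat Rate * Enterprise Vulnerability * Impact.  Each *_vulnerability
function returns the probability (or expected fraction) that the threat
scenario succeeds against the enterprise when a fraction `coverage` of the
machines carry the countermeasure.  Parameters are constructed for
illustration only.
"""
import math

THREAT_RATE = 1.0  # attacks per period (constructed; risk is shown relative)
IMPACT = 1.0       # loss per successful scenario (constructed)


def linear_vulnerability(coverage: float, per_machine_p: float = 0.3) -> float:
    """Each machine is an independent target with its own, equal loss (the
    post's 'several machines, several hackers' case).  Expected loss is
    proportional to the unprotected fraction."""
    return (1.0 - coverage) * per_machine_p


def dampened_vulnerability(coverage: float, n_machines: int = 100,
                           per_machine_p: float = 0.3) -> float:
    """'Any one of many' case: the enterprise takes the full impact if at
    least one unprotected machine is compromised, so enterprise vulnerability
    is 1 - P(no unprotected machine is compromised)."""
    unprotected = n_machines * (1.0 - coverage)
    return 1.0 - (1.0 - per_machine_p) ** unprotected


def amplified_vulnerability(coverage: float, r0: float = 1.9) -> float:
    """Replicating worm: protected machines neither get infected nor spread.
    Enterprise vulnerability is the expected fraction of all machines infected
    by an outbreak, from the final-size relation of a well-mixed SIR model:
        z = s0 * (1 - exp(-r0 * z)),  s0 = 1 - coverage.
    Once r0 * s0 drops below 1 the large outbreak disappears and z -> 0
    (the few machines hit in a minor outbreak are neglected here)."""
    s0 = 1.0 - coverage
    z = s0  # fixed-point iteration from s0 converges to the largest root
    for _ in range(20000):
        nz = s0 * (1.0 - math.exp(-r0 * z))
        if abs(nz - z) < 1e-12:
            break
        z = nz
    return z


def risk(vuln_fn, coverage: float, **kw) -> float:
    """The post's risk equation for a given scenario and coverage."""
    return THREAT_RATE * vuln_fn(coverage, **kw) * IMPACT


def risk_reduction(vuln_fn, coverage: float, **kw) -> float:
    """Fraction of the uncontrolled (coverage = 0) risk removed at `coverage`."""
    base = risk(vuln_fn, 0.0, **kw)
    return 1.0 - risk(vuln_fn, coverage, **kw) / base


def classify(vuln_fn, coverage: float = 0.5, tol: float = 0.05, **kw) -> str:
    """Compare risk reduction to coverage: equal means linear, less means
    dampened, more means amplified (tolerance is a constructed choice)."""
    reduction = risk_reduction(vuln_fn, coverage, **kw)
    if abs(reduction - coverage) < tol:
        return "linear"
    return "dampened" if reduction < coverage else "amplified"


def coverage_table(coverages=(0.0, 0.25, 0.5, 0.75, 0.9, 0.99)) -> dict:
    """Risk reduction at each coverage level for the three scenario types."""
    scenarios = {"linear": linear_vulnerability,
                 "dampened": dampened_vulnerability,
                 "amplified": amplified_vulnerability}
    return {name: {c: risk_reduction(fn, c) for c in coverages}
            for name, fn in scenarios.items()}


if __name__ == "__main__":
    table = coverage_table()
    for name, row in table.items():
        cells = "  ".join(f"{c:>4.0%}:{r:6.1%}" for c, r in row.items())
        print(f"{name:>9} ({classify(coverage_table.__globals__[name + '_vulnerability'])}) {cells}")
```

Running the script prints, for each scenario type, the risk reduction at each coverage level. With these parameters the dampened curve barely moves until coverage approaches 99%, where a single unprotected machine remains, while the amplified curve reaches near-total risk reduction at 50% coverage because the worm's effective reproduction number has fallen below 1.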

The bottom line is that dampened countermeasure–threat scenario pairs are notoriously difficult to address by spending more time and money on the single countermeasure under consideration. The world is full of colorful metaphors, such as "beating a dead horse," that describe the value of working harder in situations like these. Instead, it is almost always less expensive, and much more effective, to add one or several complementary, or "synergistic," countermeasures into the mix. These synergistic countermeasures can often be relatively inexpensive and often need not be particularly "strong" in order to significantly decrease risk.

Share your own experiences so we can further amplify our understanding.
