Review of Microsoft's Security Risk Management Guide
Ever since my wife bought me a copy of Peter Drucker's book Management: Tasks, Responsibilities, Practices, I've been hooked on the idea that managing large organizations is more a science than an art. And when it comes to network security for large enterprises, I have a similar belief, namely, security can be managed by applying well-known principles and practices in a disciplined and consistent fashion.
That's why I rarely get excited anymore by new books proclaiming they reveal the secrets of how hackers break into networks and cover their tracks. That's only the technical side of security, and being focused on a bottom-up approach like this can make you miss the larger picture of what security is really about. Instead, I prefer to recommend large organizations adopt a top-down approach to security that accepts the fact that computer networks will never be 100% secure, and as a result one should be more concerned about managing risk than the fine details of any single method used by hackers to gain access. If that sounds defeatist, it isn't--it's realistic. I don't denigrate the need for deep technical knowledge of vulnerabilities and exploits, I just believe that is only a small part of what network security is all about.
Risk management is a set of principles and practices like any other management discipline. It involves valuing your assets, identifying the threats to them and the likelihood and impact of each, and determining appropriate measures to take to secure them. By learning to manage risk proactively instead of reacting to it when an incident occurs, companies can make better use of their resources to protect their business.
Unfortunately most companies don't manage risk. Instead, they react to threats and exploits in an ad hoc fashion, which often leads to one of two extremes: either complete neglect of a certain type of threat, with concomitant results, or paranoid lockdown of assets to the point that usability is impaired and business effectiveness is reduced. I don't denigrate the importance of having a trained security response team for your network, but which is more effective, particularly from a monetary perspective: prevention or cure? A good analogy (which Microsoft uses) is influenza: from a business perspective, is it better to spend money on hospital beds in case people catch the flu, or to spend it on vaccinations to ensure they don't catch it in the first place?
Clearly, proactively managing risk is a better approach to information security than simply reacting to incidents when they occur. But even risk management can take many forms, ranging from accepting risk, to mitigating risk, to transferring risk to a third party under a service level agreement (a good approach for smaller companies that don't have the infrastructure to conduct a full risk assessment or effectively manage risk within their business environment).
Unfortunately, many organizations are still novices at managing risk, and that's why Microsoft has released their new Security Risk Management Guide on Microsoft TechNet. This Guide is the first attempt by Microsoft to provide prescriptive guidance for companies to help them learn how to implement sound risk management principles and practices for enhancing the security of their networks and information assets.
About the Guide
I've worked through much of this guide and I must say I'm impressed. Not only does the guide take a balanced approach to managing risk, one that implements both quantitative and qualitative risk analysis, it also walks you through an example of implementing risk management practices for a fictitious company called Woodgrove Bank. Using a concrete example like this lets you see risk management practices at work instead of simply reading about them, and I for one am more a concrete learner than an abstract one. In other words, I like it when someone shows me how to do something instead of just telling me how to do it. If I see it done once, I can imitate it and learn by doing. Microsoft even provides blank Excel template worksheets you can easily use to perform a risk assessment for your own company's information system assets, which are found in the zipped package when you download the Guide.
The Guide is intended for a range of audiences including senior management, network architects, infosec teams, and auditors. The Guide is divided into several chapters that lead you through the process of implementing an effective risk management program for your company. Here's a breakdown of what the Guide covers:
Chapter 1 provides a brief overview of risk management and what the Guide contains.
Chapter 2 surveys the various approaches to risk management prevalent in the industry today, examining the strengths and weaknesses of each approach. The difference between qualitative and quantitative risk assessment is outlined in a clear fashion.
Chapter 3 explains Microsoft's unique four-step approach to risk management that combines both a qualitative and quantitative approach to assessing risk. Detailed instructions are also provided on how to set up a risk management team and the various responsibilities for each role on the team. This four-step process for managing risk that Microsoft recommends involves the following:
- Assessing risk by identifying and prioritizing the risks to your information assets.
- Conducting decision support by identifying control solutions to mitigate the risks identified in the previous step.
- Implementing the control solutions identified in the previous step to proactively protect your network by mitigating each identified risk.
- Measuring the effectiveness of your risk management program on an ongoing basis to ensure your controls are doing their intended job.
In the remaining chapters Microsoft examines each of these four steps in detail, breaking them down further into practices that can be rigorously implemented and monitored. Specifically:
Chapter 4 looks at what sort of data you need to gather to assess risk, which is the first step of Microsoft's four-step risk management process. The chapter also explains how to prioritize risk so you can optimize your resources for your risk management program. In my opinion, risk prioritization is one of the key ingredients of a successful risk management program. If you pick up any of the popular "hacking exposed" types of books out there in the marketplace, you get the impression that there are any number of obscure exploits you need to guard against in order to safeguard your information assets. The reality however is that some exploits have only a small chance of happening while others are more common, and by prioritizing threats against your network based on an accurate profile of your assets and exposure, you can effectively protect your network for much less time, energy and money than if you tried to block all threats equally.
Chapter 5 covers the second step of the process by providing you with guidance on how to determine which actions are appropriate for mitigating each type or instance of risk to your network.
Chapter 6 provides actual prescriptive recommendations for establishing controls to mitigate various kinds of risk. Be warned however that this is where the real work begins from a technical point of view, as there are dozens of links to Microsoft white papers, hardening guides, and other TechNet documents (some of them themselves hundreds of pages long) covering specific steps for mitigating risks to various Microsoft platforms, products and applications. When reading all this technical information, keep in mind the prioritization scheme you established in step one of the process so you don't get bogged down trying to harden network components against threats that have little chance of turning into actual exploits. Chapter 6 also concludes with recommendations for ongoing monitoring and evaluation of your risk management program to ensure its continued effectiveness.
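To make the first two steps (assess and prioritize, then decision support) concrete, here is an added example in Python. It is my illustration, not code from the Guide, its Woodgrove Bank walkthrough or its Excel worksheets. It assumes a three-level High/Medium/Low ordinal scale for the qualitative triage pass and the standard annualized-loss-expectancy formulas (SLE = asset value x exposure factor, ALE = SLE x ARO) for the quantitative pass; whether the Guide's own worksheets use exactly these formulas is not stated in this review. The risk register and control figures are constructed sample data.

```python
"""Worked example of the first two steps of a risk management cycle:
qualitative triage of a risk register, then quantitative cost/benefit of
candidate controls. Added illustration: the scale, the SLE/ARO/ALE
formulas and all figures are assumptions, not the Guide's worksheets."""
from dataclasses import dataclass

# Ordinal scale for the qualitative pass (assumed three-level scale).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    impact: str             # qualitative rating: low / medium / high
    probability: str        # qualitative rating: low / medium / high
    asset_value: float      # business/replacement value in currency units
    exposure_factor: float  # fraction of asset_value lost per incident (0..1)
    aro: float              # annualized rate of occurrence (incidents/year)


@dataclass(frozen=True)
class Control:
    name: str
    threat: str             # the Risk.threat this control addresses
    annual_cost: float      # licences, labour and operations per year
    aro_reduction: float    # fraction by which the control cuts ARO (0..1)


def qualitative_score(r: Risk) -> int:
    """Step 1 (assess): impact x probability on the ordinal scale, 1..9."""
    return LEVELS[r.impact] * LEVELS[r.probability]


def single_loss_expectancy(r: Risk) -> float:
    """SLE = asset value x exposure factor (loss from one incident)."""
    return r.asset_value * r.exposure_factor


def annualized_loss_expectancy(r: Risk) -> float:
    """ALE = SLE x ARO: the expected yearly cost of doing nothing."""
    return single_loss_expectancy(r) * r.aro


def triage(risks, threshold: int = 4):
    """Rank by qualitative score and keep only risks worth detailed analysis.
    Anything below the threshold is accepted without further spend; this
    is the prioritization knob that keeps step two tractable."""
    ranked = sorted(risks, key=qualitative_score, reverse=True)
    return [r for r in ranked if qualitative_score(r) >= threshold]


def net_benefit(r: Risk, c: Control) -> float:
    """Step 2 (decision support): ALE avoided per year minus control cost.
    Positive means the control pays for itself; negative means accept the
    risk or look for a cheaper control."""
    before = annualized_loss_expectancy(r)
    after = before * (1.0 - c.aro_reduction)
    return (before - after) - c.annual_cost


def recommend(risks, controls, threshold: int = 4):
    """Return (asset, control, net_benefit, decision) for every control that
    matches a short-listed risk."""
    decisions = []
    for r in triage(risks, threshold):
        for c in controls:
            if c.threat == r.threat:
                benefit = round(net_benefit(r, c), 2)
                verdict = "mitigate" if benefit > 0 else "accept"
                decisions.append((r.asset, c.name, benefit, verdict))
    return decisions


# Constructed sample register (not real data, not the Guide's figures).
SAMPLE_RISKS = [
    Risk("customer database", "credential theft via phishing", "high", "medium",
         asset_value=2_000_000, exposure_factor=0.10, aro=0.5),
    Risk("public web server", "defacement", "medium", "high",
         asset_value=50_000, exposure_factor=0.20, aro=2.0),
    Risk("printer fleet", "firmware exploit", "low", "low",
         asset_value=20_000, exposure_factor=0.10, aro=0.1),
]

SAMPLE_CONTROLS = [
    Control("MFA for all staff", "credential theft via phishing", 30_000, 0.8),
    Control("web application firewall", "defacement", 25_000, 0.5),
    Control("patch and harden web tier", "defacement", 5_000, 0.6),
]


def run_example():
    return recommend(SAMPLE_RISKS, SAMPLE_CONTROLS)


if __name__ == "__main__":
    for asset, control, benefit, decision in run_example():
        print(f"{asset:20} {control:28} {benefit:>10.2f}  {decision}")
```

With this data the printer fleet never reaches the quantitative pass, MFA pays for itself against the credential-theft risk, and of the two controls for web defacement the firewall costs more per year than the loss it avoids while the cheaper patching regime does not. That last comparison is the point of step two: the same threat can merit "mitigate" or "accept" depending on which control is on the table.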
The Guide concludes with several appendices covering topics like ad-hoc risk assessment, a summary of types of common information systems assets, and descriptions of common threats and vulnerabilities. And as I mentioned previously, the downloadable zipped version of the Guide also includes various tools and templates (in the form of Word templates and Excel worksheets) that you can use to implement Microsoft's four-step program in your own corporate environment. What could be easier?
Microsoft's approach to risk management and assessment isn't the only one available to organizations. Some other popular approaches include:
- Risk Management Guide for Information Technology Systems (SP 800-30) and Security Self-Assessment Guide for Information Technology Systems (SP 800-26), both developed by the National Institute of Standards and Technology (NIST)
- Information technology - Code of practice for information security management (ISO/IEC 17799), available from the International Organization for Standardization (ISO).
- Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) from the CERT Coordination Center at the Software Engineering Institute at Carnegie Mellon University.
These resources are also useful in helping you plan and implement an effective risk management solution for your company. But in my opinion, Microsoft's approach is simple and easy to implement, and is a good starting point, especially for IT shops that are strong on Microsoft platforms. For although the Guide is described by Microsoft as being cross-platform and vendor-neutral in its approach, its prescriptive control solutions target Microsoft products in particular. That doesn't surprise me however, and in no way reduces the usefulness of this excellent Guide.