TaoSecurity Security Effectiveness Model

After my last few Tweets as @taosecurity on threat-centric vs vulnerability-centric security, I sketched this diagram to help explain my thinking.



Security consists of three areas of interest: 1) What defenders think should be defended, whether or not it matters to the adversary or whether it is in reality defended, what I label "Defensive Plan"; 2) What the adversary thinks matters and really should be defended, but might not be, what I label as "Threat Actions"; and 3) What is in reality defended in the enterprise, whether or not defenders or the adversary cares, what I label "Live Defenses".



I call the Defensive Plan "Correct" when it overlaps with the Adversary Actions, because the defenders correctly assessed the threat's interests. I call it "Incorrect" when Live Defenses are applied to areas outside the interest of the security team or outside the interest of the adversary.



I call the area covered by the Live Defenses as "Defended," but I don't assume the defenses are actually sufficient. Some threats will escalate to whatever level is necessary to achieve their mission. In other words, the only way to not be compromised is to not be targeted! So, I call areas that aren't defended at all "Compromised" if the adversary targets them. Areas not targeted by the adversary are "Compromise Avoided." Areas targeted by the adversary but also covered by Live Defense are "Compromise Possible."



The various intersections produce some interesting effects. For example:

1. If you're in the lower center area titled "Incorrect, defended, compromise possible," and your defenses hold, you're just plain lucky. You didn't anticipate the adversary attacking you, but somehow you had a live defense covering it.



2. If you're near the left middle area titled "Correct, undefended, compromised," this means you knew what to expect but you couldn't execute. You didn't have any live defenses in place.



3. If you're in the area just below the previous space, titled "Incorrect, undefended, compromised," you totally missed the boat. You didn't expect the adversary to target that resource, and you didn't happen to have any live defenses protecting it.



4. If you're in the very center, called "Correct, defended, compromise possible," congratulations -- this is where you expected your security program to operate, you deployed defenses that were live, but the result depends on how much effort the adversary applies to compromising you. This is supposed to be "security Nirvana" but your success depends more on the threat than on your defenses.



5. The top-most part titled "Incorrect, undefended, compromise avoided" shows a waste of planning effort, but not wasted live defenses. That's a mental worry region only.



6. The right-most part titled "Incorrect, defended, compromise avoided" shows a waste of defensive effort, which you didn't even plan. You could probably retire all the security programs and tools in that area.



7. The area near the top titled "Incorrect, defended, compromise avoided" shows you were able to execute on your vision but the adversary didn't bother attacking those resources. That's also waste, but less so since you at least planned for it.

What do you think of this model? Obviously you want to make all three circles overlap as much as possible, such that you plan and defend what the threat intends to attack. That's the idea of threat-centric security in a nutshell -- or maybe a Venn diagram.

Tweet