Many years ago, I consulted with a non-profit agency that needed firewall remediation. They had just purchased an upgrade to the vendor’s latest and greatest firewall, and needed to build a policy that met their needs. One of these was the need to control the use of instant-messaging throughout the environment. Indeed, the Security Director was obsessed with stamping it out completely. Instant-messaging clients were notorious for finding egress paths out of the environment, and could find an open port in the firewall. Therefore, it stood to reason that all unused ports would be plugged, sources requesting to use these ports would be checked against the policy, traffic would be thoroughly inspected, and known destinations hosting instant-messaging servers would be blocked. This resulted in no less than 39 firewall rules dedicated just to blocking all instant-messaging traffic that could possibly exist.
In many ways this “war” against instant-messaging clients was a success – the traffic was locked down airtight. But much time had been expended in an exhaustive effort to find every possible source and path of this traffic, as well as in designing, implementing and testing the effectiveness of the controls to stop it. No doubt another vendor would soon have come along with a product that promised to handle it in ways that no firewall ever could: just plug it in, send the traffic our way, and we handle the rest.
From a much broader perspective, we spend our time fighting to reduce risk by increasing the effectiveness of security controls – this is our role as Information Security professionals. We understand that a security control that is 90% effective is better than one that is 80% effective. But we also understand that there is a cost differential between the two – and 90% is probably not good enough. What will it take to get to 100% (e.g., stamp out all instant-messaging traffic), and can we afford it?
Rather than expending great effort and expense to push a single control toward 100% effectiveness, we can combine multiple layers of security, each significantly less than 100% effective, and with the right combination approach 100% effectiveness through synergy between the controls.
Let us suppose we have a security control that is 80% effective at protecting our resource. Perhaps this is an Administrative control – a policy or procedure that controls personnel behavior. In this example, this particular control alone is 80% effective.

A clear target for improvement would be to replace this control with another that is closer to 100% effective. But again, how close to 100% can we come, and how costly is this stronger control?
Another option is to add a second control to bolster the first control, perhaps a Technical control that controls logical access at the network layer. Let us assume this control is also 80% effective. If the first control eliminated 80% of risk, and the second control eliminates 80% of the remaining 20% not addressed by the first control, we have now increased our effectiveness to 96%.

Effectiveness may be calculated as:
E_total = 1 – ((1 – E_1) * (1 – E_2) * (1 – E_3) * …)
where E_total is the total effectiveness of the combined security controls, and E_n is the effectiveness of any one control in the system.
So in this case, the effectiveness is:
E_total = 1 – ((1 – 80%) * (1 – 80%)) = 96%
In other words, by combining two security controls whose effectiveness is each 80%, we have built a solution that is 96% effective.
Let us take this a step further and add another 80% effective control, this time at the system level:

E_total = 1 – ((1 – 80%) * (1 – 80%) * (1 – 80%)) = 99.2%
At this point, we have increased our effectiveness to over 99% by combining three controls whose individual effectiveness is 80%. We could stop here, but for the purposes of this exercise, we will add another control. Imagine adding an application layer control:

E_total = 1 – ((1 – 80%) * (1 – 80%) * (1 – 80%) * (1 – 80%)) = 99.84%
If we continued to be obsessive about reaching 100% effectiveness, and the cost wasn’t prohibitive, we might include a fifth security control, this time a Physical control:

E_total = 1 – ((1 – 80%) * (1 – 80%) * (1 – 80%) * (1 – 80%) * (1 – 80%)) = 99.97%
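The ladder above, worked through in code as an added example (not part of the original post). It computes the same E_total formula for any list of per-control effectiveness values, reports the gain each added layer contributes, and answers the cost question the post keeps asking: how many layers of a given strength it takes to reach a target. The helper names are mine, and the formula assumes each control's failures are independent of the others'; that assumption is stated in the code rather than proven.

```python
from typing import Iterable, List


def combined_effectiveness(controls: Iterable[float]) -> float:
    """E_total = 1 - (1-E_1)(1-E_2)...(1-E_n).

    Assumes each control's failures are independent of the others', which is
    what multiplying the residuals implies. Correlated controls (say, two rules
    on the same firewall sharing one bypass) combine less favourably than this.
    """
    residual = 1.0  # share of the risk no control has addressed yet
    for e in controls:
        if not 0.0 <= e <= 1.0:
            raise ValueError(f"effectiveness must be in [0, 1], got {e}")
        residual *= 1.0 - e
    return 1.0 - residual


def marginal_gains(controls: Iterable[float]) -> List[float]:
    """Percentage points of effectiveness each successive control adds."""
    layers = list(controls)
    gains, previous = [], 0.0
    for i in range(1, len(layers) + 1):
        total = combined_effectiveness(layers[:i])
        gains.append(round((total - previous) * 100, 2))
        previous = total
    return gains


def layers_needed(per_control: float, target: float) -> int:
    """Fewest identical controls whose combined effectiveness reaches target:
    the smallest n with (1 - per_control)^n <= 1 - target."""
    if not 0.0 < per_control < 1.0 or not 0.0 < target < 1.0:
        raise ValueError("per_control and target must be strictly between 0 and 1")
    residual, n = 1.0, 0
    while residual > 1.0 - target:
        residual *= 1.0 - per_control
        n += 1
    return n


if __name__ == "__main__":
    ladder = [0.8] * 5  # the post's five 80% controls, added one layer at a time
    for k in range(1, 6):
        print(f"{k} control(s): {combined_effectiveness(ladder[:k]):.2%}")
    print("gain per added layer (percentage points):", marginal_gains(ladder))
    # Mixed strengths: an 80% policy, a 60% network control, a 90% host control
    print(f"0.8, 0.6, 0.9 combined: {combined_effectiveness([0.8, 0.6, 0.9]):.1%}")
    print("80% controls needed to reach 99.9%:", layers_needed(0.8, 0.999))
```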
What we conclude from this exercise is that individual security controls do not need a high rate of effectiveness to be part of an overall security system that is effective, because it leverages the synergies of adjacent controls. We also note that as each additional control is added, security effectiveness improves, but at a declining rate: adding a second control increased our effectiveness by 16%; adding a third increased it by barely more than 3%; and by the time we discussed adding a fifth control, it yielded an increase of only 1.3% effectiveness.
As with all security controls, we must first understand not only the level of risk facing an asset, but also the level of risk that is acceptable. Our goal is not to eliminate all risk completely, but to reduce the level of risk to an acceptable level. The selection of security controls must be appropriate to meet or exceed that level of risk reduction through adequate control effectiveness. When we encounter diminishing returns in the increase of security effectiveness, it is time to consider concentrating our efforts in other areas where security improvement is needed – and where we may realize a greater return.