How to measure the effect of enterprise security

First, the value of security

The biggest challenge in security is that the value of security is hard to know.

Business can be measured by sales and the number of users; operations and maintenance by stability indicators such as the number of failures; R&D by the number of vulnerabilities, the number of servers, scalability and patents.

However, the effect of data security and of basic attack and defense within the enterprise is hard to reflect in data.

The problems that data security and basic security face are usually incidents. There is a good chance that you do nothing and still have no problem for a whole year.

Or you may spend a lot of effort and money and still have many problems.

Therefore it is hard to measure data security by a single incident indicator, which is also why many practitioners in the security industry do not put in enough effort.

It is also hard for them to explain to their boss why they spent the money yet still cannot guarantee that nothing will happen.

Over time, two bad habits have developed in the industry:

First, not daring to let the boss know there is a problem.

Many companies lock the report in a drawer once a penetration test is finished, and when incidents are reported from outside, some of them serious, they quietly handle and whitewash them as long as the boss does not find out.

Second, no one wants to take responsibility.

Many security vendors are responsible only for the functions of the equipment they sell, not for its effect, because they cannot actually take that responsibility; so in the end no one is responsible.

Many customers think that once they have bought equipment and services nothing will happen and they will have an answer for their boss.

These are actually two different things: everyone is gambling on luck, and no one is really accountable for security anymore.

Second, the dark forest law of enterprise security

The dark forest law suits enterprise security very well: once you are exposed to the public, hackers become very interested in you and will find many problems with you.

For example, during the World Cup, lottery websites were heavily attacked; when hot money poured into the P2P small-loan industry, the whole P2P small-loan industry was attacked very frequently.

Now that hot money is pouring into live streaming and bike sharing, it can be expected that these industries will soon go through their baptism by hackers.

It is hard to know when hackers will come to visit. If you have never had a security problem, your business is simply not big enough.

So let us return to the most fundamental question: how do we measure the effect of enterprise data security and basic attack and defense?

Third, the two core indicators of enterprise security

The ultimate concern of enterprise data security comes down to two things: data is not stolen by attackers, and business is not interrupted.

Therefore, in doing enterprise security we are ultimately responsible for these two outcomes.

We cannot guarantee that security incidents will never happen, but we should ensure that the enterprise's overall security risk converges over a long enough time span.

In fact, we have also observed that as an enterprise's business expands, security incidents that used to be low-probability gradually become the norm.

For security effect there are two core indicators: the number of vulnerabilities and the number of security incidents.

In the long run both indicators should converge. This is the responsibility of the security team, or of the CSO.

Fourth, how to prove that these two indicators are reliable and effective?

As a CSO, I have done many things and spent a lot of money, hoping that the numbers of vulnerabilities and security incidents will gradually converge.

However, the number of security incidents is tied to luck (including the dark forest law), and the number of vulnerabilities depends on the ability to discover them. If discovery capability is weak, the number of vulnerabilities tells you nothing.

So a standard ruler is needed as a measure.

At present the most effective means of inspection appears to be crowdsourced public testing services and the collection of external security intelligence.

For example, the Security Response Centers (SRCs) set up by major companies: by seeking help from the security community, white hats are paid rewards for submitting vulnerabilities from the outside.

The number and quality of vulnerabilities found this way can be dozens of times that of traditional penetration testing, and white hats swarming in closely simulates the attack scenario on the real network.

What we have to do is ensure the security of the public testing program itself and operate this community relationship effectively over the long term.

Based on this idea of open testing, there are three indicators for measuring the strength and effect of an enterprise's security capabilities:

The first is the number of vulnerabilities reported from the outside through public testing and the SRC;

The second is the number of vulnerabilities and attacks perceived by the detection (perception) system within our security system, which should correspond one-to-one to the first indicator;

The third is the number of vulnerabilities and attacks that the defense system within our security system can effectively defend against, which should correspond to each of the first two indicators.

The gradual convergence of these three indicators can effectively guide all of our security work.
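The following script is an added example, not part of the original article, showing one way to compute the three indicators above (and the convergence check from the section on the two core indicators) from the security team's own records. The data is constructed: SRC_REPORTS stands for externally reported vulnerabilities, DETECTED_IDS for the subset the internal detection system independently raised, and BLOCKED_IDS for the subset the defense layer actually stopped; the ticket ids and quarters are hypothetical, and correlating an SRC report with an internal alert is assumed to have been done by the team beforehand.

```python
"""Crowdsourced-testing indicators and convergence check (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Report:
    report_id: str   # hypothetical SRC ticket id
    quarter: str     # sortable period label such as "2023Q1"
    severity: str    # "high", "medium" or "low"


# Constructed sample: vulnerabilities reported from outside via the SRC (indicator 1).
SRC_REPORTS: List[Report] = [
    Report("SRC-001", "2023Q1", "high"),
    Report("SRC-002", "2023Q1", "medium"),
    Report("SRC-003", "2023Q1", "low"),
    Report("SRC-004", "2023Q1", "medium"),
    Report("SRC-005", "2023Q1", "high"),
    Report("SRC-006", "2023Q2", "high"),
    Report("SRC-007", "2023Q2", "medium"),
    Report("SRC-008", "2023Q2", "low"),
    Report("SRC-009", "2023Q2", "medium"),
    Report("SRC-010", "2023Q3", "high"),
    Report("SRC-011", "2023Q3", "low"),
    Report("SRC-012", "2023Q3", "medium"),
]

# Constructed sample: reports the internal detection system also perceived (indicator 2).
DETECTED_IDS: Set[str] = {
    "SRC-001", "SRC-002",
    "SRC-006", "SRC-007", "SRC-008",
    "SRC-010", "SRC-011", "SRC-012",
}

# Constructed sample: reports the defense system effectively blocked (indicator 3).
BLOCKED_IDS: Set[str] = {
    "SRC-001",
    "SRC-006", "SRC-007",
    "SRC-010", "SRC-011", "SRC-012",
}


def indicators_by_quarter(reports: Iterable[Report], detected_ids: Set[str],
                          blocked_ids: Set[str]) -> Dict[str, Dict[str, Optional[float]]]:
    """Count external reports per quarter and how many of them detection and
    defense covered. Rates are None for a quarter with no external reports,
    because an empty quarter says nothing about coverage (the program may
    simply be inactive), which is a different problem from missed findings."""
    out: Dict[str, Dict[str, Optional[float]]] = {}
    for r in reports:
        q = out.setdefault(r.quarter, {"reported": 0, "detected": 0, "blocked": 0})
        q["reported"] += 1
        if r.report_id in detected_ids:
            q["detected"] += 1
        if r.report_id in blocked_ids:
            q["blocked"] += 1
    for q in out.values():
        n = q["reported"]
        q["detection_rate"] = q["detected"] / n if n else None
        q["defense_rate"] = q["blocked"] / n if n else None
    return out


def series(by_quarter: Dict[str, Dict[str, Optional[float]]], key: str) -> List:
    """One indicator as a list ordered by quarter label."""
    return [by_quarter[q][key] for q in sorted(by_quarter)]


def gap_series(by_quarter: Dict[str, Dict[str, Optional[float]]], key: str) -> List[int]:
    """Externally found issues that a layer ('detected' or 'blocked') missed, per quarter.
    This gap is what should shrink as the three indicators converge."""
    return [by_quarter[q]["reported"] - by_quarter[q][key] for q in sorted(by_quarter)]


def is_converging(values: Iterable[float]) -> bool:
    """True when the series never rises from one period to the next."""
    vals = list(values)
    return all(later <= earlier for earlier, later in zip(vals, vals[1:]))


if __name__ == "__main__":
    by_q = indicators_by_quarter(SRC_REPORTS, DETECTED_IDS, BLOCKED_IDS)
    for quarter in sorted(by_q):
        row = by_q[quarter]
        print(f"{quarter}: reported={row['reported']} detected={row['detected']} "
              f"blocked={row['blocked']} detection_rate={row['detection_rate']:.2f} "
              f"defense_rate={row['defense_rate']:.2f}")
    print("external reports converging:", is_converging(series(by_q, "reported")))
    print("detection gap converging:  ", is_converging(gap_series(by_q, "detected")))
    print("defense gap converging:    ", is_converging(gap_series(by_q, "blocked")))
```

The external report count is the ruler; the detection and defense gaps measure how far the internal systems lag behind it. A falling report count with a widening gap would mean the community is losing interest rather than the enterprise getting safer, so the three series should be read together rather than one at a time.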