In a recent Dark Reading article, a number of experts gave their perspectives on where the focus should be in order to prioritize security effort.
Focusing on attacks and not vulnerabilities can help companies prioritize their defensive efforts, says Dino Dai Zovi, a well-known independent security researcher.
Security consultant Daniel Guido stated "We can step back and study these things that are coming after us, and we can build more informed defenses that are more effective against those particular threats and that are less costly than not having done this process to begin with,"
The industry has traditionally focused on vulnerabilities as the primary way to prioritize security efforts. Momentum is gaining to move away from this practice and put more focus on the attacks themselves as well as the threat agents who initiate them. I have to say I am in the "know your enemy and know yourself..." camp. What can I say, I am a fan of Sun Tzu's "Art of War". When trying to interdict the enemy, I believe it is far more important to know what is likely, versus what is theoretically possible.
I say let Occam's razor, the law of economy, path of least resistance, and common sense rule. Given a large number of paths to success, people tend to choose the most convenient, less risky, and most cost effective options. The others are ignored. The sheer volume of vulnerabilities is overwhelming. History shows only a small number are regularly exploited. In large or complex environments, knowing and attempting to close every possible vulnerability is an expensive and never-ending exercise in futility. Better to make informed decisions based upon what is likely. Understanding vulnerabilities is a valuable and necessary exercise as part of the decision process, but does not deliver optimal security prioritization alone.
I refer back to an older Fortune Cookie Security Advice blog:
I think the industry is starting to delineate between threat agents, the 'attackers', and the methods to use, the 'attacks', to exploit known vulnerabilities. It may be why I am getting more and more inquires about the Threat Agent Risk Assessment (TARA) whitepaper I published back in 2010.
The underlying concept for the Threat Agent Risk Assessment (TARA) methodology is to narrow down the focus by taking into consideration the people behind the attacks. Knowing your attacker, their objectives, and the likely methods they will employ, gives a tremendously powerful picture of what should be prioritized, based upon known vulnerabilities, controls, and exposures.