Case Study

How to Prioritize Threats (Without Spending Big Bucks)

An internally developed risk matrix helps utility company PG&E figure out which vulnerabilities to focus on first

By Robert McMillan

April 17, 2008

Like many other security professionals, PG&E's Seth Bromberger gets up every morning and faces a serious case of information overload. Not a day goes by without the report of some new software bug or security vulnerability. Weekly bug reports have jumped from just a handful of issues a few years ago to more than 400 in a typical week.

But what to do with all this information? And how to decide which problems need to be fixed first? Two years ago, Bromberger, manager of information security, and his security team at PG&E started developing a threat assessment system that would answer this question. It's inexpensive, easy to maintain and--most important--it helps him sleep at night.

Like most organizations, PG&E had a pretty good handle on vulnerabilities, but the utility company didn't really have a great way of measuring threats--evaluating the odds of whether anyone was likely to actually exploit the problem.

This is a common state of affairs, according to Eugene Schultz, CTO at High Tower Software, a company in Aliso Viejo, Calif., that specializes in security event management appliances. "That's because we don't really understand threats very well, and what we don't understand, we tend to gloss over."

Bromberger puts it another way. "There's a question as to whether there's any benefit in measuring the threat," he says. "If you know you have vulnerability, do you really care about the threat?"

PG&E decided that it did, in part, because it had to develop a rational way of prioritizing the vulnerabilities. So Bromberger met with his staff, and over the course of just a few days they hammered out a first draft of a risk matrix for his company. (He guesses it took about 150 hours of labor.) First they identified close to 40 "threat agents." These can be things like disgruntled employees, nation-states, nature itself or even journalists. When a vulnerability is identified, PG&E looks through this matrix and determines which of these agents have the capability of exploiting the issue.

Here's how the matrix works: Bromberger's team rates the capabilities of every threat agent, giving each one a score between 0 and 5. A nation-state would have a "financial" capability of 5, but a "PG&E institutional knowledge" capability of, say, a 1 or a 2. Then when vulnerabilities crop up, the team decides what kind of capabilities are needed to exploit them, using the same scale. If a known threat agent has the capability to exploit a known vulnerability, it gets priority treatment.
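The matching rule described above, as an added worked example (this is not PG&E's own matrix or code). The "financial" and "institutional knowledge" capability dimensions come from the article; the "technical skill" and "physical access" dimensions, the agent scores and the sample vulnerabilities are constructed assumptions for illustration. A vulnerability is exploitable by an agent only if the agent's score meets or exceeds the requirement in every dimension; vulnerabilities that more known agents can exploit are ranked first, and those that no known agent can exploit fall to the bottom.

```python
"""Threat-agent capability matrix: rank vulnerabilities by who can exploit them.

Added illustrative example, not PG&E's matrix. Scores are integers 0-5 per
capability dimension, as in the article; the agents and vulnerabilities below
are constructed sample data.
"""

# Capability dimensions. "financial" and "institutional_knowledge" are from the
# article; "technical_skill" and "physical_access" are assumed for illustration.
DIMENSIONS = ("financial", "institutional_knowledge", "technical_skill", "physical_access")

# Constructed sample threat agents (illustrative scores, not PG&E's ratings).
THREAT_AGENTS = {
    "nation-state":         {"financial": 5, "institutional_knowledge": 1, "technical_skill": 5, "physical_access": 1},
    "disgruntled employee": {"financial": 1, "institutional_knowledge": 5, "technical_skill": 3, "physical_access": 4},
    "opportunistic hacker": {"financial": 1, "institutional_knowledge": 0, "technical_skill": 3, "physical_access": 0},
    "journalist":           {"financial": 2, "institutional_knowledge": 2, "technical_skill": 1, "physical_access": 1},
}

# Constructed sample vulnerabilities: the capabilities an attacker needs to exploit each.
SAMPLE_VULNS = {
    # remotely reachable, public exploit code: cheap and easy
    "VULN-A": {"financial": 0, "institutional_knowledge": 0, "technical_skill": 2, "physical_access": 0},
    # needs insider knowledge of internal systems plus on-site access
    "VULN-B": {"financial": 0, "institutional_knowledge": 4, "technical_skill": 2, "physical_access": 3},
    # expensive hardware attack requiring specialist skill
    "VULN-C": {"financial": 4, "institutional_knowledge": 0, "technical_skill": 4, "physical_access": 0},
    # deep insider knowledge and top-tier skill: no modelled agent has both
    "VULN-D": {"financial": 3, "institutional_knowledge": 5, "technical_skill": 5, "physical_access": 0},
}


def validate_scores(scores):
    """Reject anything outside the 0-5 integer scale or missing a dimension."""
    for dim in DIMENSIONS:
        value = scores.get(dim)
        if not isinstance(value, int) or not 0 <= value <= 5:
            raise ValueError(f"{dim}: score must be an integer from 0 to 5, got {value!r}")
    return scores


def capable_agents(required, agents=THREAT_AGENTS):
    """Names of agents whose score meets or exceeds the requirement in every dimension."""
    validate_scores(required)
    return sorted(
        name for name, caps in agents.items()
        if all(validate_scores(caps)[dim] >= required[dim] for dim in DIMENSIONS)
    )


def prioritize(vulns, agents=THREAT_AGENTS):
    """Return [(vuln_id, [capable agents]), ...] with the most-exposed vulnerabilities first.

    Ties are broken by vulnerability id so the ordering is stable and reviewable.
    """
    ranked = [(vid, capable_agents(required, agents)) for vid, required in vulns.items()]
    ranked.sort(key=lambda item: (-len(item[1]), item[0]))
    return ranked


if __name__ == "__main__":
    for vid, who in prioritize(SAMPLE_VULNS):
        label = ", ".join(who) if who else "no known agent (defer)"
        print(f"{vid}: {label}")
```

With the sample data, VULN-A (three capable agents) comes first, VULN-B and VULN-C (one each) follow, and VULN-D, which no modelled agent can exploit, is deferred. The "no capable agent" outcome is worth surfacing explicitly rather than silently dropping: it is exactly the case where the matrix tells you a known vulnerability can wait, and also the case to revisit whenever the agent list or its scores change.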
