Aberdeen Group
Endpoint Security and the DSD Top 4: One Size Does Not Fit All
Derek Brink
APR 12, 2013 08:00 AM

Have you been hearing lately, as I have, about the "DSD Top 4"?

This refers to the Australian Government Department of Defence's Defence Signals Directorate (DSD), and its recently updated publication called "Strategies to Mitigate Targeted Cyber Intrusions". In it, they suggest that the following four endpoint security controls would have successfully protected against more than 85% of the cyber intrusions that they responded to in the previous 12 months:

  1. Whitelist endpoint applications
    • Permit execution of approved / trusted programs
    • Prevent execution of unapproved and potentially malicious programs and dynamic link libraries
  2. Patch endpoint applications
    • E.g., PDF viewer, Flash Player, Microsoft Office, Java
    • Discontinue use of Adobe Reader prior to Version X
    • Patch or mitigate high risk vulnerabilities within two days
  3. Patch endpoint operating system vulnerabilities
    • Patch or mitigate high risk vulnerabilities within two days
    • Discontinue use of Microsoft Windows XP or earlier
  4. Minimize users with domain or local administrative privileges
    • Use separate unprivileged accounts for email and web browsing
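As an added illustration, not code from the original post or from the DSD publication, here is a small Python audit that checks a constructed endpoint inventory against the four controls above using the thresholds the list gives (Reader X, Windows XP or earlier, a two-day patch window, no admin rights on day-to-day accounts). The inventory fields, the Windows version ordering and the sample endpoints are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed ordering of Windows desktop releases; anything ranked at or below XP fails control 3.
WINDOWS_RANK = {"Windows 2000": 0, "Windows XP": 1, "Windows Vista": 2, "Windows 7": 3, "Windows 8": 4}
MIN_ADOBE_READER_MAJOR = 10          # Adobe Reader "X" is major version 10
PATCH_SLA = timedelta(days=2)        # "patch or mitigate high risk vulnerabilities within two days"

@dataclass
class Endpoint:
    name: str
    os: str
    whitelisting_enforced: bool
    adobe_reader_major: Optional[int]      # None when Reader is not installed
    open_high_risk_vulns: dict[str, date]  # vuln id -> date the fix or mitigation became available
    daily_accounts_with_admin: list[str]   # accounts used for email/web that also hold admin rights

def audit_endpoint(ep: Endpoint, today: date) -> list[str]:
    """Return one finding per DSD Top 4 control the endpoint fails (empty list = compliant)."""
    findings = []
    if not ep.whitelisting_enforced:
        findings.append("1: application whitelisting not enforced")
    if ep.adobe_reader_major is not None and ep.adobe_reader_major < MIN_ADOBE_READER_MAJOR:
        findings.append(f"2: Adobe Reader {ep.adobe_reader_major} is older than Reader X")
    overdue = sorted(v for v, avail in ep.open_high_risk_vulns.items() if today - avail > PATCH_SLA)
    if overdue:
        findings.append("2/3: high-risk patches past the two-day window: " + ", ".join(overdue))
    if WINDOWS_RANK.get(ep.os, 99) <= WINDOWS_RANK["Windows XP"]:
        findings.append(f"3: {ep.os} is Windows XP or earlier")
    if ep.daily_accounts_with_admin:
        findings.append("4: admin rights on daily-use accounts: " + ", ".join(sorted(ep.daily_accounts_with_admin)))
    return findings

def audit_fleet(endpoints: list[Endpoint], today: date) -> dict[str, list[str]]:
    return {ep.name: audit_endpoint(ep, today) for ep in endpoints}

# Constructed sample inventory (not real hosts or vulnerability identifiers)
SAMPLE_DAY = date(2013, 4, 12)
SAMPLE_FLEET = [
    Endpoint("ws-01", "Windows 7", True, 11, {"VULN-A": date(2013, 4, 11)}, []),
    Endpoint("ws-02", "Windows XP", False, 9,
             {"VULN-A": date(2013, 4, 8), "VULN-B": date(2013, 4, 11)}, ["jsmith"]),
]

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_FLEET, SAMPLE_DAY).items():
        print(name, "OK" if not findings else findings)
```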

These particular controls have the benefit of preventing attacks earlier in the attack lifecycle — a topic which I have just written about in the context of incident response. (Look for the Analyst Insight "Incident Response: Detecting and Containing Earlier in the Attack Lifecycle," to be available — at no charge — on the Aberdeen / IT Security practice web site starting next week.) That is, the timeline of an attack typically fits the following pattern, as described from the attacker's perspective:

  • Identify vulnerabilities (i.e., reconnaissance of IT networks and systems)
  • Implement exploits
  • Execute exploits
  • Automate exploits (i.e., run at scale)
  • Modify exploits (e.g., adapt as vulnerabilities are identified and eliminated)

In my personal view, to see such a practical-minded document coming out of a federal government is a unique and wonderful thing, and hats off to the Australian DSD for making this kind of contribution. An obvious caveat with such a list, however, is that when it comes to information security one size never fits all.

For example, the DSD cites end-user resistance to these controls as "low" for patching and "medium" for application whitelisting and restricted admin privileges. This may be true in a restricted government / military / defense environment, but in many other corporate cultures these restrictions would be met with abhorrence by end-users who have zero tolerance for anything that prevents them from getting their work done. From an end-user perspective, implementation of the DSD Top 4 basically means that no one can install and run any software that isn't approved and enabled by a centralized IT function — and most of us have the experience that these models usually devolve to IT being unable to keep up, and end-users doing an end-around to keep up with the demands of business. Say, why not prevent 100% of cyber intrusions by just disconnecting everyone from the network?

The DSD publication also makes it clear that these four endpoint security controls tend to have high upfront cost (in terms of staff, technology, and technical complexity) and medium ongoing cost (primarily staff) – which not all organizations are willing or able to bear. It's one thing to have a policy that critical patches must be implemented within 48 hours, but quite another to have the resources and processes to make this happen. In "The Virtues of Virtual Patching" (October 2012), I wrote about how compensating controls such as virtual patching can make operational and financial sense for the business, by:

  • Buying additional time until patches are available
  • Providing a compensating control when patching is not possible or practical (e.g., an older platform or application)
  • Reducing the need for "emergency" patches or workarounds
  • Requiring fewer policy enforcement points (i.e., at selected points in the network, as opposed to applying a patch on every system)
  • Giving enterprises the flexibility to patch on a planned schedule
  • Helping to mitigate the high opportunity cost of unplanned downtime

I'll be writing more about virtual patching in the next 30 days, in the context of database security.

Bottom line, for me: (1) kudos to the Australian Government DSD, for creating and sharing this kind of analysis and information and (2) as always, security controls have to be evaluated in the context of your own business environment.

Derek Brink
Vice President and Research Fellow
IT Security
