The last post concluded with the cry “there has to be a better way!”.
So far we have established:
- Security guides are a good idea and exist in almost all organizations.
- Security audits are good and widely used.
- Security guides are often poorly written, subject to interpretation, and difficult to apply.
- Security audits are expensive and not performed as often as they should be.
Hmmm…. Well, computers are good at following rules and measuring things. And if a security guide's rules are precise enough to be implemented and measured, they are already most of the way to being a specification for a computer program.
The obvious next step is to create computer programs to implement security rules and perform computer audits!
In fact, this is what has been done for years. Numerous programs have been written for security, many security capabilities are built into operating systems, and scripts to configure systems are widely used.
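To make the point concrete, here is an added example (not code from the original post) of what "a rule precise enough to be implemented and measured" looks like. It parses a constructed sshd_config fragment and evaluates a handful of checklist-style rules against it. The rule text, the sample config and the assumed sshd defaults are all illustrative assumptions; notice that the checker has to be told what to do when a directive is absent or commented out, which is exactly the "subject to interpretation" gap a human auditor papers over.

```python
"""Encoding written security-guide rules as machine checks.

Added example, not code from the original post. The config text, the rule
set and the sshd default values below are constructed assumptions for
illustration only.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample sshd_config. It deliberately contains a commented-out
# directive and omits others, so the checker must decide what "absent" means.
SAMPLE_SSHD_CONFIG = """\
# PermitRootLogin yes
PasswordAuthentication yes
Port 22
X11Forwarding no
MaxAuthTries 4
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective directive -> value map.

    Lines whose first non-blank character is '#' are comments. sshd honours
    the first occurrence of a keyword, so later duplicates are ignored here too.
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)
    return effective


@dataclass(frozen=True)
class Rule:
    rule_id: str                    # hypothetical identifier, not from any real guide
    description: str
    key: str                        # sshd_config keyword, lower-cased
    passes: Callable[[str], bool]   # predicate over the lower-cased value
    default: Optional[str]          # value sshd assumes when absent; None = rule is silent


@dataclass(frozen=True)
class Finding:
    rule_id: str
    status: str                     # "pass", "fail" or "unknown"
    observed: Optional[str]
    note: str


# Constructed rule set. The defaults are assumptions about a modern OpenSSH;
# a real checklist would have to state them per version.
RULES: List[Rule] = [
    Rule("SSH-1", "Root login over SSH must be disabled", "permitrootlogin",
         lambda v: v == "no", default="prohibit-password"),
    Rule("SSH-2", "Password authentication must be disabled", "passwordauthentication",
         lambda v: v == "no", default="yes"),
    Rule("SSH-3", "MaxAuthTries must be at most 4", "maxauthtries",
         lambda v: v.isdigit() and int(v) <= 4, default="6"),
    Rule("SSH-4", "X11 forwarding must be disabled", "x11forwarding",
         lambda v: v == "no", default="no"),
    # This rule never says what the default cipher list is, so the checker
    # cannot decide when the directive is absent: an underspecified rule.
    Rule("SSH-5", "CBC ciphers must not be offered", "ciphers",
         lambda v: "cbc" not in v, default=None),
]


def evaluate(config: Dict[str, str], rules: List[Rule]) -> List[Finding]:
    """Apply each rule to the effective config and record a finding per rule."""
    findings: List[Finding] = []
    for rule in rules:
        observed = config.get(rule.key)
        source = "config"
        if observed is None:
            if rule.default is None:
                findings.append(Finding(rule.rule_id, "unknown", None,
                                        f"{rule.key} absent and the rule states no default"))
                continue
            observed, source = rule.default, "assumed default"
        status = "pass" if rule.passes(observed.lower()) else "fail"
        findings.append(Finding(rule.rule_id, status, observed,
                                f"{rule.key} = {observed} (from {source})"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by status, which is what an audit report rolls up to."""
    return {s: sum(1 for f in findings if f.status == s)
            for s in ("pass", "fail", "unknown")}


if __name__ == "__main__":
    results = evaluate(parse_sshd_config(SAMPLE_SSHD_CONFIG), RULES)
    for f in results:
        print(f"{f.rule_id}: {f.status:7s} {f.note}")
    print(summarize(results))
```

Run against the sample, SSH-1 fails even though the only `PermitRootLogin` line is commented out, because the rule states the assumed default and the default does not satisfy it; SSH-5 comes back "unknown" because the rule author never said what happens when `Ciphers` is absent. That second outcome is the useful one: an automated check exposes underspecified rules that a human reading the guide would silently fill in.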
However: security at the enterprise level is a big, complex undertaking.
You need a large investment in tracking threats as they emerge. It would be terribly convenient if there were a standard way to talk about threats. For example, the first 6 people who identify a new computer virus are going to call it six different things, unless something is done to create a standard name and definition.
The vast majority of computer security issues are quickly fixed after they are identified. Decades of experience show that most computer intrusions can be prevented by applying existing patches. The question is which patches need to be applied to each specific system. This is a more complex question than it appears to be: few organizations automatically apply all patches to all systems. Instead, they test patches and carefully apply specific patches to specific systems.
The challenge is knowing which patches have been applied, which patches are available, and which patches are needed for each system. What is the risk addressed by each patch, what is its impact, and how relevant is the exposure to that system?
Creating a useful set of security rules is a huge undertaking. If each organization is 90% common with other organizations and 10% unique, it is incredibly wasteful for each organization to build 100% of its security rules from scratch.
And enterprise systems are complex. You need workflows and extensible frameworks to be able to secure, manage and monitor them effectively.
All of these things call out for an industry wide initiative to build a standard foundation for automating security.
Next: Security Checklists and the US National Checklist Program