The Cherry on Top: Add Value to Existing Risk Management Activities With Open Source Tools

Telling people about the virtues of open source security tools is like selling people on ice cream sundaes: It doesn’t take much of a sales pitch — and most people are convinced before you start.

It’s probably not surprising that most security professionals are already using open source solutions to put a cherry on top of their existing security infrastructure. From Wireshark to OpenVAS and Kali Linux, open source software is a key component in many security practitioners’ arsenal.

But despite the popularity of open source tools for technical tasks, practitioners often view risk management and compliance initiatives as outside the purview of open source. There are a few reasons for this. Open source projects that directly support these efforts are harder to come by, and there’s often less urgency to implement them compared to technical solutions that directly address security issues, for example. Although open source solutions aren’t always top of mind when it comes to these broader efforts, they can help IT teams maximize the value of their risk management frameworks and boost the organization’s overall security posture.

5 Ways to Supplement Your Risk Strategy Using Open Source Software

Two years ago, we compiled a list of free and open source tools to help organizations build out a systemic risk management strategy. Since much has changed in the cybersecurity world since then, let’s take a look at some additional tools that can help you cover more ground, drive efficiency and add value to your existing risk management strategy.

1. Threats and Situational Awareness

All security practitioners know risk is a function of the likelihood of a security incident and its potential impact should it come to pass. To understand these variables, it’s crucial to examine the threat environment, including what tools attackers use, their motivations and methods of operation, through formalized threat modeling.

When it comes to application security, threat modeling enables practitioners to unpack software and examine it from an attacker’s point of view. Tools like OWASP’s Threat Dragon and HTML5-based SeaSponge help security teams visually model app-level threats. If used creatively, they can be extended to model attack scenarios that apply to data and business processes as well. Security teams can also incorporate threat modeling directly into governance, risk management and compliance (GRC) processes to inform assessment and mitigation strategies.

2. Workflow Automation

Logistical and organizational considerations can have a significant impact on risk management. The process has a defined order of operations that might span long periods of time, and it takes discipline to see it through. For example, risk assessment should occur before risk treatment, and treatment should be completed before monitoring efforts begin.

It’s also important to account of interdependencies. It might be more effective to assess a RESTful front-end application before the back-end system it interfaces with, for instance. It’s all about timing: If you assess the risk associated with an application or business process today, what will happen a year from now when the business process has evolved? What if the underlying technology shifts or the business starts serving new customers? What about five years from now?

Process automation tools, such as ProcessMaker and Bonita, can help security teams support both of these aspects of the risk management process. These are not necessarily security solutions, but tools designed to build and automate workflows. In a security context, they can help analysts automate everything from policy approval to patch management. For risk management specifically, these tools help security teams ensure processes are followed correctly, and risks are reassessed after they’ve been completed.

3. Automated Validation

The process of implementing a risk mitigation strategy has two steps: The first is to select a countermeasure or control to address a certain risk. The second is to validate the effectiveness of that countermeasure. It can be extremely time-intensive to execute the second part of the process consistently.

The Security Content Automation Protocol (SCAP) can help security leaders ensure the validation step is performed consistently and completely. Introduced in National Institute of Standards and Technology (NIST) Special Publication 800-126, SCAP enables analysts to define vendor-agnostic security profiles for devices and automatically validate their configuration.

One benefit to using SCAP for validation is the degree of support in the security marketplace. Most vulnerability assessment tools natively support it, as do a number of endpoint management products. By employing tools, such as those available from the OpenSCAP project, security teams can derive value today and in the future as security toolsets evolve.

4. Documentation and Recordkeeping

Risk decisions made today are much more defensible in hindsight when there’s documentation to support them. Let’s say, for example, that you’ve evaluated a countermeasure and decided that the cost to implement it outweighs the risk — or that your organization has reviewed a risk and decided to accept it. Should the unthinkable happen (e.g., a data breach), it’s much easier to justify your decisions when there’s documentation supporting your analysis and the conclusions you’ve drawn. While any record-keeping tool can help you do this, a specialized solution, such as the community version of GRC Envelop, can add value because it was developed with risk activities in mind.

5. Metrics and Reporting

Finally, open source tools can support ongoing metrics gathering and risk reporting. There are numerous aspects of a risk program that are worth measuring, such as near-miss information (i.e., attacks that were stopped before causing damage), log data, mitigated incidents, risk assessment results, automated vulnerability scanning data and more.

Tools like Graphite are specifically and purposefully designed to help security professionals store time-series data — numeric values that change with time. Collecting and storing the data enables analysts to report on the risk associated with those assets. The more frequently they collect it, the closer they can get to producing a continuous view of the organization’s risk profile.

The Cherry on Top of Your Risk Management Strategy

As we’ve shown, there are quite a few open source alternatives out there that can add value to the risk management activities you may already be performing. By choosing the right tools to supplement your strategy, you can drive efficiency with your risk efforts, realize more valuable outcomes and improve your organization’s overall risk posture today and in the future.

Listen to the podcast series: Take Back Control of Your Cybersecurity now

Share this Article:
Ed Moyle

General Manager & Chief Content Officer at Prelude Institute

Ed Moyle is currently General Manager & Chief Content Officer at Prelude Institute. Prior to joining Prelude, Ed was Director of Thought Leadership and Research for ISACA and a founding partner of the analyst firm Security Curve. In his 20+ years in information security, Ed has held numerous positions including: Senior Security Strategist for Savvis (now CenturyLink), Senior Manager with CTG's global security practice, Vice President and Information Security Officer for Merrill Lynch Investment Managers, and Senior Security Analyst with Trintech. Ed is co-author of "Cryptographic Libraries for Developers" and a frequent contributor to the Information Security industry as author, public speaker, and analyst.