Scott E. Donaldson (1), Stanley G. Siegel (2), Chris K. Williams (3) and Abdul Aslam (3)
(1) Falls Church, Virginia, USA
(2) Potomac, Maryland, USA
(3) San Diego, California, USA
Overview
This study guide describes a pragmatic framework for managing a cohesive enterprise cybersecurity program that
ties together architecture, policy, programmatics, IT life cycle, and assessments into a single framework; and
aligns functional areas with the real-world skills of cybersecurity professionals, operational budgets, and cybersecurity technologies.
Functional areas enable easy delegation and reporting of status at an abstraction layer suitable for executive consumption.
Functional areas support the business decision-making process for strategy and prioritization.
While this framework may provide a successful cyberdefense today, attackers and defenders are not standing still.
Cybersecurity challenges and technologies continue to evolve quickly.
This chapter examines how this cybersecurity framework may evolve in the future.
Generations of Weapons Systems
Context
Jet fighters since WWII are often grouped into generations.
Each generation represents a leap forward in capability and renders the previous generations obsolete.
Generations of Malware
Context
Malware can also be grouped into generations.
Subsequent generations reflect increases in capability and threat.
Generations of Cyberdefense
Context
Cyberattacks and defenses can be characterized as generations.
Topics
The Power of Enterprise Cybersecurity Architecture
Evolution of Cyberattack and Defense
Evolving Enterprise Cybersecurity over Time
Final Thoughts
The Power of Enterprise Cybersecurity Architecture
Policy
Policy can be organized using enterprise cybersecurity functional areas.
Policy helps to ensure comprehensive coverage of enterprise cybersecurity with clear policy statements.
People
Functional areas align closely with actual skill sets of technical staff and team leaders.
Technical staff and cybersecurity leadership are positioned for success in their areas.
Functional areas also align well with typical organizational boundaries for matrixed teams where cybersecurity policy and enforcement might be separated from technical implementation and operations.
Budget
Functional areas align well with policy and organizational structures.
Cybersecurity leadership can allocate operational and project funding among functional areas to ensure people, budget, and technology are all coordinated.
Technology
Functional areas align well with the capabilities of many security technologies.
Strategy
Functional areas were designed with the IT Infrastructure Library (ITIL) framework in mind.
IT strategy and architecture can be planned using the functional areas to help ensure a well-integrated overall solution.
Engineering
Functional areas align well with typical engineering boundaries for system design, deployment, support, and retirement activities.
Operations
Cybersecurity operations can be performed in an integrated fashion across the functional areas to ensure all aspects of security operations are well coordinated.
Assessment
Functional areas provide a straightforward framework for quantitatively assessing the cybersecurity program, measuring its quality over time, and reporting against external frameworks.
Evolution of Cyberattack and Defense
Context
Over time, attacker sophistication increases.
Casual Attackers
Use professional attacker capabilities when they become mainstream
Use them for opportunistic ends
Disrupt operations
Explore private enterprises and their data
Make political statements
Professional Attackers
Take nation-state attacker techniques and commercialize them for use on industrial scales
Espionage, blackmail
Larceny, identity theft
Nation-State Attackers
Have the greatest amount of sophistication
Generally are the trailblazers of the most sophisticated and devastating cyberattacks
Cyberattacks and cyberdefenses can be grouped into discrete generations of cybersecurity.
Cyberattack generations represent a leap forward in capability that is almost completely effective against previous cyberdefense generations.
Generation 1: Hardening the Host
Generation 2: Protecting the Network
Generation 3: Layered Defense and Active Response
Generation 4: Automated Response
Generation 5: Biological Defense
Before the Internet
Before the Internet, there was the Advanced Research Projects Agency Network (ARPANET), but the network was small and not designed with security in mind.
As ARPANET got larger,
users started putting passwords on computers and networking protocols;
cybersecurity was not robust; and
“Good fences make good neighbors” security was used, as everyone was trusted.
At the same time,
personal computers had little to no security; and
early viruses ran rampant propagating from machine to machine via “floppy disks” and other media.
Since personal computers were not interconnected and were essentially being used as advanced typewriters and calculators, not much was at stake.
Cybergenerations Moving Down Market
Cyberattack generations move down market over time.
Cyberattack techniques become cheaper and more widely used over time.
Generation 5 cyberattacks are solely in the domain of advanced nation-state attackers. However, it is realistic to expect that
five years from now, these techniques will be used by other nation-state attackers; and
ten years from now, these techniques might be used by everyday professional cybercriminals.
Generation 3 cyberattacks that are causing trouble for commercial industries today were being commonly used by nation-state attackers only five years ago.
Five years from now, these cyberattack tools and techniques will likely be in the hands of casual hackers.
Enterprises must be aware of these trends and try to stay ahead of them.
Future Cybersecurity Evolution
New generations of attacks will be extremely effective against older generations of defenses.
Defenses cannot simply skip a generation and jump straight to advanced defensive techniques.
Each successive generation of defenses builds upon the previous generation of defensive technologies.
Most of today’s compliance frameworks to assess cybersecurity effectiveness were designed around the Generation 2 model of perimeter defenses and endpoint protection.
Such compliance models only go so far in thwarting professional attackers using Generations 3, 4, and 5 capabilities.
Upgrading these frameworks is essential to confronting Generations 3, 4, and 5 attack techniques.
Cybersecurity practitioners can use this study guide’s framework to organize and measure
real-world cyberthreats,
cyberdefense capabilities, and
day-to-day cybersecurity operations.
The framework is designed to
accommodate a wide spectrum of enterprise cybersecurity configurations;
manage and communicate challenges; and
summarize the richness and nuance of the underlying reality.
The major goal is to help enterprise leaders and practitioners represent real-world complexity effectively so that they can make informed strategic and tactical decisions.
Implementation considerations include functional areas that apply to a wide range of enterprise types, but that may need to be modified to meet an enterprise’s needs.
Functional areas are approximately equal in importance so the enterprise does not rely too much on a single set of cybersecurity capabilities for enterprise protection.
Enterprise cybersecurity capabilities are not and will never be perfectly complete; each enterprise should add, remove, or tailor capabilities as needed.
Functional areas help align cybersecurity capabilities to policies, programmatics, IT life cycle, and assessments; however, the alignment should reflect how the enterprise prefers to operate.
The framework is not perfect; however, it is comprehensive, integrated, and adaptable.
Tailoring Cybersecurity Assessments
The enterprise cybersecurity framework works well for conducting a cybersecurity program assessment.
By considering risk mitigations, cybersecurity capabilities (grouped by functional areas), and security operations side-by-side, assessment results align closely with an enterprise’s real-world cybersecurity effectiveness.
By using a hierarchy of risk mitigations, functional areas, capabilities, and underlying technologies, assessments can be performed at numerous levels to provide high-level results quickly and detailed results progressively.
By organizing an enterprise cybersecurity program into functional areas, assessment results are already aligned with the way policy, programmatics, IT life cycle, and operations are organized.
This alignment enables immediate delegation and assignment of resulting recommendations to appropriate teams for execution.
The cybersecurity capabilities presented are meant as a starting point for consideration.
New technologies may deliver new capabilities for cybersecurity.
Such information should be incorporated into an enterprise’s cybersecurity framework for assessment and evaluation.
Object Measurement can be used to quantitatively measure cybersecurity program effectiveness.
This measurement approach provides a direct correlation between an enterprise’s risk analysis and its level of protection.
Value scales and resulting metrics help point to potential weaknesses that cyberattackers could use as attack vectors.
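The hierarchical assessment described in this section (risk mitigations, functional areas, capabilities, and a value scale that points at weak spots) can be made concrete with a small roll-up scorer. The following is an added example written for this study guide summary; it is not the authors’ Object Measurement method or code. The five-point value scale, the per-capability weights, the unweighted average across functional areas, and the “weakest link” rule for scoring a risk mitigation are all assumptions chosen for illustration, and the functional areas, capabilities, ratings, and mitigations are constructed sample data.

```python
# Added example (not from the study guide): a minimal roll-up scorer for a
# functional-area cybersecurity assessment. The value scale, weights, and
# "weakest link" mitigation rule are assumptions for illustration, not the
# book's Object Measurement method.
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple

# Assumed five-point value scale for rating a single capability.
VALUE_SCALE = {
    0: "absent",
    1: "ad hoc",
    2: "partial",
    3: "effective",
    4: "comprehensive",
}
MAX_RATING = max(VALUE_SCALE)


@dataclass
class Capability:
    name: str
    rating: int          # position on VALUE_SCALE
    weight: float = 1.0  # assumed relative importance inside its functional area

    def score(self) -> float:
        """Normalise the rating to 0.0-1.0 so capabilities and areas compare directly."""
        if not 0 <= self.rating <= MAX_RATING:
            raise ValueError(f"rating {self.rating} is outside the value scale")
        return self.rating / MAX_RATING


@dataclass
class FunctionalArea:
    name: str
    capabilities: List[Capability]

    def score(self) -> float:
        """Weighted mean of the capability scores in this area."""
        total_weight = sum(c.weight for c in self.capabilities)
        return sum(c.score() * c.weight for c in self.capabilities) / total_weight


def program_score(areas: List[FunctionalArea]) -> float:
    """Top-level number: an unweighted mean across areas, since the guide treats
    functional areas as roughly equal in importance."""
    return mean(a.score() for a in areas)


def area_scores(areas: List[FunctionalArea]) -> Dict[str, float]:
    """The executive-level view: one score per functional area."""
    return {a.name: a.score() for a in areas}


def weakest_capabilities(areas: List[FunctionalArea], threshold: float) -> List[Tuple[str, str, float]]:
    """The detailed view: (area, capability, score) for every capability below the
    threshold, weakest first, which is where attack vectors are most likely."""
    found = [(a.name, c.name, c.score())
             for a in areas for c in a.capabilities if c.score() < threshold]
    return sorted(found, key=lambda t: t[2])


def mitigation_scores(mitigations: Dict[str, List[str]], areas: List[FunctionalArea]) -> Dict[str, float]:
    """Tie the risk analysis to the level of protection: a mitigation is scored as
    the weakest capability it depends on (assumed weakest-link rule)."""
    by_name = {c.name: c for a in areas for c in a.capabilities}
    return {m: min(by_name[n].score() for n in names) for m, names in mitigations.items()}


# Constructed sample assessment (illustrative area and capability names and ratings only).
SAMPLE_AREAS = [
    FunctionalArea("Network Security", [
        Capability("Perimeter firewalling", 4),
        Capability("Network intrusion detection", 2),
        Capability("Network segmentation", 1, weight=2.0),
    ]),
    FunctionalArea("Incident Response", [
        Capability("Incident playbooks", 3),
        Capability("Forensic evidence collection", 3),
    ]),
    FunctionalArea("Identity and Access Management", [
        Capability("Multi-factor authentication", 4),
        Capability("Privileged access management", 0),
    ]),
]

# Constructed risk mitigations, each mapped to the capabilities it relies on.
SAMPLE_MITIGATIONS = {
    "Contain lateral movement": ["Network segmentation", "Privileged access management"],
    "Detect intrusions": ["Network intrusion detection", "Incident playbooks"],
}

if __name__ == "__main__":
    print(f"Program score: {program_score(SAMPLE_AREAS):.2f}")
    for name, s in area_scores(SAMPLE_AREAS).items():
        print(f"  {name}: {s:.2f}")
    print("Capabilities below 0.5:", weakest_capabilities(SAMPLE_AREAS, 0.5))
    print("Mitigation scores:", mitigation_scores(SAMPLE_MITIGATIONS, SAMPLE_AREAS))
```

Running the sample gives a program score of about 0.58 and per-area scores of 0.50, 0.75 and 0.50, which is the quick, high-level result; the detailed pass then isolates the two capabilities below 0.5, and the mitigation view shows that “Contain lateral movement” scores 0.0 because one of the capabilities it depends on is absent, even though its functional area looks average overall. That is the kind of progressive drill-down the section describes, with each finding already attached to the functional area whose team would own the fix.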
Evolution of Enterprise Cybersecurity Capabilities
It is difficult to envision today what cybersecurity capabilities might look like ten years in the future.
The enterprise cybersecurity framework will continue evolving along with the strategic challenges of managing complexity in an increasingly interconnected world.
Enterprise cybersecurity changes may include the following:
Valid security capabilities should be considered and added to the framework as necessary.
New security technologies may or may not fit easily into the existing functional areas.
A single technology may provide multiple capabilities falling into different functional areas; enterprises will need to decide where to house the technology.
Over time, security capabilities may merge into a single, integrated capability or split into multiple sub-capabilities.
Existing capabilities may be superseded by other capabilities, fall out of favor, or simply become obsolete.
Evolution of Enterprise Functional Areas
All of an enterprise’s cybersecurity should be divided up into functional areas, and capabilities within those functional areas, so everything is accounted for and nothing is missed.
Over time, the functional areas will continue to evolve.
As capabilities are added to the architecture, functional area definitions may need adjustments to continue providing clear lines of delineation for organizing policies, people, programmatics, IT life cycle, and assessments.
As cybersecurity technologies and practices evolve, there may be a marked shift in the importance of different functional areas.
The framework was designed to address the needs of Generations 3, 4, and 5 cyberdefenses, but cloud and BYOD are straining enterprise cybersecurity methodologies, technologies, and practices.
Innovations and paradigm shifts might prompt future adjustments.
Over time, the framework will need to evolve to remain relevant and effective.
Final Thoughts
This study guide presents a number of key ideas and methodologies for dealing with modern enterprise cybersecurity challenges.
Management techniques for facing those challenges
Coherent, integrated cybersecurity framework suitable for an enterprise ranging from a few dozen employees to hundreds of thousands of employees
Techniques for applying this cybersecurity program framework against modern adversaries
Ideas and methodologies are not theoretical, but represent real-world experience and work across a wide range of enterprise situations.
Clients ranging from the US Federal Government to the US Department of Defense to commercial customers (small nonprofits to large multinationals)
Organizing cybersecurity into functional areas makes it possible to manage most aspects of a cybersecurity program under one convenient and coherent framework.
Policy, people, budget, technology, architecture, engineering, operations, and assessments
Cyberattack and cyberdefense generations provide a context for considering cyberthreats at a strategic level.
Technology evolves on a continuous basis, but it is helpful to use generation groupings to characterize different levels of cyberattack sophistication and the corresponding cyberdefenses.
The cybersecurity industry is in the throes of a generational shift going from Generation 2 to Generation 3.
Within the next decade, a similar shift will occur to get to Generation 4 defenses, and then to Generation 5 defenses.
By the time Generation 5 defenses are commonplace, there will be 6th and 7th Generation attacks to defend against.
As computers have risen in power and capability, and their capability has been multiplied through networking, the threats against these systems have risen as quickly as the capability.
Computers and networked systems are becoming mission critical.
Airline and financial industries stop when their computers go down.
Over the next 20 years, this mission-critical reliance will occur in almost every area of business and government.
Over the next 30 years, computers will have to achieve a level of resilience where they do not go down, even in the face of severe crises from adversaries, criminals, or natural disasters.
Looking back at the past 30 years of information technology, it is mind-boggling how information technology has transformed our lives.
Today’s children cannot conceive of televisions that aren’t large and flat, of typewriters that only put words on paper, or of mobile devices that don’t have instant access to most knowledge on Earth.
Let’s work together to keep these machines and ourselves safe for the next 30 years.