Wednesday, October 4, 2017

Raise the level of your cyber team with sound fundamentals


Michael Jordan is not usually cited as an authority on Information Security, but few will question his standing as a leading authority on team sports. As a player, Jordan was famous for spectacular dunks where he seemed to float across the key, and a fadeaway jumper that always seemed to find the basket. There is no doubt, however, that it was his consistency with the fundamentals and his teamwork that put him in a position to make the spectacular plays we remember. There is also little doubt that Information Security is a team sport.

In basketball, the fundamentals are grouped into offensive, defensive and ball handling skills. Shooting a layup or a foul shot, boxing out or blocking a shot, dribbling and passing are the skills of a winning team. In cyber security, sound execution of the fundamental skills surrounding Policies & Procedures, People and Products is the key to a winning team.

Policy and procedures

Technical people frequently mistrust and underestimate policy & procedure as effective controls, but without them even the most skilled technical team is blindly flying by the seat of its pants. These documents are the foundation of any program. They set priorities and expectations and foster consistent, repeatable results. To be effective, policies and procedures need the participation and support of the entire team, from the top levels of management down.

Key policies for any organization should include:

·       Security and Risk Management policies to define the rules.
·       Acceptable Use Policies and Rules of Behavior to communicate the proper code of conduct.
·       Communications policies and procedures to ensure that all team members understand how authentic information is distributed throughout the organization.
·       Robust change and configuration management policies to ensure that changes and additions to a system are validated and introduced in a controlled manner, and documented in a way that lets them be repeated at a later date.

One need look no further than your favorite news outlet to see the importance of comprehensive patch management and hardening procedures. From WannaCry to this week’s congressional hearings on the Equifax breach, ineffective systems patching has been a consistent theme.

Comprehensive incident response plans detailing who needs to do what are critical in any response. Even more important, knowing your legal and regulatory obligations in an incident or data breach, as well as who needs to be notified, is essential.

When building a program, this is definitely an area where better is the worst enemy of good! These plans need to be living documents that adapt and grow as your organization’s needs evolve. Don’t wait for perfection. Use templates to ensure that key information, such as definitions of terms, roles and responsibilities, and a framework to de-conflict competing priorities, is included by all authors.

People

The next family of controls focuses on people, both internal and external to your organization. There is little doubt that one of the most important concerns in this control family is “Be careful who you trust”. This concern extends to your partners and service providers as well. It does your organization no good to do exhaustive reference and background checks on employees if it then gives unvetted service providers carte blanche access to its systems or data. It is equally important to take steps such as multi-factor authentication to ensure people are who they claim to be.

Every organization has that one user who will click on anything. Training at all levels is one of the most effective preventative controls in your arsenal. Whether training your technical staff or instructing your user base in basic cyber awareness, training has the capability to stop an incident before it occurs.

Another important facet of training is exercises. Whether performing system recovery exercises with your technical staff or conducting a phishing exercise with your users, don’t wait for an actual incident for your staff to find out whether your incident response or system recovery procedures work. Over the years my organization has conducted everything from table top exercises to live recovery drills. We have improved our knowledge, systems and processes with every single one of them!

Products

Thanks to the marketing budgets of product manufacturers, the last control family is often the first many consider. The show floors of every conference, the targeted advertising accompanying every web session and the advertising in every published magazine push products offering “industry leading” solutions “guaranteed” to protect our enterprises from the myriad of threats and vulnerabilities plaguing our organizations. The truth is, there are no silver bullets that will send our cyber nightmares to the netherworld.

I am not advocating for a product-free existence, but to be effective, the products in our security arsenal should support policies and procedures and provide efficiency and risk mitigation for the ever-increasing scope of our cyber programs. In his keynote speech at this year’s RSA Conference in San Francisco, RSA’s Chief Technology Officer, Zulfikar Ramzan, advocated that organizations consolidate and minimize the number of vendors and products used to secure their environments. This is a remarkable statement from the CTO of one of the leading providers of cyber security products, but the truth is that each product in your portfolio requires resources to administer and monitor it. As we add more and more products in the name of security, our limited resources are stretched thinner and thinner, and the limited attention available for the task at hand can easily overwhelm our ability to execute the fundamentals. As a result, our overall programs become ineffective. The Agile ethos of “minimizing work in progress” is really about allowing people to focus on the tasks that deliver value to the organization.

It’s all about the team

One defining trait of championship teams and winning players is that they never stop practicing and looking to get better at the simple things, the fundamentals. As your organization develops, make certain that it doesn’t overlook them either. In this post, I presented these skill sets in a specific order for a reason: each builds on what came before. The people learn and implement the policies and procedures; products provide the needed efficiency to get the tasks done. The lessons learned by the people through exercises and experience with the products need to be brought back to the policies and procedures to update and improve them.

To paraphrase another luminary on the subject of winning teams, the key to winning is fundamentals, and the occasional three-run homer never hurts!

“The key to winning baseball games is pitching, fundamentals, and three run homers”
Earl Weaver


Saturday, September 16, 2017

Qualitative vs. Quantitative, Is That Really The Question?

In last month’s post, I proposed an approach to identifying risks to your organization strategically. By aligning your organization’s values and key assets with the threat vectors and risk sources that threaten them, we can define a multi-dimensional attack surface that gives us a deeper initial understanding of risk and risk motivation than a traditional risk register.

Identifying your risks and aligning them with your strategic assets is a great start, but to really help your management make good, impactful decisions, some risk analysis is needed.

There are two primary schools of thought in risk analysis, the qualitative and quantitative approaches. The qualitative approach focuses on narrative descriptions of risks, their likelihood and their impact. These risks are then rated on a scale such as 1 through 9 or red, yellow, green to help prioritize them. This approach tends to enjoy widespread use due to its perceived simplicity and speed. However, these ordinal scales are rarely well defined or consistent and do not lend themselves well to mathematical analysis.

The quantitative approach relies on measurement and metrics to provide a “value” for each risk. Many people feel that for these “value” measurements to be valid, they must have high precision and be backed up by vast amounts of data and statistical information. This belief has prevented many people from implementing quantitative risk analysis in any widespread manner.

In their book “How to Measure Anything in Cyber Security”, Douglas Hubbard and Richard Seiersen propose that the purpose of quantitative measurement is to reduce uncertainty, and that even a coarse measurement with low precision can significantly reduce uncertainty. The key to a useful measurement is knowing what question the measurement is trying to help answer: “What are we trying to protect, from whom?” This is what the FAIR risk analysis standard refers to as scoping. Our method of identifying risks by assets and vectors has already provided us with a very good understanding of this scope.

But what do you need to measure, and how do you get it done? The first step is to go back to your qualitative analysis and break it down into discrete items that can be estimated and measured. To be accurate, you need to go to your technical experts and stakeholders and get their input, their story.

In their book “Scrum, The Art Of Doing Twice The Work In Half The Time” Jeff and JJ Sutherland point out that “people think in narratives, in stories. That’s how we understand the world. We have an intimate grasp of characters, desires, and motivations. Where we get into trouble is when we try to abstract out of the main through-line discrete parts and deal with them out of context…. You need to think of motivation. Why does this character want the thing?”

“Those stories are ones that a team can wrap its head around. A discussion can actually ensue about how to implement them. They’re specific enough to be actionable.”

Once you have decomposed the story line into actionable pieces, express your estimates as ranges over a period of time. In this way “quantitative” measurement becomes another quality in your qualitative analysis. You don’t need to begin with “Monte Carlo” analysis or forgo your quantitative legacy information; just continue to extend it until you reach a level that can be accurately measured and expressed. Start small, with low hanging fruit: risks that are better understood and more easily measured.


Risk analysis and measurement are all about assigning value to uncertain events and properties. These are estimates of the potential impact of threat events across a frequency of events over time. Be wary of the pressure to give an exact dollar figure to a given risk; unknowns cannot be expressed in exact figures. Don’t re-invent the wheel: use a framework or standard such as FAIR, and engage your technical experts and stakeholders. Your analyses will be more easily defensible, your management will be more effective, and your teams more efficient.
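To make “ranges expressed over a period of time” concrete, here is an added Python example. It is not code from this post, from FAIR, or from Hubbard and Seiersen’s book; it only applies the widely used idea from that book of turning a calibrated 90% confidence interval on loss-per-event into a lognormal distribution, then simulating a year many times to get an expected annual loss and a loss exceedance curve. The risk register entries, their probabilities and their dollar ranges are constructed sample values, and the asset and vector fields are only there to show how the scope from “what are we trying to protect, from whom” carries into the register.

```python
import math
import random
from statistics import mean

# z-score that bounds the central 90% of a normal distribution
Z_90 = 1.645


def lognormal_from_ci(lo, hi):
    """Turn a calibrated 90% confidence interval [lo, hi] on a positive
    quantity (here loss per event, in dollars) into the (mu, sigma) of a
    lognormal distribution whose 5th and 95th percentiles are lo and hi."""
    if not 0 < lo < hi:
        raise ValueError("need 0 < lo < hi for a lognormal range")
    ln_lo, ln_hi = math.log(lo), math.log(hi)
    mu = (ln_lo + ln_hi) / 2              # natural log of the median
    sigma = (ln_hi - ln_lo) / (2 * Z_90)  # spread in log space
    return mu, sigma


# Constructed sample risk register (hypothetical values, not from the post).
# Each entry is one decomposed "story": asset and vector give the scope,
# p_annual is the estimated chance the event happens at least once in a
# year, and loss_ci is a 90% confidence interval on the loss per event.
RISKS = [
    {"name": "credential phishing against finance staff",
     "asset": "payment records", "vector": "criminal activity",
     "p_annual": 0.30, "loss_ci": (1_000, 10_000)},
    {"name": "unpatched internet-facing server exploited",
     "asset": "customer PII", "vector": "hackers",
     "p_annual": 0.10, "loss_ci": (50_000, 2_000_000)},
    {"name": "contractor mishandles medical records",
     "asset": "medical records", "vector": "trusted partner",
     "p_annual": 0.05, "loss_ci": (20_000, 500_000)},
]


def simulate_annual_loss(risks, trials=10_000, seed=1):
    """Monte Carlo over one year: for each trial and each risk, decide
    whether the event occurs, draw a loss from its lognormal range if it
    does, and sum. Returns the sorted list of total annual losses."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    params = [(r["p_annual"],) + lognormal_from_ci(*r["loss_ci"]) for r in risks]
    totals = []
    for _ in range(trials):
        total = 0.0
        for p, mu, sigma in params:
            if rng.random() < p:
                total += rng.lognormvariate(mu, sigma)
        totals.append(total)
    totals.sort()
    return totals


def summarize(totals):
    """Expected annual loss plus a few percentiles of the simulated totals."""
    n = len(totals)
    pct = lambda q: totals[min(n - 1, int(q * n))]
    return {"expected": mean(totals), "p50": pct(0.5),
            "p90": pct(0.9), "p95": pct(0.95)}


def loss_exceedance(totals, threshold):
    """Probability that annual loss exceeds `threshold`: one point on a loss
    exceedance curve, which management can compare against risk appetite."""
    return sum(1 for t in totals if t > threshold) / len(totals)


if __name__ == "__main__":
    totals = simulate_annual_loss(RISKS)
    print(summarize(totals))
    for threshold in (10_000, 100_000, 1_000_000):
        print(f"P(annual loss > ${threshold:,}) = "
              f"{loss_exceedance(totals, threshold):.3f}")
```

The point of the ranges is that nobody has to defend a single dollar figure: the expert commits only to bounds they are 90% confident in, and the simulation turns those bounds into the “how likely is it that we lose more than X this year” answer that management can act on. Widening a range on a poorly understood risk is honest and still yields a usable curve, which is what makes starting small with low hanging fruit workable.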

Sunday, August 6, 2017

Strategic Risk Identification

In last month’s post, I discussed evaluating software patches and vulnerabilities against strategic risk in order to effectively prioritize your patch management resources. Traditionally, frameworks utilize tools such as risk registers and the risk matrix to help organizations identify and organize risk to an organization based on likelihood and impact. These can be valuable tools but by themselves they tend to produce generalized lists of issues and symptoms that lack bias adjustment and do not promote strategic thinking.

To gain some strategic perspective, I prefer to align the discussion with organizational priorities by asking two key questions:

·      What are we trying to protect?
·      What are we protecting it from?

What are we trying to protect?

To be effective we need to protect those assets that are of strategic value to the organization. Although these “assets” can be physical assets such as equipment, facilities and property, I prefer to look deeper into the organization to identify items characteristic of greater value. Many companies and organizations have committed significant resources to identifying their core values or overarching goals; these are a great place to start!

Other recommendations include those items that set you apart from the competition or carry regulatory or legal concerns, such as:

·      Intellectual Property
·      Personally Identifiable information (PII)
·      Medical Records
·      Customer information, payment records

The key to successfully identifying your strategic assets is to set up a cross-functional team and avoid silos. Many organizations rely on a limited number of technical experts who fail to challenge each other and disagree. Identify and involve the stakeholders who are accountable and who set the organization’s goals and priorities. Don’t take a “one and done” approach; take an agile mindset, be iterative, adapt and evolve with your organization.

What are we protecting it from?

Risk sources and threat vectors are any force deliberately or inadvertently seeking to harm your organization. These can be both internal and external to your company. Quite often the most impactful vectors are well-meaning insiders or trusted partners. Examples include:

·      Changing regulatory and/or market conditions
·      Competition and adversaries
·      Hackers and criminal activities
·      Well-meaning insiders and trusted partners as well as those with malicious intent

Define your attack surface

Your attack surface is where your strategic assets and threat vectors meet individual risks. Begin by asking your business and technical experts what vulnerabilities and exploits exist that threaten your strategic assets through the identified risk sources and vectors. You may well discover additional threat vectors, or assets with significant value, that were not well understood or easily identified. Continue to develop your understanding and your organization’s awareness; be iterative!



Putting it all together


Every organization is subject to the same vulnerabilities and exploits, but the risk they pose is as unique as the organization they affect. Through a rich understanding of our assets and what we are trying to protect them from, we can take measured and appropriate action. Try to understand the motivation and root cause behind each risk. Adding technical controls or products where policy and training are appropriate just adds more overhead and risk. Select your controls and mitigation strategies carefully, and measure their effectiveness against your strategic objectives. Be iterative: wash, rinse and repeat!
