In my previous post, I went through the need for, and the benefits of, deploying a security control baseline according to the framework researched. Two of the most important ideas from that post are:
- Implementing a security control baseline to address low to moderate threat sophistication is essential and economically beneficial, because it targets the most common threats an organisation will encounter.
- For sophisticated and highly sophisticated threats, an organisation must focus its investments beyond the security control baseline and target the business functions and data that are most critical to the organisation and its survivability.
From this point onward, let's look at why and how targeted controls are deployed and what their benefits are. According to the extension of the first research paper, the organisations consulted reached the following conclusions:
- The traditional concept of defense in depth, based on adding new layers of security controls, is neither financially feasible nor effective against sophisticated threats. Most low to moderate threats will be stopped by the control baseline, but a sophisticated threat will change its modus operandi (TTPs) and evade these static controls, which is known as threat shifting.
- The solution is to deploy advanced targeted controls to the enclaves and data that are critical for the survival of the organisation. To deploy this additional layer of customised controls, the organisations make use of techniques such as threat modelling, threat analysis and strong security operations and intelligence (PEOPLE).
“Upon further discussion, it became clear that, as shown in the Cybersecurity Framework above, the organisation had actually implemented a core set of baseline security controls to address the less sophisticated threats. However, this organisation, as well as others contacted, strongly asserted that a static defense based on the DND Top 35 and CSC was neither economically feasible, nor effective in countering sophisticated threats.”
“… complementing the implementation of baseline security controls with the employment of a real-time, threat based security protection strategy (consisting of highly focused automated controls, as well as human analysts for identifying and countering more sophisticated threats).”
For those of you who do not have a background in defense operations, this will require a leap of faith. Personally, after spending some time in operations and intelligence, I fully agree with this strategic approach to a cyber security investment road map. You need to understand your organisation, its operating environment and the threats it faces. If you do not understand these, you are likely taking a very expensive road to protecting your organisation, among other adverse effects.
The investment approach described above does not align with the guidance from the US government in publications such as NIST, which primarily recommends developing additional rings of controls around the company's assets. Still, the NIST CSF is key to the development and deployment of targeted security controls, using threat modelling, for the critical enclaves of an organisation.
The extended Cyber Economics Framework below:
This framework highlights the importance of developing advanced targeted controls as a way to make financially sound security control investments and avoid the pitfalls of compliance-driven risk management practices. To do this, threat modelling is paramount: understanding your organisation (its people, processes and technology) and mapping that to a particular business enclave will help you locate your organisation's Achilles heel, and with it your next step in the investment road map once the control baseline is in place. Furthermore, threat modelling per enclave provides the input you need to start doing risk quantification. To quantify the risk, you begin by developing the scenario according to the process followed by the FAIR methodology, which is one of the best-known risk quantification methodologies and is also accepted by the NIST CSF.
I do not want to go too deeply into threat modelling, but enterprise threat modelling all the way down to the tactical and operational levels (Kill Chain, ATT&CK, STRIDE) is a good start for modelling these critical enclaves in your organisation. Check the references at the end of the article.
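To make the risk quantification step concrete, here is an added example (not code from the original post or from the FAIR standard itself) of a FAIR-style scenario for one critical enclave. It uses FAIR's decomposition of risk into loss event frequency (threat event frequency multiplied by vulnerability, i.e. the probability that a threat event becomes a loss event) and loss magnitude, and runs a Monte Carlo simulation over those inputs. The enclave name, the threat, and all the numeric ranges are constructed placeholders, and the "before/after" comparison assumes that the targeted control the post describes reduces vulnerability for that enclave; the triangular distributions and Poisson event count are modelling choices of mine, not prescribed by FAIR.

```python
"""FAIR-style risk quantification for one business enclave (added example).

Scenario inputs are calibrated estimates of the form (low, most likely, high).
All numbers below are constructed placeholders, not real figures.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """A calibrated estimate; sampled with a triangular distribution."""
    low: float
    most_likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.most_likely)


@dataclass(frozen=True)
class Scenario:
    enclave: str            # the business enclave being modelled
    threat: str             # the threat community / adversary class
    tef: Range              # threat event frequency: attempts per year
    vulnerability: Range    # probability an attempt becomes a loss event (0..1)
    magnitude: Range        # loss per loss event, in currency units


def point_estimate(s: Scenario) -> float:
    """Single-point annualised loss: TEF x Vulnerability x Magnitude (most-likely values)."""
    return s.tef.most_likely * s.vulnerability.most_likely * s.magnitude.most_likely


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm: number of loss events in a year with expected count lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(s: Scenario, iterations: int = 10_000, seed: int = 1) -> list[float]:
    """Monte Carlo: one simulated year per iteration, returning total loss per year."""
    rng = random.Random(seed)
    yearly_losses = []
    for _ in range(iterations):
        lef = s.tef.sample(rng) * s.vulnerability.sample(rng)   # loss event frequency
        events = _poisson(rng, lef)
        yearly_losses.append(sum(s.magnitude.sample(rng) for _ in range(events)))
    return yearly_losses


def summarize(losses: list[float]) -> dict[str, float]:
    """Mean plus 10th/50th/90th percentiles of annual loss."""
    deciles = statistics.quantiles(losses, n=10)
    return {"mean": statistics.fmean(losses),
            "p10": deciles[0], "p50": deciles[4], "p90": deciles[8]}


# Constructed scenario: a sophisticated threat against a hypothetical "payments" enclave,
# with only the security control baseline in place.
BASELINE = Scenario(
    enclave="payments-core (hypothetical)",
    threat="sophisticated external adversary (placeholder)",
    tef=Range(1, 4, 10),
    vulnerability=Range(0.3, 0.5, 0.8),
    magnitude=Range(50_000, 250_000, 1_500_000),
)

# Same enclave after deploying a targeted control (assumed to lower vulnerability only).
TARGETED = Scenario(
    enclave=BASELINE.enclave,
    threat=BASELINE.threat,
    tef=BASELINE.tef,
    vulnerability=Range(0.05, 0.15, 0.3),
    magnitude=BASELINE.magnitude,
)


def control_benefit(before: Scenario, after: Scenario, **kw) -> float:
    """Reduction in mean annual loss attributable to the targeted control."""
    return summarize(simulate(before, **kw))["mean"] - summarize(simulate(after, **kw))["mean"]


if __name__ == "__main__":
    for label, scenario in (("baseline only", BASELINE), ("with targeted control", TARGETED)):
        stats = summarize(simulate(scenario))
        print(f"{label:22s} point={point_estimate(scenario):>12,.0f} "
              f"mean={stats['mean']:>12,.0f} p50={stats['p50']:>12,.0f} p90={stats['p90']:>12,.0f}")
    print(f"mean annual loss avoided: {control_benefit(BASELINE, TARGETED):,.0f}")
```

The mean annual loss avoided is the figure to set against the cost of the targeted control when deciding whether that enclave is the next stop on the investment road map; the p90 shows the tail the cyber insurance discussion later in the post is concerned with.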
The key takeaways from the extended Cyber Economics Framework are the following:
- NIST CSF up to Tier 2 is a "security control baseline"; from Tier 2 upwards we need to apply threat modelling to customise and deploy advanced targeted security controls in the critical enclaves of the organisation.
- NIST CSF Tier 3 and Tier 4 provide better ROI when threat modelling is applied; achieving such a maturity level is expensive, and the controls should be tailored to the evolving threat characteristics of that particular organisation. Tier 3 and Tier 4 put a lot of emphasis on people, process and intelligence over technical controls.
- Each of the levels in the Cyber Economics Framework is related to an adversary class as previously defined by Deborah Bodeau and Richard Graubart in their Mitre Cyber Prep 2.0 research paper.
This is not a hard subject to understand, but it can be complex without the right experience: it starts with understanding the cyber threat, your organisation, its critical business functions, and the people, processes and technology that support them. If you can take the leap of faith mentioned earlier, adopting the investment principles of this Cyber Economics Framework will help you avoid the pitfalls of those who blindly follow the recommendations of security frameworks such as ISO 27001, NIST, CSC and many others.
There is still an outstanding area I have not talked about: what happens with the low risk that results from sophisticated threats engaging your organisation? The recommendation (in 2013) was to accept the risk, but what else can you consider in 2020?
The answer is cyber insurance, but only after you have reduced your organisation's risk to an acceptable level can you go to the insurance market to find an insurer that provides the right level of cover for your business needs.
The market is far from mature, but it is currently engaged in a mission to develop the solutions its customers demand and need. I will not get into this discussion here, but there are some good reports that explain the current state of the market and the best ways to choose and engage an insurer across this journey, in order to obtain a solution that is, if possible, customised to your organisation's needs and offers at least pre- and post-breach cyber security support.
For cyber insurance