Tuesday, November 10, 2015

Information Security Strategy


In the few encounters I have had with C-level executives, I have found that most information security investments (both engineering and operations) are made with very little strategy. My attempt here is to give C-level executives a model and a set of standards, with nomenclature, to enable strategic decision making. It is important to note that this strategy will require some fine tuning by project managers, solutions architects and others for each organization. The focus here is to ensure the CEO, CIO, CISO and CTO have the right toolkits and an abstract model to drive the information security needed for a mid to large enterprise.

"Strategy is a deliberate, conscious set of guidelines that determines decisions into the future."

- adapted from "Patterns in Strategy Formation", Henry Mintzberg

As a leader such as the CIO or CISO of an organization, here are the actions I recommend you take to look strategically at where your security investment should go. I will step through each of these in detail:
  1. Understand the threats and your options to secure your enterprise
  2. Estimate the inequalities in protecting your enterprise
  3. Invest in your best strategic options and be agile for tactical changes

1. Understand the threats and your options to secure your enterprise

It was a 2007 summer evening at the Oberoi Hotel in Bangalore; we were discussing some enterprise architecture gaps for a very large organization. The CISO finally pushed all the technology people out, saying briefly that he was not convinced their solutions addressed the real threats to organizations clearly or succinctly. I was sort of appalled, but now I understand the lack of a clear articulation of the threat that all of us are working to defend an enterprise and its architecture against. This has made me take many walks on the beach to think, so I can bring together a crisp, cogent and clear definition of threats and our response to those threats.

First the threats. No matter how many security threat classification models I read (MITRE's Common Attack Pattern Enumeration and Classification, CAPEC; the SANS Top 10 security threats), I can summarize all the threats in the cyber realm as belonging to three categories, just three! They boil down to:
  • Service Interruption (& Service Degradation) is an attack aimed at disabling your ability to do your mission. This includes service degradation to the extent that the degradation impacts the acceptable service level. Examples are denial of service, degradation of service or interruption of your service.
  • Stealing (& Manipulation) is a big category that captures the ability to steal your property: information, intellectual property, proprietary information or competitive information. This also includes manipulation to the extent that some value has been taken away from you. Examples could be stealing your customer information, your own assets or your intellectual property, or tampering with election votes to change the outcome.
  • Shame (& Confusion) is designed to destroy your reputation and bring dishonor to your brand or your mission. This also includes confusion designed simply to bring chaos into your mission, either to make you look vulnerable or to bring dishonor to your image. Examples are defacement of websites, destruction of publicly available information about your organization, public publishing of highly sensitive data, and causing your employees to lose confidence in your operations.
It is evident that the biggest threat in today's connected economy for most organizations is in the Stealing category. Most of the headline-making breaches you hear of seem to belong to this category. Shame and Service Interruption are sometimes the last resort; however, service interruption has been used many times to extort money as well.

Let's now look at the three types of capabilities in the hands of a C-level executive who wants to secure the enterprise, assuming the required initial preparation has been done.
  • Protect is the ability to prevent incidents from occurring and to protect the enterprise assets. Examples are network firewalls, application gateways and intrusion prevention systems.
  • Detect is the ability to detect anomalous behavior and respond to threats to the enterprise. Examples are intrusion detection, log management and security information management systems.
  • Respond is the ability to respond to an incident or security exception. Examples are incident management systems, ISP outreach and incident response systems.
(Note these can be seen as analogous to the NIST CSF Core functions IDENTIFY-PROTECT-DETECT-RESPOND-RECOVER.)

In this model I have paid less attention to the "Prepare" category, which includes things like secure coding practice, vulnerability scanning and penetration testing, in order to focus mostly on the central operational portion of the C-level information security executive's role. There are other, softer resources used by the enterprise, like training, human resources review, employee orientation and employee termination programs, which are also given less focus here as I look at technology-based efforts. These can also be added as proactive elements in this model for an enterprise where such resources are considered critical (for example intelligence agencies or a private detective agency).
This type of simple model and matrix can be very effective for a C-level executive analyzing the right threats to respond to and the right capability that should be his strategic focus. Some examples of capabilities, services and products that address specific threats are shown in the above matrix, taken from a fictitious organization, say "Acme Inc." Note that each of these same capabilities can be used in a different way in your specific environment. The model needs to be built or adjusted with your specific organization's use of capabilities and services. For example, your organization may use "Malware Protection" to do only detection, more like a "Malware Sandbox"; in this model "Acme Inc." uses a malware sandbox to actively detect and block binaries that are seen crossing their enterprise border (thus labeled "Inline Malware blocking").

The matrix can also help you analyze and decide whether you actually need a particular type of capability for a new or specific threat. For example, you may decide there is no value in investing in technical solutions against service interruption for your organization; you can manage with "Respond" actions through SLA contracts, ISP coordination, and limiting the critical services your organization must manage fully internally. As another example, for a different organization the best option to prevent stealing may be to put good detection in place, because the organization runs an "Open Data" platform to enable vast amounts of data sharing. It is perhaps cost-prohibitive to protect such a large amount of data; limiting the data so it contains no private elements and putting "Detect" capability in place to find abuse or misuse may be more valuable than any "Protect" actions. As a final example, you may want to be highly conservative and invest heavily in "Protect" because most of your assets are information assets and they are core to the existence of your organization. You could put a number of controls in place, which may be inconvenient, and then set the expectation for your employees that "Protect"-ing this data is a high priority for you. The employees are to work with the inconvenience of multi-factor authentication, proper system management and highly audited systems. Once this is in place you could reduce the investment needed for "Detect" capability and put your efforts where they belong.

2. Estimate the inequalities in protecting your enterprise

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. .... If you know neither the enemy nor yourself, you will succumb in every battle.”
― Sun Tzu, The Art of War

I am proposing here a way to model your capabilities against threats so you can pick the right combination of investment, using a "system of inequalities"-like model. Systems of inequalities are used in many areas of business and should not be anything new to C-level executives and business professionals (your dreaded MBA class!). Needless to say, there is a large inequality between you and the threats from hackers; however, both you and your enemy (the hackers) have finite budgets. If you pick the right combination strategically for your security investments, you can reduce distraction and wastage of resources as you try to respond to cyber-borne threats to your organization.



These numbers are taken from a practical example where I took the amount of investment spent by an organization protecting about 1000 or fewer employees, using a number of security products for the three capabilities outlined above: "Protect", "Detect" and "Respond". For simplicity, I have assumed the cost for OPEX (Operating Expenditure) is equivalent to CAPEX (Capital Expenditure) for each of these categories. Now I can overlay that with the resources employed by the hackers who pose those threats to your organization. The costing model used has the hacker renting dynamic IPs, compromised machines or cheap virtual machines hourly from providers like Linode, DigitalOcean, Amazon etc. for their attacks. The complexity equation for incidents is pretty much: add 50 for each non-automated step in the chain of attacks (e.g., send a phishing email and wait) and a factor of 100 where manual steps in the attack are needed (e.g., targeted travel-alert phishing to specific people). It is a very simple model that can be extended with much more complex formulae and metadata. As mentioned earlier, the numbers are all from a fictitious organization, "Acme Inc.", with about 1000 employees working with their security budget.

3. Invest in your best strategic options and be agile to address tactical changes

If you have done inequalities before you should be able to observe the "non-intersection" areas in the above graph. These are of interest as they represent areas where you may be spending resources (money, projects, people, process) but the attacker is spending less and is in some ways not engaged in battle with you. You could choose to drop the "Protect" budget, accept the risk, and focus on "Respond" or "Detect" methods, which are less expensive and more focussed on recovery from possible attacks. This view of the problem space can help you explore options in your control to better spend your security investment. You surely don't want to drop "Protect" to the point where you are giving the attacker an easy win and a path into the organization.
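To make the threat-versus-capability matrix of section 1 and the cost inequality of sections 2 and 3 concrete, here is an added Python sketch (not the article's own spreadsheet or data) that prices constructed attack chains with the article's rule (rental cost, plus 50 per unattended step, times 100 where manual steps are needed) against constructed CAPEX per matrix cell, and lists the cells where the defender outspends the cheapest attack on that threat by a large ratio. The 100x threshold, the once-only application of the factor 100, and every dollar figure are assumptions.

```python
# Toy version of the article's threat x capability cost-inequality model (added example; all numbers constructed).
from dataclasses import dataclass

@dataclass(frozen=True)
class AttackChain:
    threat: str
    hourly_rate: float     # rented VM / compromised host, dollars per hour
    hours: float
    unattended_steps: int  # e.g. send phishing mail and wait (+50 each)
    manual_steps: int      # e.g. hand-crafted lure for specific people (x100)

def attacker_cost(chain: AttackChain) -> float:
    """Article's rule: rental cost, +50 per unattended step, times 100 if any
    manual step is needed (assumption: the factor is applied once)."""
    cost = chain.hourly_rate * chain.hours + 50 * chain.unattended_steps
    return cost * 100 if chain.manual_steps else cost

def defender_cost(capex: float) -> float:
    """Article's simplification: OPEX is taken as equal to CAPEX."""
    return 2 * capex

def cheapest_attack(chains, threat: str) -> float:
    return min(attacker_cost(c) for c in chains if c.threat == threat)

def over_invested(spend, chains, ratio: float = 100.0):
    """(threat, capability, gap) cells where defender cost exceeds the cheapest
    attack on that threat by more than `ratio`: the 'non-intersection' areas
    to review, most lopsided first."""
    cells = []
    for (threat, capability), capex in spend.items():
        gap = defender_cost(capex) / cheapest_attack(chains, threat)
        if gap > ratio:
            cells.append((threat, capability, round(gap, 1)))
    return sorted(cells, key=lambda c: -c[2])

# Constructed CAPEX per matrix cell for a hypothetical "Acme Inc.", in dollars.
ACME_SPEND = {
    ("Service Interruption", "Protect"): 80_000, ("Service Interruption", "Detect"): 15_000,
    ("Service Interruption", "Respond"): 10_000,
    ("Stealing", "Protect"): 120_000, ("Stealing", "Detect"): 60_000,
    ("Stealing", "Respond"): 2_500,
    ("Shame", "Protect"): 10_000, ("Shame", "Detect"): 2_000, ("Shame", "Respond"): 8_000,
}
# Constructed attack chains priced with the article's rule.
ACME_CHAINS = [
    AttackChain("Service Interruption", 0.25, 40, 0, 0),  # rented hosts only: 10
    AttackChain("Stealing", 0.25, 200, 2, 0),             # bulk phishing: 150
    AttackChain("Stealing", 0.25, 200, 1, 1),             # targeted lure: 10000
    AttackChain("Shame", 0.25, 16, 1, 0),                 # defacement attempt: 54
]
```

With these figures, `over_invested(ACME_SPEND, ACME_CHAINS)` reports the "Service Interruption"/"Protect" cell first (a 16000x gap) and leaves out "Stealing"/"Respond" and "Shame"/"Detect", the two cells where the defender's spend is within 100x of the cheapest attack.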

The organization I represent with simulated data in the graph above is surely focussed on "Protect" and on reducing its cyber attack surface. This has a few problems, as it is likely to cause more inconvenience for its users and be more expensive for running the business. However, the risk taken by such an organization is lower and shows a more conservative approach. It is also important to note that if any organization drops its "Protect" budget without compensating with "Detect" and "Respond" funding, it is likely to suffer damaging incidents and more expenses later on.

Conclusion

Today much of a business's day-to-day operations depends heavily on software and the internet. This poses a great opportunity but also a challenge in securing such "soft" environments. The cyber adversary is international and is continually adapting. The key takeaways from this article are:
  • Threats posed by the adversary should be viewed at the level of highest business or service impact, to better align your organization's security resources.
  • Each organization should understand and model the information security capabilities available to it so it can clearly identify those capabilities.
  • A large cost inequality exists between the adversary's ability to achieve their purposes and your organization's ability to keep itself safe. Unless we invest wisely we will always be extending budget without reducing incidents.
Remember, strategy is all about enabling decision making and bringing cohesion to an enterprise (Note: in this article I am very focused on the C-levels for investment decisions). A proper information security strategy can become a guiding principle to drive many tactical decisions (projects, capabilities, investments and sometimes even best-fit products). Strategy can provide this modular framework, driving decisions and bringing a better return on investment for your organization's security budgets.


