Friday, December 14, 2018

DO YOU HAVE A CYBERSECURITY STRATEGY?

Author:  Sean Connors, Palm Harbor, Florida                  


Your Cybersecurity Strategy (CS) is your company's battle plan: a strategic approach to your
Cybersecurity defenses.  A CS identifies vulnerabilities and documents the maturity of your
capability, providing a compliance defense.

INTRODUCTION
We will explain why many companies do not have a strategic approach, even though they do effectively use
a number of cybersecurity defenses, just not within a formal capability maturity model (CMM).
The CMM formalizes documenting, identifying gaps and improving capability as part of a
Cybersecurity Strategy.

We will share with you how you can learn and implement a Cybersecurity Strategy, at no cost to you.

MARKETING PRACTICES DON'T PROMOTE A CYBERSECURITY STRATEGY, JUST SINGLE SOURCE.

With over 2,000 Cybersecurity Defense providers spending billions on marketing,
C-level executives are swimming in a sea of Cybersecurity solutions and under extreme compliance
pressure. The Cybersecurity industry has reached an advanced stage of maturity, and notably
companies have spent good money on an array of Cybersecurity defenses ranging from
virus scanning, network switches and firewalls to sophisticated forensics engines, as well as employee
Cybersecurity awareness training.
Overzealous marketing and claims of a sole source solution have resulted in companies not having
an overall strategy of risk management. If an event or incident occurs they are exposed to
regulatory compliance, the defense provider who was supposed to protect them bears no
liability, and generally they do not have a mitigation plan.
So why do you still feel exposed, especially to regulatory
compliance fines and mitigation? Why are you left bearing full responsibility when one or more of the
defenses fail and the Cybersecurity Defense providers (CDPs) do not stand by their claims?
There are a variety of different types of professionals in the Cybersecurity industry that help you
navigate various areas (this list excludes your own employees):
• Compliance auditors delivering legal counsel and mitigation
• Insurance industry auditors doing vulnerability evaluations
• Regulatory compliance auditors delivering reports on compliance standards and
  frameworks like NIST or SOC2
• CDP professionals marketing their products and services
• Defense developers for CDPs
• Cybersecurity solutions channel partners sourcing best-of-class CDPs for their clients
• Compliance audit developers
• Architects editing frameworks for compliance and standards like NIST and OASIS
All these professionals may help you defend your company against attack(s), but ultimately they are
motivated to sell their products and services.

CHANGED LANDSCAPE
Companies have moved from IT network administration personnel to hiring CISOs or outsourced
Cybersecurity experts.  As more and more defense solutions evolved, the roles of these people became
managing the implementation, maintenance, monitoring, and policies and procedures of these defenses
rather than monitoring logs and running vulnerability scanning tasks.  Also, as compliance became more defined and
regulated, the task of doing audits for PCI, NIST and many others became a priority, made worse by
the C-level liability for non-compliance.
Now the CISO's main tasks are to manage tools from CDPs and to make sourcing choices for
their defenses.

QUESTIONS RAISED

This brings up a number of questions for you, the C-level executive:
• Why do you still feel exposed, especially to regulatory compliance fines and mitigation?
• Why are you left bearing full responsibility when one or more of the defenses fail?
• How do you require defense providers (vendors) to stand by their claims and products?
• How do you find unbiased (product agnostic) help to manage risk?
• How can you leverage CDPs to reduce the cost of needing many highly skilled
  employees, while improving your defenses?
• How do you choose the best-fit CDPs for your Cybersecurity Strategy?


WHAT ARE THE DELIVERABLES?

Through the Situ (situational awareness study), the first step of the CS, C-level executives identify their defenses.
The Situ is unbiased (product agnostic) toward any defense.  This is important because it lets them discover what has
already been done, how it fits into their company’s strategy, and the gaps that need to be addressed. 

The main benefit is educating the C-level executive on these issues and doing these tasks:

  1. Understanding that a CS is, in its entirety, achieved using a number of defenses from CDPs
  2. Adoption of a Cybersecurity Strategy, which includes the Situational awareness study (“Situ”)
  3. Measurement using the Cybersecurity Strategy 5 Layout Capability Maturity Model (“CS5LCMM”)
  4. The Capability Maturity Model (“CMM”), a widely used model to measure and improve Capability as well as Vulnerabilities, Compliance and Risk Management; these are the functions, procedures or tasks that a company has to perform to at least be able to say that it is capable in its cybersecurity defense
  5. Education on the scope of the problem: the defenses are finite and have been laid out into the 5 layouts shown on the CS5LCMM wheel (figure not reproduced here)
  6. C-Levels have already done a lot of work in terms of selecting CDPs and defenses in
     these layouts, and the Cybersecurity Influencer measures that based on the implementation,
     management, and policies and procedures of each defense
  7. After measurement, the Vulnerabilities task and the rest of the Cybersecurity
     Strategy wheel are addressed, including gaps in CDPs


The Cybersecurity Strategy that Cybersecurity Influencers provide will follow these steps:
  1. Situational awareness
  2. Data gathering
  3. Measurement
  4. Vulnerabilities
  5. Compliance and Risk management

MEASUREMENT IN THE CYBERSECURITY STRATEGY


Measurement of Cybersecurity defenses is the key to understanding, and the building
block for achieving, a strategy for a company. It includes measuring capability in each area
or layout, considering the following for each:

  • Installation and configuration
  • Maintenance and management
  • Policies and procedures

CDPs AND YOUR LAYOUT ASSIGNMENT  (Remember, in CS5LCMM the L is for Layout.)
The logos are all Cybersecurity Defense Providers (CDPs), laid out next to their defense sector.
For example, QRadar is a Forensics SIEM, so it is placed next to Layout 5 - Forensics.
The system has assigned your Layout (you pick it on your profile). Once you are at the stage where you are
improving your capability by filling in gaps or replacing CDPs with better ones, like yours,
you will assign your product to that Layout.




Monday, February 1, 2016

CS5L CMM standards and defense metric build



CSP build: Defense metric build through OASIS

  • Defenses (may span more than 1 layout)
  • Defense Sectors
    • Installation and configuration
    • Maintenance and management
    • Policies and procedures



Base defense metric: CS5L standard defense metric

  • NIST standard - Top level 
  • ISO27K standard - Maps to defenses
  • Defense metric - Inherits above


add VAA metric: specific to VAA Value Added Auditor

add industry metric: industry - compliance metric

  • Legal - client dependent
  • Investors - client dependent
  • Distribution - PCI
  • Manufacturing - SCADA
  • Retail outlets - PCI and HIPAA (if pharmacy)
  • Internet companies
  • Financial - PCI
  • Insurance - PCI
  • Healthcare - HIPAA
  • Utility power - SCADA
  • Telecommunications - PCI

Each industry inherits compliance metric

add client metric: risk and compliance specific added by VAA

Weighted: all metric builds are weighted by risk exposure
 

Thursday, January 14, 2016

CS5L CMM Cyber-ID and Score



Cyber-ID

The Cyber-ID is issued much the same as a Federal ID, except that it is separated from the Company information and never exposed.  The Cyber-ID is used to track the company's CMM (Capability Maturity Model).

Score

The Score is derived from the CMM.  It is a five digit number representing the weighted score for each Layout, e.g.:   2 4 3 4 2

Wednesday, May 27, 2015

Cybersecurity Strategy 5 layout capability maturity model (CS5L CMM)

Historical background
In the Information Technology (IT) industry, the '''evolution of the Capability Maturity Model (CMM)''' began with capability modeling for software development. The security component was limited to elements for the development of software applications. With the advent of many cybersecurity solutions providers (CSPs) providing defenses, including those that built cybersecurity solutions into their products, like CISCO networks, and others that were solely CSPs, the model became outdated.  It failed to include the elements outside of the application; it reflected just one part of Application Security (AppSec).

In the energy industry a cybersecurity capability maturity model was developed, named C2M2. It has been progressive in addressing measurement specific to SCADA compliance, but also did not include all elements or areas of cybersecurity.

Cybersecurity solution providers, or vendors, gravitated to solutions that were specific to their areas of expertise or market share. Initially there was a lot of emphasis on an all-inclusive solution using technology; only in the last 5 years, leading up to 2015, did this change to incorporate social engineering, the human behavior element. This was because of the trend of successful cyber attacks that began with user behavior and could not be controlled with a technical solution. The big omission: cyber security awareness training.

Defenses
As the insurance industry began servicing companies with cybersecurity insurance, it became apparent that there was a lack of data on 'incidents', unlike for example hurricanes or wildfires.
There has been an attempt to measure capability on network incidents, that is, attack attempts on IP addresses and even more sophisticated traffic analysis. This however renders useless results, as the noise signature on any company at the time of an attack has no correlation to the likelihood that a breach may occur.  Thus capability has to be measured using defenses, that is, the defenses from CSPs at a company.


A strategic approach
In collaboration with many companies, associations and government, a strategic approach was developed to include the elements or areas in 5 layouts. The layouts included Training. The 5 layout strategy was adopted and became part of many initiatives in organizing cybersecurity measurement in state government and private industry. The approach is to have a strategic defense, hence a cybersecurity strategy. This is much like a military defense strategy, where assets (air force, tanks, infantry) are used strategically to develop a tactical plan. Breaking the strategy out into 5 areas or Layouts also simplifies the analytic phase of the resulting data collected, and the data acquisition process in the CMM. This allows easier identification of responsible parties in an organization and of the areas that cybersecurity solutions providers are focused on, and gives a simplified view for management, while inherently providing a clear understanding that '''a cybersecurity strategy is an executive responsibility''' reaching across the organization (including training) and encompassing computer systems, hardware, software, people, policies and procedures. This helps negate "ask my IT guy about compliance" and the "white horse cybersecurity solution".

Measurement
This modeling evolved to address the layouts and encompass all vendors providing cybersecurity solutions, and thereby provide a model that is useful at an executive level '''to measure and manage''' not only its own enterprise but also those it does business with and allows access to its systems.

Hence we arrive at a Cybersecurity 5 Layout Capability Maturity Model: CS5L CMM.

Side Note: The Cybersecurity Strategy 5 layout capability maturity model (CS5L CMM) now inherits the yet to be published Energy sector CYBERSECURITY CAPABILITY MATURITY MODEL (C2M2).

Cybersecurity Strategy 5 Layout Capability Maturity Model
The Cybersecurity Strategy is used to manage and measure all the aspects of IT security by grouping security functionality into 5 areas, or layouts, of defense. A strategic approach identifies the 5 layouts and adopts a Cybersecurity Strategy 5 Layout Capability Maturity Model (CS5L CMM). The CS5L CMM model has a tool, also called CS5L CMM, which is an open source web application used to collect data and measure. This is part of a "Mature Cybersecurity Strategy".

Cybersecurity Strategy
The Cyber Security Strategy is a framework to determine gaps and to measure using the 5 Layout approach (CS5L), which results in a standard measurement from which a tactical plan can be developed. In military terms, the strategy is how we plan our defenses.

The tactical plan is how we implement and perform it. In practice, companies have various vendors that provide security, most of which participate in providing data, have system interfaces and are able to supply iterative answers for their layout of defense, sometimes spanning more than one area or layout.

The five layouts cover the general areas known at this time, and the strategy model formalizes measurement of each and facilitates a road map to improve by using capability maturity modeling (CMM). This way we identify security risks, address them, and have a plan to improve going forward, whilst maintaining a record of such.

We show how the CS5L CMM measurement fits into a complete 'mature' defense. A 'mature' cyber security defense includes a cycle of processes before and after the data gathering (CS5L) and measurement (CMM): before, a situation awareness study (largely a self study), and after, vulnerability and compliance mapping and risk management. The CS5L CMM framework is developing quickly into a measurement standard; this is the groundwork of the complete cycle. CS5L: the Cybersecurity Strategy 5 layouts are the strategic asset areas (devices, people, policies and procedures) in the strategy model. CMM: a Capability Maturity Model, which formalizes and standardizes measurement of each layout and facilitates a road map to improve capability.

Mature cybersecurity defense
The CS5L CMM is part of a bigger process we call a Mature cybersecurity defense.

A mature cybersecurity defense is called mature because it implies that all the processes are addressed. The CS5L CMM is used in two of the processes: to collect data and to measure.

The processes are as follows, and are a continuous cycle:
 * A situation awareness self study,
 * Data gathering (a checklist of questions and answers and data inputs on users, devices etc.) - CS5L,
 * Measurement using a Capability Maturity Model - CMM,
 * Vulnerability mapping,
 * Regulatory compliance check and planning,
 * Risk planning and risk management including incident mitigation.


Cybersecurity 5 layout
The strategy areas, or layouts, help organize an all-encompassing approach and lend themselves to separating the data into manageable segments for measurement. This allows drill down of the measurement results in the analysis phase.

Measurement results in identifying security risks, addressing them, and devising a plan to manage and improve going forward.

The five layouts are:

1. AppSec - Application Security

2. Networks - Networks, firewall hardware and devices, Bring Your Own Device (BYOD), network encryption, multi-locations, ...

3. Security Awareness - Administration, policies and procedures, cyber security training, employee training, application developer security training, ...

4. Internal defense - Anti-virus, data encryption, backup and recovery, version control, ...

5. Forensics - Denial of service attacks, breach attempts, ...




Measurement
Capability is measured for each of the 5 layouts using the levels of the Capability Maturity Model (CMM).

GRADE A. '''Self optimizing'''
At the optimizing level, processes are constantly being improved through monitoring feedback from current processes and introducing innovative processes to better serve the organization's particular needs. At the self optimizing level, the organization has the processes in place not only to manage, but also to replicate and educate the process, so as to have an ongoing maturing capability as the organization changes, people come and go, and the processes change.

GRADE B. '''Managed'''
At the managed level, an organization monitors and controls its own processes through data collection and analysis.

GRADE C. '''Defined and Measured'''
At the defined and measured level, an organization has developed its own standard process through greater attention to documentation, standardization, and integration.

GRADE D. '''Repeatable'''
At the repeatable level, basic project management techniques are established, and successes can be repeated, because the requisite processes have been established, defined, and documented.

GRADE E. '''Initial'''
At the initial level, processes are disorganized, even chaotic. Success is likely to depend on individual efforts, and is not considered to be repeatable, because processes are not sufficiently defined and documented to allow them to be replicated.


Data Collection
Using the Cyber Security Strategy CS5L CMM system, two steps are performed to collect data for each layout:

1. a survey of questions directed to the responsible person in the organization is performed, and
2. where applicable, data is drawn in and applied dynamically to the CMM.

Capability for each question is rated against the CMM levels using
         ... 'As is' (where you are now) and
         ... 'To be' (where you need to be) as the choice of levels. The difference between where you are today and where you need to be establishes the 'gaps', which enables us to identify and focus on maturing your capability.

Hence we call this Capability Maturity Modeling. An example of how a question is presented:

In step 2, where data is drawn in dynamically (an example would be each user's completed training courses), the data is applied to the CMM by the system using some preset rules; for instance, if the user has completed a given set of courses, the user is mapped to a CMM level, say, Managed. Dynamic links are set up in co-operation with each cybersecurity vendor. Questions are created in co-operation with each cybersecurity vendor. Questions are assigned to a responsible person in the organization to provide answers, all communicated using emails.
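The two data-collection steps above, worked through in code: survey answers carry an 'As is' and a 'To be' grade per question, the dynamic rule maps completed training courses to a grade, and the results roll up into the five-digit layout score and a gap list. This is an added illustration, not the CS5L CMM tool's own code; the question set, weights, course names and the E=1..A=5 numeric mapping are assumptions.

```python
"""CS5L CMM scoring: 'As is'/'To be' answers per layout, weighted five-digit
score and gap list. Added illustration, not the CS5L CMM tool's own code;
the question set, weights, course rules and numeric mapping are assumptions."""
from dataclasses import dataclass

GRADES = {"E": 1, "D": 2, "C": 3, "B": 4, "A": 5}  # page's grades; E=1..A=5 assumed
LAYOUTS = ["AppSec", "Networks", "Security Awareness", "Internal defense", "Forensics"]

@dataclass
class Answer:
    layout: str
    question: str
    as_is: str            # grade letter: where the organisation is today
    to_be: str            # grade letter: where it needs to be
    weight: float = 1.0   # risk-exposure weight (page: metrics weighted by risk)

def gap(a: Answer) -> int:
    """Maturity levels still to gain; 0 or negative means the target is met."""
    return GRADES[a.to_be] - GRADES[a.as_is]

def layout_score(answers, layout) -> int:
    """Weighted mean 'As is' level for one layout, rounded to one digit 1-5."""
    rel = [a for a in answers if a.layout == layout]
    if not rel:
        return 0  # nothing collected for this layout yet
    mean = sum(GRADES[a.as_is] * a.weight for a in rel) / sum(a.weight for a in rel)
    return max(1, min(5, round(mean)))

def cs5l_score(answers) -> str:
    """Five-digit score, one digit per layout, in the page's '2 4 3 4 2' form."""
    return " ".join(str(layout_score(answers, lay)) for lay in LAYOUTS)

def gaps(answers):
    """Questions whose 'To be' exceeds 'As is', largest weighted gap first."""
    open_gaps = [(a, gap(a)) for a in answers if gap(a) > 0]
    return sorted(open_gaps, key=lambda t: t[1] * t[0].weight, reverse=True)

# Step 2 (dynamic data): preset rules map completed courses to a grade.
# Course names and the rule table are constructed for this example.
COURSE_RULES = [
    ({"phishing-101", "password-hygiene", "incident-reporting", "secure-dev"}, "B"),
    ({"phishing-101", "password-hygiene", "incident-reporting"}, "C"),
    ({"phishing-101"}, "D"),
]

def training_level(completed: set) -> str:
    """First rule whose course set is fully completed wins; otherwise Initial."""
    for required, grade in COURSE_RULES:
        if required <= completed:
            return grade
    return "E"

# Constructed sample survey, one or two answers per layout.
SAMPLE_ANSWERS = [
    Answer("AppSec", "Code review before release?", "D", "B"),
    Answer("AppSec", "Dependency scanning in CI?", "C", "C", weight=2.0),
    Answer("Networks", "Firewall rule change control?", "B", "A"),
    Answer("Security Awareness", "Staff training completion",
           training_level({"phishing-101", "password-hygiene", "incident-reporting"}), "B"),
    Answer("Internal defense", "Backups tested for restore?", "B", "B"),
    Answer("Forensics", "SIEM retention and alert review?", "D", "C", weight=1.5),
]

if __name__ == "__main__":
    print("Score:", cs5l_score(SAMPLE_ANSWERS), "| open gaps:", len(gaps(SAMPLE_ANSWERS)))
```

Running it prints the sample score "3 4 3 4 2" and lists four open gaps, with the heavier-weighted Forensics gap ranked above the single-level Networks and Awareness gaps.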

CS5L CMM system
The CS5L CMM system is an open web SaaS system which delivers measurement data to an MS SQL Database, which is then available free of charge to report on the measured data. There are two parts: data collection (CS5L) and measurement (CMM).

Data is collected on policies, procedures, devices, users and each employee's training maturity, in each area or layout, by questions and answers and by input feeds from various vendors (a feed sometimes crosses two or more layouts). As part of the CS5L, data is collected in these main ways:
     1. In a survey method, using emails, questions and CMM answers (CMM levels are selected) sent to the responsible person for a layout or part thereof.
        Questions that are specific to a vendor are surveyed and added to the database of questions in the system. These are then in turn sent out to the person responsible for the management of that security vendor's product.
     2. Data inputs are configured specifically for the security vendor and inserted into the database for later dynamic CMM level assignment, which is specifically configurable. As part of the CMM, the data is applied and analysed.

The CMM records data throughout its maturity, assists in drill downs to easily identify deficits, and retains and reports the CMM data.

Notes
* The intent of the Cybersecurity Strategy Capability Maturity Model framework is to adopt a measurement standard of an all inclusive cybersecurity defense, which includes gathering performance data via questions and data links to security vendors for the measurement of PEOPLE (Training), PROCEDURES, HARDWARE, SOFTWARE, DATA and ACCESS.
* According to Gartner, CISOs must own the following six security processes and ensure that they are defined and executed reliably: Security Governance, Policy Management, Awareness and Education, Identity and Access Management, Vulnerability Management, Incident Response.
* CISOs must ensure that the following four processes are defined and executed reliably, regardless of ownership: Change Management; Business Continuity Management and Disaster Recovery Management; Project Life Cycle Management; Vendor Management.
* These processes are accounted for in the cybersecurity strategy measurement framework.
* Advancing the CMM by adding levels, an argument by the Software Engineering Institute (see references): The current version of the CERT® Resilience Management Model (CERT-RMM v1.2) utilizes the maturity architecture (levels and descriptions) as provided in the Capability Maturity Model Integration (CMMI) constellation models to ensure consistency with CMMI. The spacing between maturity levels often causes CERT-RMM practitioners some difficulty. To address some of these issues, the CERT Division of Carnegie Mellon University’s Software Engineering Institute did a comprehensive review of the existing specific and generic goals and practices in CERT-RMM to determine if a better scale could be developed to help users of the model show incremental improvement in maturity without breaking the original intent of the CMMI maturity levels. This technical note presents the results: the maturity indicator level scale, or CERT-RMM MIL scale.