isaca grc-cyber call for papers abstract v.3.0

A view on Cyber Security. Speech proposed to ISACA Ireland on Governance Risk and Compliance: Cyber Defense Strategy - Situational Awareness - GRC

Upload: fabrizio-cilli

Post on 15-Aug-2015


TRANSCRIPT

Page 1: ISACA GRC-CYBER CALL FOR PAPERS ABSTRACT v.3.0

A view on Cyber Security

Speech proposed to ISACA Ireland on

Governance Risk and Compliance

Cyber Defense Strategy - Situational Awareness - GRC

Page 2: Intro

Shifting viewpoint from the Enterprise IT business operations space to a new domain we call “Cyber Territory”, which takes in IoT and Cloud, we find it inevitable to adopt a layered and holistic approach to:

- Security Management,
- Risk Containment,
- Threat Response,
- Crisis Management.

Page 3: CIA to the BIT

Confidentiality, Integrity and Availability, as attributes of the “Basic unIT of information”, are applied to each information set we map and consider of value for the uses it is put to.

Access to, and use of, that information is the key element for the future of “business” in a truly transforming landscape.

Page 4: Information Builds Bridges ( LITERALLY )

The enormous attention we give to Industrial Control Systems today is a hint of what we can expect in the near future:

the information that controls industrial processes, and that assures and grows wealth, becoming more valuable than the product or asset itself.

Page 5: Creative Power

How does the information surpass the intrinsic value of the product of its processing?

By having, in a controlled (automated) environment, creative (and equally destructive) power.

The information piece of IoT and Industrial Control Networks is the item (BIT) to which Confidentiality, Integrity and Availability have to be attentively applied.

Page 6: Information as Capital

Alienation of data items (their loss, or their transfer out of the owner's control) in an industrial control system, in a data-centric enterprise environment or in IoT means disruption of creative processes.

The same applies to wealth management and banking environments.

For this specific reason the “information capital”, meaning the data set serving these specific purposes, has to be:

Known, Valued, Managed, Protected, Disposed.

Page 7: Layered

In the introductory slide of this document a “layered approach” was mentioned as a key element of a sound Information and Cyber Security practice.

To explain further, there are two dimensions we can easily mind-map to develop the concept:

- Edge-to-Core, when considering the path from the perimeter to the core networks;
- Logical-to-Physical, when considering the network traffic layers top-down, from the application layer down to physical transmission.

Page 8: Edge to Core

This is where attack vector analysis applies.

Page 9: Logical to Physical

This is where Deep Packet Inspection (DPI) and real-time analytics apply.

Page 10: Holistic

Drawing on established GRC and “Active Defense” Information Security practice, we tend to consider, as ways to protect the Information Assets:

- Sound Governance of business processes;
- Extensive Risk management practice;
- Compliance with regulatory frameworks;
- Tools and Processes protecting our assets;
- Effective Incident Response procedures.

There is nothing inefficient in this list, provided its elements blend.

Page 11: Layered Holistic

Translating the Layered and Holistic objectives into practice is easily done by borrowing the concept of Situational Awareness.

Applied to the perimeter defences, it means combining proper edge and core security tools.

Applied to the communication layers, it has to be reconciled with the capability of monitoring physical data transmission and its transformation by applications and by user access.

Page 12: Information Protection

To properly build up an elevated cyber security posture, the two aspects of:

1) protection of the perimeter and of data egress points,
2) deep-to-surface data analytics,

… shall blend together, aiming for a timely and proactive …

… Situational Awareness.

Page 13: VM – RM – TM – CM

Across “Governance, Risk and Compliance”, the concept of Awareness is partly technological and partly procedural.

It means blending system and network state changes with the capability to govern them (Vulnerability), having a sound scoring system to track risk and its impact on the business (Risk), and having real-time evidence of events (Threats).

It then means linking these feeds to facilitate and improve incident response capability (Countermeasures).

… all in a world where M stands for Management …

Page 14: The Emmenthal Effect ( IN SECURITY PROGRAMS STRATEGY )

The underestimated gap in GRC programs, concerning data (the information item, or BIT), its value, its container, the transformation it is subject to and the desired outcome of that transformation, is that protection is applied to it in segregated forms.

This goal is missed even by Defense-in-Depth when it is left to mutually unrelated technical capabilities:

- physical-to-logical data monitoring;
- deep inspection and application protocol analysis.

Page 15: “Trailing” Persistent Threats

I essentially want to draw the auditor's attention to the lessons learned from the latest advanced, or low-and-slow, cyber attack techniques that have succeeded:

- Weak application protocols, even where encrypted;
- Flaws in core operating system kernels and modules;
- Holes in (managed) network element firmware;

opening doors to … Advanced Persistent Threats.

That is where I would like to point at the “age” of these flaws, often present by design and unnoticed for decades.

Page 16: Candy and Milfoil

No matter how complex a network environment is, it will anyway fall into a 3D (three-dimensional, or more) layered model:

The perimeter is a layered candy.

The communication stack is a milfoil (a thousand-leaved plant).

Page 17: Synergy

To achieve Situational Awareness, the synergy between procedural governance and controls on one side, and visibility across the communication stack when perimeters are crossed on the other, is key.

In industry-specific scenarios, Industrial Control Systems more than Financial Systems, the data stores, data classification and allowed data transformations are well known, which helps these use cases to be implemented more easily.

( easy-to-classify, easy-to-map egress points )

Page 18: Conclusions

Situational Awareness is a live, universal, social and environmental concept. Applied to the Enterprise it is a means to support the body's immune defences and to enable the evolution of its organs and limbs.

Translated into Compliance and Security practice, the outputs of DPI and application protocol analysis, SIEM, GRC and Vulnerability Management shall be systematically joined to achieve:

a brand new level of detection and response capability.
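The feed joining described on the VM – RM – TM – CM slide and restated in the Conclusions, as an added example that is not part of the original deck: a Python script that correlates a constructed asset register (Risk), open vulnerability findings (Vulnerability) and SIEM/DPI alert lines (Threat) into one prioritised countermeasure queue. The asset names, finding ids, log format, field names, scoring weights and playbook actions are all assumptions made for illustration, not data or rules from the deck.

```python
"""Added example (not from the slide deck): joining the Vulnerability (VM),
Risk (RM) and Threat (TM) feeds into one prioritised Countermeasure (CM)
queue. Every feed below is constructed sample data; asset names, finding
ids, field names, scoring weights and playbook actions are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# RM feed: asset register, the "Known, Valued" part of information capital.
# criticality: 1 (low) .. 5 (critical); zone: edge or core (the Edge-to-Core axis).
ASSETS = {
    "plc-line3":  {"criticality": 5, "zone": "core", "classification": "ICS-control"},
    "hist-db01":  {"criticality": 4, "zone": "core", "classification": "ICS-historian"},
    "web-portal": {"criticality": 2, "zone": "edge", "classification": "public"},
}

# VM feed: open findings per asset (placeholder ids). "age_days" carries the
# deck's point that old, by-design flaws are the ones that keep opening doors.
FINDINGS = {
    "plc-line3":  [{"id": "FINDING-A", "cvss": 9.8, "age_days": 1460, "service": "modbus/502"}],
    "hist-db01":  [{"id": "FINDING-B", "cvss": 7.5, "age_days": 30,   "service": "mssql/1433"}],
    "web-portal": [{"id": "FINDING-C", "cvss": 5.3, "age_days": 10,   "service": "https/443"}],
}

# TM feed: SIEM and DPI alerts as constructed log lines: timestamp, sensor, key=value pairs.
EVENTS = """\
2015-08-15T10:00:01Z dpi  src=10.0.5.17 dst=plc-line3 proto=modbus/502 sig=write-coil-from-untrusted-zone
2015-08-15T10:00:09Z siem src=10.0.5.17 dst=hist-db01 proto=mssql/1433 sig=bruteforce-login
2015-08-15T10:01:30Z siem src=10.0.5.17 dst=hist-db01 proto=smb/445 sig=share-enumeration
2015-08-15T10:02:40Z dpi  src=198.51.100.9 dst=web-portal proto=https/443 sig=weak-cipher-negotiated
2015-08-15T10:03:12Z siem src=10.0.5.17 dst=plc-line3 proto=modbus/502 sig=write-coil-from-untrusted-zone
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    sensor: str
    src: str
    dst: str
    proto: str
    sig: str


def parse_events(text: str) -> list[Event]:
    """Parse the key=value alert lines into Event records (blank lines skipped)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, *pairs = line.split()
        kv = dict(p.split("=", 1) for p in pairs)
        events.append(Event(datetime.strptime(ts, TS_FMT), sensor,
                            kv["src"], kv["dst"], kv["proto"], kv["sig"]))
    return events


def score(asset: dict, finding: dict, matching_hits: int) -> float:
    """RM x VM x TM: business criticality times CVSS, multiplied by (1 + live hits
    on the vulnerable service) and by 1.5 when the flaw is over a year old.
    The weights are assumptions; replace them with the organisation's own scale."""
    s = asset["criticality"] * finding["cvss"] * (1 + matching_hits)
    return s * 1.5 if finding["age_days"] > 365 else s


def countermeasure(asset: dict, matching_hits: int) -> str:
    """CM: the response the joined picture justifies (assumed playbook names)."""
    if matching_hits and asset["zone"] == "core":
        return "isolate segment + block source at core firewall; emergency patch"
    if matching_hits:
        return "block source at edge; patch within 7 days"
    return "patch per normal SLA"


def build_queue(events: list[Event], since: str | None = None) -> list[dict]:
    """Join the three feeds into a Countermeasure queue, highest score first.
    `since` (ISO timestamp) limits the Threat feed to the real-time window of interest.
    Only alerts whose protocol matches the vulnerable service count as hits."""
    if since is not None:
        cutoff = datetime.strptime(since, TS_FMT)
        events = [e for e in events if e.ts >= cutoff]
    queue = []
    for name, asset in ASSETS.items():
        for finding in FINDINGS.get(name, []):
            hits = [e for e in events if e.dst == name and e.proto == finding["service"]]
            queue.append({
                "asset": name,
                "finding": finding["id"],
                "hits": len(hits),
                "sources": sorted({e.src for e in hits}),
                "score": round(score(asset, finding, len(hits)), 1),
                "action": countermeasure(asset, len(hits)),
            })
    return sorted(queue, key=lambda q: q["score"], reverse=True)


if __name__ == "__main__":
    for item in build_queue(parse_events(EVENTS)):
        print(f'{item["score"]:7.1f}  {item["asset"]:<11} {item["finding"]:<10} '
              f'hits={item["hits"]} from={",".join(item["sources"]) or "-"}  -> {item["action"]}')
```

Run stand-alone it lists the PLC first: a critical core asset with an old, high-severity flaw and two live DPI hits on exactly the vulnerable service outranks the historian, whose SMB alert is ignored because it does not touch the vulnerable service. Passing `since` narrows the Threat feed to the current window, which is the "real-time evidence" part of the slide; the asset register and the findings stay the same, so the queue reorders on live events alone.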