Just like other areas of information technology, the information security landscape continues to change at a fast pace. The updated CISO MindMap for 2019 covers important changes in the security landscape. In some bright areas, technologies using machine learning (ML) to detect zero-day attacks are getting better, and integration of threat intelligence platforms with security operations is making analysts’ jobs easier. However, a lot more work is needed to avoid misconfiguration of Cloud services.
How many times have people asked you what you really do? Although the answer could be many things depending upon the context of the question and who is asking it, sending a copy of this MindMap could help. I have heard from many professionals that this MindMap is also helpful in explaining the complexity of a CISO’s job.
What is New?
There are some items in the MindMap marked in red. These are either new or modified compared to the 2018 MindMap. Also, take a look at the bottom-right box marked “2019 Focus Areas”, which lists some of the areas of your responsibility that you should pay attention to.
Following are some areas where I would recommend more focus for the remainder of 2019 and for planning next year’s activities:
Minimizing attack surface
Skill development in emerging tech & DevSecOps
Automation of repeatable tasks
Improve SOC analyst productivity
Reduction/consolidation of tools/technologies
Better protection of Cloud services
Comments and Suggestions – Feel free to send your feedback on my Twitter handle @rafeeq_rehman
Using as Poster, Derived Work, or Commercial Use – This is copyrighted material but is made free for non-commercial use as long as the source is properly cited and the MindMap is not altered. Please contact me if you want to use this as a poster for your education and awareness programs or for any educational purposes. Any derived work or commercial use requires written permission of the author.
How do you spot a defeatist attitude? It is actually not difficult. People with this attitude have some very specific characteristics, like:
They will always find a million different ways an initiative can or will fail
When asked for suggestions about anything, a defeatist will start with a list of problems but seldom provide any solution
You will hear a lot of complaints
A defeatist is keen to transfer blame and responsibility to others
Defeatists will hesitate to take ownership of anything
You know you are talking to a defeatist when you hear comments like: “we tried it last year and it did not work”
They are looking for survival, not to accomplish anything
In discussions, they would mention strengths of their competitors and shortcomings/weaknesses of their team.
You will seldom hear much of “we will win” or “we are going to get it done” or “we are a great team, nobody can defeat us” type remarks
It takes real effort to get them excited about new initiatives
This is a self-limiting behavior and toxic for any team, group, or startup that wants to achieve something big or challenge the norm.
You may be surprised that some defeatists are quite vocal about voicing their opinion. Most of them fail to recognize this behavior in themselves and actually think they are helping while doing quite the opposite. This is one of the reasons behind my suggestion: “run away from people with a defeatist attitude”.
If you are building a team or starting a new venture, try to identify this behavior during interviews by asking probing situational questions based on the list above. Remember, experience or skills can’t compensate for attitude.
I am not telling you anything new when I say that an essential part of a CISO’s job is to build a Cybersecurity program, communicate it to stakeholders, and continuously tweak it based upon the continuously changing threat landscape. The job of a CISO is complex, as the CISO MindMap has shown for many years, and it is getting even more complicated. This article describes some tools that will help overcome some of these complexities, build a roadmap, and request funding using a simple business case model.
Whether you are building a brand new Cybersecurity program as part of your new job or want to make some changes to improve an existing one, I have found the following tools very useful. These will help you in identifying areas you need to work on, communicate to stakeholders and request funding by building compelling business cases.
MITRE ATT&CK is a knowledge base of adversary tactics, techniques, and procedures (TTPs). While there are many ways to use ATT&CK, using it to assess your Cyber defense capability is one of the important ones. In the framework, there are twelve main tactics and a number of techniques under each of them. ATT&CK Navigator is a great tool to start assessing your current capability to defend against different types of attacks, find gaps, and adjust your strategy and roadmap accordingly.
Following is a screenshot of ATT&CK Navigator, which you can use for assessment: color code your capabilities, identify gaps, and use the result as a communication tool.
Use of NIST Cybersecurity Framework
NIST Cybersecurity Framework is an outcome of collaboration among government, universities/academia and industry. It provides five functions that help you organize your activities and balance your efforts across all aspects of building an effective cybersecurity program. The functions are listed below:
Identify – Understand what you have; this includes activities such as asset management, governance, and risk assessment.
Protect – Build safeguards and controls to protect what is important to you.
Detect – Implement capabilities to identify security events and incidents.
Respond – When an incident happens, be ready to respond, have appropriate processes, training and tools.
Recover – Ensure resilience of your systems in the face of incidents and build capability to quickly recover from the impact of these incidents.
There are many success stories about how different organizations have used NIST framework and I am sure some of these will be interesting for you.
CISO MindMap as Communication Tool
Over a number of years, I developed the CISO MindMap to describe the complexities of the job that security professionals and leaders have to deal with on a daily basis. Since then, this MindMap has been adopted by many leaders and organizations. SANS adopted it for a training program and published a Leadership poster based upon it.
CISO MindMap is a great tool for communicating security programs and complexities of your job to different stakeholders.
Request Funding with 9 Stage Business Case Model
Justifying investment in Cybersecurity and developing a business case is not always straightforward arithmetic. I have found the 9-stage business case model by Chris Luxford to be one of the best tools. Use it as a single-page business case template and attach it to your funding request. Focus on the cost of doing something vs. the cost of not doing it.
Depending upon where you are in the journey of implementing your security program, your budget may be skewed in a certain direction. However, good advice is to balance it between the following three areas (three Ps):
People – salary and benefits, training & development
Products – purchase tools and technologies
Partners – contract third parties for services that you don’t want to build in-house and that are rarely used
While there are many ways to build and execute a security program and roadmap, I am confident that the above tools are only going to help you continuously improve your Cybersecurity practice and make you successful as a leader.
Many CISOs and Infosec leaders I meet face a continuous challenge: communicating a strategy that is simple and that others can understand and relate to. I have created a simple model for CISOs to explain their strategy on a single page and have found it to be an effective tool. Part of this is based on the NIST Cybersecurity Framework.
The strategy has three parts:
What do I want to achieve?
Where will I invest – both time and money?
How would I do it?
What do I want to achieve?
Communicating your objectives in clear, concise and easy-to-understand manner that others can relate to is key to success of a CISO. Here are three key objectives:
Enable the business to gain a competitive edge, using security as an enabler.
Manage risk to an acceptable level
Communicate continuously using an East/West/North/South model. The East represents other IT teams. The West includes business leaders within your organization. The North refers to executive leadership and the board. The South means that you communicate continuously with your own team.
Where will I invest?
This is both about time and money investments and falls into the following four areas:
People – People are the most important part of any security program; invest in hiring the best, retaining talent, and training security teams on the latest technologies.
Processes – This is about simplifying and optimizing processes to achieve your goals without relying on technology to fix everything. As Bruce Schneier put it: “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology”.
Products – Here you would look at technology, services, consulting from different vendors.
Partners – Spending time and energy in building partnerships with both internal teams and external vendors.
How would I do it?
It is a great idea to pick a framework to communicate how you would achieve your objectives. I like the NIST Cybersecurity Framework, but you can choose a different one based upon your needs. I prefer NIST because many organizations follow it and it fits well into explaining your strategy. With this framework, you talk about business outcomes in the following five areas:
Identify – assets and risk that face your organization, build a governance model
Protect – systems, data, and other digital assets
Detect – threats using a number of methods including but not limited to logs, anomalies, network, threat intelligence and others.
Respond – to incidents quickly and effectively
Recover – business quickly after a security incident
Why name it 3-3-4-5 model?
I named it the 3-3-4-5 model because it has three parts: the first part has 3 components, the second 4 components, and the third 5 components.
Many organizations with mature Cybersecurity programs have implemented controls to safeguard their digital assets. However, controls can give a false sense of security, because the mere existence of a control does not mean that it is (a) adequate and/or (b) effective. Protecting crown jewels requires continuous monitoring and evaluation of controls. Following is a 5-step threat modeling process to improve the resiliency of your program, identify gaps, and close those gaps. The process starts with identifying the digital assets you are most concerned about and their potential attack scenarios, and ends with building a business case to close any identified gaps.
Step 1 – What am I concerned about?
A typical starting point for threat modeling is to identify the digital assets you are most concerned about. A digital asset may take different forms. It could be an overall system crucial for your business, a process, a data store where business-critical data is kept, a specific piece of technology, and so on. The important thing is that you select an asset based upon its criticality to business operations. Some people refer to these critical business assets as “crown jewels”.
Step 2 – What could go wrong?
Once you have a digital asset identified, the next step is to brainstorm about:
Who are the potential threat actors (internal, external, partners, state sponsored, hacktivists, financially motivated, corporate espionage, etc.)?
What attack methods do these threat actors use (hacking, phishing, malware, physical, and others)?
How will these attacks manifest in your detection mechanisms (logs, behavior/anomalies, network traffic, etc.)?
Step 3 – What can protect against the attack?
Here you are going to evaluate all controls in place to prevent and/or detect the attacks. These controls come in different flavors:
Preventive controls that stop something bad from happening (firewalls, endpoint protection, IPS, etc.)
Detective Controls like IDS, SIEM and others
Administrative controls like policies, awareness programs
The important thing is to make sure that controls are (a) adequate and (b) effective. A firewall may be present but not properly configured. Similarly, you may be using encryption but not managing keys properly. These are examples where controls exist but are not effective.
Step 4 – Is protection sufficient?
Based upon the adequacy and effectiveness of existing controls, you can estimate the residual risk of a breach, which may be a sum of multiple risk factors, including but not limited to:
Business interruption risk
Regulatory fines from different government agencies (e.g. Federal Trade Commission and SEC) or industry groups like PCI.
Risk of data loss
Impact to brand value
Step 5: How do I justify cost?
Creating a business case is one of the best ways to justify investment in Cybersecurity. Why do you need funding? It may be for one of the following purposes:
Add a new control because none exists
Improve effectiveness of an existing control
Replace an existing control with a better one
While there are many templates and recommendations for building business cases, one simple way is to focus on the cost of doing it vs. the cost of not doing it. There is a cost either way, and only if the cost of doing it is lower does it make sense to request funding. One template that I like is the 9-stage business case model by Chris Luxford.
How to use this approach?
I use this process in the form of a workshop, three to four hours long. My recommendation is that the exercise be carried out throughout the year, maybe once a month or at least every quarter, selecting a different digital asset each time or picking a different scenario for the same digital asset.
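As an added example (not part of the original post), the following Python script turns the output of Steps 2 and 3 of the workshop into a control-coverage map and an ATT&CK Navigator layer, the same color-coded view the ATT&CK section above recommends. Each attack scenario is mapped to an ATT&CK technique ID, each control is rated for adequacy and effectiveness, and a control that is present but ineffective (MFA deployed but not enforced) scores zero, which is the “false sense of security” case. The technique IDs are real ATT&CK identifiers; the asset, scenarios, controls, ratings and the `versions` values in the layer are constructed assumptions for illustration.

```python
"""Threat-model workshop output -> control coverage scores, gap list and
an ATT&CK Navigator layer. Added example; all data below is constructed."""
import json

# Step 2 output for one crown-jewel asset: scenario -> ATT&CK technique (constructed).
SCENARIOS = {
    "T1566": "Phishing email delivers malware to finance staff",
    "T1078": "Stolen VPN credentials used by an external actor",
    "T1486": "Ransomware encrypts the file server",
    "T1041": "Customer data exfiltrated over the C2 channel",
}

# Step 3 output: which techniques each control addresses and the two ratings
# the process insists on, adequacy and effectiveness, each 0.0..1.0 (constructed).
CONTROLS = [
    {"name": "Email content filtering", "techniques": ["T1566"], "kind": "preventive", "adequate": 0.8, "effective": 0.7},
    {"name": "Security awareness program", "techniques": ["T1566"], "kind": "administrative", "adequate": 0.6, "effective": 0.5},
    # Deployed everywhere (adequate) but not enforced for any user (ineffective).
    {"name": "VPN MFA", "techniques": ["T1078"], "kind": "preventive", "adequate": 1.0, "effective": 0.0},
    {"name": "Endpoint protection", "techniques": ["T1486"], "kind": "preventive", "adequate": 0.7, "effective": 0.8},
    {"name": "Verified offline backups", "techniques": ["T1486"], "kind": "corrective", "adequate": 0.9, "effective": 0.9},
    {"name": "Egress proxy logging to SIEM", "techniques": ["T1041"], "kind": "detective", "adequate": 0.5, "effective": 0.6},
]


def coverage_score(technique, controls=CONTROLS):
    """Best coverage any single control gives for a technique (0.0..1.0).

    A control contributes adequate * effective, so a control that exists but
    does not work contributes nothing, no matter how widely it is deployed.
    """
    scores = [c["adequate"] * c["effective"] for c in controls if technique in c["techniques"]]
    return max(scores, default=0.0)


def find_gaps(scenarios=SCENARIOS, controls=CONTROLS, threshold=0.5):
    """Technique IDs whose best control coverage falls below the threshold."""
    return sorted(t for t in scenarios if coverage_score(t, controls) < threshold)


def navigator_layer(asset, scenarios=SCENARIOS, controls=CONTROLS):
    """Build an ATT&CK Navigator layer dict, color-coded by coverage score.

    The 'versions' values are assumptions and must match the Navigator
    build you load the layer into.
    """
    techniques = []
    for tid, scenario in scenarios.items():
        score = coverage_score(tid, controls)
        color = "#ff6666" if score < 0.5 else "#ffff66" if score < 0.75 else "#8ec843"
        techniques.append({
            "techniqueID": tid,
            "score": round(score * 100),
            "color": color,
            "comment": scenario,
        })
    return {
        "name": f"Control coverage: {asset}",
        "versions": {"attack": "8", "navigator": "4.0", "layer": "4.0"},  # assumption
        "domain": "enterprise-attack",
        "description": "Coverage from threat-modeling workshop (Steps 2 and 3)",
        "techniques": techniques,
    }


if __name__ == "__main__":
    print("gaps:", find_gaps())
    print(json.dumps(navigator_layer("Finance file server"), indent=2))
```

Save the printed JSON and open it in Navigator via “Open Existing Layer” to get the red/yellow/green matrix for the stakeholder discussion; the gap list is the input to Step 5, since each entry is either a missing control or an existing control that needs to be made effective.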
Verizon security recently published a white paper titled “CISO’s Guide to Cloud Security: What to know and what to ask before you buy” that points out five steps to help decision making on purchasing Cloud products and services. For each step, the white paper also provides recommendations to consider. This is a summary of this white paper.
Step 1: Assess your situation
According to Forrester research, 28% of enterprises have already moved to public Cloud, 44% are actively building private clouds. When you assess your situation, consider:
Where are you in the process of migrating to Cloud
What is your Cloud strategy? Cloud-first or Cloud-only?
Is this the right time for you to move to Cloud?
Are you ready to move to Cloud?
Step 2: Define your requirements
To make sound decisions, defining security requirements and making sure the selected Cloud platform meets these requirements is essential. Following are recommendations from this white paper.
Scalability – Will the Cloud solution grow as your needs grow?
Extensibility – Does the platform offer APIs and other means to extend it?
Automation – Will you be able to automate routine security tasks in the Cloud?
Intelligence – Can you get contextual information for analysts and threat hunters?
Ease of Use – Is the user interface easy to use?
Step 3: Identify Use Cases
Legacy products may not be effective in a Cloud environment. Adding new products just for Cloud may not be a good idea either. The recommendation is to identify use cases and consider the following:
IDS/IPS – Consider products that provide machine learning, full packet capture capability, passive visibility and help in investigations.
SIEM and Analytics – Consider capability in terms of the requirements from step 2, support for new types of logs including IoT, and support for 5G.
Incident Response – Responding to Cloud incidents brings new challenges in terms of visibility and ownership.
Threat Hunting – Consider speed, visualization, contextual data and packet capture capability.
Step 4: Define Success Metrics
How would you prove success of any Cloud security product or service? Consider building success metrics and dashboard with the following in mind:
Reduction in false alarms
Improvement in threat detection
Reduction in time for detection, deployment and dwell time
Increase in visibility and network coverage
Step 5: Evaluate your options
The white paper provides a sample table for evaluating different solutions that you can modify based upon your needs as defined in steps 2 to 4 above.
When it comes to making purchase decisions for Cloud security products and services, this white paper provides a systematic approach for planning, evaluation, and decision making. The approach is not limited to a particular product or service and can be applied universally to any Cloud solution.
Winning the perpetual fight against crime by building a modern Security Operations Center
I am happy to announce that first three chapters of my book “Cybersecurity Arm Wrestling: Winning the perpetual fight against crime by building a modern Security Operations Center” are available for download and your review. I am interested in getting your feedback on these chapters.
The initial three chapters are primarily focused on SOC planning, business case development, and making decisions about the scope of log collection. You can download the draft version by clicking here.
Collecting and processing security logs is one of the primary functions of any SOC. Log sources vary widely: security device logs, network components, applications, servers and many others. Collecting logs also needs significant investment in log storage and processing infrastructure. You want to prioritize log sources that bring the most value from a security monitoring perspective. For these reasons, you should start with a small subset of log sources and expand the scope of log collection over time (in future phases of the project). While defining the scope of log collection for each phase, you can consider the following:
Many security vendors have published their threat reports and are making recommendations to CISOs and other leaders for better protection of security assets. After reading many of these reports, following is a summary of the major risks identified by these reports and strategies to mitigate them.
RISK – Ransomware is a form of malware that disables systems by encrypting data. The attackers demand ransom money to provide keys to decrypt data. Many organizations in diverse industry sectors have fallen victim to these attacks.
Verifiable backup and mock exercise for timely restoration of systems
Patching for vulnerabilities to avoid infection by Ransomware
Monitoring network traffic for command and control activity and timely response to attacks
Network segmentation to stop lateral propagation
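The first mitigation above, a verifiable backup and a mock restoration exercise, is easy to claim and hard to prove. The following Python script is an added example (not from the original post) of what “verifiable” means in practice: it records a SHA-256 manifest for a backup set, performs a mock restore into a separate tree, and checks every file in the manifest against the restored copy, reporting files that are missing or altered. The directory layout and file contents are constructed in a temporary directory so the script runs stand-alone; in a real drill the manifest is produced at backup time and kept off the network that the ransomware can reach.

```python
"""Verifiable backups: per-file SHA-256 manifest plus a restore check.
Added example; the backup tree, restore tree and damage are constructed."""
import hashlib
import os
import shutil
import tempfile


def _sha256(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path (with '/' separators) -> SHA-256 of every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = _sha256(full)
    return manifest


def verify_restore(manifest, restore_root):
    """Compare a restored tree against the manifest.

    Returns {'ok': bool, 'missing': [...], 'modified': [...]}. An empty
    manifest is reported as a failure: "nothing to verify" must never read
    as a successful restore.
    """
    missing, modified = [], []
    for rel, digest in manifest.items():
        path = os.path.join(restore_root, *rel.split("/"))
        if not os.path.isfile(path):
            missing.append(rel)
        elif _sha256(path) != digest:
            modified.append(rel)
    ok = bool(manifest) and not missing and not modified
    return {"ok": ok, "missing": sorted(missing), "modified": sorted(modified)}


def run_mock_exercise():
    """Mock restoration drill on constructed data; returns the verification report.

    Builds a small backup tree, records its manifest, copies it to a restore
    tree, then damages the restore (one file overwritten with random bytes as
    an encrypted file would be, one file deleted) so the check has something
    to catch.
    """
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "backup")
        restore = os.path.join(tmp, "restore")
        os.makedirs(os.path.join(backup, "finance"))
        os.makedirs(os.path.join(backup, "hr"))
        with open(os.path.join(backup, "finance", "ledger.csv"), "w") as f:
            f.write("2019-01-01,invoice,1200\n")
        with open(os.path.join(backup, "hr", "roster.txt"), "w") as f:
            f.write("alice\nbob\n")
        with open(os.path.join(backup, "README"), "w") as f:
            f.write("backup set A\n")
        manifest = build_manifest(backup)

        shutil.copytree(backup, restore)
        # Simulated damage: ransomware-style overwrite and a lost file.
        with open(os.path.join(restore, "finance", "ledger.csv"), "wb") as f:
            f.write(os.urandom(32))
        os.remove(os.path.join(restore, "hr", "roster.txt"))

        return verify_restore(manifest, restore)


if __name__ == "__main__":
    report = run_mock_exercise()
    print("restore ok:", report["ok"])
    print("missing:  ", report["missing"])
    print("modified: ", report["modified"])
```

The drill is only meaningful if the manifest is trusted: store it with the offline copy of the backup, or sign it, so that an attacker who encrypts the backup volume cannot also rewrite the hashes to match.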
RISK – Verizon Data Breach Investigations Report (DBIR) shows that phishing emails are one of the major points of entry for Cyberattacks. Employees fall victim to these emails and click on embedded URLs, causing installation of malware, creation of backdoors, or exfiltration of confidential information to attackers.
Robust awareness program
Web and Email content filtering
Include executive leadership in tabletop exercises (executives are being targeted more, per DBIR)
RISK – Verizon DBIR and other industry reports show that Espionage is a real threat and accounts for 23% of data breaches, overall. Some industry sectors and public organizations with intellectual property are larger targets for espionage activity compared to others.
Understand and document your risk profile and potential attackers
Build threat hunting and dark web investigations practice
Active monitoring of threats on networks and network segmentation
Effective awareness program
Move to Cloud
RISK – Most organizations are moving to Cloud or have a Cloud strategy. However, many organizations lack the skills to fully understand and implement controls for Cloud infrastructure (at both the network and application levels), resulting in data breaches due to errors and misconfigurations.
Better integration of network with Cloud virtual environment
Monitoring Cloud environment for potential misconfiguration issues
Implement Cloud security strategy and controls such as Cloud Access Security Broker (CASB)
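“Monitoring Cloud environment for potential misconfiguration issues” is the kind of control that is easiest to automate, because the provider exposes the configuration as structured documents. The Python script below is an added example (not from the original post) of two offline checks against documents in the AWS JSON shapes: bucket policy statements that grant access to any principal with no Condition attached, and security-group ingress rules that expose administrative ports to the whole internet. The policy and rule documents are constructed samples (the bucket name, VPC endpoint ID and port list are illustrative assumptions); in production they would be pulled from the provider’s API on a schedule and the findings routed to the SOC.

```python
"""Offline checks for two common cloud misconfigurations.
Added example; SAMPLE_POLICY and SAMPLE_INGRESS are constructed documents."""
import ipaddress

# Ports that should never be reachable from the internet (assumed list).
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 6379: "redis"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]} (everyone)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_policy_statements(policy):
    """Sids of Allow statements open to any principal and not limited by a Condition.

    Statements with a Condition (source VPC endpoint, source IP, ...) are not
    flagged here; they still deserve a manual look, but they are not the
    'accidentally public bucket' case this check is for.
    """
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_public(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue
        findings.append(st.get("Sid", f"statement[{i}]"))
    return findings


def _rule_ports(rule):
    """Port range covered by a rule; protocol -1 means all ports."""
    if rule.get("IpProtocol") == "-1":
        return range(0, 65536)
    return range(rule["FromPort"], rule["ToPort"] + 1)


def internet_exposed_admin_ports(ingress_rules):
    """(port, service, cidr) for admin ports reachable from 0.0.0.0/0 or ::/0, sorted."""
    exposed = []
    for rule in ingress_rules:
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        # A /0 prefix is the whole address family, v4 or v6.
        open_cidrs = [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]
        if not open_cidrs:
            continue
        ports = _rule_ports(rule)
        for port, service in ADMIN_PORTS.items():
            if port in ports:
                exposed.extend((port, service, c) for c in open_cidrs)
    return sorted(exposed)


# Constructed sample bucket policy: one genuinely public statement, one
# wildcard principal that is restricted to a VPC endpoint, one Deny.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Constructed sample security-group ingress rules.
SAMPLE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]

if __name__ == "__main__":
    print("public policy statements:", public_policy_statements(SAMPLE_POLICY))
    for port, service, cidr in internet_exposed_admin_ports(SAMPLE_INGRESS):
        print(f"admin port exposed: {service}/{port} from {cidr}")
```

The IPv6 catch-all rule in the sample is the case practitioners most often miss: a review that only looks for `0.0.0.0/0` passes it, while `::/0` with protocol `-1` opens every port to the IPv6 internet.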
Security of Emerging Technologies
RISK – Emerging technologies such as machine learning, blockchain, IoT, and others are bringing new opportunities and at the same time creating additional attack surface.
Create internal expertise and a learning culture for these new technologies
Proactively create policies and procedures for security of emerging technologies
Engage with internal teams who are planning for using these technologies for better collaborative strategies
Just published the first chapter draft of my latest book: “CyberSecurity Arm Wrestling: Winning the perpetual fight against crime by building a modern Security Operations Center”. This chapter is available for immediate download by clicking here. The chapter covers the following topics:
What is a Security Operations Center (SOC)?
What is a Modern SOC?
What this Book is not about
Purpose: Why Build a SOC?
SOC Business Models
What it takes to build a SOC
SOC Implementation: Incremental or Big Bang?
SOC Lifecycle Phases
Who are the stakeholders?
The next chapters will be coming soon. Please download the chapter and provide your feedback.