[BreachExchange] Achieving holistic cybersecurity

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 12 20:17:56 EDT 2016


https://fcw.com/articles/2016/05/12/comment-holistic-cybersecurity.aspx

No longer can security programs rely on an "if it's not broke, don't fix
it" approach -- adversaries could already be inside systems, stealing data
or probing for weaknesses. Too many CIOs and CISOs have thought their
systems and data were secure when in fact they were anything but.

Security programs need effective protection of valuable information and
systems to prevent data breaches and to comply with ever-increasing
federal compliance requirements. Among others, there are the Federal
Information Security Management Act (FISMA), the Privacy Act, policy and
guidance from the Office of Management and Budget and the National
Institute of Standards and Technology, the General Services
Administration's Federal Risk and Authorization Management Program
(FedRAMP), and the Federal Acquisition Regulation to be considered.

To be effective, CIOs and CISOs need timely cybersecurity insights so they
can act proactively, because today's security challenges are greater than
ever.

With massive increases in data, mobile devices and connections, security
challenges are growing in both number and scope. The aftermath of a breach
can be devastating to an organization in terms of both reputational and
monetary damage, and those damages arise from three major categories of
security challenge: external threats, internal threats and compliance
requirements.

External threats

The nation faces a proliferation of external attacks against major
companies and government organizations. In the past, these threats have
largely come from individuals working independently. However, these attacks
have become increasingly coordinated, and are being launched by groups
ranging from criminal enterprises to organized collections of hackers to
state-sponsored entities. Attackers' motivations can include profit,
prestige or espionage.

These attacks target ever more critical organizational assets, including
customer databases, intellectual property and even physical assets that are
driven by information systems. They have significant consequences,
resulting in IT, legal and regulatory costs, not to mention loss of
reputation. Many of these attacks take place slowly over time, masked as
normal activity. The class of attack known as the advanced persistent
threat (APT) requires specialized continuous monitoring methods to detect
threats and vulnerabilities before a breach or loss of sensitive data occurs.

Internal threats

In many situations, breaches come not from external parties, but from
insiders. Insiders today can be employees, contractors, consultants and
even partners and service providers. The causes range from careless
behavior and administrative mistakes (such as giving away passwords to
others, losing back-up tapes or laptops, or inadvertently releasing
sensitive information) to deliberate actions taken by disgruntled
employees. The resulting dangers can easily equal or surpass those from
external attacks.

A strong security program must include capabilities to predict both
external and internal threats and assess their mission impacts, validated
by cognitive technology and cybersecurity experts serving mission operators.

Compliance Requirements and Effective Protection

Public sector enterprises face a steadily increasing number of federal,
industry and local mandates related to security, each of which has its
own standards and reporting requirements. In addition to the federal
requirements noted above, there are sector-specific requirements such as the
Health Insurance Portability and Accountability Act and the Health
Information Technology for Economic and Clinical Health Act (HIPAA/HITECH)
for health information and Sarbanes-Oxley for financial information. Then
there are state privacy and data breach laws, Control Objectives for
Information and Related Technology (COBIT), and various international
standards and privacy directives. Complying with these and other
requirements often takes a significant amount of time and effort to
prioritize issues, develop appropriate policies and controls, and monitor
compliance.

To address external, internal, and compliance challenges through a
proactive approach, mission-oriented cognitive cybersecurity capability is
needed. To achieve such capability, four key areas must be addressed:

Security architecture effectiveness. Agencies must focus on rapidly
assessing vulnerabilities in the security architecture and developing a
prioritized roadmap to strengthen cyber protection that closes security
gaps and meets policy expectations. Verifying the identity of users and
their access rights, and reducing the number of privileged users, is
critically important to an effective security architecture.

Critical data protection. Agencies must focus on rapidly assessing the data
architecture and the shortfalls in tracking and protecting critical data.
Prioritized action plans can reshape the data architecture for more focused
security protection and improved continuous monitoring.

Security compliance. Agencies must focus on rapidly assessing compliance
gaps and establishing a roadmap to prioritize issues, develop appropriate
policies and controls, and achieve compliance.

A holistic security program. Effectively implementing the first three areas
above enables agencies to lay the foundation of a program that addresses
risk management and IT governance at the enterprise level. Organizations
can then identify risks to critical business processes that are most
important to mission success, as well as threats and vulnerabilities that
can impact critical business processes. They can also craft appropriate IT
governance, which is a key enabler of successful cybersecurity protection.
IT governance provides the "tone at the top," emphasizing that ensuring
security and privacy is the responsibility of all staff. In addition,
consistent and standardized security protocols, privacy processes and
technology configurations support protection at a lower cost.

Making a holistic program actionable

A holistic security program focuses on protection through continuous
monitoring of systems and data. This involves moving from the traditional
defensive-reactive approach to a defensive-proactive (predictive) approach,
using cyber analytics to foster "security intelligence" that also protects
privacy.

Continuous monitoring is now required by OMB and NIST mandates, and it can
be supplemented with cyber analytics to proactively highlight risks and to
identify, monitor and address threats. As enterprises bolster their
security defenses, predictive analytics plays an increasingly important
role. Enterprises can conduct sophisticated correlations to detect advanced
persistent threats while implementing IT governance and automated
enterprise risk processes -- critical building blocks for enabling security
intelligence.

This includes the ability to:

identify previous breach patterns and outside threats to predict potential
areas of attack;
analyze insider behavior to identify patterns of potential misuse; and
monitor the external environment for potential security threats.

Continuous monitoring, when combined with cyber analytics via security
intelligence, can provide key cybersecurity capabilities. Along with
analysis of cyberthreat-related data sources (e.g., DNS, Netflow or query
results), continuous monitoring provides the context needed to fuse those
data -- data that can then be analyzed with tools that produce actionable,
meaningful and timely information, letting CISOs and CIOs address the most
important issues affecting their agency and deter and prevent cyber
threats.
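One concrete form of the DNS/Netflow fusion the article alludes to, as an added example that is not part of the original post: join a resolver log against flow records and surface outbound connections that the same client never resolved by name, the kind of slow, "normal-looking" traffic continuous monitoring is meant to catch. Both data sets below are constructed sample lines in an assumed whitespace-separated layout, not real log formats.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample resolver log (not from the article):
# timestamp client qname rtype answer_ip
DNS_LOG = """\
2016-05-12T10:00:01 10.0.0.5 intranet.example.gov A 192.0.2.10
2016-05-12T10:00:03 10.0.0.5 updates.example.net A 198.51.100.20
2016-05-12T10:00:09 10.0.0.7 intranet.example.gov A 192.0.2.10
"""

# Constructed sample Netflow export (not from the article):
# timestamp src_ip dst_ip dst_port bytes
NETFLOW = """\
2016-05-12T10:00:02 10.0.0.5 192.0.2.10 443 5120
2016-05-12T10:00:04 10.0.0.5 198.51.100.20 443 20480
2016-05-12T10:00:10 10.0.0.7 192.0.2.10 443 4096
2016-05-12T10:00:15 10.0.0.7 203.0.113.77 8443 900
2016-05-12T10:05:15 10.0.0.7 203.0.113.77 8443 910
"""


def parse_dns(text):
    """Index the resolver log as {(client, answer_ip): [resolution times]}."""
    seen = defaultdict(list)
    for line in text.splitlines():
        ts, client, _qname, _rtype, answer = line.split()
        seen[(client, answer)].append(datetime.fromisoformat(ts))
    return seen


def parse_netflow(text):
    """Yield (time, src, dst, dst_port, bytes) tuples from the flow export."""
    for line in text.splitlines():
        ts, src, dst, dport, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)


def unresolved_flows(dns_text, flow_text, window=timedelta(hours=1)):
    """Flows whose destination the same client did not resolve via DNS in the
    `window` before the flow. Returns {(src, dst, dst_port): [flow times]} so
    repeated contacts with the same unresolved host stand out for triage."""
    resolutions = parse_dns(dns_text)
    hits = defaultdict(list)
    for ts, src, dst, dport, _ in parse_netflow(flow_text):
        if any(ts - window <= r <= ts for r in resolutions.get((src, dst), [])):
            continue  # a matching name lookup preceded this flow
        hits[(src, dst, dport)].append(ts)
    return dict(hits)
```

With the sample data only 10.0.0.7's two contacts with 203.0.113.77 are reported; in a real deployment the resolver log must cover every resolver clients can use, or legitimate traffic will be flagged.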

Even basic cyber analytics can be used to proactively highlight risks and
to identify, monitor and address threats and vulnerabilities, helping
agencies achieve predictive and preventive cybersecurity capabilities.
However, cyber analytics can be greatly enhanced by cognitive-based systems
-- systems that build knowledge and learn, understand natural language,
reason, and interact more naturally with human beings. Cognitive-based
systems can also put content into context with confidence-weighted
responses and supporting evidence, and can quickly identify new patterns
and insights.

Specifically, cognitive solutions have three critical capabilities that are
needed to achieve security intelligence:

Engagement: These systems provide expert assistance by developing deep
domain insights and presenting the information in a timely, natural and
usable way.
Decision: These systems have decision-making capabilities. Decisions made
by cognitive systems are evidence-based and continually evolve based on new
information, outcomes and actions.
Discovery: These systems can discover insights that could not be discovered
otherwise. Discovery involves finding insights and connections and
understanding the vast amounts of information available.

By using such systems, agency executives involved in cybersecurity can move
from a basic to an optimized level of security intelligence, as outlined
below.

Optimized:
Governance, risk and compliance
Advanced correlation and deep analysis
Role-based analytics
Privileged user control
Data flow analytics
Data governance
Secure application development
Fraud detection
Advanced network monitoring/forensics
Secure systems

Proficient:
Identity management
Strong authentication
Activity monitoring
Data loss prevention
Application firewall
Source code scanning
Asset management
Endpoint/network security management

Basic:
Passwords and user IDs
Encryption
Access control
Vulnerability scanning
Perimeter security
Anti-virus

Achieving cybersecurity protection preserves mission success while meeting
the key objectives of an agency's security program. By developing true
security intelligence, government can move from a basic (manual and
reactive) to an optimized (automated and proactive) posture to secure
critical systems and the valuable information they house.
