[BreachExchange] Network security - Stick to the plan

Audrey McNeil audrey at riskbasedsecurity.com
Fri Aug 19 16:00:54 EDT 2016


http://www.scmagazineuk.com/network-security--stick-to-the-plan/article/514840/

Every so often I see interesting new products from network and security
vendors, which provide innovative answers to particular security issues.
When a security product receives a positive reaction from a customer, that
customer often then has to build a case for its inclusion in their budget.
The thought process can often be: “Here's a good product, can I justify the
budget and deploy it into my environment?”

This seems very different from routing and switching where customers often
have a planned strategy and budget to increase capacity and performance.

Return on investment

Justification for a planned capacity or performance upgrade is relatively
simple if you factor in the potential return on increased revenues or
productivity. This “speculate to accumulate” approach is pretty much the
opposite for security planning.

This is starting to change as more businesses insure against breach and
loss. As more companies look at insuring against loss, there is a direct
and immediate link between the insurance premium, maximum indemnity and the
security posture of an organisation. We have reached a point where we can
more easily demonstrate that an improved security posture can deliver a
return on investment.

From the top

Ultimately, the CEO is responsible and information security sits on the
risk register with all the other high-level considerations such as physical
theft, service availability and staffing etc. When dealing with the
likelihood of a breach, the questions should be:

1. What are the threats facing the business?

2. How comprehensive is the security strategy in dealing with and
preventing these risks?

The immediate technical/physical impact of a breach can be determined as
hard fact, but the knowledge that customer data has been exfiltrated has
greater implications. The eventual costs of reputational damage and customer
shift are far more subjective, but the certain pain of those factors should
be clear enough to ask:

1. What are the potential immediate financial costs of a breach?

2. What are the long-term financial costs from information and
reputation losses?

The responses to these questions may well justify the expense and effort of
a comprehensive security audit to develop a security plan.

The security risk management framework

Depending on the size of the organisation, responsibility for developing
and implementing the security strategy might fall to the one IT head or the
CISO. Either way, the security strategy will vary greatly not just with
company size but with the nature of the business.

There are several options for companies looking to adopt a formal risk
management approach and many organisations use the ISO/IEC 27001:2013
standard both as a framework for risk management and a formal
accreditation. There are alternatives for security accreditation, including
the government-backed Cyber-Security Essentials scheme.

The key requirement is to investigate and fully understand the big three
issues:

1. What are the key assets?

2. What are the vulnerabilities?

3. What are the threats?

Once you have answered those questions, you can begin to define a security
strategy making the best use of the resources at hand.

The security strategy

The comprehensive risk assessment should identify the overall security
posture of the organisation and identify the greatest areas of concern. At
this point, the top-down strategy can begin with direction from C-level on
the budget, scope and priorities for the organisation's security strategy.

The security strategy should identify business priorities, the intended
security position the organisation wishes to achieve at a given point, and
the way in which that should be achieved.

The security plan

The goal of the security plan is to achieve the aims of the security
strategy and provide the most effective risk mitigation with the given
resources. With as many as possible of the risks identified and
prioritised, the security plan defines how each risk is mitigated. Against
each asset and the relevant vulnerabilities, control measures and
mitigation techniques are planned for implementation and periodic review.

Conclusion

It is a given that total security is simply not possible, so the aim of an
organisation should simply be to present a harder target which is
ultimately more expensive to breach.

Too much emphasis on one area to the detriment of another leaves an
organisation just as exposed, with the risk shifted to a different part of
the attack surface. To maximise the effectiveness of the budget and
resources, security operations and investment should ideally be done within
the scope of a security plan.

At this point, when evaluating a range of technology options, it is simpler
to match the value of a particular product or solution against the
requirements of the security plan. If the value is there, the business case
is already half made. If you are looking at using a large part of the
budget on a new platform, coverage of a major part of the security plan may
provide a better justification than “it's a great logging platform!”

References

Cyber-Risk in 10 Critical Areas

https://www.cesg.gov.uk/10-steps-cyber-security

Common Cyber-Attacks

https://www.cesg.gov.uk/content/files/protected_files/guidance_files/common_cyber_attacks_2016.pdf

Cyber Essentials Scheme

https://www.gov.uk/government/publications/cyber-essentials-scheme-overview

Cert Best Practices

https://www.cert.gov.uk/resources/best-practices/

Guide for developing security plans

http://www.mcafee.com/uk/resources/white-papers/foundstone/wp-key-comp-risk-base-security-plan.pdf

http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf

Cyber-Security Planning Guide

https://www.dhs.gov/sites/default/files/publications/FCC%20Cybersecurity%20Planning%20Guide_1.pdf

ISO 27001 information

www.iso.org