CHAPTER-2: An Enterprise Architecture Strategy


You need to understand the prerequisites before entering into security infrastructure operations.

The role of enterprise architecture is to help organizations align their technology strategy with their overall business objectives. Enterprise architects design and implement a technology architecture that can support the organization’s goals and objectives, while also ensuring that all technology systems and applications work together seamlessly.

Some of the responsibilities of enterprise architects are:

  • Envisioning, communicating, and evolving the organization’s enterprise architecture.
  • Establishing the portfolio’s technology vision, strategy, and roadmap.
  • Researching and evaluating new and innovative technologies and trends.
  • Collaborating and coordinating with other stakeholders and architects across the organization.
  • Providing guidance and governance for the development and implementation of IT projects and solutions.
  • Measuring and assessing the outcomes and impact of the IT deliverables.

Lastly, a well-architected infrastructure platform will keep paying you back; some of the benefits are:

  1. The SOC would love to have a minimized number of events per second/minute. The better the infrastructure, the easier it is to connect it to the SOC.
  2. The SOC or your ASM (Attack Surface Management) team will find problems on the networked devices, application flaws, API flaws and access configuration flaws, and will generate reports to remediate them; these change requests can generate a cascade of failures and a hefty amount of CR charges.
  3. A framework-based platform will produce fewer challenges should it go through device replacements and contracted device replacements after 3-year running periods, insurances for cost minimization, etc.
  4. Integration throughout the infrastructure will be easier for log shipping and for the different portals used for visibility.

It is somewhat out of context for the study of the SOC in this chapter, but if you want to learn more about the role of enterprise architecture, you can check out some of these resources (look for the BoK at the end of this book):

Azure Well-Architected Framework

The Azure Well-Architected Framework (WAF) encompasses five essential tenets that guide solution architects in building robust and efficient workloads on Microsoft Azure:

  1. Reliability: Ensures that your workload meets uptime and recovery targets by incorporating redundancy and resiliency at scale. Key considerations include high availability, fault tolerance, and disaster recovery strategies.
  2. Security: Safeguards your workload from attacks by maintaining confidentiality and data integrity. Focus areas include identity and access management (IAM), encryption, and network security.
  3. Cost Optimization: Encourages an optimization mindset at organizational, architectural, and tactical levels. Strategies involve right-sizing resources, leveraging reserved instances, and optimizing spending within budget.
  4. Operational Excellence: Aims to reduce issues in production by building holistic observability and automated systems. Consider monitoring, logging, and automation practices.
  5. Performance Efficiency: Allows your workload to adapt to changing demands through horizontal scaling and testing changes before deployment. Optimize resource usage and performance.

These tenets collectively provide a strong foundation for designing and operating workloads on Azure, ensuring they deliver business value over time. Whether you’re hosting Oracle databases, optimizing SAP workloads, or building mission-critical applications, adhering to these principles contributes to a successful cloud journey!


Source: Azure Well-Architected Framework - Microsoft Azure Well-Architected Framework | Microsoft Learn

Let’s explore how you can implement the five tenets of the Azure Well-Architected Framework (WAF) in your architecture:

  1. Reliability: High Availability: Design your workload to run across multiple Azure Availability Zones for redundancy. Use Azure Load Balancer to distribute traffic. Fault Tolerance: Implement Azure Application Gateway with multiple instances to handle failures gracefully. Disaster Recovery: Set up Azure Site Recovery for seamless failover to a secondary region.
  2. Security: Identity and Access Management (IAM): Use Azure Active Directory (AD) for user authentication and authorization. Encryption: Encrypt data at rest using Azure Disk Encryption or Azure Storage Service Encryption. Network Security: Configure Azure Network Security Groups (NSGs) to control inbound and outbound traffic.
  3. Cost Optimization: Resource Sizing: Right-size your VMs and databases based on workload requirements. Reserved Instances: Leverage Azure Reserved VM Instances for predictable workloads. Monitoring and Cost Analysis: Use Azure Cost Management and Billing to track spending.
  4. Operational Excellence: Monitoring and Logging: Set up Azure Monitor for real-time insights into performance and issues. Automation: Use Azure Logic Apps or Azure Functions for automated tasks. Change Management: Implement Azure DevOps for continuous integration and deployment.
  5. Performance Efficiency: Horizontal Scaling: Use Azure Autoscale to dynamically adjust resources based on demand. Testing and Optimization: Load test your application using Azure Application Insights. Content Delivery: Utilize Azure Content Delivery Network (CDN) for efficient content distribution.

Partner Tools with Azure Monitor Integration

Routing your monitoring data to an event hub with Azure Monitor enables you to easily integrate with external SIEM and monitoring tools. The following table lists examples of tools with Azure Monitor integration.

ASIM and the Open Source Security Events Metadata (OSSEM)

OSSEM is a community-led project that focuses primarily on the documentation and standardization of security event logs from diverse data sources and operating systems. The project also provides a Common Information Model (CIM) that can be used for data engineers during data normalization procedures to allow security analysts to query and analyze data across diverse data sources.

ASIM aligns with the Open Source Security Events Metadata (OSSEM) common information model, allowing for predictable entity correlation across normalized tables.

ASIM Components

The following image shows how non-normalized data can be translated into normalized content and used in Microsoft Sentinel. For example, you can start with a custom, product-specific, non-normalized table, and use a parser and a normalization schema to convert that table to normalized data. Use your normalized data in both Microsoft and custom analytics, rules, workbooks, queries, and more.

Source: Normalization and the Advanced Security Information Model (ASIM) | Microsoft Learn

ASIM includes the following components:

Normalized Schemas

Normalized schemas cover standard sets of predictable event types that you can use when building unified capabilities. Each schema defines the fields that represent an event, a normalized column naming convention, and a standard format for the field values.

ASIM currently defines the following schemas:

  • Audit Event
  • Authentication Event
  • DHCP Activity
  • DNS Activity
  • File Activity
  • Network Session
  • Process Event
  • Registry Event
  • User Management
  • Web Session
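As an added illustration (not Microsoft's own ASIM parsers or the book's code), the following Python walks through the flow described above: two constructed, product-specific logon sources are each run through a small parser into a shared subset of ASIM Authentication schema fields, validated, and then queried once across both sources. The vendor and product strings, the sample records, and the three-failure threshold are assumptions made for this example.

```python
import re
from collections import Counter
from typing import Callable, Dict, Iterable, List, Optional, Tuple

NormalizedEvent = Dict[str, str]
# Fields this example treats as mandatory for every normalized record.
REQUIRED = ("EventVendor", "EventProduct", "EventSchema", "EventType",
            "EventResult", "TargetUsername", "SrcIpAddr", "EventStartTime")

# Constructed sample input (not real captures): sshd syslog lines and Windows
# Security events in their product-specific, non-normalized form.
SSHD_LINES = [
    "Jan 14 10:01:02 web01 sshd[2211]: Failed password for alice from 203.0.113.7 port 51022 ssh2",
    "Jan 14 10:01:05 web01 sshd[2211]: Failed password for alice from 203.0.113.7 port 51023 ssh2",
    "Jan 14 10:02:10 web01 sshd[2290]: Accepted publickey for bob from 198.51.100.4 port 40100 ssh2",
    "Jan 14 10:02:11 web01 sshd[2290]: Connection closed by 198.51.100.4 port 40100",
]
WINDOWS_EVENTS = [
    {"EventID": 4625, "TargetUserName": "alice", "IpAddress": "203.0.113.7", "TimeCreated": "2024-01-14T10:01:30Z"},
    {"EventID": 4624, "TargetUserName": "carol", "IpAddress": "10.0.0.9", "TimeCreated": "2024-01-14T10:03:00Z"},
    {"EventID": 4672, "TargetUserName": "carol", "IpAddress": "10.0.0.9", "TimeCreated": "2024-01-14T10:03:01Z"},
]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"\w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_sshd(line: str) -> Optional[NormalizedEvent]:
    """Source parser: one sshd line -> ASIM Authentication fields. Returns
    None for lines it does not understand so the caller can count them."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {
        "EventVendor": "OpenSSH",  # vendor/product strings are illustrative
        "EventProduct": "OpenSSH",
        "EventSchema": "Authentication",
        "EventType": "Logon",
        "EventResult": "Success" if m.group("outcome") == "Accepted" else "Failure",
        "TargetUsername": m.group("user"),
        "TargetUsernameType": "Simple",
        "SrcIpAddr": m.group("ip"),
        # A production parser converts this to a datetime; syslog has no year.
        "EventStartTime": m.group("ts"),
    }

WIN_LOGON_IDS = {4624: "Success", 4625: "Failure"}  # logon outcome per event ID

def parse_windows(ev: dict) -> Optional[NormalizedEvent]:
    """Source parser: one Windows Security event -> the same schema."""
    result = WIN_LOGON_IDS.get(ev.get("EventID"))
    if result is None:
        return None  # e.g. 4672 (special privileges assigned) is not a logon
    return {
        "EventVendor": "Microsoft",
        "EventProduct": "Security Events",
        "EventSchema": "Authentication",
        "EventType": "Logon",
        "EventResult": result,
        "TargetUsername": ev["TargetUserName"],
        "TargetUsernameType": "Simple",
        "SrcIpAddr": ev["IpAddress"],
        "EventStartTime": ev["TimeCreated"],
    }

def validate(ev: NormalizedEvent) -> NormalizedEvent:
    """Reject records that would break a schema-level query."""
    missing = [f for f in REQUIRED if f not in ev]
    if missing:
        raise ValueError("normalized event missing %s" % missing)
    if ev["EventResult"] not in ("Success", "Failure"):
        raise ValueError("bad EventResult %r" % ev["EventResult"])
    return ev

def normalize_all(sources: Iterable[Tuple[Callable, Iterable]]
                  ) -> Tuple[List[NormalizedEvent], int]:
    """Run each (parser, raw records) pair into one normalized list.
    Returns (events, count of raw records the parser could not normalize)."""
    events, unparsed = [], 0
    for parser, records in sources:
        parsed = [parser(raw) for raw in records]
        unparsed += parsed.count(None)
        events += [validate(e) for e in parsed if e is not None]
    return events, unparsed

def failed_logons_by_source(events: List[NormalizedEvent],
                            threshold: int = 3) -> Dict[Tuple[str, str], int]:
    """One analytic written once against the schema, not once per product:
    (source IP, target user) pairs with at least `threshold` failed logons."""
    counts = Counter((e["SrcIpAddr"], e["TargetUsername"])
                     for e in events if e["EventResult"] == "Failure")
    return {key: n for key, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    evs, skipped = normalize_all([(parse_sshd, SSHD_LINES), (parse_windows, WINDOWS_EVENTS)])
    print("normalized %d events, %d unparsed" % (len(evs), skipped))
    print(failed_logons_by_source(evs))
```

The two sshd failures and the one Windows 4625 for the same user and source IP only add up once both feeds share the same field names; the unparsed count is the signal that a source changed format and the parser needs attention.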

Azure Sentinel, on the other hand, is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) tool. Azure Sentinel’s role is to ingest data from different data sources and perform data correlation across them. On top of that, Azure Sentinel leverages intelligent security analytics and threat intelligence to help with alert detection, threat visibility, proactive hunting, and threat response. The diagram below shows how Azure Sentinel is positioned across different data sources:


Source: Integrating Azure Security Center with Azure Sentinel - Microsoft Community Hub

Integrating Security Center with Azure Sentinel

When you configure this integration, the Security Alerts generated by Security Center will be streamed to Azure Sentinel. You only need to follow a few steps to configure this integration, and you can follow those steps by reading this article. Once the integration is configured, the alerts generated by Security Center will start appearing in Azure Sentinel.

End-to-end visibility

One advantage of using Azure Sentinel as your SIEM is the capability to have data correlation across data sources, which gives you end-to-end visibility of security-related events, as shown in the diagram below:


Source: Integrating Azure Security Center with Azure Sentinel - Microsoft Community Hub

In this example, Azure Sentinel created a case based on the correlation of data coming from different Microsoft products.

AWS Well Architected Frameworks

The AWS Well-Architected Framework is a comprehensive set of guidelines and best practices for designing and operating reliable, secure, efficient, and cost-effective systems in the Amazon Web Services (AWS) cloud. Let’s delve into the details:

  1. Purpose and Benefits: The framework helps you understand the pros and cons of decisions you make while building systems on AWS. It provides a consistent approach to evaluate and improve your architectures against cloud qualities. By following the framework, you can enhance the likelihood of business success.
  2. Key Aspects: Foundational Questions: The framework includes a set of foundational questions that help you assess if a specific architecture aligns well with cloud best practices. Qualities: It evaluates systems against the qualities expected from modern cloud-based systems (reliability, security, efficiency, cost-effectiveness, and sustainability). Constructive Conversation: Reviewing an architecture is a constructive conversation about architectural decisions, not an audit. AWS Solutions Architects: These experts have years of experience architecting solutions across various business verticals and use cases.
  3. Who Should Use It?: The framework is intended for technology roles such as CTOs, architects, developers, and operations team members. It provides valuable insights and recommendations for anyone involved in the lifecycle of a workload.
  4. Additional Resources: AWS Well-Architected Tool: A service in the cloud that reviews and measures your architecture using the framework, providing recommendations for improvement. AWS Well-Architected Labs: Hands-on experience implementing best practices.

The Five Pillars of the AWS Well-Architected Framework

The five pillars of the AWS Well-Architected Framework are:

  1. Operational Excellence: Focuses on running and monitoring systems to deliver business value. Key areas include managing workloads, automating processes, and improving operational procedures.
  2. Security: Ensures that systems are secure and protected. Covers areas such as identity and access management, data protection, and infrastructure security.
  3. Reliability: Aims to prevent and recover from failures. Includes strategies for fault tolerance, disaster recovery, and scaling.
  4. Performance Efficiency: Optimizes resource usage and cost. Addresses aspects like selecting the right instance types, monitoring performance, and efficient data storage.
  5. Cost Optimization: Focuses on minimizing costs while maintaining performance. Involves analyzing spending patterns, using cost-effective resources, and optimizing workloads.

Example of a Well-Architected System on AWS

Example: E-Commerce Application

  1. Operational Excellence: Automation: The application uses AWS Lambda for serverless functions, automatically scaling based on demand. Monitoring: Amazon CloudWatch monitors performance metrics, and alarms trigger notifications for any anomalies. Change Management: AWS CodePipeline automates code deployment, ensuring consistent updates.
  2. Security: Identity and Access Management (IAM): Fine-grained permissions control access to resources. Encryption: Data at rest is encrypted using Amazon S3 and AWS Key Management Service (KMS). Network Security: Amazon VPC isolates resources, and security groups restrict inbound traffic.
  3. Reliability: Multi-AZ Deployment: The application runs across multiple availability zones for high availability. Auto Scaling: Amazon EC2 Auto Scaling adjusts capacity based on traffic fluctuations. Backup and Recovery: Regular snapshots of databases are stored in Amazon RDS.
  4. Performance Efficiency: Caching: Amazon ElastiCache accelerates frequently accessed data. Content Delivery: Amazon CloudFront serves static content globally, reducing latency. Database Optimization: Properly sized Amazon RDS instances optimize performance.
  5. Cost Optimization: Reserved Instances: The application uses reserved instances for predictable workloads. Spot Instances: Non-critical batch processing runs on Amazon EC2 Spot Instances. Right-Sizing: Regular analysis ensures resources match workload requirements.

So How Do You Build a Rightly Sized Architecture?

Primarily, I will just outline some of the core things that are required for competitive advantage (you should engage a professional organization to do these activities and the mapping; it is impossible to do this even with an internal team. Engagements with companies like Deloitte, EY or PwC are suggested: they already have these ready to deliver for client engagements, they have been doing it for a long time, and they have perfected those documents with an astounding amount of research. But everything has a cost attached to it, and they don’t come cheap):

  • Business requirements: business strategy, capability maps, market stakeholders, distribution channels, people/process/technology mapping, corporate strategy (mission & vision), business architecture, data architecture, technology architecture, application architecture, total solution architecture, project management by the PMO, etc.
  • Roles in the organizational structure: organizational need for business and technology drivers, strategic directions, PESTLE analysis, SWOT, challenges, tactical advantage over market players, external interested parties, etc.
  • EA scope (roadmap for industry and government future guidelines): EA principles, CIA triad, AAA services, goals and objectives, agile, EA principles outline, EA operating model & governance, capability model, start of authority, limits of authority, stakeholder communication plan, required outcomes, degree of centralization and decentralization, DevSecFinOps, stakeholder strength & power map, etc.
  • Technology target state: service requirements, ITIL, 5W1H, measurements of time and cost reductions, rework decreased, risk reduction, etc.
  • Foundational enterprise requirements: business, data architecture, technology, integrations, access types by users (RBAC), application architecture, enterprise principles and methods, capability mapping with business processes, integration architecture, etc.
  • Security architecture considerations: firewalls, network zoning, SDN-based traffic engineering and policy-based traffic prioritization, whether data leaving the network is encrypted or not, security standards, policies, etc.
  • Physical servers: management from a single console like Dell iDRAC, distribution switch, management switch, etc.
  • Model: cloud or hybrid, data architecture, application architecture.
  • Backup of data, data-at-rest security, data-in-transit security, etc.
  • Enterprise risk management: business & IT strategy, maturity of the EA, agile services, robust and scalable application platform.
  • Supply chain services, due delivery and operations.
  • Compliance: frameworks, ERM, BCP, DRP, ISMS, QMS, and the laws of the land on data privacy, GDPR, etc.

Key System Design Fundamentals

Just keep the following items in mind when designing a system or a platform (not an exhaustive list; this goes for both network and application infrastructure):

  • Scalability and large-scale availability
  • Consistency
  • Robustness
  • Security architecture & accountability
  • Maintainability
  • Modularity
  • Fault tolerance
  • Circuit breaker
  • Replica services
  • Retrievable backups
  • Sharding
  • Code repository
  • Efficiency of resource consumption
  • Device configuration backups
  • MapReduce
  • Accessibility
  • Reliability engineering
  • System architecture
  • P2P

You can go through the SAFe site for a better understanding of Agile Architecture: Advanced Topic - Agile Architecture in SAFe - Scaled Agile Framework

Source: SAFe 6.0 (scaledagileframework.com)

In some cases there is more than meets the eye; documenting all the necessary items into one really big picture helps in understanding the business processes needed to develop the:

  1. Business architecture: business strategy map, business process flows, value streams, business capability map, business model canvas, service portfolio.
  2. Infrastructure architecture: technology requirements, standards or framework outlines, demographic challenges for datacenters, platform design, full-blown network diagram.
  3. Application architecture: application design & architecture with all components of the ERP mapped, various types of access requirements, web and mobile app or tablet view requirements, scalable systems for geo-location placements, application capability map or features, etc.
  4. Data architecture: privacy requirements, data field encryption, usability of supplying a reserved code to the application for discovering or decrypting certain data fields like salary or incentive programs for the employees, law of the land, logical and conceptual data model, DB relations, DFD and lifecycle management, live data requirements, data-at-rest requirements, etc.
  5. Security architecture: enterprise data security model, application security, transmission security, access security, internal application account security requirements, data processing services, etc.

One such design can be seen in Dragon1’s EA design:

From an operational perspective, Business Architects are the ones who connect all the dots (stakeholder onboarding: take buy-ins and inform stakeholders of the architecture, its benefits, its usability, and dashboards for senior management to make decisions based on the analytics), where:

  1. Business architects choose the key business challenges with the business architecture model.
  2. Business operators are responsible for processes, data and infrastructure.
  3. Business unit leads are responsible for sending their requirements to the business architect, where the BA folks map out the infrastructure and application requirements.
  4. Experts of different sorts are responsible for business operations; they receive the requirements from business lines, operations, infrastructure development teams, etc.
  5. Lastly, the business architect identifies strategic business objectives, maps out your vision and strategy, and generates value streams that connect business goals to the organization’s value realization activities, which also align with business capability requirements.

A business capability map could be something like the below picture from LeanIX:

Source: Business Capability Map and Model - The Definitive Guide | LeanIX

You can use their freely provided Excel worksheet to map yours, which can also be mapped to your ERP components as OSS/BSS or for LoB application requirements mapping.

Another one from The Open Group (ADM: Architecture Development Method): Artifacts Associated with the Core Content Metamodel and Extensions @ Architectural Artifacts (opengroup.org)

This is a wonderful playground if you want to explore designing a business plan to deploy technical services; this document repo is for you. So, when you say you are an enterprise architect, do keep these in mind.

Some of the things that should be kept in mind are:

  1. Value streams are mapped to business capabilities. At times it may look like too much work is being done on understanding the business rather than focusing on what the infrastructure was supposed to be, and you end up with nothing: problems cannot be identified, nobody knows where we went wrong, and the investors’ perspective on this will be horrible. Rather, do it once, assign personnel to keep these documents tracked and always updated, and use software to help you.
  2. Prioritize value streams, then identify and map their capabilities one by one, as there will be prerequisites, and complete the design with the requirements mapped to the infrastructure. Select the key priorities that need to be in place for a year, then plan for the next year. You can take advantage of the “Blue Ocean Strategy” for your business perspective as well.
  3. Align the business objectives of your organization to your value streams.
  4. A single capability may support multiple value stages in the stream.
  5. Build a business architecture for the prioritized value stream with a map of business capabilities.
  6. Business value realization.

The Service Integration Layer

The Service Integration Layer (SIL) emerges as a pivotal solution, providing a unified platform to seamlessly integrate, manage, and optimize services across an organization. Let’s delve into the foundational aspects, benefits, and implementation strategies of the Service Integration Layer.

Background

As organizations adopt an increasing number of specialized services and applications, the need for a cohesive framework to integrate these disparate elements becomes paramount. The Service Integration Layer acts as an intermediary, facilitating communication and data flow between different services, systems, and applications. This layer is instrumental in achieving interoperability, reducing redundancy, and streamlining processes.

Key Components of the Service Integration Layer

API Gateway:

  1. Acts as the entry point for external applications and services.
  2. Enforces security policies, manages access control, and ensures efficient routing of requests.

Message Broker:

  1. Facilitates asynchronous communication between services.
  2. Manages message queues, ensuring reliable delivery and decoupling of services.

Data Integration Hub:

  1. Synchronizes and manages data flow between disparate databases and data sources.
  2. Supports data transformation, validation, and enrichment processes.

Event Processing Engine:

  1. Monitors and processes real-time events, enabling quick response to changing conditions.
  2. Supports event-driven architectures, fostering agility and responsiveness.

Workflow Orchestration:

  1. Coordinates the execution of business processes across multiple services.
  2. Manages the flow of tasks, dependencies, and error handling in complex workflows.

Benefits of the Service Integration Layer

Improved Interoperability:

  1. Enables seamless communication between diverse applications and services, fostering interoperability and reducing integration challenges.

Enhanced Agility:

  1. Facilitates a modular and scalable architecture, allowing organizations to quickly adapt to changing business requirements.

Optimized Resource Utilization:

  1. Reduces redundancy and optimizes resource utilization by avoiding duplicated efforts and data storage.

Increased Scalability:

  1. Provides a scalable infrastructure that can easily accommodate the addition of new services and adapt to growing workloads.

Streamlined Maintenance:

  1. Centralizes management and monitoring, simplifying the maintenance and troubleshooting of integrated services.

Implementation Strategies

Assessment of Current Infrastructure:

  1. Conduct a thorough analysis of existing applications, services, and data sources to identify integration points and requirements.

Selection of Integration Technologies:

  1. Choose appropriate technologies for each component of the Service Integration Layer based on the organization’s needs and existing infrastructure.

Development of Integration Standards:

  1. Establish standardized protocols, data formats, and communication patterns to ensure consistency and compatibility across integrated services.

Security Measures:

  1. Implement robust security measures, including encryption, authentication, and authorization, to safeguard the integrity and confidentiality of data flowing through the Service Integration Layer.

Testing and Validation:

  1. Conduct comprehensive testing to validate the functionality, performance, and reliability of the Service Integration Layer before deployment.

Case Studies

E-commerce Platform:

  1. Scenario: An e-commerce platform integrates order processing, inventory management, and payment processing systems.
  2. Outcome: The Service Integration Layer streamlines the order fulfillment process, reduces errors, and enhances customer satisfaction.

Healthcare System Integration:

  1. Scenario: A healthcare organization integrates electronic health records, billing systems, and diagnostic services.
  2. Outcome: The Service Integration Layer enables real-time access to patient data, improves billing accuracy, and enhances overall healthcare delivery.

By providing a unified platform for seamless communication and data flow, the Service Integration Layer contributes to improved interoperability, enhanced agility, and streamlined resource utilization. Organizations that strategically implement and leverage the Service Integration Layer are better equipped to navigate the complexities of the digital landscape, fostering innovation and competitiveness in today’s dynamic business environment.

Popular OMG.ORG Standards

Please download the specifications if you want to learn more about why and how they have planned and designed the architecture and integrations. These are the specifications that were mostly adopted and expanded as required:

Source: OMG Standards Introduction | Object Management Group


Another Architecture Mapping (BPM)

Business Process Management (BPM)

This one is also mapped to business requirements, but by all means map yours as per your organizational requirements (the PPT file is also provided in the job aids), and when the options are available, use ArchiMate, Dragon1 or LeanIX to develop yours:

Before you jump into developing your own SOC program, I would strongly recommend that you assess the current infrastructure using either NIST, CISECURITY, or Homeland Security’s CRR framework (developed by Carnegie Mellon University, shared from CISA’s site) (also provided in the job aids folder, named “1_CRR_v4.0_Self-Assessment-Reader_April_2020.pdf”).

This effort will provide you with a holistic view of the readiness of your infrastructure, and a chance to fix whatever is necessary to define your SOC’s operational activities.

But do browse the web for different architecture patterns and their service lineups, and learn to develop your own as you observe having an ERP in place. Find out the modules listed in the ERP and map them to your line-of-business requirements; soon you will have a map that provides an outline for the BPM, aka Business Process Management. Reverse engineering!

CIS also provides a spreadsheet for their assessment, and a summary screenshot is provided below (this file is provided in the job aids, named “CIS-8_Cybersecurity Posture Assessment.xlsx”):

Enterprise Architecture in Cybersecurity

Enterprise architecture in cybersecurity is the practice of designing and implementing a holistic and integrated security strategy for an organization. It aligns the security objectives and capabilities with the business goals and needs, and covers all aspects of the enterprise, such as people, processes, technology, and data. Enterprise architecture in cybersecurity helps to protect the organization from cyber threats, optimize the use of resources, and create value for IT investments.

Security architecture is part of enterprise architecture, which also includes connected networks, remote sites, business continuity plans and disaster recovery plans. It should be designed in the network planning phase, not later, to meet both security and business needs. Enterprise architecture designs specify the type of applications required, the type of (standardized) workstations and device portals that connect to the network, and their limitations. They may not cover network configurations, but they do cover the infrastructure that provides security and productivity, and the processes for making and keeping architecture flowcharts and diagrams. The enterprise architecture team tells the security operations team about the increased attack surface when new networks are set up, when devices are replaced with newer lines, or when their firmware is upgraded. In all cases, the security team is protecting the organizational data; the better architected the network, the better and easier the visibility the SOC can provide.


Source: Best Practices for Setting Up a Cybersecurity Operations Center (isaca.org)

For the SOC to carry out its functions successfully, critical enablers must be in place. The SOC must protect the entire enterprise, have a clear mission and charter, and be integrated into the business of the enterprise.


The sad part of cybersecurity is that the activity domains are not clear, there is a lack of frameworks, the knowledge base is not clear, mentors to follow are scarce, or people are not open about the things they know, and appropriate tools are not grouped together for performing a set of activities, and so on. But rest assured, amongst all these problems we still have tons of tools available; bits and pieces of information are scattered across the web, and it is troublesome to the extent of a Rubik’s cube.

Nonetheless, we have problems at hand that need to be solved, and they are not going to be solved in one go; but millions of people across the globe have joined forces against the attackers, and because of them we have tools that are freely available to us, and from the bottom of my heart, I thank them for their selfless efforts. Because of them we get to know how these tools work, and the knowledge is priceless, though it is also scattered across the globe; if all of us could be grouped together to share our knowledge, what a wonderful world it could be.

Enterprise Security Risk Management

Enterprise Security Risk Management (ESRM) is a strategic approach to security management that ties an organization’s security practice to its overall strategy using globally established and accepted risk management principles. The process of ESRM involves identifying risks and threats, determining how to mitigate them, and documenting policies and best practices to address future occurrences proactively and reactively.

There is no easy way to put it, as vast as the topic is; the most comprehensive coverage of the area comes from frameworks. Nonetheless, a combined picture has been produced by Tony Ridley:

C2, C4ISR & C4ISTAR

C2 (Wikipedia): Command and control, often called C2, is a "set of organizational and technical attributes and processes ... that employs human, physical, and information resources to solve problems and accomplish missions" to achieve the goals of an organization or enterprise, according to a 2015 definition by military scientists Marius Vassiliou, David S. Alberts, and Jonathan R. Agre. The term often refers to a military system.

C4ISR may refer to:

  • The C4ISR concept of Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance, the U.S. term for C4ISTAR
  • The C4ISR architectural framework (C4ISR AF), now known as the Department of Defense Architecture Framework (DoDAF)

New concepts of operations and approaches to Command and Control are able to provide significantly increased capabilities to deal with these challenges.

Some of the most common variations are:

  • AC2 – aviation command & control
  • C2I – command, control & intelligence
  • C2I – command, control & information (a less common usage)
  • R2C2I – rapid advanced manufacturing, command, control & intelligence [developed by SICDRONE]
  • C2IS – command and control information systems
  • C2ISR – C2I plus surveillance and reconnaissance
  • C2ISTAR – C2 plus ISTAR (intelligence, surveillance, target acquisition, and reconnaissance)
  • C3 – command, control & communication (human activity focus)
  • C3 – command, control & communications (technology focus)
  • C3 – consultation, command, and control [NATO]
  • C3I – 4 possibilities; the most common is command, control, communications and intelligence
  • C3ISTAR – C3 plus ISTAR
  • C3ISREW – C2ISR plus communications plus electronic warfare (technology focus)
  • C3MS – cyber command and control mission system
  • C3/SA – C3 plus situational awareness
  • C4, C4I, C4ISR, C4ISTAR, C4ISREW, C4ISTAREW – plus computers (technology focus) or computing (human activity focus)
  • C4I2 – command, control, communications, computers, intelligence, and interoperability
  • C5I – command, control, communications, computers, collaboration and intelligence
  • C5I – command, control, communications, computers, cyber and intelligence (US Army)
  • C6ISR – command, control, communications, computers, cyber-defense and combat systems and intelligence, surveillance, and reconnaissance
  • MDC2 – multi-domain command and control
  • NC2 – nuclear command and control
  • NC3 – nuclear command and control and communications

C4ISR Defense in Depth Core Function Descriptions

More specifically, as mentioned above, the CIOC (DoD Cyber Intelligence Operation Center) is the cyber battle management function that manages the multiple attack vectors against an organization’s vital assets through the CIOC’s management of the organization’s security management posture. Specific actions and behaviors required for the defense in depth concept and its functional management include:

Predict attacks on an organization’s assets:

  • Serious consideration of the results of the ongoing intelligence reports generated by the CIOC intelligence analysis and reporting team.
  • Analysis of internal vulnerabilities, risks and exposures, and the likelihood that specific exposures can be realized against the organization due to unmitigated exposures.
  • Review the SIEM and all other awareness dashboards that you might have at least twice a day.
  • Constant analysis of the types of attacks that happen every day on the organization that might provide indications and warnings (I&W) of site enumeration.
  • The introduction of new technologies that could cause a disruption of current processes and procedures. Cloud adoption could be considered a disruptive technology that presents new, unmitigated exposures.
  • High vigilance towards Cyber Open-Source Intelligence (COSI) information and intelligence sources, including multiple information security magazines, blogs and threat reports.
  • Get feedback from other teams such as network engineering on possible indications and warnings you can integrate into your prediction strategy.
  • Relationships with local law enforcement.
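As an added illustration of the "indications and warnings of site enumeration" item above (this is not code from the original page or the author's book): a small Python check that parses constructed firewall-style log lines and flags any source that contacted many distinct internal hosts inside a short window. The log format, field names and the 5-host / 5-minute thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style log lines for illustration (not taken from the page).
SAMPLE_LOG = """\
2024-05-01T08:00:01Z DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2024-05-01T08:00:02Z DENY src=203.0.113.7 dst=10.0.0.6 dport=22
2024-05-01T08:00:02Z DENY src=203.0.113.7 dst=10.0.0.7 dport=22
2024-05-01T08:00:03Z DENY src=203.0.113.7 dst=10.0.0.8 dport=22
2024-05-01T08:00:03Z ALLOW src=203.0.113.7 dst=10.0.0.9 dport=22
2024-05-01T08:00:04Z DENY src=203.0.113.7 dst=10.0.0.10 dport=22
2024-05-01T08:00:05Z ALLOW src=198.51.100.2 dst=10.0.0.5 dport=443
2024-05-01T08:00:06Z ALLOW src=198.51.100.2 dst=10.0.0.5 dport=443
2024-05-01T08:00:08Z DENY src=192.0.2.9 dst=10.0.0.5 dport=22
2024-05-01T08:10:09Z DENY src=192.0.2.9 dst=10.0.0.6 dport=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def enumeration_indicators(events, window=timedelta(minutes=5), min_targets=5):
    """Return {src: peak distinct destinations inside one window} for every source
    that touched at least min_targets distinct hosts within a single window."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        peak = 0
        for i, anchor in enumerate(evs):
            # Distinct destinations contacted in the window that ends at this event.
            recent = {e["dst"] for e in evs[: i + 1] if anchor["ts"] - e["ts"] <= window}
            peak = max(peak, len(recent))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    for src, n in enumeration_indicators(parse_log(SAMPLE_LOG)).items():
        print(f"I&W: {src} contacted {n} distinct hosts within 5 minutes")
```

Note that 192.0.2.9 touches two hosts but ten minutes apart, so it stays below the window and is not flagged; tuning that window is exactly the false-positive/false-negative trade-off the Detect list below asks you to manage.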

Prevent attacks on an organization’s assets:

  • Define and build a state-of-the-art security architecture that is aligned with the organization’s risk profile.
  • Build excellent security architecture documents.
  • Tune all tools such as firewalls, access control functions, logging and alerting systems for maximum efficiency, and regularly test the same.
  • Write processes and procedures for all major activities such as patch management, vulnerability management, intelligence development, incident response, etc.
  • Ensure that security is aggressively built into the enterprise architecture and requirements documents.
  • Base security management on IT governance such as ITIL.
  • Define security standards and policies.
  • Ensure the basic security blocking and tackling is done before implementing.

Advanced tools and procedures:

  • Use change control for all things that could affect the IT environment.
  • Harden all platforms and applications against attack.
  • Select a control environment such as SANS Top 20, FISMA, NIST 800-53 or the ISO 27000 series.
  • Implement a superb patch management process that sets the metric for current patch status at 95 per cent for all platforms, endpoints, databases, applications, network devices, etc.
  • Strictly limit administrative access and manage it with privilege management tools.
  • Monitor access in real time.
  • Implement robust data loss protection (DLP) plans for data at rest and in transit.
  • Implement a robust secure software development program.
  • 100 per cent compliance with government regulations and business compliance requirements like PCI.
  • Conduct regular internal scans and pen tests using any of the host vulnerability assessment tools for platform and application exposures.
  • Implement an ongoing security training program that is not given just once a year.
  • Invest in training the security staff.
  • Build robust security metrics, briefed by the CISO to executives once a month at C level and once a quarter at Board level.
  • Lead your staff and all organization personnel in data protection.
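An added example (not the author's own code) for the 95 per cent patch-status metric in the list above: it computes per-class compliance from a constructed asset inventory, rolls it up into the overall figure a CISO brief would show, and treats a required asset class with no inventory data as a gap rather than a pass. The class names and inventory rows are constructed for illustration.

```python
# Constructed asset inventory rows, (asset_id, asset_class, patched), for illustration only.
SAMPLE_INVENTORY = (
    [(f"srv-{i:02d}", "platform", i != 20) for i in range(1, 21)]   # 19 of 20 patched
    + [(f"lt-{i:02d}", "endpoint", i != 10) for i in range(1, 11)]  # 9 of 10 patched
    + [(f"db-{i:02d}", "database", True) for i in range(1, 5)]      # 4 of 4 patched
    + [(f"app-{i:02d}", "application", True) for i in range(1, 6)]  # 5 of 5 patched
    # no network-device rows at all: a reporting gap, not a pass
)

PATCH_TARGET = 0.95  # the 95 per cent current-patch-status metric from the checklist
REQUIRED_CLASSES = ("platform", "endpoint", "database", "application", "network-device")

def patch_compliance(inventory, target=PATCH_TARGET, classes=REQUIRED_CLASSES):
    """Return {asset_class: {patched, total, ratio, meets_target}} plus an 'overall' row.
    A required class with no inventory rows gets ratio None and never meets the target,
    because absence of evidence is not compliance."""
    counts = {cls: [0, 0] for cls in classes}
    for _asset_id, cls, patched in inventory:
        counts.setdefault(cls, [0, 0])
        counts[cls][1] += 1
        if patched:
            counts[cls][0] += 1
    report = {}
    for cls, (patched, total) in counts.items():
        ratio = patched / total if total else None
        report[cls] = {"patched": patched, "total": total, "ratio": ratio,
                       "meets_target": ratio is not None and ratio >= target}
    all_patched = sum(row["patched"] for row in report.values())
    all_total = sum(row["total"] for row in report.values())
    overall = all_patched / all_total if all_total else None
    report["overall"] = {"patched": all_patched, "total": all_total, "ratio": overall,
                         "meets_target": overall is not None and overall >= target}
    return report

def gaps(report):
    """Asset classes (excluding the overall row) that miss the target, for the metrics brief."""
    return sorted(cls for cls, row in report.items() if cls != "overall" and not row["meets_target"])

if __name__ == "__main__":
    report = patch_compliance(SAMPLE_INVENTORY)
    for cls, row in report.items():
        pct = "n/a" if row["ratio"] is None else f"{row['ratio']:.1%}"
        status = "OK" if row["meets_target"] else "GAP"
        print(f"{cls:15} {row['patched']:3}/{row['total']:<3} {pct:>6}  {status}")
    print("gaps:", gaps(report))
```

The overall figure (37 of 39, just under 95 per cent) hides that endpoints are at 90 per cent and network devices are not being reported at all, which is why the brief should show the per-class rows and not only the total.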

Detect attacks on an organization’s assets:

  • Prevent incidents from happening in the first place.
  • Ensure a 24 x 7 detection capability is available.
  • Deploy the best static and dynamic detection tools that your organization can fund.
  • Define real-time detection processes.
  • Ensure employees are aware of how to report suspicious endpoint, platform and network intrusions.
  • Extend detection to all BYOD and external systems.
  • Manage threat detection in all cloud-based services.
  • Define SLAs for responding to threats.
  • Determine which security systems should be in your DR and BC planning.
  • Ensure you have managed out as many false positives and false negatives as possible.
  • Use the CWE tools whenever possible (https://cwe.mitre.org/). CWE is tuned to application security; it is an excellent but complex framework.

Respond to attacks on an organization’s assets:

  • Determine what the company’s appetite for incident response is. Is it willing to accept automated shutdown of business processes and network segments?
  • Determine if you want to hire a DDoS threat mitigation service.
  • Create and practice a detailed incident response process.
  • Define response thresholds based on the attack areas and the magnitude of the same.
  • Ensure global partners and external business customers are aware of incident response processes.
  • Define the escalation process.
  • Conduct tabletop exercises to train the entire staff on incident response and cyber crisis management.
  • Contract with an external forensics investigator.
  • Ensure two incident management lines are established: one for executives and one for those doing the work to manage and terminate the incident.
  • Develop and train on the RACI chart for incident management. Platform security incidents could possibly be managed by the platform manager.
  • Train internal staff for forensics investigations.
  • Conduct prior planning with all technical and CxO-level staff.
  • Know the obligations and response procedures under the laws concerning a data breach. Let legal and marketing work the customer notification obligations.
  • Ensure the incident response team is aware of all threat intelligence generated by the SOC.
  • Ensure systems are configured to respond to attacks: is your IPS set to deny attacks?
  • Oversee and be aware of all preventive measures that should prevent incidents from happening in the first place.
  • Ensure that you have proper incident close-out processes.

______________________________________________________________________________________

FREE eBook - 476 Pages

Complete Guide to Cyber Security Operation Center

I’ve recently completed a book on SOC, a project close to my heart, that delves into the exciting realm of Security Automation, Orchestration, and Hyper-automation platforms in the SOC. If you’ve ever found yourself overwhelmed by the multitude of cybersecurity solutions, this post is designed to be your personal guide on developing a fully functional SOC. This eBook comes with plenty of examples and illustrations to help you understand complex concepts, data collection requirements to incident response, automations, playbooks, integrations requirements under the scope of IT, IS and Cybersecurity.

A big shout out to Brad Voris for his review of the book, his insights made this book even richer.

Knowledge Areas Covered

  • Enterprise architecture strategy to better formulate your SOC.
  • Visibility & data ingress requirements for your SOC
  • SOC functions, KPI’s, processes, frameworks, and automation requirements
  • Derive your Analyst-JD aligned to international frameworks
  • SOC organogram with Red, Blue, Purple team’s maturity, tactics, functions, activities
  • SIEM & SOAR architecture design guidelines to achieve more from these integrations.
  • Detection engineering with OSINT, CTEM.
  • Incident response with CSIRT, DFIR.
  • Tabletop exercises explained and operationalized
  • Artificial Intelligence & Data Science in SOC
  • How to develop your Open-source based SOC, full hardware BoQ, Network Design is provided
  • Bonus Chapters: IT Project Management, VA/PT Plan, ITIL Strategy Frameworks, Jurisdiction Assignment Matrix etc.

Download the eBook

Download this eBook (pdf): https://lnkd.in/gTRnhmPp

DM me for the DOCX version of the book.

Join Discord: Please DM me on LinkedIn, I will send you the link to join.

1000+ Job aids – download extra documentation.

60 Body of Knowledge (BoK) links.

1500+ curated list of VA/PT tools as job aids.

200+ References to support your SOC operations even further.

Download all the available documents from here: https://lnkd.in/eNNUm9XW

Download Job Aids: https://lnkd.in/gCKq6R-D

If you find it useful and informative, please share/repost the book with your network.




Rohit Raghav

Founder & CEO @ WebtechAge Pvt Ltd & Role Route | Delivering Total Talent Solutions

1 month

Hi, I hope this message finds you well. I wanted to reach out and connect with you. As part of our recruitment services, we’re currently offering four candidate CVs free of cost to help meet your hiring needs. I believe this could be a great opportunity for your organization to find the right talent. Let’s connect to explore how we can assist in fulfilling your recruitment requirements. Looking forward to staying in touch! Best regards, Rohit Raghav Founder, (Webtech Age Pvt Ltd)

Reply
