“Defense in Layers” -  The Exercise

Tap, Tap, Tap. “Excuse me. Your perceived security posture is not what you think it is….” “WHAT?? How DARE you? We spend at least 10% of our IT budget on security. We must be protected…..Right!….Right?”

There are two ways we typically respond….

Option 1, ‘Buy more tools.’

Option 2, ‘Be curious and continuously evaluate your cybersecurity posture.’

Buying more tools to pump executives with swag and meaningless statistics doesn’t solve root problems. If you are like me, you’ll get curious. What are we missing? Is it really tools? Where are the security holes in our cybersecurity posture?

This statement, “Your perceived security posture is not what you think it is,” got me thinking. How can I use what I know to improve my enterprise’s cybersecurity posture today? Can I leverage what I know now to perform a self-assessment without launching a substantial corporate initiative?

I reflected back on the Six Cybersecurity Postures that need to be monitored across the enterprise. These postures were a start but lacked depth. To provide depth, I reconstructed the postures to reflect the five layers of security (perimeter, network, endpoint, application, and data). Now that we have a framework described in “The ‘Defense in Layers’ Enterprise Framework,” the hard part begins.

“Defense in Layers” framework

The “Defense in Layers” framework is a product-inspired approach to evaluating cybersecurity coverage by mapping your enterprise cybersecurity capabilities to the intersections of the ‘Six Cybersecurity Postures’ and the ‘Five Layers of Security.’ I like to think of it as a game of security BINGO. To play this game, you need one cross-functional team, a list of perceived enterprise security capabilities, and a lot of internal networking and discovery.

In this article, I will walk through the steps of performing a ‘Defense in Layers’ exercise that I used to evaluate the effectiveness of monitoring the ‘Six Cybersecurity Postures.’

Form Yet Another Cross-Functional Workgroup, But Better.

I don’t know about you, but another cross-functional weekly team meeting is one of the last things I want. However, with a distributed workforce, it’s imperative to make communication a habit. One thing I see is that companies honestly struggle to communicate internally.

Communication frameworks are highly personal and continuously evolving. To make things simple, I identified two major groups I needed to bring together.


The first group is a Core Team that discovers the cybersecurity capabilities and organizes them into the appropriate layer and posture in the ‘Defense in Layers’ framework. This team is a collection of subject matter experts, evangelists, and practitioners who hold the institutional knowledge of the security teams and processes that exist in the enterprise. The core team is responsible for creating the outcomes and completing the exercise.

The second group is the Executive Stakeholders, responsible for reviewing the outcomes and ensuring the core team stays on mission. The executive stakeholder team is usually comprised of decision-makers who can use the ‘Defense in Layers’ outcomes to make business decisions and sponsor related cybersecurity initiatives.

In addition to the teams, it is essential to have a framework and cadence. The core team I built was interested in meeting weekly: enough to keep traction but not so much that it detracts from their day job. So that the core team would have accomplished enough for a meaningful discussion, the stakeholder review cycle was set at two months. Creating the team cadence isn’t an exact science. As with all good things, it depends. Setting the rhythm should be up to the team to decide and agree upon, as long as the core team understands it needs to deliver the outcomes it is working towards.

Finally, the core team needs to agree upon the outcomes of the ‘Defense in Layers’ framework exercise before they start. It can be a simple outcome such as filling out the framework and presenting your findings to the stakeholder group. It can also be a more meaningful collection of works such as continuously evaluating your security capabilities, producing an internal catalog of product security capabilities, and mapping all of the cybersecurity capabilities to enterprise security standards and policies.

Start With Your Cybersecurity Capabilities List

Start with what you know. Think of the capabilities your cybersecurity team delivers as a product offering. What capabilities do you provide to your application security, network, cloud, identity, device management, and data analytics teams? Another way to start is to use the capabilities I have in my Six Categories of Cybersecurity Posture. The goal is to begin speaking corporate speak. Use the terminology that is relevant in your company to your executives.

Six Categories of Cybersecurity Posture

Another excellent source for starting your capabilities list is the business and technical capabilities from a ‘Defense in Depth’ program. If you are one of the lucky few, you might be part of a team that has already mapped security capabilities -> controls -> policy & standards. This is another treasure trove of potential capabilities your cybersecurity team offers.

The BINGO Game - Mapping Capabilities to the ‘Defense in Layers’ Framework as a Team

Once you have the capabilities list, the hard part begins. Your six security postures start and end with the people who monitor them. Each posture will require that you reach out and talk to operations, engineering, and subject matter experts who own or run entire systems. Start talking to other teams and get their feedback. This is where you learn what you don’t know. I created a list of high-priority contacts and had one-on-one meetings to demo our ‘Defense in Layers.’ This small audience not only provided helpful feedback but also gave me leads to more people I should be talking to.

For each capability, you need to assign it to a security posture and a security layer. I found it easier to assign each capability a posture first. Once I knew the posture, I could quickly work backward and see what security layer it belonged in.

“Don’t Let Perfect Be the Enemy of Good” - Voltaire.

Filling out the ‘Defense in Layers’ framework is a real game of security bingo. Starting with a blank card, put each capability into the appropriate square. Often more than one capability will reside in a single square, and that’s all right. As you reach the end of your capabilities list, expect to see areas of concentration or blank spaces.

Once the ‘Game of BINGO’ is complete, socialize again. Believe it or not, most security people work better once they see the visual representation. Start walking through your findings with critical resources. In addition to one-on-one meetings, it’s time to start workshops for broader audiences. It’s in these workshops where, in addition to feedback, you will begin to hear individual analyses of the visual representation. It may be in the form of a question, such as “Why does the data posture not have any capabilities?” Write down these observations; they are golden. Your collective posture will have positives and negatives. Duplication of capabilities leads to potential cost-savings initiatives. Missing capabilities lead to security roadmap items for the following year.
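As an added illustration (not the article’s own tooling), the Python below builds the bingo card described in the mapping steps above: it takes a capability list with the posture and layer the core team assigned to each entry, places every entry on the postures-by-layers grid, rejects anything assigned to a square that is not on the card, and then reports the blank squares, the postures with nothing mapped (the “why does the data posture have nothing?” question), and the areas of concentration that point at possible duplication. The five layers are the article’s; the six posture names and the capability entries are constructed stand-ins, since the six postures are not enumerated on this page.

```python
"""Build and analyse a 'Defense in Layers' bingo card (postures x layers).

Added example, not the article's tooling.  The five layers are the article's;
the posture names and capability list below are constructed placeholders.
"""

LAYERS = ["perimeter", "network", "endpoint", "application", "data"]

# Constructed stand-ins for the six postures (not listed on the page).
POSTURES = [
    "application security", "network", "cloud",
    "identity", "device management", "data analytics",
]

# Constructed capability list: (capability, posture, layer).  In the exercise
# the core team assigns the posture first, then works back to the layer.
CAPABILITIES = [
    ("WAF in front of public apps", "application security", "perimeter"),
    ("SAST in CI pipeline", "application security", "application"),
    ("DAST on staging", "application security", "application"),
    ("NetFlow collection", "network", "network"),
    ("IDS on east-west traffic", "network", "network"),
    ("Cloud config scanning", "cloud", "application"),
    ("MFA for workforce", "identity", "perimeter"),
    ("EDR agents", "device management", "endpoint"),
    ("Disk encryption", "device management", "endpoint"),
]


def build_card(capabilities, postures=POSTURES, layers=LAYERS):
    """Return {(posture, layer): [capability, ...]} with every square present.

    A capability assigned to a posture or layer that is not on the card is an
    error in the mapping, so it is rejected rather than silently dropped.
    """
    card = {(p, l): [] for p in postures for l in layers}
    for name, posture, layer in capabilities:
        square = (posture, layer)
        if square not in card:
            raise ValueError(f"{name!r} assigned to unknown square {square}")
        card[square].append(name)
    return card


def blank_squares(card):
    """Squares with no capability: candidate roadmap items."""
    return sorted(square for square, caps in card.items() if not caps)


def empty_postures(card):
    """Postures with nothing mapped in any layer."""
    covered = {posture for (posture, _), caps in card.items() if caps}
    return sorted({posture for posture, _ in card} - covered)


def concentrations(card, threshold=2):
    """Squares holding at least `threshold` capabilities: check for duplication."""
    return sorted(square for square, caps in card.items() if len(caps) >= threshold)


def render_card(card, postures=POSTURES, layers=LAYERS):
    """Text bingo card; each square shows how many capabilities landed in it."""
    width = max(len(p) for p in postures)
    header = " " * width + "  " + "  ".join(f"{l:>11}" for l in layers)
    rows = [header]
    for p in postures:
        cells = "  ".join(f"{len(card[(p, l)]):>11}" for l in layers)
        rows.append(f"{p:<{width}}  {cells}")
    return "\n".join(rows)


if __name__ == "__main__":
    card = build_card(CAPABILITIES)
    print(render_card(card))
    print(f"\nBlank squares: {len(blank_squares(card))} of {len(card)}")
    print("Postures with nothing mapped:", empty_postures(card))
    print("Concentrations (possible duplication):")
    for square in concentrations(card):
        print(f"  {square}: {card[square]}")
```

Running the script prints the card as a count-per-square grid, which is the visual the workshops react to; the three report functions give the core team the blank spaces, unmonitored postures, and crowded squares as lists it can carry straight into the stakeholder outcomes.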

Three Outcomes for Your Stakeholders

An exercise is only useful if it produces results. I found it helpful to focus on three outcomes for my stakeholders in this case.

The ‘Defense in Layers’ completed framework: The secret is that the ‘Defense in Layers’ framework is never complete. However, just like software, you eventually have to ship it, even with bugs. My recommendation is to get into a cadence of publishing quarterly. A quarterly cadence keeps the framework updated and relevant to the business. It also acts as a great tool to add items to your cybersecurity product roadmap.

Your Story: Even with the visual of ‘Defense In Layers,’ you will need to develop a story of how you filled out the framework, what you learned from the experience, and most importantly, what actions you can take away from the exercise.

Near and Long-Term Initiatives: A story and a picture are not enough. The entire point of doing this exercise was to learn about your security posture. From those learnings, I found it necessary to include several actionable initiatives. These short- and long-term initiatives should align with your product roadmap and drive changes to future iterations of your ‘Defense in Layers’ framework.

Continuously Concluding with Outcomes

Cybersecurity practices need to continuously evaluate their maturity across many security categories. One essential habit that helps enterprises keep parity with cyber threats is seeking feedback and implementing change.

Many enterprises have a cadence of internal and external evaluations. Internal evaluations only require time and resources to execute, but many of the results are subjective. External evaluations require a budget and produce results with many holes due to missing experience and institutional knowledge.

A ‘Defense in Layers’ exercise can be quick and impactful. What it lacks in depth, it makes up for in visualization. On the journey of shifting to product-led cybersecurity, building a ‘Defense In Layers’ framework helps product leaders evaluate continuously. A good ‘Defense in Layers’ exercise leads to actionable initiatives that improve your cybersecurity posture.

Next, I’ll discuss how to use the “Defense in Layers” framework to monitor “Zero Trust.”
