How to find and better rationalize cybersecurity spend: threat/exposure approach

TL;DR: Evaluate cyber risk through empirical threat analysis and the business's exposure to those threats.

Today I would like to summarize my thinking, developed over many years, on why the compliance-based approach to cybersecurity not only has limitations, but why those limitations cannot be fixed by doing more of the same, and what we can and should do instead.

This is my vision of how cyber defense should develop in the future.

First, what any compliance framework fundamentally does is mandate a large set of security requirements as necessary. However, the claim that a security requirement is necessary cannot be falsified in principle (1), because security cannot be proven positively: we will never know, and can never prove, whether the claimed necessity actually holds, with all the (non)scientific implications that follow.

Second, this model cannot, in principle, predict reliably (beyond narrative fallacies) whether a compliant system is actually secure, leaving an unknown gap between compliance and security (i.e. between conformance and safety), perhaps as big as the gap between a valid argument and a sound one.

Moreover, we have already observed that the adversary does not decide whether to attack based on our compliance posture. We also observe different classes of adversaries, opportunistic and motivated, including actors who create vulnerabilities if they find none. We observe as well that the adversary's skills are always commensurate with the level of our defenses. In addition, the adversary learns in time of peace whilst the defender learns in time of war, which makes the time spent on learning asymmetrical, and hence the average level of skill. See my previous articles on this topic.

What can we do in this situation?

As always, once the problem is clear the solution comes naturally: act on empirical observations, not on narrative fallacies. It is long overdue for our industry to make sound arguments, not just valid ones: the premises ought to be true! To do so, you need to refocus from imposing necessary requirements to identifying sufficient ones.

And that is now easy! You need to learn your business and the threats it is exposed to, by looking at your industry, your location, geopolitical developments, competition, technical advances, etc. Once the threats are identified (including friendly ones) and you have learned their motivations, tactics, tools and procedures, learn about the exposure your business has to each of them. For example, the exposure to an audit is noncompliance, and here compliance is indeed sufficiently handy ;). The history of science teaches us that an old model turning out to be a subset of the new one is a good sign that we might be on the right track.

Now you are equipped with verifiable evidence and knowledge to determine which capabilities you need for sufficient defenses. The capabilities can be chosen from your enterprise cybersecurity reference architecture (if you do not have one, use the one I developed (5), adjusting and improving it as you see fit). You can then measure progress by the maturity of those capabilities, driven by the architecture roadmaps (versus compliance with controls, driven by audit findings and benchmarking).

You now have empirical evidence to justify and rationalize your security spend. You no longer rely on speculation about the likelihood of a cyber event, because no one has the slightest clue! You do not need to take my word for it: ask the cyber insurance underwriters. Your risk model also improves, because the (in)sufficiency of a defense capability can be demonstrated by direct tests or analysis (versus the inability, in principle, to demonstrate its necessity). And remember: no threat, no risk, even if wide open; no exposure, no risk, even if the enemy is at the gate. It is that simple.
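To make the scoping rule and the sufficiency test above concrete, here is a small Python model added to this page (it is not the author's code or tooling). The threat, technique and capability names and all maturity values are constructed for illustration; a real exercise would use the organisation's own threat analysis and reference architecture.

```python
# Added example, not from the article: constructed data, hypothetical names.
# Threat actors and the techniques they are known to use.
THREATS = {
    "opportunistic_ransomware": {"phishing", "exploit_public_app", "encrypt_data"},
    "motivated_insider": {"valid_accounts", "data_exfiltration"},
    "nation_state_apt": {"supply_chain_implant", "zero_day", "lateral_movement"},
}
# Techniques that can actually reach this business (its exposure). None of the
# APT's techniques are here: the enemy is at the gate, but there is no exposure.
EXPOSURE = {"phishing", "exploit_public_app", "encrypt_data",
            "valid_accounts", "data_exfiltration"}
# Capabilities from a hypothetical reference architecture: each is a bundle of
# mutually reinforcing controls, with the techniques it counters and its
# current maturity on a 0-5 scale.
CAPABILITIES = {
    "email_security": ({"phishing"}, 3),
    "attack_surface_management": ({"exploit_public_app"}, 1),
    "backup_and_recovery": ({"encrypt_data"}, 4),
    "identity_governance": ({"valid_accounts"}, 2),
    "data_loss_prevention": ({"data_exfiltration"}, 0),
    "software_supply_chain_assurance": ({"supply_chain_implant"}, 0),
}

def in_scope_threats(threats, exposure):
    """No threat, no risk; no exposure, no risk: keep only threats with a
    technique that reaches an exposed surface, and only those techniques."""
    return {n: t & exposure for n, t in threats.items() if t & exposure}

def required_capabilities(scoped, capabilities):
    """The sufficient set: capabilities that counter some in-scope technique.
    The rest of the architecture is spend the threat analysis does not justify."""
    needed = set().union(*scoped.values())
    return {cap for cap, (ttps, _) in capabilities.items() if ttps & needed}

def insufficiency_findings(scoped, capabilities, target_maturity=3):
    """Direct test of (in)sufficiency: every in-scope technique must be countered
    by a capability at or above target maturity. Returns the (threat, technique)
    pairs where that fails, i.e. where the next spend should go."""
    findings = []
    for threat, ttps in scoped.items():
        for technique in sorted(ttps):
            if not any(technique in cttps and maturity >= target_maturity
                       for cttps, maturity in capabilities.values()):
                findings.append((threat, technique))
    return findings

if __name__ == "__main__":
    scoped = in_scope_threats(THREATS, EXPOSURE)
    print("sufficient set:", sorted(required_capabilities(scoped, CAPABILITIES)))
    print("insufficiency findings:", insufficiency_findings(scoped, CAPABILITIES))
```

Note that the supply chain capability drops out of the sufficient set not because the actor is harmless but because the business has no exposure to that technique, while the three findings point at exactly the capabilities whose maturity a compliance checklist would not have prioritised.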

[Image: no alt text provided in the source]

To conclude: refocusing on finding a small set of capabilities sufficient to counter the threats identified through threat analysis and the business's exposure to them appears to give us an evidence-based advantage over a large set of mandatory controls, measured by compliance and applied everywhere, which spreads scarce resources thin. Does it not somewhat resemble a Colonel Blotto game (4), whose strategies have been well studied and can be reused?

Furthermore, in case you have not spotted it yet: the risk on the left (in the image above) is just a useful recalibration of the one on the right, with the advantage of using empirical evidence instead of a pure guess at the likelihood. Again, the new model is connected to the old one, which is a good sign.

And how predictive is the new model? Well, we can test insufficiency (but never necessity), so the threat/exposure model has better predictive power than the compliance model. Yet another good sign in its favor.

There is an important by-product of this approach. Since, by definition, a capability (2) is a combination of mutually reinforcing security controls (3), you need to choose the latter carefully. How many times have you performed a conflict analysis of the individual controls under a framework compliance approach? How many times have you implemented controls that were at odds with each other? What a waste (how many people do you think we could have fed and sheltered otherwise)!

So it seems the last bit is the desired simplification for free: a cherry on the wedding cake at the marriage of common sense and better methodology.

I would like to thank the many friends and colleagues across the globe who have for years patiently listened to my at first unclear thinking and my annoying questions, challenged me along the way without mercy, and encouraged but never abandoned me. From all of you I have learned a lot.

References:

  1. The Unfalsifiability of Security Claims, by Cormac Herley, Microsoft MSR-TR-2015-72, May 2016, https://www.microsoft.com/en-us/research/publication/unfalsifiability-security-claims/
  2. Capability - A combination of mutually-reinforcing security controls implemented by technical, physical, and procedural means. https://csrc.nist.gov/glossary/
  3. Control - A safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements. https://csrc.nist.gov/glossary/
  4. Colonel Blotto game and strategies, https://scholar.google.co.uk/scholar?q=Colonel+Blotto+game and https://scholar.google.com/scholar?q=Colonel+Blotto+game+strategy
  5. Enterprise Cyber Security Reference Architecture - What does CISO (your Board and you) need to know about the breadth of Cyber?, https://www.dhirubhai.net/pulse/what-does-ciso-your-board-you-need-know-breadth-cyber-boris-taratine/
  6. Boris Taratine on LinkedIn, https://www.dhirubhai.net/in/taratine/detail/recent-activity/posts/
  7. "Why "Cyber Threat Intelligence-Informed Services" Should Be Part of Your Cyber Security Strategy", 24 May 2020, https://correlatedsecurity.com/why-cyber-threat-intelligence-informed-security-operations-is-important/ - added on 2020-05-25

2019-09-21 13:07:36

#cybersecurity #cyberresilience #cyberthreat #cyberrisk #cyberawareness

Ronan Lavelle

Founder at Validato | Security Validation | Threat Simulation | Cyber Risk specialist | Third Party Risk |

5 years

Nice article Boris. Compliance-based security is often a convenience for security teams because it is something that can be defended, but on the other hand, for less mature organisations, it can allow for the bases to be covered. Ideally, strategies and priorities should be set based on actual threats and risks to the organisation with intelligence on how effective current security controls are to detect and protect the business from those threats. Achieving that in a safe and economic way is going to be the key challenge for many companies over the next few years.

Lorri L. Goddard

Connecting the World | Results-Driven Business Development Professional | Expert in Tech Supply Chain & Hyperscale Partnerships | Proven Success with Microsoft, Amazon, Google and Meta Platforms |

5 years

David Wang

Regional Information Security Lead

5 years

Thanks for the write up. Great stuff.

Tal Eliyahu

Helped Build 30+ Companies

5 years

“we also observe that the adversary learns in time of peace whilst defender – in time of war” - Can’t be written better than this.

Nilay S.

Senior Vice President, Information Security Division

5 years

I like the way you have chosen your words in explaining the thought.
