Welcome to the world of Information Security. With hundreds of product categories and hundreds of vendors, each claiming to solve every problem, it is hard to work out what does and does not make sense. Organizations invest in 10-15 products from different vendors and are not sure whether those products yield the desired results. With new pseudo-layers being added and new products being launched, chaos prevails.
Security requirements need to be understood holistically, in the context of the entire IT environment. Products and tools need to address those requirements effectively without adding to the chaos. Budgets and staff are limited and need to be applied where they yield the most benefit. Information Assurance and Security models help here by visualizing cyber security objectives.
Information Assurance models depict:
- Information Characteristics: Confidentiality, Integrity, Availability and Non-Repudiation
- Information States: Security during Transmission, Storage and Processing
- Counter Measures: Applied through technology, policy and people
However, these models offer no layered framework for identifying the tools required to meet the cyber security objectives.
Let’s look at other mature sciences for inspiration.
Resilience and defense-in-depth are concepts we can borrow from the military. A similar mechanism exists in biology: the human body has multiple layers of skin to protect it from harmful things such as germs and toxic substances, and eyebrows and tear glands add further layers of protection for the eyes. The immune system is itself a multi-layered defense that stops pathogens such as viruses and bacteria from doing damage.
If we categorize these defenses by the role each performs, we get three layers:
- Built-in mechanisms: layers of skin, recognition of foreign bodies
- Continuous risk monitoring and mitigation: detect symptoms, strengthen immunity, take precautions to prevent attack, eat healthily, stay fit, patch a wound
- Detect external threats and respond: the immune system, eyelids, tear glands, the ability to sense danger and react
The same three layers describe resilience and defense-in-depth in the military:
- Deploy mechanisms to protect against adversaries.
- Continuously look for weaknesses and threats and implement measures to strengthen defenses.
- Monitor for attacks, detect them, and respond.
The military, however, has an additional layer: offensive capability. It serves two purposes, to build a psychological deterrent and to attack when needed.
Layers of a Cyber Resilience Framework
A resilient cyber security framework must encompass these layers:
- Layer 1 – Security by Design
- Layer 2 – Cyber Hygiene
- Layer 3 – Surveillance and Reconnaissance
- Layer 4 – Offensive Capabilities (Optional)
Layer 1 - Security by Design
The basic measures implemented at this layer address the Information Characteristics: they provide confidentiality, assure integrity, ensure availability, and support non-repudiation claims.
These tools include:
- Storage Encryption
- Digital Certificates and TLS (still widely referred to as SSL, although the SSL protocol versions themselves are deprecated)
- Identity and Access Management
- Digital Rights Management
- Security Policy Management
- Secure File Transfer
Layer 2 - Cyber Hygiene: Continuous Visibility, Risk Assessment and Mitigation
Good cyber hygiene requires continuous assessment and management of the IT assets (desktops, laptops, servers, mobile devices, IoT devices, storage devices, routers, cloud services, containers…) inside a virtual perimeter. Risks, threats and weaknesses that could lead to an exploit need to be identified continuously, and action needs to be taken to strengthen the posture of those assets.
These measures include:
- Vulnerability Management
- Patch Management
- Configuration Compliance
- Asset Visibility and Management
- Continuous Monitoring
- Application and Device Control
- Data Discovery
- Cloud, Container, Hypervisor Hygiene
- Network Admission Control
- File Integrity Monitoring
- Penetration Testing
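As an added illustration of the File Integrity Monitoring and Continuous Monitoring items above (example code written for this page, not from the original article or any vendor product): a minimal integrity monitor that records a SHA-256 baseline of a monitored tree, rescans it, and reports which files were added, removed or modified. The directory layout, file contents and the tampering in `demo()` are constructed for the demonstration. In production the baseline must be stored off-host and signed, because an attacker who gains root on the monitored machine can otherwise silently re-baseline.

```python
"""Minimal file integrity monitor: baseline, rescan, report drift.

Added example, not from the original article. The monitored tree and
its contents are constructed inside demo() for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """Stream the file through SHA-256 so large files are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (POSIX-style relative path) to its hash.

    Symlinks are skipped: following them would let an attacker point a
    monitored path at arbitrary content and hide what actually changed.
    """
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare(baseline, current):
    """Classify drift between two scans as added, removed or modified files."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo():
    """Build a small /etc-like tree, baseline it, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ssh").mkdir()
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")

        baseline = build_baseline(root)

        # Constructed tampering: weaken sshd, drop in a cron job, delete hosts.
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "cron.d").mkdir()
        (root / "cron.d" / "backdoor").write_text("* * * * * root /tmp/x\n")
        (root / "hosts").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The drift report is only as useful as what is done with it: a modified `sshd_config` or a new file under `cron.d` should feed the monitoring and response layer as an alert, not sit in a nightly report. A fuller monitor would also record ownership and mode, since a permission change on an unchanged file is just as significant as a content change.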
Layer 3 - Surveillance and Reconnaissance: Monitoring, Detection, Response and Recovery
Attack attempts that evade the prevention-based layers need to be caught and handled in this last defensive layer of the cyber resilience framework. IT assets must continuously detect threats, attacks and exploit attempts and respond to stop them, and where an attack succeeds the organization must be able to recover.
The tools include:
- Endpoint Protection, Anti-virus/Anti-malware
- Perimeter Firewall
- DDoS Protection
- Threat Analytics, Big Data, Threat Hunting
- Endpoint Threat Detection and Response
- Data Loss Prevention
- Messaging Security
- Forensic Analysis
- Identity Theft and Fraud Detection
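As an added example of the monitor, detect and respond loop at this layer (written for this page, not code from the original article): a sliding-window detector over sshd authentication log lines that flags a source address after repeated failures, escalates when a login from a flagged address then succeeds, and maps the alerts to response actions. The log lines are constructed to resemble OpenSSH syslog output and use documentation IP ranges; the threshold and window size are assumed tunables.

```python
"""Sliding-window brute-force detection over sshd auth log lines, with a
response decision. Added example, not from the original article. The
sample log is constructed to resemble OpenSSH syslog lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches both "Failed password for invalid user X from IP" and
# "Accepted publickey for X from IP" shapes of OpenSSH auth messages.
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample: one address sprays passwords and then gets in as root;
# a legitimate user from another address mistypes once and then succeeds.
SAMPLE_LOG = """\
Mar 10 12:00:01 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 12:00:02 bastion sshd[2213]: Failed password for invalid user oracle from 203.0.113.5 port 51235 ssh2
Mar 10 12:00:03 bastion sshd[2215]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Mar 10 12:00:04 bastion sshd[2217]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 10 12:00:05 bastion sshd[2219]: Failed password for root from 203.0.113.5 port 51237 ssh2
Mar 10 12:00:06 bastion sshd[2221]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar 10 12:00:09 bastion sshd[2223]: Accepted password for root from 203.0.113.5 port 51240 ssh2
Mar 10 12:30:00 bastion sshd[2300]: Failed password for bob from 198.51.100.7 port 40010 ssh2
Mar 10 12:30:02 bastion sshd[2302]: Accepted password for bob from 198.51.100.7 port 40011 ssh2
"""


def parse(line):
    """Return (timestamp, outcome, user, ip) or None for lines we do not handle."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; relative ordering is all we need here.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["ip"]


def detect(lines, threshold=5, window_seconds=60):
    """Return alerts as (ip, kind, detail).

    kind is 'brute_force' when an address accumulates `threshold` failures
    inside `window_seconds`, and 'success_after_brute_force' when an
    address already flagged then logs in successfully.
    """
    failures = defaultdict(deque)   # ip -> timestamps of failures in window
    flagged = set()
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, outcome, user, ip = parsed
        if outcome == "Failed":
            window = failures[ip]
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "brute_force",
                               f"{len(window)} failures within {window_seconds}s"))
        elif ip in flagged:
            alerts.append((ip, "success_after_brute_force",
                           f"login as {user} succeeded"))
    return alerts


def respond(alerts):
    """Map alerts to response actions as (action, ip) pairs.

    A brute-force source is blocked. A success after brute force means a
    credential is compromised, so the sessions must be killed and the
    credential reset; blocking alone would not undo the access.
    """
    actions = []
    for ip, kind, _ in alerts:
        if kind == "brute_force":
            actions.append(("block", ip))
        elif kind == "success_after_brute_force":
            actions.append(("kill_sessions_and_reset_credentials", ip))
    return actions


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for alert in found:
        print("ALERT", alert)
    for action in respond(found):
        print("ACTION", action)
```

The point of the escalation rule is that a prevention control (the password check) held for five attempts and then failed; only the monitoring layer sees the full sequence and can tell a blocked attacker from a successful one. The same structure applies to any authentication source, whether VPN, web login or cloud console, once the parser is swapped.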
Layer 4 – Offensive Capabilities
As nation states build cyber capabilities and connect critical infrastructure components, the capability to attack 'enemy' nations will become more prominently needed, whether or not it is actively used. These capabilities would be required for attacks, counter-attacks and pro-active defense.
- Data Gathering Tools
- Vulnerability Database
- Exploit Kits
- Packet Crafting Tools
- Payload and Exploit repositories