Originally Published: 11 March 2017
In the last few years Cybersecurity has become a hot domain and as a result there have been a large influx of new people into the field. It is relatively easy to construct a Cybersecurity strategy. There are a significant number of places from which this type of material can be drawn and adapted to individual scenarios. I have seen a number of these strategies produced, of varying quality.
While a solid strategy is important, the far harder part of the problem is developing an ‘executable strategy’ and then implementing it. To achieve an effective execution and outcome a deep understanding of the domain and its nuances is critical. Put another way –
‘What you want to achieve’ and ‘How you achieve it’ are two very different things!
I recently came across the Four Disciplines of Execution (Franklin Covey), also known as 4DX. I could immediately see how aspects of this approach could be applied the execution of a security strategy. While there are four disciplines, it is the first two that can be easily adapted to this domain, with the last two focusing on Accountability and the Leverage which can be gained from the preceding disciplines. I’ll discuss just the first two.
Focus on the Vitally Important (High Impact)
Cybersecurity and Information Security are complex fields. There are many specialised aspects, both technical and operational. While just about every technical security control or operational process will provide some benefit, not all will provide the same impact or are appropriate for all risk profiles. The key here is not just following the status quo. Its about identifying the organisations most significant risks and applying a strategy and the security controls which will provide the highest impact. In other words, what colour is your risk?
There are technologies which can provide the defender a huge advantage over the attacker. Cryptography is an example of one such technology. Although it is now common place, it is a technology which probably provides a million-to-one leverage in favour of the defender. I’m not suggesting this is a silver bullet, just that these sort of ‘force multiplying’ technologies can move the odds in favour of the defender…. a lot!
Measurement and Metrics
Understanding both Leading and Effectiveness metrics is a key part of the 4DX strategy.
Given todays profile and media coverage of Cyber attacks, it amazes me how many organisations have no security visibility…. and this includes some large ones. To be able to understand your security posture, and get any sort of feedback on the effectiveness of a security strategy, you must have some level of security visibility. Unfortunately, it is common place for breach detection times to be in be the months, years or never. The sad part is that in most cases, evidence of those breaches is hiding in plain sight.
Measurement is always a key part of managing anything. If you have no ability to measure, then any form of ongoing improvement is difficult. The 4DX strategy has a focus on Leading Metrics. This is not to say that final results are not important, they are, but a focus on Leading Metrics enables a clear path to that end result through progressive improvement and demonstrate progress towards a goal. Having measures and metrics provides an ability to have conversations at the C-Level in ‘their language’, which in turn can yield better funding for security initiatives.
A path to success will vary based on the many organisationally unique parameters such as the nature of the business, the information assets, the application architecture, risk profile, current maturity levels, etc. So measures and metrics should be crafted on a case-by-case basis.
Goal, Question, Metric (GQM) is a methodology originally developed back in the 70s for quantifying software quality. More recently Carnegie Mellon University have updated this process to GQIM – Goal, Question, Indicator, Metric. These methodologies provides a repeatable process for developing effective metrics, including those used within Cybersecurity.
In a low maturity organisation, I would firstly recommend driving initiatives which provide the establishment of, or improvement to visibility capability. This may include monitoring parameters like password resets, privileged user account usage, IDS/IPS alerts and their severity, blocked connections through firewalls.
Some potential leading measures or metrics focused around general network hygiene could be;
- Number of machines which are below current OS patch level.
- Number of machines which are below current application patch levels.
- Number of machines with critical vulnerabilities.
- Number of machines which are generally out-of-compliance.
- Number of users with unneeded administration privileges.
- Usage of current and secure protocols – TLS. SSH, LDAPS, Valid and strong certificates, etc.
- Usage of Risky applications – i.e. Peer-to-peer file shares, etc.
- Number of users who have not completed security awareness training.
Improving these fundamentals will almost certainly lead to an improvement in the overall security posture, which in turn will likely result in improvements in effectiveness metrics.
If we look at operational security metrics, its all about time. Finding breaches quickly, responding and containing. As such, the following are key metrics which are now commonly used in more mature operational environments;
- Mean time to Detection
- Mean time to Verify
- Mean time to Containment
Continuing on, metrics such as ‘Botnet and Malware infections per employee’ provides a high level measure of overall effectiveness. Metrics such as ‘Average cost per breach’ can quantify operational maturity in financial terms, as we know lower maturity organisations have an exponentially higher costs than more mature ones, usually due to the need for emergency responses when things go bad.
Security is often unfortunately measured when nothing happens and that can make justification and execution ability difficult. By utilising these techniques hopefully we can make it a more winnable game.
_