Developing your own infrastructure protection solution
The era of governments protecting business and citizens from serious attacks, including from foreign adversaries, may have already passed – at least in the context of cybersecurity. That is, while it remains reasonable to expect government to protect against physical attacks such as from bombs and missiles, as a general matter, today governments lack the authorities, capabilities, and resources to do something similar in the cyber domain. As a result, every organization must develop its own plan and associated solution for infrastructure protection and must leverage the external capabilities that a government might once have brought to bear. The good news is that this plan and solution can be constructed using existing enterprise security programs as a base. That is, the types of functional, procedural, and policy decisions made to stop enterprise-grade threats represent the correct underlying security base on which to build a foundational model for dealing with larger threats. The challenge, of course, is that truly taking on this mission will require taking the overall SOC and cyberdefense culture of sharing information and making that a rubric for the whole organization.
What attributes must be present for organizations to succeed in a cooperative?
Three attributes must be met by an organization before cyber risks to critical infrastructure can be properly addressed via a cooperative sharing group. These attributes line up directly with the belief structure of the key stakeholders and decision-makers in the information technology, infrastructure, and cybersecurity groups, as well as at the corporate leadership and board level. These are not attributes that can simply be imposed on an organization. Rather, they must be closely held by the relevant principals:
Risk Acknowledgement – An organization must acknowledge the nature and scale of security risk to its infrastructure and to its overall corporate health. If the belief exists that vulnerabilities are minor and that infrastructure cannot be seriously degraded via cyberthreats, or that such efforts won’t materially affect the corporate bottom line, then participation in a cooperative group won’t likely be successful. Organizations must be willing to acknowledge the presence of significant risk that needs to be mitigated aggressively before joining any collective sharing group.
Willingness to Share – An individual organization considering joining a collective defense group must also recognize and be willing to participate in the bidirectional nature of information sharing. That is, joining a cooperative cannot be done solely to collect data from others. Rather, just like in any trusting relationship, it must include an open willingness to share information with other members of the group. Anonymous, non-attributed sharing mechanisms can be helpful, but willingness to share (and to share broadly) is essential.
Desire to Mitigate – The purpose of any cooperative sharing group is to provide a rich source of information, from which actionable intelligence can be derived. Involvement in the group should therefore be predicated on the desire to actually mitigate cybersecurity risk, rather than to simply meet some compliance obligation.
Figure 5-1. Three Attributes Required to Succeed in a Cooperative
These three conditions must be met honestly by each individual organization participating in a collective defense system, and are listed here to help make the collective involvement successful. Any organization that doesn’t fully accept the presence of cyber risk, doesn’t plan on sharing relevant information with others, and has no intention to use the shared data as the basis for real security mitigation and response is probably best advised to invest its time and effort into other types of security approaches.
It is worth mentioning that some organizations join information sharing groups to collect information relevant to executive and board presentations. Board members, in particular, like to be provided context around cyberthreats, including malicious actor attribution, so sharing often helps to obtain this information across a given industry or across multiple sectors. So long as the ultimate purpose in educating board members is to improve the overall security posture of the organization, this motivation for joining a collective seems acceptable.
What are the parameters for establishing trust in a cooperative?
The concept of trust between participants in any cyber cooperative is influenced by a couple of factors. First, there is the business or government sector of the participants. It is not a stretch to assume that participants in a common sector may tend to be more trusting of information being ingested, simply because the vantage point will be similar. Two banks, for example, will tend to trust their relative interpretations of some vulnerability and its consequence.
relative size and expertise of sharing participants will influence mutual
trust. A general rule is that most organizations will tend to trust information
from larger or peer groups, but will be more tentative about information coming
from smaller participants or non-peers. Size of an organization and trust in
the value of the information being is not a perfectly correlated, because a
large bank might trust information coming from a small, but expert advisory
group. In general, however, peer or larger organizations tend to be assigned
more confidence in the information being shared.These two
factors – sector and size – can be merged into a so-called measure of peer correlation that can be useful in
analyzing the potential effectiveness of a given cooperative. By creating a
simple grid on these two factors, we can depict the degree to which participants
will tend to view the level of correlation for information being shared
generally. Two large banks, for example, might find some shared data highly correlative,
whereas a small retail shop might find the same data less applicable. Figure 5-2. Peer Correlation in a Cyber CooperativeIt is worth
noting that competitive forces will clearly influence the willingness of a
given organization to share information with a cooperative group. While it is
true that many industries tend to not differentiate based on relative security
capability, there are some industries where this is less accurate. Cooperatives
that include entities competing on cyber-related capability will have to work
harder to maintain mutual trust; as a result, sharing both within sector and
across multiple sectors, is key.Third, the
interdependency of organizations will influence trust. Few organizations today
are vertically and horizontally integrated.
Rather many organizations rely on an interdependent web of organizations
to build, distribute, or deliver their solutions or capabilities. Sectors such
as banking, today rely on the energy sector to ensure a ready source of power
and the telecommunication sector to interact with other banks and their
customers. Other sectors, such as aerospace, rely on complex supply chains of
hundreds of component makers to bring their products to market. Finding groups
of interconnected organizations can help identify entities that are likely to be
willing to work collaboratively given their existing economic alignments.Are there any legal or privacy issues associated with joining a trusted sharing group?Joining an
Protecting Information – By sharing information with a cooperative, the organization introduces the possibility, however small, that sensitive data could be mishandled and leaked. To deal with this issue, cooperatives must include mechanisms for protecting data both in transit and at rest, including the robust use of strong encryption.
Working with Competitors – If a cooperative includes competitors, even given the provisions of CISA in the United States that squarely address these issues, legal teams will likely want agreement on the basic procedures for sharing, especially in regulated industries.
Avoiding Unexpected Risk – In general, enterprise legal, privacy, and security teams will be averse to any unexpected risk that might emerge as a result of joining a sharing cooperative. This requires that cooperative cyber sharing groups include solid documentation of expectations for participants. New risks can always emerge, but surprise should be minimized.
The best way to handle these legal and privacy issues is to directly involve staff from these organizations in the decision-making process around joining or establishing a group. Many excellent commercial vendors can provide sound advice to companies considering use of an information sharing cooperative, and can help legal, policy, and privacy staff become more knowledgeable and comfortable around what to expect.
Concluding Remarks
The purpose of this report has been to make the case for cooperative cybersecurity protection for large-scale infrastructure. The strongly held belief of the authors should be obvious from the discussion: organizations should willingly, aggressively, and openly share in cases where mutual benefit can be obtained. To this end, it becomes the obligation of all participants in the security ecosystem – business, government, and vendors – to support this objective.
As should also be obvious from the discussion, trust is the adhesive that holds information sharing and meaningful collectives together. Establishment of trust between organizations is simple when all political, philosophical, business, societal, and even military objectives align closely. It is more difficult, however, when one or more of these objectives do not align. In these cases, more effort is required to establish trusted agreements toward a working collective.
It is the sincere hope of the authors that the goal of protecting critical infrastructure should be of paramount importance, especially where cyber attacks could produce negative consequences for the safety and even the lives of individuals and groups. The material we have shared here represents our modest contribution to achieving this goal, and we hope that readers will take our recommendations into account as they build, operate, and maintain infrastructure.