Now that we all carry supercomputers complete with real-time GPS mapping in our pockets, a reference to physical maps may feel a bit antiquated. You know the ones I’m talking about; you can still find them at many malls or theme parks, and even some downtown city streets. It’s usually a backlit map on a pillar with a little arrow marking “you are here.” It’s designed to give you a sense of where you are and how to get where you're going. While that physical map may feel a bit dated, at least it’s still effective. That’s more than I can say for many of the InfoSec practices, products, and procedures we find at companies of all shapes and sizes.
That security gap is really not surprising though. Organizations and individuals alike are becoming more and more connected, while information and assets are becoming more and more digital. At the same time, the bad guys are becoming more and more organized and sophisticated. It feels like new threats, vulnerabilities, and breaches are announced every day. To keep pace, vendors seem to announce new products every week, not to mention all the new companies that are constantly popping up. As security professionals, we are left trying to sort out the mess. Which InfoSec tools provide defense in depth, and which are just causing duplication? How do I even compare competing products and the protections they provide?
Luckily there are some models, frameworks, and best practices available to help us figure it all out.
Three of the most widely known and referenced are ISACA COBIT, ISO 27002, and NIST CSF:
- COBIT is a “business framework for the governance and management of enterprise IT” published by the Information Systems Audit and Control Association (ISACA). Governance is the key word there; this is a high-level framework to help executives execute policies and procedures. It’s the widest in scope, is best used for aligning business objectives with IT and security goals, and can be thought of as a strategic base for the ISO and NIST frameworks.
- ISO 27002 is a set of best practice recommendations for implementing an Information Security Management System (ISMS) published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is essentially a list of checklists for operational controls that are used in conjunction with the requirements laid out in ISO 27001 to help ensure that your approach is comprehensive.
- The Cyber Security Framework (CSF) published by the US National Institute for Science and Technology (NIST) is much more tactical in nature. Its most recognizable aspect is called the “Framework Core,” which includes five functions: Identify, Protect, Detect, Respond, and Recover. It also includes “Implementation Tiers” and “Profiles” to help you define your current risk management abilities and future/target goals within each of the functions.
A couple of additional frameworks that are less well known but worth reviewing are RMIAS and ATT&CK:
- RMIAS stands for Reference Model for Information Assurance & Security. This model “endeavors to address the recent trends in the IAS evolution, namely diversification and deperimeterization.” It describes four dimensions (security development lifecycle, information taxonomy, security goals, and security countermeasures) and incorporates them into a methodology that helps to ensure completeness, risk analysis, cost-effectiveness/efficiency, and consistency in your IAS practice.
- ATT&CK stands for Adversarial Tactics, Techniques & Common Knowledge. It “is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target.” In other words, it contains deep knowledge about how and where the bad guys are known to attack. Provided by MITRE, a non-profit R&D organization, it is gaining wide acceptance among practitioners and vendors alike as a common language and reference.
Of course, there is also a growing list of industry-specific frameworks, models, and regulations like HIPAA, HITRUST, FEDRAMP, PCI-DSS, SOC, CIS, and more. While all of this is great, I’m still left with those same questions: Which tools provide defense in depth, and which are just causing duplication? How do I even compare competing InfoSec products and the protections they provide?
What we require is a more practical model of the specific InfoSec technologies needed to secure our organizations.
Through the remainder of this series, I will introduce and describe a reference model of IT infrastructure security that aims to fill this gap. Over the next four posts I will illustrate four technology domains (perimeter, endpoint & application, identity & access, and visibility & control), including the current drivers and the specific categories within each. Then, in the final post, I will describe how this model fits within the broader ecosystem of cybersecurity countermeasures and provide some advice on how to put it all into practice.