Extracting value from the interconnected network of risk management
From the CISO to the SOC operator, defenders struggle to maintain complete situational awareness. Holistic approaches to risk management require the implementation of a manageable number of policies and procedures but are tied to an often unmanageable and misunderstood ecosystem of tooling and controls. These inefficiencies are laid bare in frequent public breach reports and are the result of a threat landscape that is increasing in volume, complexity, and novelty.
We fail to leverage the natural relationships between cyber risk capability areas because we segment sense-making activities into their individual domains rather than fusing them.
Our organizations and the information environments within them are living, breathing organisms; the network is their nervous system. Just as the fingers cannot type without a signaling pathway between the brain and hands, an attacker cannot remotely exploit a system without a network that connects the two. The network presents our best opportunity to understand the interactions which link our application of risk management strategy. Our ability to protect, detect and respond is less about strict controls enforcement or monitoring capabilities and more about the advantages in decision making they afford.
Whether in the heat of an incident or during the churn of daily operations, decisions on what to do, what to implement, or what to prioritize are crucial to maturing cyber posture and cyber resilience. Properly leveraged network evidence can serve as the merging point for tactical, operational, and strategic decision making.
To help guide this decision-making process, there are several key questions and concrete steps that team leads can explore.
Do I understand the network structure and underlying activities that support my threat model?
In order to know what systems you are working with, the CISA Cyber Essentials handbook advises that teams must first “learn what’s on your network.” Threat modeling is well-defined and is the primary means of selecting protection and detection mechanisms, but the resulting controls focus on individual systems or components and on the last-hop entry point. A comprehensive step-by-step approach must include the full path through the network:
Step 1: Baseline common activities associated with your systems and asset inventories. Go deeper than traffic volume or port-level activity and identify specific interactions. For example: HTTP POST activity against URI target (X), with a POST body length between 500 and 700 bytes and user agent(s) {a, b, …}, tied to threat model entries {1.1, 1.3, …}.
Step 2: Create a library of activities and associate it with every risk management initiative that touches the in-scope resources.
Step 3: Develop an audit capability which gives decision makers a persona-like lens tied to risk and allows iterative learning as new information becomes available.
Be wary of efforts and vendors that do not provide the data flexibility required to develop and mature this end-to-end capability.
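As an added example (not code from the original post, and not Zeek's own tooling), the three steps above can be expressed as a small activity-baseline library that runs over Zeek http.log records in JSON output format. Field names follow Zeek's http.log schema; the log lines, hosts, URIs, user agents, threat-model IDs and initiative names are constructed placeholders for the illustration. Each record either fits a known persona (step 1), which is linked to the risk initiatives that touch that resource (step 2), or is surfaced as an unexplained interaction, and an initiative-level view gives the persona-like lens of step 3.

```python
"""Activity-baseline library over Zeek http.log records (JSON output format).

Added example: baselines are keyed to threat-model entries and risk-management
initiatives; every record either fits a known persona or is surfaced as an
unexplained interaction for review.  All input lines below are constructed.
"""
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed Zeek http.log lines in JSON format.  Field names follow Zeek's
# http.log schema; hosts, URIs and user agents are made up for the example.
HTTP_LOG = """
{"ts":1700000000.1,"uid":"C1","id.orig_h":"10.0.0.5","id.resp_h":"10.0.1.10","method":"POST","host":"api.internal","uri":"/v1/checkin","user_agent":"agent-a/1.2","request_body_len":612,"status_code":200}
{"ts":1700000001.4,"uid":"C2","id.orig_h":"10.0.0.6","id.resp_h":"10.0.1.10","method":"POST","host":"api.internal","uri":"/v1/checkin","user_agent":"agent-b/2.0","request_body_len":540,"status_code":200}
{"ts":1700000002.0,"uid":"C3","id.orig_h":"10.0.0.7","id.resp_h":"10.0.1.10","method":"POST","host":"api.internal","uri":"/v1/checkin","user_agent":"curl/8.4.0","request_body_len":1900,"status_code":200}
{"ts":1700000003.2,"uid":"C4","id.orig_h":"10.0.0.5","id.resp_h":"10.0.1.10","method":"GET","host":"api.internal","uri":"/v1/status","user_agent":"agent-a/1.2","request_body_len":0,"status_code":200}
{"ts":1700000004.9,"uid":"C5","id.orig_h":"10.0.0.8","id.resp_h":"10.0.1.10","method":"POST","host":"api.internal","uri":"/v1/checkin","user_agent":"agent-a/1.2","request_body_len":655,"status_code":200}
""".strip()


@dataclass(frozen=True)
class ActivityBaseline:
    """One specific interaction (step 1), tied to threat-model entries and initiatives (step 2)."""
    name: str
    method: str
    uri: str
    body_len_range: tuple      # inclusive (min, max) of request_body_len
    user_agents: frozenset     # user agents expected for this interaction
    threat_model_refs: tuple   # hypothetical threat-model entry IDs
    initiatives: tuple         # hypothetical risk initiatives touching this resource

    def matches(self, rec):
        lo, hi = self.body_len_range
        return (rec.get("method") == self.method
                and rec.get("uri") == self.uri
                and lo <= rec.get("request_body_len", -1) <= hi
                and rec.get("user_agent") in self.user_agents)


# The baseline library (step 2).  Threat-model IDs and initiative names are placeholders.
LIBRARY = [
    ActivityBaseline("checkin-post", "POST", "/v1/checkin", (500, 700),
                     frozenset({"agent-a/1.2", "agent-b/2.0"}),
                     ("1.1", "1.3"), ("vuln-mgmt", "asset-inventory")),
    ActivityBaseline("status-get", "GET", "/v1/status", (0, 0),
                     frozenset({"agent-a/1.2", "agent-b/2.0"}),
                     ("1.1",), ("asset-inventory",)),
]


def parse_http_log(text):
    """Parse JSON-format Zeek http.log lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(records, library):
    """Return ({baseline name: [uid, ...]}, [records matching no baseline]).

    The first matching baseline wins; anything unmatched is an interaction the
    library does not yet explain and is a candidate for a new baseline.
    """
    hits = defaultdict(list)
    unexplained = []
    for rec in records:
        for baseline in library:
            if baseline.matches(rec):
                hits[baseline.name].append(rec["uid"])
                break
        else:
            unexplained.append(rec)
    return dict(hits), unexplained


def initiative_view(hits, library):
    """Step 3: a persona-like lens per initiative: which baselines fired, and how often."""
    view = defaultdict(dict)
    for baseline in library:
        for initiative in baseline.initiatives:
            view[initiative][baseline.name] = len(hits.get(baseline.name, []))
    return dict(view)


if __name__ == "__main__":
    matched, unexplained = classify(parse_http_log(HTTP_LOG), LIBRARY)
    print("matched:", matched)
    print("unexplained:", [(r["uid"], r["user_agent"], r["request_body_len"]) for r in unexplained])
    print("by initiative:", initiative_view(matched, LIBRARY))
```

On the constructed input, four records fall into the two personas and the fifth (a POST with an unexpected user agent and an oversized body) is surfaced as unexplained, which is exactly the kind of interaction the text says traffic-volume or port-level baselines would miss. Adding the `threat_model_refs` and `initiatives` fields to the baseline record, rather than keeping them in a separate spreadsheet, is what lets the audit view be regenerated as the library changes.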
Can I measure impact within the protect, detect, respond maturity cycle?
Activity personas, or baselines, that include complete context across the threat model, relevant visibility, and expected controls can enable threat hunters to test informed, comprehensive hypotheses and deconflict threat intelligence.
Step 1: Measure the conversion of threat hunting activity to protective and detective controls. Focus on maturation rather than volume.
Step 2: Create a feedback mechanism between threat hunting, alerting and incident response and pressure test it through audit. Use the outputs as a decision driver to accelerate maturity.
Step 3: Be wary of vendors who become difficult to integrate or contextualize within this cycle.
Can I measure the accuracy, effectiveness, and impact of my controls?
Controls act as protective mechanisms but also behave as sensors. Combining sensor outputs (also known as fusion) provides insight into the accuracy, effectiveness, and overall confidence in “truth.” The network provides value in three ways:
1. Combination and correlation
Step 1: Identify opportunities to map control output to the relevant network baselines, add context to controls via those baselines, or build new baselines.
Step 2: Measure the accuracy of established baselines by comparing true positive and false positive alerts.
Step 3: Merge network-centric outputs with risk management activities related to the specific control (vulnerability management, asset management, configuration management, etc.).
Step 4: Create a mechanism that refines baselines or refines controls based on outputs.
2. Controls validation
Step 1: Measure the effectiveness of control implementation with respect to activity persona (number of baselines, volumes of traffic in personas, variance in personas against threat model).
Step 2: Merge network-centric outputs with risk management activities related to the specific control (vulnerability management, asset management, configuration management, etc.).
3. Identification of controls regression
Step 1: Create a new persona baseline and alert on anomalies against the previous persona baseline to immediately identify regression.
Step 2: Merge network-centric outputs with change control workflows.
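As an added example covering both the accuracy measurement in "Combination and correlation" (Step 2 and Step 4) and the regression detection just above, the following Python is not from the original post; it assumes the per-baseline alert dispositions and the two observation windows shown are constructed, and that baseline names, hosts, user agents and the change reference are placeholders. The first half turns analyst TP/FP dispositions into a precision figure per baseline and lists the baselines that fall below a refinement floor; the second half summarises a window of matched records into a persona and compares a fresh window against the previous persona, so that a new user agent, a new source, a shift in body length or a volume change is reported as a regression finding that can be attached to a change-control record.

```python
"""Baseline accuracy from analyst dispositions, and persona regression detection.

Added example.  Dispositions, observation windows and names are constructed;
the change reference is a placeholder for whatever the change-control system uses.
"""
from collections import Counter
from statistics import mean

# (a) Alerts raised by two baselines, each with its analyst disposition (constructed).
DISPOSITIONS = [
    ("checkin-post", "TP"), ("checkin-post", "TP"), ("checkin-post", "FP"),
    ("status-get", "FP"), ("status-get", "FP"), ("status-get", "TP"), ("status-get", "FP"),
]


def baseline_precision(dispositions):
    """Precision (TP / (TP + FP)) per baseline name."""
    counts = {}
    for name, disposition in dispositions:
        counts.setdefault(name, Counter())[disposition] += 1
    return {name: c["TP"] / (c["TP"] + c["FP"]) for name, c in counts.items()}


def baselines_to_refine(dispositions, floor=0.5):
    """Baselines whose precision is below the floor: candidates for Step 4 refinement."""
    return sorted(name for name, p in baseline_precision(dispositions).items() if p < floor)


# (b) Two windows of records already matched to the "checkin-post" persona (constructed).
# The second window follows a hypothetical client upgrade: new agent version, larger bodies.
PREVIOUS_WINDOW = [
    {"id.orig_h": "10.0.0.5", "user_agent": "agent-a/1.2", "request_body_len": 600},
    {"id.orig_h": "10.0.0.6", "user_agent": "agent-b/2.0", "request_body_len": 580},
    {"id.orig_h": "10.0.0.5", "user_agent": "agent-a/1.2", "request_body_len": 620},
    {"id.orig_h": "10.0.0.6", "user_agent": "agent-b/2.0", "request_body_len": 600},
]
CURRENT_WINDOW = [
    {"id.orig_h": "10.0.0.5", "user_agent": "agent-a/1.3", "request_body_len": 900},
    {"id.orig_h": "10.0.0.6", "user_agent": "agent-b/2.0", "request_body_len": 880},
    {"id.orig_h": "10.0.0.5", "user_agent": "agent-a/1.3", "request_body_len": 920},
    {"id.orig_h": "10.0.0.6", "user_agent": "agent-b/2.0", "request_body_len": 900},
]


def build_persona(observations):
    """Summarise a window of matched records into a persona baseline."""
    return {
        "count": len(observations),
        "user_agents": {o["user_agent"] for o in observations},
        "sources": {o["id.orig_h"] for o in observations},
        "mean_body_len": mean(o["request_body_len"] for o in observations),
    }


def detect_regression(previous, current, len_tolerance=0.25, volume_tolerance=2.0):
    """Compare a fresh persona against the previous one; return a list of (finding, detail)."""
    findings = []
    new_agents = current["user_agents"] - previous["user_agents"]
    if new_agents:
        findings.append(("new_user_agents", sorted(new_agents)))
    new_sources = current["sources"] - previous["sources"]
    if new_sources:
        findings.append(("new_sources", sorted(new_sources)))
    if previous["mean_body_len"] > 0:
        drift = abs(current["mean_body_len"] - previous["mean_body_len"]) / previous["mean_body_len"]
        if drift > len_tolerance:
            findings.append(("body_len_drift", round(drift, 3)))
    ratio = current["count"] / previous["count"] if previous["count"] else float("inf")
    if ratio > volume_tolerance or ratio < 1 / volume_tolerance:
        findings.append(("volume_change", round(ratio, 3)))
    return findings


def regression_alert(persona_name, findings, change_ref="CHG-PLACEHOLDER"):
    """Package findings for the change-control workflow; None when nothing regressed."""
    if not findings:
        return None
    return {"persona": persona_name, "change_ref": change_ref, "findings": findings}


if __name__ == "__main__":
    print("precision:", baseline_precision(DISPOSITIONS))
    print("refine:", baselines_to_refine(DISPOSITIONS))
    findings = detect_regression(build_persona(PREVIOUS_WINDOW), build_persona(CURRENT_WINDOW))
    print("regression:", regression_alert("checkin-post", findings))
```

The tolerances are deliberately parameters: the right drift and volume thresholds depend on the persona, and the point of the Step 2 merge with change control is that a finding such as a new user-agent version can be reconciled against a planned change rather than treated as an unexplained anomaly.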
Do I have complete context around transitive risk?
Once an attacker establishes a foothold, interactions move from unknown origin to trusted identity in a heartbeat. Maintaining activity profiles and baselines is critical to assessing, understanding, and making leveraged decisions. Identifying how changes in the trusted entities associated with activity profiles impact the threat model and its relevant risk areas is one example of understanding and contextualizing transitive risk. Finally, identifying the decision levers available for mitigation is also critical in the event that transitive risk is realized.
Can I mechanize the translation of learning into institutional memory?
Culture, decisions, and the policies which guide them are the DNA of an organization, and it is imperative that we purposefully weave in the knowledge created by our application of risk management. Security awareness and training, secure design (SDLC), security intelligence, and governance, risk and compliance (GRC) initiatives represent just a few of the levers available.
We have witnessed a dramatic evolution in the monitoring and analysis of the network; however, its use beyond specific detection use cases has lagged woefully. Given a rich source of policy-agnostic, network-derived data such as that presented by Zeek, the opportunity to coalesce around the network for decision-making across the risk management portfolio is ripe for the picking.
Gaining advantage over our attackers requires that we take new, comprehensive approaches to risk management centered on decision making; create forums for socializing new approaches and their learnings; and elicit feedback to mature the mental model for cyber defense. The network is our launchpad.