I was recently in a very high-cost (around $6K), one-week security course in San Francisco. You can infer the institution. The instructor was dynamic, and the topic was focused on technical hacking. A how-to for breaking into computers, detecting the break-in, etc. At the end of the week there was a little ‘capture the flag’ exercise that I missed due to a really fun head cold that hit me the day before.
The instructor was a smart guy – very much so. But he made a few statements that were unsettling to me.
The first was basically that all security vendor products are worthless. Nobody makes good gear, it can all be broken into, and why not focus on just securing your high value targets. Hmmmm. A) that is a very nice but how do you propose to do this, and, b) with what will you do to accomplish this….an army of techies staring at screens of….what? He did back off a little at one point and say there were some products that were pretty good. I had to assume those were the ones his company sells.
He also stated that documented processes were useless for securing organizations. He went on to talk about diagrams, flow charts, Word documents, etc., that are used to demonstrate processes which have absolutely no value. At this point I started flushing half of what he said. Although a very fast and dynamic speaker, I felt like some weird Kool-Aid was being shoved in my face. You simply cannot run a security program using chaos theory.
It felt like I was being confronted by a Sith Lord…all black-and-white absolutes and a limited view of how things really are supposed to be. Which, incidentally, is all peaceful and happy-like. Well. Maybe not necessarily for us security types in general. But you get what I mean.
The last thing he said was that frameworks and standards are useless, just toss them. According to him, just put your defensive resources on the high risk targets and you will be fine.
Was he right about any of these? What about that last one? Do we simply pile resources on what we think needs defended?
Probably not. Technical acumen aside, he would simply be laughed out of an organization if he came through the door with these three ideas as the primary tenets of how the security show was going to be run. First off….how do you define what the high value targets are? Throw a dart at a taped up network diagram? No…you use a risk management approach and methodology, which uses…umm…clearly defined processes and metrics. Also, you can’t arm a few folks with sticks and tell them to defend the network. It requires technology that is usually supplied by…ummmmmmm…vendors. You simply can’t keep up without having the necessary security boxes and applications deployed within infrastructure.
All obvious stuff. But let’s talk about frameworks and standards, try to determine if they have any value. This is worth taking on as a discussion versus the other two ludicrous ideas.
First we need a common point of reference so we have a foundation…let’s run through how the security program is organized.
Portfolios, Programs and Projects.
The following is based on ‘typically’. Not all security organizations are well staffed and funded to allow for all of the following, but this is generally how the world looks. By the way, when I inject ‘CISO’ I mean a Chief Information Security Officer (CISO) or a Chief Security Officer (CSO). The difference between them is basically that the CISO only has responsibility for information security, whereas the CSO has broader responsibilities, such as securing physical property or executive protection management. For the purposes of this article I will use the term CISO.
When a CISO is handed people, money, and time to create a protective environment, she will basically either make a (or maintain an existing) broad-reaching security organization. This is often referred to as the portfolio. This portfolio is determined by how the organization chart is laid out for that security organization. Maybe the other way around. Chicken and egg time. Anyways…there are technical and non-technical pieces within the portfolio.
Those pieces are called programs. One example is the risk management program, which is usually considered non-technical in nature. Someone within the security organization is tasked to manage and perform risk assessments of business units, new implementations, post-incident remediation, and other items as deemed necessary by the program charter or policies and standards. Another program example is a threat and vulnerability management capability, which is a little more technical. Someone has the responsibility to scan systems for vulnerabilities and manage the output. A couple of highly technical program examples would include staffing and managing a Security Operations Center (SOC) or Computer Security Incident Response Team (CSIRT). Think of programs as the bigger pieces of the CISO’s portfolio.
Within each program there are usually projects. Yes, it is exactly as it sounds. Projects are typically implemented with each program to improve that program’s operational capabilities or change them in some fashion. Think of adding a new Security Incident and Event Management tool to the SOC as a project within the SOC program.
So when a CISO has to manage the portfolio, it usually involves either directly managing or having the staff to manage programs. Within each program there are projects that need attention. It all rolls up to the portfolio, of which the CISO has responsibility.
Frameworks – Finally
Pretty simple, so far. All is fine. But where and how do you allocate your resources to effectively manage the broader portfolio? You have finite money, people, and time.
You could use a framework to guide your efforts. One interesting thing about any framework: the primary focus is to allow organizations to be proactive about risk management. I’ll have a bit to say about framework versus risk management as far as their individual values toward the end of this article.
Back to frameworks. They typically tie into the programs within a portfolio, e.g., how to create and manage an incident response team. A couple of the most popular ones include The ISO/IEC 27000 series and NIST. We’ll start with a brief overview of NIST first.
NIST Cybersecurity Framework
Basically the NIST Cybersecurity Framework is a set of recommendations that are categorized or organized logically to assist CISOs in improving the organization’s ability to prevent, detect, and manage attacks within the IT infrastructure. Think of NIST as a way to organize that security portfolio we talked about earlier, which represents a taxonomy of services and technologies used to protect the organization. The primary focus when it was released was to assist those responsible for securing US critical infrastructure. Now it is broadly used throughout many different types of organizations and industries.
NIST is popular for a couple of reasons. The primary one is that it is free. Anyone can download and use the NIST framework, or apply it as they see fit.
The second reason is due to its completeness. There is a ton of material behind this document, and you can literally drill down to individual control objectives as they relate to the rated criticality of an asset. You can build out a very complete set of a portfolio’s programs using various NIST documents as a guide.
Another reason for the popularity is the fact that it is publically distributed for comment and input. Think of it as a framework that is akin to open source code. There are a lot of eyes on it to make sure it is sufficient and complete. Yes, that can be a bad thing due to the potential for ever-increasing complexity and padded functionality, but hey. Free. Hello.
Basically NIST is broken into a cyclical, 5 part methodology. The main parts (called categories) are:
- Identify (what you have and the attack surface)
- Protect (what you identified as worthy)
- Detect (the bad guys or other bad events)
- Respond (to those bad guys or events)
- Recover (from the damage)
You start with Identify. You end up at Recover. Then you Identify again. Lather, rinse, repeat. Obviously that’s why it takes me a whole bottle of shampoo to support one unit of shower. Rest assured, however, you will not run out of NIST.
There are a total of 98 sub-categories under the 5 categories. It provides pretty detailed guidance when it comes down to it. If you wonder how you generally stack up against the NIST framework there is a relatively simple self-assessment. There are six areas of focus:
- Measurement, analysis and knowledge management
There is also a results section, which collects the self-assessment and tells you how well (or poorly) you line up to the NIST framework. It basically tells you where to focus efforts.
There are also associated controls, which are quite exhaustive in nature. Thorough can be good or bad, I’ll let you decide. My point is that you simply do not have a high-level ‘you should do this’ type of approach with NIST. It is very complete and will give you lots of ideas and recommendations throughout.
ISO/IEC 27000 Series
These documents are published jointly by the International Organization for Standardization and the International Electrotechnical Commission. They provide general best practices and recommendations for security portfolio management with the goal of managing…once again…risk. More on that in a bit.
The ISO/IEC 27000 series is basically focused on creating an Information Security Management System (ISMS). Think security portfolio and the programs under it. Poe TAY toe, poe TAH toe. ISMS usually sounds sexier but it is basically the portfolio.
There are a lot of ISOs out there, such as ISO 9000 (quality assurance) or ISO 14000 (environmental protection). Within each major series (27000 being security) there are guidelines to get certified as being in compliance with the ISO. And yes, there are organizations out there that will independently certify you as worthy to have the ISO Certified moniker. That, in and of itself, will not protect you from being successfully attacked. But it is a certification of an international standard and besides…being certified looks nice on the wall.
ISO/IEC 27001 basically originated as British Standard 1999. Since then it has gone through a few flips and turns, but the core concept of 1999 remained throughout, resulting in today’s series.
There are around 45 individual standards within the ISO/IEC 27000 series. They cover things such as risk management (27005), document redaction (27039), incident investigation (27043) and a host (well…42 to be exact) of others.
The primary document most CISOs are familiar with is ISO/IEC 27001. It gives 14 ‘big pieces’ of an ISMS and within each of those 14 chapters are the associated security controls. The 14 chapters are:
- Information Security Policies
- Organization of Information Security
- Human Resource Security
- Asset Management
- Access Control
- Physical and environmental security
- Operation Security
- Communication security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
The controls are pretty broad as far as scope and detail, and really amount to guidance and suggestions. One stated reason for that is so the ISO can be used by any size or type of organization.
One thing to keep in mind is that the ISOs are a pay-for-play proposition as opposed to the free NIST documents. ISOs require a subscription in order to use them.
Value of a framework.
Frameworks are good for providing a guide as to how to organize the security operation or portfolio. They will also provide ideas as to what should be done within each program. Think of them as a CISO’s checklist-o-life. It helps to review the framework and see what you are missing.
Frameworks also provide an organized method of letting your boss or the broader organization know what you are doing. They can be used to describe your efforts within the portfolio in a manner that makes sense to the ones paying for it. Frameworks can be used as great visual tools for displaying the value and work that goes into managing the portfolio. Not all bosses will understand what you are saying in regards to the security program, which, at times, is not necessarily a bad thing.
Frameworks can also be used to organize and manage your organization according to the business environment or what works best for you. Pick and choose the pieces you are responsible for, or rearrange the framework to suit your particular conditions. Take what you need from them.
Problems with Frameworks
One issue with frameworks is that they basically tell you to do everything. If, as a CISO, you tell your boss you are going to align your portfolio to a framework things could get interesting. You might be questioned as to what you are doing in the area of ____ or asked why this one is not being done yet. We typically don’t have the resources to do it all, and certainly not all at once.
Frameworks can be very generic in nature. You exist in a specific industry. With very specific regulations. And very specific business goals. The alignment might be a little difficult. Frameworks might not adequately address your specific situation as far as what you really need to focus on.
Frameworks all point themselves back to a risk-based approach. If you adopt a framework it will not absolve you (nor, as a CISO, should it ever) from managing the portfolio according to risk. Business pressures and how risk is managed, accepted, or ignored should be the cornerstone of every CISO’s portfolio. Frameworks are fine but risk-centric management is essential.
Frameworks have their purpose. Primarily they are useful for organizing the portfolio and communicating to the broader organization (up and down) what the portfolio does and why it is organized as it is.
Free is good. Then again, internationally certified might be one of your goals or a performance metric. You could even choose to create your own framework or security portfolio methodology. I have friends who have done that – tailored it to their specific needs. You choose what is right for you. Earn that CISO pay.
Frameworks have their limitations. They can be too general in nature causing you to get questioned a lot, or so specific that you simply can’t do it all.
You still need to run the business of security, which should always be focused on effective risk management. Be organized while you do that, possibly using a framework to guide you.
About the Author
About Keith Rayle