Cybersecurity First Principles

Calling all cyber defenders.  Here is an up to date  handbook for setting up your cyber defense.  You may not agree with or need everything, but it will give you a great starting point and more.  The book is focused on security technology and risk and how to use the former to reduce the latter.

Use cases I can think of are any cybersecurity education program (my use case); guidebook for cyber defenders; handbook for startups trying to figure out how to position their new offering; and others I haven’t thought of.

The starting point is the “Cybersecurity First Principle”.  You might think it is CIA, or compliance with the NIST Cybersecurity Framework.  But those don’t cut it; Mr. Howard’s more basic first principle is: “Reduce the probability of material impact due to a cyber event over the next three years”. What I like about this is:  it is simple; it describes the CISO’s task—reduce the probability; it includes the business benefit—material impact; and it includes a disclaimer—over the next three years.  The rest of the book is devoted to ways to achieve this goal, again largely technical in scope.

The principles are organized into five strategies and principal supporting tactics as follows:

1. Zero trust
   1. Vulnerability management
   2. SBOM
   3. IAM
   4. Identity Governance and Administration
   5. PIM
   6. PAM
2. Intrusion Kill Chain Prevention
   1. SOC
   2. Security Orchestration
   3. Threat Intelligence
   4. Adversary Playbooks
3. Resilience
   1. Crisis Planning
   2. Backups
   3. Incident Response
   4. Chaos Engineering
   5. Encryption
4. Risk Forecasting
5. Automation
   1. DevSecOps

Compliance is described as a tactic supporting all of the strategies.  Some heavily regulated industries may choose to consider it a strategy.  Other businesses may choose to use compliance as a base strategy for their security program.

In this book Zero Trust is treated as a kind of “cyber hygiene”, covering best technical practices to stay secure.  This is an interesting approach, especially given that zero trust has been expropriated by pretty much every security vendor!  Defining it as a strategy takes it away from the vendors and is in alignment with a recent presentation by John Kindervag[1].

Going beyond zero trust includes looking at the intrusion kill chain, i.e. who is most likely to attack you and how.  Fortune 100 firms need to know this cold; others should rely on threat intelligence from other security vendors to supplement internal resources.

I liked the discussion around resilience as a key strategy, built around technology but also process and people.  If you don’t have a tested process for restoring backups, you will not survive a ransomware attack, even if you have backups.  After the pandemic hit resilience is top of mind at the board level, and security practitioners should take advantage of this mindset to advance their programs.

The discussion on risk forecasting is extremely interesting.  It starts with a look at overall risk likelihood, based on industry statistics.  These statistics were generated by Cyentia in their “Information Risk Insights Study, 2020”.[2]  These result in numbers like one in four Fortune 1000 companies being hit by a breach every year.  The newer Cyentia report IRIS 2022 (Information Risks Insights Study) has more granular numbers worth comprehending by all security practitioners:

Clearly bigger firms have a bigger attack surface.  Another estimate is 32% breach likelihood, based on IC3 data.  These are the back of the envelope or Fermi calculations and are a good starting point for any risk assessment.  You need to know what is going on in your industry and for your size of organization.  Then you can provide real information on mitigation costs and benefits to management.  In many cases these estimates are sufficient to plan your cybersecurity budget.

The last chapter of Cybersecurity First Principles discusses automation, one of the five strategies supporting the Cybersecurity First Principle.  Automation can help minimize the shortage of security professionals and help deal with increasing system complexity.  In my mind, automation for small and medium firms may imply outsourcing security functions to firms that offer automated processes.

Cybersecurity First Principles (CFP) offers a very comprehensive overview of most of the security technologies in use today.  My expectation is that these strategies and tactics will continue to be foundational; but we can expect other tactics to be added to the playbook.  The only tactic I might add now is “application security”.  If you are developing systems, you will need a strategy and tactics to do this securely.

The conclusion of CFP isn’t a conclusion, but a summation.  Very appropriate, given that our industry is too new for a conclusion.  Readers can choose their own conclusion from the offerings in the book and their own needs.

[1] https://www.youtube.com/watch?v=uibhYVKrm98&t=6s

[2] www.cyentia.com