Building an Effective Cybersecurity Program 2nd Edition

$85.99

You know by now that your company could not survive without the Internet. Not in today’s market. You are either part of the digital economy or reliant upon it. With critical information assets at risk, your company requires a state-of-the-art cybersecurity program. But how do you achieve the best possible program? Tari Schreider, in Building Effective Cybersecurity Programs: A Security Manager’s Handbook, lays out the step-by-step roadmap to follow as you build or enhance your cybersecurity program.


Description

BUILD YOUR CYBERSECURITY PROGRAM WITH THIS COMPLETELY UPDATED GUIDE

Security practitioners now have a comprehensive blueprint to build their cybersecurity programs. Building an Effective Cybersecurity Program (2nd Edition) instructs security architects, security managers, and security engineers how to properly construct effective cybersecurity programs using contemporary architectures, frameworks, and models. This comprehensive book is the result of the author’s professional experience and involvement in designing and deploying hundreds of cybersecurity programs. The extensive content includes:

  • Recommended design approaches
  • Program structure
  • Cybersecurity technologies
  • Governance
  • Policies
  • Vulnerability
  • Threat and intelligence capabilities
  • Risk management
  • Defense-in-depth
  • DevSecOps
  • Service management
  • …and much more!

The book is presented as a practical roadmap detailing each step required for you to build your effective cybersecurity program. It also provides many design templates to assist in program builds, and all chapters include self-study questions to gauge your progress. Building An Effective Cybersecurity Program (2nd Edition) is your single-source reference for building effective cybersecurity programs!

Building an Effective Cybersecurity Program: 2nd Edition is organized around the six main steps on the roadmap that will put your cybersecurity program in place:

  1. Design a Cybersecurity Program
  2. Establish a Foundation of Governance
  3. Build a Threat, Vulnerability Detection, and Intelligence Capability
  4. Build a Cyber Risk Management Capability
  5. Implement a Defense-in-Depth Strategy
  6. Apply Service Management to Cybersecurity Programs

Because Schreider has researched and analyzed over 150 cybersecurity architectures, frameworks, and models, he has saved you hundreds of hours of research. He sets you up for success by talking to you directly as a friend and colleague, using practical examples. His book helps you to:

  • Identify the proper cybersecurity program roles and responsibilities.
  • Classify assets and identify vulnerabilities.
  • Define an effective cybersecurity governance foundation.
  • Evaluate the top governance frameworks and models.
  • Automate your governance program to make it more effective.
  • Integrate security into your application development process.
  • Apply defense-in-depth as a multi-dimensional strategy.
  • Implement a service management approach to delivering countermeasures.

With this new 2nd edition of this handbook, you can move forward confidently, trusting that Schreider is recommending the best components of a cybersecurity program for you. In addition, the book provides hundreds of citations and references that allow you to dig deeper as you explore specific topics relevant to your organization or your studies. Whether you are a new manager or a current manager involved in your organization’s cybersecurity program, this book will answer many questions you have on what is involved in building a program. You will be able to get up to speed quickly on program development practices and have a roadmap to follow in building or improving your organization’s cybersecurity program. Even if you are new to cybersecurity, in the short period of time it will take you to read this book, you can be the smartest person in the room grasping the complexities of your organization’s cybersecurity program. If you are a manager already involved in your organization’s cybersecurity program, you have much to gain from reading this book. This book will become your go-to field manual guiding or affirming your program decisions.

2019, 406 pages.

ISBN 9781944480530 Print

ISBN 9781944480554 PDF eBook

ISBN 9781944480547 ePub eBook

Additional information

Weight 3 lbs

Dedication …………………………………………………………………………………………………………………….. iii
Acknowledgments………………………………………………………………………………………………………….. iii
Preface ………………………………………………………………………………………………………………………….. iv
Why a Second Edition? ………………………………………………………………………………………………….. vii
Foreword ………………………………………………………………………………………………………………………. ix
Contents ……………………………………………………………………………………………………………………….. xi
Introduction ……………………………………………………………………………………………………………………. 1
Chapter 1 Designing a Cybersecurity Program …………………………………………………………………. 5
Chapter 1 Roadmap …………………………………………………………………………………………………………. 6
1.1 Cybersecurity Program Design Methodology ……………………………………………………………….. 9
1.1.1 Need for a Design to Attract the Best Personnel ……………………………………………… 9
1.1.2 A Recommended Design Approach: ADDIOI Model™ …………………………………. 10
1.1.3 The Six Phases of the ADDIOI Model™ ……………………………………………………… 11
1.2 Defining Architectures, Frameworks, and Models ……………………………………………………….. 13
1.2.1 Program Design Guide ……………………………………………………………………………….. 15
1.3 Design Principles …………………………………………………………………………………………………….. 16
1.4 Intersection of Privacy and Cybersecurity …………………………………………………………………… 17
1.5 Good Practice vs. Best Practice …………………………………………………………………………………. 17
1.6 Adjust Your Design Perspective ………………………………………………………………………………… 18
1.7 Architectural Views …………………………………………………………………………………………………. 19
1.8 Cybersecurity Program Blueprint ………………………………………………………………………………. 20
1.9 Program Structure ……………………………………………………………………………………………………. 23
1.9.1 Office of the CISO ………………………………………………………………………………………….. 23
1.9.2 Security Engineering ………………………………………………………………………………………. 25
1.9.3 Security Operations ………………………………………………………………………………………… 26
1.9.4 Cyber Threat Intelligence ………………………………………………………………………………… 28
1.9.5 Cyber Incident Response …………………………………………………………………………………. 29
1.9.6 Physical Security ……………………………………………………………………………………………. 30
1.9.7 Recovery Operations ………………………………………………………………………………………. 31
1.10 Cybersecurity Program Frameworks and Models ……………………………………………………….. 32
1.10.1 HITRUST® CSF® ……………………………………………………………………………………….. 33
1.10.2 Information Security Forum (ISF) Framework …………………………………………………. 36
1.10.3 ISO/IEC 27001/27002 Information Security Management System (ISMS) ………….. 39
1.10.4 NIST Cybersecurity Framework …………………………………………………………………….. 42
1.11 Cybersecurity Program Technologies ……………………………………………………………………….. 44
1.11.1 Application security ………………………………………………………………………………………. 45
1.11.2 Authentication ……………………………………………………………………………………………… 47
1.11.3 Cloud security ………………………………………………………………………………………………. 47
1.11.4 Container security …………………………………………………………………………………………. 48
1.11.5 Data Loss Prevention (DLP)…………………………………………………………………………… 48
1.11.6 Digital forensics ……………………………………………………………………………………………. 49
1.11.7 Distributed Denial of Service (DDoS) Mitigation ……………………………………………… 49
1.11.8 Deception technology ……………………………………………………………………………………. 49
1.11.9 Domain Name Services (DNS) Attack Security ………………………………………………… 50
1.11.10 Encryption …………………………………………………………………………………………………. 50
1.11.11 Endpoint Protection Platform (EPP) ………………………………………………………………. 51
1.11.12 Firewalls (FW) ……………………………………………………………………………………………. 52
1.11.13 Identity and Access Management (IDAM) …………………………………………………….. 52
1.11.14 Internet of Things (IoT) Security…………………………………………………………………… 52
1.11.15 Intrusion Protection Systems (IPS)………………………………………………………………… 53
1.11.16 Network Access Control (NAC)……………………………………………………………………. 53
1.11.17 Privileged Account Management (PAM) ……………………………………………………….. 54
1.11.18 Security Information and Event Management (SIEM) ……………………………………… 54
1.11.19 Security Orchestration, Automation and Response (SOAR) ……………………………… 55
1.11.20 Threat Intelligence Platform (TIP) ………………………………………………………………… 55
1.11.21 User and Entity Behavior Analysis (UEBA) …………………………………………………… 56
1.11.22 Virtualization security …………………………………………………………………………………. 56
1.11.23 Vulnerability management …………………………………………………………………………… 57
1.11.24 Web filtering ………………………………………………………………………………………………. 57
1.11.25 Whitelisting ……………………………………………………………………………………………….. 57
1.12 Security Training Program ………………………………………………………………………………………. 58
1.12.1 Awareness Training ………………………………………………………………………………………. 58
1.12.2 Phishing Attack Training ……………………………………………………………………………….. 59
1.12.3 Ransomware Attack Simulations…………………………………………………………………….. 59
1.13 Maturing Cybersecurity Programs ……………………………………………………………………………. 60
1.13.1 Security Ratings ……………………………………………………………………………………………. 64
1.14 Cybersecurity Program Design Checklist ………………………………………………………………….. 64
Chapter 2 Establishing a Foundation of Governance ………………………………………………………… 71
Chapter 2 Roadmap ……………………………………………………………………………………………………….. 72
2.1 Governance Overview ……………………………………………………………………………………………… 74
2.2 Cybersecurity Governance Playbook ………………………………………………………………………….. 75
2.3 Selecting a Governance Framework …………………………………………………………………………… 78
2.3.1 COBIT® 5: Framework for Information Technology Governance and Control ………. 79
2.3.2 COSO 2013 Internal Control – Integrated Framework ………………………………………… 82
2.3.3 Information Governance Reference Model (IGRM) ……………………………………………. 86
2.3.4 ARMA – Information Coalition – Information Governance Model ………………………. 89
2.3.5 OCEG GRC Capability Model™ 3.0 (Red Book) ………………………………………………. 91
2.4 Governance Oversight Board …………………………………………………………………………………….. 94
2.5 Cybersecurity Policy Model ……………………………………………………………………………………… 95
2.5.1 Cybersecurity Policy Management ……………………………………………………………………. 96
2.5.2 Cybersecurity Policy Management Software ……………………………………………………… 98
2.6 Governance, Risk, and Compliance (GRC) Software …………………………………………………… 98
2.7 Key Cybersecurity Program Management Disciplines ………………………………………………….. 99
2.8 Security Talent Development ………………………………………………………………………………….. 101
2.8.1 Training ………………………………………………………………………………………………………. 101
2.8.2 Certifications ……………………………………………………………………………………………….. 102
2.9 Creating a Culture of Cybersecurity …………………………………………………………………………. 102
2.10 Cybersecurity Insurance ………………………………………………………………………………………… 103
2.11 Governance Foundation Checklist ………………………………………………………………………….. 104
Chapter 3 Building a Cyber Threat, Vulnerability Detection, and Intelligence Capability ……. 111
Chapter 3 Roadmap ……………………………………………………………………………………………………… 112
3.1 Cyber Threats and Vulnerabilities ……………………………………………………………………………. 115
3.1.1 Threats, Vulnerability, and Intelligence Model …………………………………………………. 116
3.2 Cyber Threats ………………………………………………………………………………………………………… 118
3.2.1 Lesson from the Honeybees …………………………………………………………………………… 118
3.2.2 Cyber Threat Categories ………………………………………………………………………………… 119
3.2.3 Threat Taxonomies ……………………………………………………………………………………….. 122
3.2.4 Cyber Threat Actors ……………………………………………………………………………………… 125
3.2.5 Cyber Threat-Hunting……………………………………………………………………………………. 128
3.2.6 Cyber Threat-Modeling …………………………………………………………………………………. 130
3.2.7 Cyber Threat Detection Solutions …………………………………………………………………… 133
3.2.8 Cyber Threat Metrics …………………………………………………………………………………….. 137
3.2.9 Cybersecurity Threat Maps ……………………………………………………………………………. 138
3.3 Adversary Profile …………………………………………………………………………………………………… 141
3.4 Vulnerability Management ……………………………………………………………………………………… 142
3.4.1 Vulnerability Scanning ………………………………………………………………………………….. 143
3.4.2 Patch Management ……………………………………………………………………………………….. 144
3.5 Security Testing …………………………………………………………………………………………………….. 145
3.5.1 Penetration Testing ……………………………………………………………………………………….. 146
3.5.2 Red Teams …………………………………………………………………………………………………… 147
3.5.3 Blue Teams ………………………………………………………………………………………………….. 147
3.5.4 Purple Teams ……………………………………………………………………………………………….. 148
3.5.5 Bug Bounties ……………………………………………………………………………………………….. 148
3.5.6 War Gaming ………………………………………………………………………………………………… 148
3.5.7 Tabletop Exercises (TTX) ……………………………………………………………………………… 149
3.6 Attack Surface ……………………………………………………………………………………………………….. 149
3.6.1 Attack Surface Mapping ………………………………………………………………………………… 153
3.6.2 Shadow IT Attack Surface ……………………………………………………………………………… 154
3.6.3 Attack Surface Classification …………………………………………………………………………. 155
3.6.4 Attack Surface Management (ASM) ……………………………………………………………….. 156
3.7 Cyber Threat Intelligence ……………………………………………………………………………………….. 157
3.7.1 Cyber Threat Intelligence Services ………………………………………………………………….. 158
3.7.2 Cyber Threat Intelligence Program Use Cases ………………………………………………….. 158
3.8 Cyber Kill Chain ……………………………………………………………………………………………………. 159
3.9 Threat Frameworks ………………………………………………………………………………………………… 161
3.10 Assumption of Breach…………………………………………………………………………………………… 163
3.11 Cyber Threat, Vulnerability Detection, and Intelligence Checklist ……………………………… 163
Chapter 4 Building a Cyber Risk Management Capability ………………………………………………. 169
Chapter 4 Roadmap ……………………………………………………………………………………………………… 170
4.1 Cyber Risk ……………………………………………………………………………………………………………. 173
4.1.1 Cyber Risk Landscape …………………………………………………………………………………… 174
4.1.2 Risk Types …………………………………………………………………………………………………… 175
4.1.3 Cyber Risk Appetite ……………………………………………………………………………………… 176
4.1.4 Risk Tolerance ……………………………………………………………………………………………… 178
4.1.5 Risk Threshold ……………………………………………………………………………………………… 179
4.1.6 Risk Acceptance …………………………………………………………………………………………… 180
4.1.7 Inherent Risk………………………………………………………………………………………………… 181
4.1.8 Residual Risk ……………………………………………………………………………………………….. 181
4.1.9 Annualized Loss Expectancy (ALE) ……………………………………………………………….. 182
4.1.10 Return on Investment (ROI) …………………………………………………………………………. 183
4.2 Cyber Risk Assessments …………………………………………………………………………………………. 185
4.2.1 Business Impact Assessment (BIA) ………………………………………………………………… 188
4.2.2 Calculating Risk …………………………………………………………………………………………… 189
4.2.3 Risk Registry ……………………………………………………………………………………………….. 191
4.3 Cyber Risk Standards ……………………………………………………………………………………………… 194
4.4 Cyber Risk Management Lifecycle ………………………………………………………………………….. 196
4.5 Cyber Risk Treatment …………………………………………………………………………………………….. 199
4.6 Risk Monitoring …………………………………………………………………………………………………….. 199
4.7 Risk Reporting ………………………………………………………………………………………………………. 200
4.8 Risk Management Frameworks ……………………………………………………………………………….. 201
4.9 Risk Maturity Models …………………………………………………………………………………………….. 202
4.10 Third-Party Risk Management (TPRM) ………………………………………………………………….. 204
4.10.1 TPRM Program Structure …………………………………………………………………………….. 205
4.10.2 Third-Party Attestation Services …………………………………………………………………… 206
4.11 Cyber Black Swans ………………………………………………………………………………………………. 208
4.12 Cyber Risk Cassandras …………………………………………………………………………………………. 209
4.13 Cyber Risk Management Checklist ………………………………………………………………………… 210
Chapter 5 Implementing a Defense-in-Depth Strategy …………………………………………………….. 217
Chapter 5 Roadmap ……………………………………………………………………………………………………… 218
5.1 Defense-in-Depth …………………………………………………………………………………………………… 220
5.1.1 Industry Perception ……………………………………………………………………………………….. 222
5.1.2 Defense-in-Depth Models ………………………………………………………………………………. 223
5.1.3 Origin of Contemporary Defense-in-Depth Models …………………………………………… 224
5.1.4 Defense-in-Depth Layer Categorization …………………………………………………………… 227
5.1.5 Defense-in-Depth Criticism ……………………………………………………………………………. 231
5.1.6 Defensive Layers ………………………………………………………………………………………….. 232
5.2 Improving the Effectiveness of Defense-in-Depth ……………………………………………………… 232
5.2.1 Governance, Risk and, Compliance (GRC) Domain ………………………………………….. 235
5.2.2 Threat and Vulnerability Management (TVM) Domain …………………………………….. 238
5.2.3 Application, Database, and Software Protection (ADS) Domain ………………………… 240
5.2.4 Security Operations (SecOps) Domain …………………………………………………………….. 244
5.2.5 Device and Data Protection (DDP) Domain ……………………………………………………… 248
5.2.6 Cloud Service and Infrastructure Protection (CIP) Domain ………………………………… 253
5.3 Zero Trust ……………………………………………………………………………………………………………… 257
5.4 Defense-in-Depth Model Schema …………………………………………………………………………….. 260
5.5 Open Source Software Protection …………………………………………………………………………….. 260
5.6 Defense-in-Depth Checklist …………………………………………………………………………………….. 262
Chapter 6 Applying Service Management to Cybersecurity Programs ………………………………. 269
Chapter 6 Roadmap ……………………………………………………………………………………………………… 270
6.1 Information Technology Service Management (ITSM) ………………………………………………. 272
6.1.1 Brief History of ITSM and ITIL ……………………………………………………………………… 272
6.2 Cybersecurity Service Management …………………………………………………………………………. 273
6.2.1 Cybersecurity Service Management Approach …………………………………………………. 273
6.3 Service Management Catalog ………………………………………………………………………………….. 281
6.4 Cybersecurity Program Personnel …………………………………………………………………………….. 283
6.4.1 Applying the RACI-V Model to Cybersecurity Program Staffing ……………………….. 283
6.4.2 Applying the Kanban Method to Cybersecurity Program Staff Workflow ……………. 289
6.4.3 Bimodal IT Environments ……………………………………………………………………………… 289
6.5 Cybersecurity Operations Center (C-SOC) ……………………………………………………………….. 290
6.6 Incident Management ……………………………………………………………………………………………… 291
6.6.1 Incident Response Management Products ………………………………………………………… 293
6.7 Security Automation and Orchestration (SAO) ………………………………………………………….. 294
6.8 DevSecOps ……………………………………………………………………………………………………………. 297
6.8.1 Rugged DevOps ……………………………………………………………………………………………. 298
6.8.2 DevSecOps Factory Model™ …………………………………………………………………………. 299
6.9 Software-Defined Security (SDSec) …………………………………………………………………………. 308
6.10 Emerging Cybersecurity Technologies ……………………………………………………………………. 309
6.10.1 Artificial Intelligence …………………………………………………………………………………… 310
6.10.2 Augmented Reality (AR) ……………………………………………………………………………… 312
6.10.3 Blockchain …………………………………………………………………………………………………. 312
6.10.4 Machine Learning (ML) ………………………………………………………………………………. 312
6.11 Cybersecurity Program Operationalization Checklist ……………………………………………….. 313
Chapter 7 Cybersecurity Program Design Toolkit …………………………………………………………… 319
7.1 Overview ………………………………………………………………………………………………………. 320
7.2 Gap Assessment …………………………………………………………………………………………….. 322
7.3 Security Stories ……………………………………………………………………………………………… 323
7.4 SWOT Matrix ………………………………………………………………………………………………… 324
7.5 RACI-V Diagram …………………………………………………………………………………………… 325
7.6 Organization Chart …………………………………………………………………………………………. 326
7.7 Cybersecurity Software Inventory ……………………………………………………………………. 327
7.8 Data Classification Schema ……………………………………………………………………………… 328
7.9 Compliance Requirements ………………………………………………………………………………. 330
7.10 SIPOC Diagram……………………………………………………………………………………………… 330
7.11 Service Design Package (SDP) ………………………………………………………………………… 331
7.12 Metrics ………………………………………………………………………………………………………….. 332
7.13 Risk/Issue Log ……………………………………………………………………………………………….. 333
7.14 In/Out Matrix …………………………………………………………………………………………………. 334
7.15 Notice of Decision (NoD) ……………………………………………………………………………….. 334
7.16 Kanban Board ………………………………………………………………………………………………… 335
7.17 Requirements Traceability Matrix (RTM) …………………………………………………………. 336
7.18 Design Requirements Manual (DRM) ………………………………………………………………. 337
Appendix A Useful Checklists and Information ……………………………………………………………… 343
Index ………………………………………………………………………………………………………………………….. 367
Credits ……………………………………………………………………………………………………………………….. 384
About the Author ………………………………………………………………………………………………………… 386

Tari Schreider, C|CISO, CRISC, ITIL® Foundation, MCRP, SSCP is a distinguished technologist and nationally known expert in the fields of cybersecurity, risk management, and disaster recovery. He was formerly Chief Security Architect at Hewlett-Packard Enterprise and National Practice Director for Security and Disaster Recovery at Sprint E|Solutions. Schreider is an instructor for EC-Council where he teaches advanced CISO certification and risk management courses.

Schreider has designed and implemented complex cybersecurity programs, including a red team penetration testing program for one of the world’s largest oil and gas companies, a NERC CIP compliance program for one of Canada’s largest electric utility companies, an integrated security control management program for one of the largest 911 systems in the US, and a cybersecurity service architecture for one of the largest retailers in the US. He has advised organizations worldwide, including in Brazil, China, India, and South Africa, on how to improve their cybersecurity programs.

Schreider implemented a virtual Security Operations Center network with vSOCs located in the US, Brazil, Italy, Japan, and Sweden. He was also responsible for creating the first Information Sharing and Analysis Center in collaboration with the Information Technology Association of America (IT-ISCA). His earliest disaster recovery experiences included assisting companies affected during the 1992 Los Angeles riots and the 1993 World Trade Center bombing. His most unique experience came during the Gulf War, helping a New York financial institution recover after becoming separated from its data center in Kuwait.

Schreider has appeared on ABC News, CNN, CNBC, NPR, and has had numerous articles printed in security and business magazines, including Business Week, New York Times, SC Magazine, The Wall Street Journal and many others. He is the author of The Manager’s Guide to Cybersecurity Law (Rothstein Publishing, 2017) and is a co-author of the US patent Method for Analyzing Risk.

He studied Criminal Justice at the College of Social & Behavioral Sciences at the University of Phoenix and holds the following certifications in security and disaster recovery:

  • American College of Forensic Examiners, CHS-III
  • Certified CISO (C|CISO)
  • Certified in Risk and Information Systems Control (CRISC)
  • ITIL™ v3 Foundation Certified
  • System Security Certified Practitioner (SSCP)
  • Member of the Business Continuity Institute (MBCI)
  • University of Richmond – Master Certified Recovery Planner (MCRP)

Few companies today could survive without the Internet; either you are part of the digital economy, or you are reliant upon those who are. I am hard-pressed to find someone today who does not interact with some aspect of the Internet to perform all or some of his or her work duties. IT professionals and managers alike need to be cybersecurity-savvy to compete in today’s job market. You must accept that you are or will be working for an organization that takes cybersecurity seriously. To ensure you do not become one of those managers you read about who lets the cyber aggressors in the backdoor, you must take cybersecurity seriously as well.

Whether you are a new manager, or a current manager involved in your organization’s cybersecurity program, I am confident this book will answer many questions you have about what is involved in building a program. You will be able to get up to speed quickly on program development practices and have a roadmap to follow in building or improving your organization’s cybersecurity program.

  • Even if you are new to cybersecurity, in the short period of time it will take you to read this book, you can be the smartest person in the room grasping the complexities of your organization’s cybersecurity program.
  • If you are already involved in your organization’s cybersecurity program, you have much to gain from reading this book. This book will become your go-to field manual to guide or affirm your program decisions.

After 30 years of experience in the trenches, designing and building cybersecurity programs throughout the world, I wrote this book to help the process go more smoothly for you. In creating this roadmap for you, I was motivated by what I see as a systemic lack of experience and resources in those tasked with designing and building cybersecurity programs.

First, many managers have never had to build a cybersecurity program from the ground up, resulting in cybersecurity programs based on insular opinions guiding program development rather than sound architecture and design principles.

  • Managers involved in cybersecurity can expect an average tenure in their role of approximately two years, which means they are inheriting cybersecurity programs serially throughout their careers. This leaves little time to forge experience gained through building a program of their own design.
  • In addition, few of these managers graduated from a cybersecurity degree program that teaches architecture and design.

Second, we do not have a generation of managers equipped to build cybersecurity programs.

  • By many accounts, there are over one million cybersecurity jobs open in the US. According to the US Bureau of Labor Statistics, this industry will grow by 37% through 2022. Who will fill these roles? Only the recently graduated or certified are available to fill these open positions, but neither group has the experience necessary to build a cybersecurity program.
  • Certifications and degrees may not always be a true measure of the skills required to build today’s programs, since there is no substitute for experience.

Third, inexperienced managers have difficulty separating fact from what I call “security theater.”

  • A multibillion-dollar industry of thousands of cybersecurity vendors and consultants driven by their own self-interest can easily lead managers astray. Managers with little experience can fall under their spell, succumbing to their cybersecurity technologies and becoming locked into proprietary program maturity models.
  • I have seen many led down a perilous path of cybersecurity programs crammed with technologies that promise to protect their information and assets from hackers but offer little in the way of basic blocking and tackling.

This book is intended to give you the knowledge and guidance that will allow you to choose wisely and avoid the pitfalls I have described above.

My experience working with hundreds of companies will serve as your roadmap to step you through building your own cybersecurity program. In writing this book, I analyzed over 150 cybersecurity architectures, frameworks, models, etc., so that you would not have to. I have called out those that I felt were great examples to assist you along your journey. This alone will save you hundreds of hours attempting to conduct the research necessary to identify all the components of a cybersecurity program.

My best wishes as you follow the roadmap to create an effective cybersecurity program for your organization!

Tari Schreider

Atlanta, Georgia

September 2019

Think about building your organization’s cybersecurity program as a journey. Do you know what you will need to bring? As with any trip, your purpose can be for either business or pleasure. If it is for business, then there’s a good chance you are inheriting someone else’s program and problems. If it is for pleasure, then you will be able to build your own program from the ground up. In any case, if you are reading this book, there’s a good chance that your purpose is business, and your boss has already told you your next destination – cybersecurity land. A cybersecurity program will represent the completion of your journey.

All trips have one thing in common. You need to prepare. Trips require a roadmap and a guide or Sherpa to make the journey as smooth as possible. Before you begin your trip, at the very least, you look at a map and some travel brochures. The map shows you how to get to your destination, and the brochures point out interesting sites along the way. Even if you find yourself a passenger on your trip to cybersecurity land (HR manager, attorney, etc.), you can still add value to the trip by using this book to ask the right questions.

For our journey in this book, we will follow a map, and I will be your Sherpa. Each chapter will be a stop on your journey to creating a cybersecurity program, providing important references to help you along the way. Your journey will look something like a winding road.

  • Your first stop will have you designing your cybersecurity program, after which you will proceed to establishing principles and policies for how your program should be managed.
  • The midpoint of your journey involves identifying the highway robbers or hackers and other threats you want your program to protect against.
  • Stop four shows you how to assess and manage risk.
  • Nearing the end of your journey, your fifth stop will have you define defensive measures required to protect your organization’s assets and information.
  • The next to the last stop shows you how to operate your program and ensure you have the right staff doing the right things.
  • In the final stop I show you how to unpack all that you have learned.

Chapter 1: Designing a Cybersecurity Program – Whenever you begin a journey, it is best to have your destination in sight. A blueprint does just that: it lets all involved in the program’s construction know what it should look like once completed. To begin your cybersecurity program, you will need a blueprint that outlines the program’s general structure as well as its supporting components. In this chapter, I offer an ideal-state example of a cybersecurity program blueprint and introduce you to industry-leading cybersecurity frameworks. I will also introduce you to leading cybersecurity technologies you should consider adding to your program.

Chapter 2: Establishing a Foundation of Governance – The way your company is controlled by the people who run it is called governance. The way your cybersecurity program is controlled is also governance. Governance is all about making the right decisions for the benefit of the organization. For a cybersecurity program to stand the test of time, it must benefit from proper governance. Governance ensures the program adheres to its design principles. In this chapter, I explain what constitutes a governance program as well as the proper governance of a cybersecurity program. An overview of the top information governance frameworks and models will provide you with an understanding of the resources available to mature your cybersecurity program’s governance foundation. You will also learn how to automate your governance foundation. I will also discuss how to treat your top cybersecurity talent.

Chapter 3: Building a Threat, Vulnerability Detection and Intelligence Capability – Your next step is to determine what is most important to your organization. This includes classifying your organization’s assets and information by importance and identifying the types of threats and vulnerabilities to which they are exposed. Next, this chapter shows you how to identify the different points of entry an attacker can use to steal your sensitive information. All these points of entry make up your attack surface, as this is what you will be protecting with your program. I will show you how to create a threat intelligence function that leverages your threat inventory and vulnerability detection systems to reduce the exposure to your attack surface. You will also learn how to acquire threat intelligence and how to make it actionable. To ensure everything works, I will walk you through various methods of testing a cybersecurity program.

Chapter 4: Building a Cyber Risk Management Capability – Now that you know the threats and vulnerabilities your organization is exposed to, a risk profile can be determined. Your risk profile is your organization’s willingness to take risks in comparison to the threats faced. In this chapter, I show you how to leverage industry-leading risk assessment frameworks and calculators to derive your organization’s risk score. I will show you how to organize and manage your risks with a risk register. A register is an inventory of your organization’s risks in order of criticality. Each risk is assigned an owner and a corresponding plan to mitigate or manage the risk. Importantly, the topic of risk extends past your organization to third parties, allowing you to close an often-exploited loophole that could allow unauthorized access to your organization’s critical information.

Chapter 5: Implementing a Defense-in-Depth Strategy – Up to this point in the journey your focus has been building the foundation and structure of the cybersecurity program. Now that’s done, we must populate our program with services, and in order to readily find and manage those services we need to put them in a central place: a catalog. The countermeasures service catalog is a repository with a parking space for every one of your program services. Each parking space will include the documents, controls, artifacts and product descriptions that describe the purpose and benefit of each service. The catalog is where you will go to make service enhancements, add new services or retire old services.

Chapter 6: Applying Service Management to Cybersecurity Programs – The next stop on your journey shows you everything that you will need to do to operate your program according to its design and governance principles. Many reported security breaches occurred when organizations did not implement their cybersecurity countermeasures properly. These breaches take place because many managers stop just short of their destination. They fail to implement their program’s countermeasures in a way that ensures they operate efficiently and effectively. In this chapter, I show you how to deliver and support your cybersecurity countermeasures, managing them in a continuous improvement lifecycle. I will give real-world examples of best practices for service management.

Chapter 7: Cybersecurity Program Design Toolkit – Your last stop on the journey is the creation of your cybersecurity program design guide. Here I provide templates for baselining your existing program, designing the new or revised program and documenting how your program is built. How you complete these templates is covered in the previous chapters. Through these forms, I show you how to determine what is usable in a current program, what can be saved as well as what should be improved to provide maximum protection of information and assets.

Cybersecurity programs are complex, requiring a methodical approach to their design and construction. When setting out on a journey to build a cybersecurity program, my advice is to start at the beginning, resist hopscotching stops, and stay true to the journey. This book is a process, emphasizing the benefits of basic preparatory steps that are often overlooked. Your journey begins with creating a blueprint of what you are going to build, and it will end with ensuring your program operates as a mature service organization.

First off, let me start by saying that I’ve worked with Tari Schreider for over 10 years. During this time, we have developed a friendship based on a shared passion for Information Security. Tari has been a key part of helping me build Information Security programs, and I have been able to take that body of knowledge with me wherever I go as I help other companies build their security programs.

After I took on security leadership for an organization early in my career, Tari and I worked together to develop the Information Security program using the ISO 27001 framework. With Tari’s help, I was able to perform a gap analysis of our existing program, align our current policies, standards, and controls, and build a multi-year roadmap for addressing the greatest threats and highest risks to the organization and closing program gaps. Using the ISO 27001 framework and the concepts that Tari outlines in this book, I could demonstrate to senior management, the Board, and our regulators that our program was organized and comprehensive.

Since that time, I have used that experience to build security programs for several companies where I led security teams. Much has evolved with organizations since we first worked together. Companies have become more risk aware, have integrated security into software development, and have started to use artificial intelligence to assist in analyzing user behavior.

Tari’s book is like a compendium of the knowledge that he’s imparted to me and many others in the industry over the years. It’s based on established frameworks and models and, more importantly, practical experience. While I wish I had this book when I first started, I was fortunate to be able to work directly with Tari. However, I know that for those who won’t be so lucky, I plan to make this one of the books I gift to my staff and security friends.

This book truly is a go-to field guide for designing, building, and maintaining an Information Security program. It’s perfect both for someone new to the field and the seasoned professional alike. I know it’s a book that I’ll be referencing often, and I think that you will, too.

Michael Speas

VP, Chief Information Security Officer

Western & Southern Life

August 2019


3.7 Cyber Threat Intelligence

Organizations ready to move to the next level of threat management can turn to external intelligence services to aid in their threat decision-making process. Actionable intelligence is key to guiding threat management investments. Dedicating personnel to scour the Internet looking for threat intelligence or gleaning threat data from information sharing and analysis center (ISAC) alerts has proven ineffective. Check out the National Council of ISACS at: //www.nationalisacs.org/. The alternative is to outsource threat intelligence gathering to companies specializing in sourcing threat information.

For over twenty years, companies have offered threat intelligence services to help organizations stay ahead of the threat curve. Early services relied on manually sifting through vendor vulnerability reports. Now, intelligence services are faster, more in-depth, and highly targeted toward advanced persistent threats. Today’s services have solved the relevance problem that plagued this industry for some time. Now, only threat information aligned to an organization’s attack surface or industry makes it to the chief information security officer’s desk.

In the past, companies found themselves with multiple threat feeds or services that resulted in various levels of redundancy. Redundancies caused multiple alerts for the same threat, costing valuable research time to sort out the overlap. As a user of several of these services over the years, I was disappointed with how many low-value alerts were rated as high. I also found that much of the reporting covered run-of-the-mill, already known threats.

Requirements guide the gathering of threat intelligence and its analysis to make it actionable. Documenting a proper set of requirements will help you:

  • Track bad actors targeting your organization.
  • Acquire threat information aligned to your attack surface.
  • Know which hacktivist organization targets your industry.
  • Understand the types of techniques adversaries use to exploit vulnerabilities in your enterprise.

3.7.1 Cyber Threat Intelligence Services

According to a market research report, the threat intelligence market is growing at an 18.4% compound annual growth rate (CAGR) and should reach $8.94 billion in 2022. Read the entire report at: //markets.businessinsider.com/news/stocks/threat-intelligence-market-growing-at-a-cagr-of-18-4-during-2017-to-2022-says-a-new-research-at-reportsnreports-1002223536. Presently, there are nearly 30 providers of cybersecurity intelligence services of various flavors. Some services focus on providing intelligence on professional hackers and hacktivists, while others focus their reporting on emerging threats and vulnerabilities based on your attack surface. Approaches vary widely, from firms that provide human intelligence harvested from the deep web to those that provide sophisticated platforms that integrate threat intelligence directly as a feed to your security information and event management (SIEM) solution.

A comprehensive list of threat intelligence service providers is available in Appendix A.

3.7.2 Cyber Threat Intelligence Program Use Cases

If you are still wondering how an intelligence capability would benefit your organization, I have highlighted several tactical use cases.

  • Countermeasures alignment: Countermeasures rely on rules, filters, and signatures to be effective. Intelligence provides advance warning of specific threats that countermeasures can address if properly configured. Using high-quality intelligence reduces false positives.
  • Incident response (IR): The IR team can use threat intelligence to validate the indicators that triggered alarms, accelerating response time. The intelligence can provide valuable data about a threat’s origin, behavior, and associated adversaries.
  • SecOps: Threat intelligence can assist SecOps personnel in triaging SIEM alerts through the attachment of risk score tags. Threat intelligence systems can interface directly with the SIEM to automate alert prioritization.
  • System hygiene: Patching systems is a significant effort for any organization, and knowing what and when to patch can save precious resources, time, and budget. Most organizations operate on a patching backlog, and prioritizing patching efforts allows you to focus on your most at-risk systems.
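The SecOps and IR use cases above (risk score tags attached to SIEM alerts, indicators validated against intelligence) can be illustrated with a small enrichment routine. The following is an added example written for this page; it is not code from the book or from any threat intelligence provider. The feed entries, the key=value alert format and the scoring weights are all constructed assumptions. It also addresses the complaint raised earlier in this section about low-value alerts rated as high: an indicator's provider score is discounted by the provider's confidence and by how stale the indicator is, so an old, low-confidence "high" does not outrank a fresh, corroborated one.

```python
"""Enrich constructed SIEM alerts with a constructed threat-intel feed and rank them.

Added example for illustration only; feed format, alert format and weights are
hypothetical assumptions, not any vendor's schema.
"""
from datetime import date

# Constructed threat-intelligence feed (hypothetical indicators and values).
# score: provider risk score 0-100; confidence: provider confidence in percent;
# last_seen: last observation date; tags: provider context.
INTEL_FEED = {
    "203.0.113.45": {"score": 95, "confidence": 80, "last_seen": date(2024, 5, 1), "tags": ["c2", "apt"]},
    "198.51.100.7": {"score": 80, "confidence": 50, "last_seen": date(2023, 1, 15), "tags": ["scanner"]},
    "update-check.example": {"score": 70, "confidence": 80, "last_seen": date(2024, 4, 28), "tags": ["malware-dl"]},
}

# Constructed SIEM alert lines in an assumed key=value layout.
SAMPLE_ALERTS = [
    "ts=2024-05-03T10:00:00Z rule=outbound-beacon src=10.0.0.5 dst=203.0.113.45",
    "ts=2024-05-03T10:02:10Z rule=port-scan src=198.51.100.7 dst=10.0.0.9",
    "ts=2024-05-03T10:05:42Z rule=dns-query src=10.0.0.7 domain=update-check.example",
    "ts=2024-05-03T10:07:00Z rule=failed-login src=10.0.0.22 dst=10.0.0.3",
]


def parse_alert(line):
    """Split a key=value alert line into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep and key and value:
            fields[key] = value
    return fields


def freshness_percent(last_seen, today):
    """Discount stale indicators: full weight up to 30 days, half to 180, then 10%."""
    age_days = (today - last_seen).days
    if age_days <= 30:
        return 100
    if age_days <= 180:
        return 50
    return 10


def effective_score(entry, today):
    """Integer-only weighting: score x confidence% x freshness% scaled back to 0-100."""
    return entry["score"] * entry["confidence"] * freshness_percent(entry["last_seen"], today) // 10000


def enrich(alert, intel, today):
    """Attach intel context to every alert field whose value is a known indicator."""
    matches = []
    for field in ("src", "dst", "domain"):
        value = alert.get(field)
        if value in intel:
            entry = intel[value]
            matches.append({
                "field": field,
                "indicator": value,
                "effective_score": effective_score(entry, today),
                "tags": list(entry["tags"]),
            })
    return matches


def tier_for(score):
    """Map the best effective score to a triage tier (assumed thresholds)."""
    if score >= 70:
        return "P1"
    if score >= 40:
        return "P2"
    if score > 0:
        return "P3"
    return "P4"


def prioritize_alerts(lines, intel=INTEL_FEED, today=date(2024, 5, 3)):
    """Enrich each alert, tag it with a tier and return alerts highest-risk first."""
    ranked = []
    for line in lines:
        alert = parse_alert(line)
        matches = enrich(alert, intel, today)
        best = max((m["effective_score"] for m in matches), default=0)
        ranked.append({"rule": alert.get("rule"), "score": best, "tier": tier_for(best), "matches": matches})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for row in prioritize_alerts(SAMPLE_ALERTS):
        hits = ", ".join(f"{m['field']}={m['indicator']} {m['tags']}" for m in row["matches"]) or "no intel match"
        print(f"{row['tier']} score={row['score']:3d} rule={row['rule']:<16} {hits}")
```

Running the script ranks the outbound beacon to the fresh, high-confidence C2 indicator as P1 and the DNS query to the malware-download domain as P2, while the port scan from an indicator last seen over a year ago drops to P3 despite its provider score of 80, and the failed login with no intel match lands at P4 for ordinary triage. A production version would pull the feed through the provider's API and write the tier back to the SIEM as a tag; the weighting logic is the part worth keeping.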

When I was writing the first edition of this book, I knew that certain aspects of it would become dated owing to rapid changes in the cybersecurity industry, threat landscape and providers. Two years later, I take full measure of all that has evolved in the cybersecurity world. Increasing zero-day attacks, growth of state-sponsored adversaries and consolidation of cybersecurity products and services all converged to shape where we are today. We have also witnessed some of the world’s largest data breach events, increasingly destructive ransomware attacks and changes in legal and regulatory statutes.

Aside from substantial updates of standards, source links and cybersecurity products, here is what’s new in the second edition:

  • 50+ callout boxes highlighting cyberattacks and important resources.
  • 60 self-study questions to hone your knowledge.
  • 25 overviews of cybersecurity technologies.
  • Expanded coverage of the intersection of cybersecurity and privacy.
  • Expanded coverage of security training strategies.
  • A new security talent development section.
  • Discussion of cyber insurance policies.
  • A new security testing strategies section.
  • New adversary profiles.
  • Expansion of attack surface discussion.
  • Inclusion of new threat frameworks.
  • Inclusion of a service management catalog.
  • Introduction to emerging cybersecurity technologies.
  • 17 powerful templates to document your cybersecurity program.

I have always envisioned keeping this book regularly updated to ensure you would have a reliable cybersecurity reference source. I see this book as a forum to express my views on protecting assets and information. I also see it as a way to share what I learn through teaching Chief Information Security Officers (CISOs). Teaching affords me a platform to learn how some of the largest companies in the world address cybersecurity. I look forward to sharing future updates with you.

Tari Schreider