January 16, 2014 by

Infosec Strategy in 1


This was originally posted on blogger here.

Target, Neiman Marcus, Microsoft, and many, many more...

Corporate America has a huge security problem.  And it's not compromises.  It's a lack of strategic vision in cyber security.

With a never-ending litany of massive breaches, organizations are spending so much time trying to put fingers in the dikes, that no-one is stepping back to look at the whole levee.  Websites being compromised?  Buy WAFs.  Point of sale being compromised?  Put more tools on the PCI LAN. China hacking people?  Get a cyber intelligence feed.  PHI/PII being leaked to pastebin?  Get DLP.  No-one stops to ask the question, "Do these fit together?"  And when you don't, your infosec defense looks like this:

Friday’s Friendly Funny by Dave Blazek is licensed under a Creative Commons Attribution-NoDerivs 3.0 United States License.

Before thinking about point solutions, an organization must come up with a strategy.  I would suggest a Strategy Statement such as:
Delay threat actors from realizing risks until they give up or are detected and responded to.  Respond effectively.  Degrade gracefully and remediate effectively when threat actors realize risks.
The above single statement sums up an entire infosec program, laying out specific steps that can be used to plan and measure the program.  Yours doesn't need to be the same, but it needs to be a clear and concise statement you can make measurable progress against.  This one lays out base truths:

  • That the program will be operations driven.
  • That risk is a fundamental element of the security program (You can read some of my views on risk here, here, here, and here.)
  • That the fundamental measurement of effectiveness is Delay vs Detection & Response.
  • That the organization should expect to operate in and recover from a compromised environment.
It also establishes the stages of incident life-cycle that drive the strategy:
  1. Delay
  2. Detect
  3. Respond
  4. Remediate
Calling the first step Delay is meant to be a bit controversial.  I think normally it would be 'deny', 'protect', 'deter', or something else.  However, as a community, we need to get out of the idea that if we just build it secure enough, the threat will go away and never come back.  Obviously, not all threats will stick with their attack; however, we need to plan our strategy for the ones that do, and those are the cases where all we are doing is delaying.

This is a statement we can easily track progress against in one, easy to read, table:
Infosec Defense Execution Strategy

You can download the Infosec Defense Execution Strategy spreadsheet, including an example. We also add reporting and after-action review to the stages.  The stages can easily be modified to meet an organization's process.  The Defensive Execution Strategy also breaks each step out into discrete levels of completion:

  1. Define (Document what you want to do)
  2. Build (Create anything you need to do it)
  3. Train (Practice doing it)
  4. Grade (Measure how well you do it)
  5. (There is an implicit fifth step: if you find any deficiencies in your grading, you feed the measurement back into improving the step where the deficiency can be rectified.)
Within the levels of completion we define two specific things:  Who and What.  Without 'Who', it is unclear who will actually get the work done.  If an organization doesn't know who will get the work done, you can almost guarantee no-one will do it.  A good model to use is RACI: Responsible, Accountable, Consulted, Informed.

'What' is also critical to tracking the strategy.  There need to be deliverables which clearly show that a step has been performed. Managing based on deliverables significantly simplifies tracking of progress.  In the same vein, you need to know what products need to exist prior to starting a step.  If you don't, you have no way of measuring whether you are ready to begin or not.  Ultimately the topic of management by deliverables could fill a book.

From this one table of levels of completion above, all information security projects can be planned.  This also helps keep the organization focused on more than just the 'build' step.

And each stage can be decomposed.  Delay may be broken down into:
  1. Preventing incidents
  2. Operating in a compromised environment
Detection may be broken down into:
  1. Internal awareness
  2. External intelligence
  3. Prioritizing potential malice to investigate
  4. Facilitating correlation of prioritized information
(As an aside, #3 and #4 above are a fundamentally new way of looking at DFIR that is not yet widely adopted and deserves its own post.)

All projects and all security requirements should be traceable to the Strategy Statement through the Infosec Defense Execution Strategy and the various levels of decomposition.  With this as a starting point, organizations can see how all of their projects and requirements fit together, identify gaps, and form a unified defense that looks less like the first picture and more like this:

Image by Hao Wei, licensed under the Creative Commons Attribution 2.0 Generic license.

43 comments captured from original post on Blogger

Parag Deodhar said on 2014-01-18

Excellent post! It is important to understand the business, do a thorough risk assessment and have a comprehensive strategy covering people, process and technology solutions.

Gabe said on 2014-01-20

I didn’t mention it in this post, however I know the military has a concept called DOTMLPF (http://en.wikipedia.org/wiki/DOTMLPF). (I think there is a DOTMLPF-P where the extra P is ‘Policy’.) Any organization should be using all of the mitigation options in the DOTMLPF-P list rather than just the M (which is usually the go-to solution).

golden said on 2018-01-13

Totally epigrammatic. Everything is expressed so fluently and without any flaw. paypal hack

Niclov said on 2018-04-17

Being an IT student, I often need help in the matters of IT and believe me dynamix solutions have greatly assisted me in this regard.

Amyy Silva said on 2018-04-18

This is the establishment for your ITSM program business case and sanction that will be separated into venture and operational prerequisites. pdf to ppt converter

Jennet said on 2018-12-02

The effects of information technology and electronic trade on plans of action, business, advertise structure, working environment, work showcase, instruction, private life and society overall. Freelance Automation QA Engineer

prad said on 2018-12-09

Great Article Information Security Projects for CSE Students Project Centers in Chennai JavaScript Training in Chennai JavaScript Training in Chennai

YK Agency said on 2019-01-02

Live Online cybersecurity training This is just the information I am finding everywhere. Thanks for your blog, I just subscribe your blog. This is a nice blog..

jorick228 said on 2019-02-01

Want to play casino? Come and do not expect a miracle, only here you can really get up I checked myself) best free online gambling Win in the best casino of the century.

Robert Kyle said on 2019-02-01

A variety of open source testing tools are available for various types of testing like the functional, UAT, regression, performance and etc. Selenium Automation Training London

Taylor said on 2019-04-21

The quicker the info can be requested and conveyed, the less the requirement for a huge stock. Klik hier

Taylor said on 2019-06-05

Another incredible way telephone call examination can expand your business is through inside utilization of these applications. https://callgear.com/

Richard H. Black said on 2019-07-31

You delivered such an impressive piece to read, giving every subject enlightenment for us to gain information. Thanks for sharing such information with us due to which my several concepts have been cleared. Integriti Access Control Melbourne

markson said on 2019-08-28

The thought behind this is Google’s AI can comprehend an assortment of inquiries on different subjects and give legitimate reactions. ai courses

Usama LaDLa said on 2019-09-12

I like viewing web sites which comprehend the price of delivering the excellent useful resource free of charge. I truly adored reading your posting. Thank you! security company

Usama LaDLa said on 2019-09-12

I definitely enjoying every little bit of it and I have you bookmarked to check out new stuff you post. security guards

Jennet said on 2019-09-12

This specific understudy whose name is Nichole says that she doesn’t possess a PC yet shares a family PC. top reason to know why your business needs customized software

for ict 99 said on 2019-10-20

Great Article Information Security Projects for CSE Students Project Centers in Chennai for CSE JavaScript Training in Chennai JavaScript Training in Chennai

play said on 2019-11-11

A particular threat is the unlawful use of such drones for espionage, provocation or even criminal and terrorist purposes. Drone Jammer

play said on 2019-11-11

Complete frequency range – 6 RF frequency bands (0.8GHz, 0.9GHz, 1.4GHz, 1.6GHz, 2.4GHz and 5.8GHz) to ensure complete effectiveness across drone models. Counter Drone

Sarah said on 2019-12-19

One can contend that increasingly accessible data makes our lives progressively productive, more secure and more extravagant. While the other contention is that the extremely same data that gives these advantages is additionally our achilles recuperate because of the security ramifications of unapproved invasion. information technology

Taylor said on 2020-01-13

A significant segment of utilizing SMS as a promoting apparatus is a customer database. SMS API Service

Farhan.Jee said on 2020-01-31

Taking the Bar exam is much different than taking an exam in law school. cursos de ti

Aruna Ram said on 2020-02-17

Nice to learn something different about this topic from this article.  Thanks for your valuable information, it is very easy to learn and understand. Social Media Marketing Courses in Chennai | Social Media Marketing Courses | Oracle Training in Chennai | Tableau Training in Chennai | Advanced Excel Training in Chennai | Power BI Training in Chennai | Pega Training in Chennai | Embedded System Course Chennai | Social Media Marketing Courses in Velachery | Social Media Marketing Courses in Vadapalani

James said on 2020-03-30

training for the upcoming ball game and even social events that are, let’s face, a whole lot more fun. Helphub Review

Jennet said on 2020-05-08

the useful use of information particularly in a specific region: building 2 best streaming microphone

Taylor said on 2020-05-09

Identifying planned accomplices and customers https://topcatbreeds.com/

Cho co said on 2020-07-06

The real task of a data scientist is to design high performing prediction engines. 360DigiTMG data science training in hyderabad

kenwood said on 2020-08-26

Once your glitter makeup is set, you’ll be sure to shine as brightly as the midnight stars with your touch of glitz and glamour. As the ball drops in Times Square and the champagne pours, you will be ringing in the New Year with sparkle in your eyes. Buy glitter in bulk

Data Science Training said on 2020-08-29

Thanks for the Information. Interesting stuff to read. Great Article. I enjoyed reading your post, very nice share. Data Science Course Training in Hyderabad

shane lee said on 2020-09-06

Their black and white appearances make them different from other bears. The nose, ears, eyes, legs and shoulders are covered by black fur, while the rest of the body is wrapped up with white fur. Due to their unique color combinations, it is difficult to spot them in the jungle. panda teddy bear

SHAHZAIB said on 2020-11-19

If you are looking for more information about flat rate locksmith Las Vegas check that right away. شبکه های اجتماعی

・TeamAzPlayer said on 2020-11-19

I just want to let you know that I just check out your site and I find it very interesting and informative.. house security

Sarah said on 2020-11-19

Digitized items can cross the fringe continuously, purchasers can shop 24 hours per day, seven days per week, and firms are progressively confronted with worldwide online rivalry. The Internet is assisting with extending existing business sectors by slicing through huge numbers of the dissemination and promoting hindrances that can keep firms from accessing unfamiliar business sectors. Internet business brings down data and exchange costs for working on abroad business sectors and gives a modest and productive approach to reinforce client provider relations. It likewise urges organizations to create imaginative methods of publicizing, conveying and supporting their item and administrations. Alfresco Course

EXCELR said on 2020-11-24

Amazing Article, Really useful information to all. So, I hope you will share more information to be checked and shared here. data science courses

EXCELR said on 2020-12-08

Thanks for the Information. Interesting stuff to read. Great Article. I enjoyed reading your post, very nice share. data science training

Devi said on 2020-12-10

Your blog is so impressive to us. I appreciate the way of delivering the concepts. importance of python | highest paid technology in software industry | best way to learn python | hadoop architecture | j2ee interview questions

Excelr Tuhin said on 2020-12-20

I’ve read this post and if I could I desire to suggest you some interesting things or suggestions. Perhaps you could write next articles referring to this article. I want to read more things about it! data science certification

Optimus Prime said on 2021-01-04

A very awesome blog post. We are really grateful for your blog post. You will find a lot of approaches after visiting your post. ip camera

CheaterSyko said on 2021-01-22

Huge organizations have greater prerequisites for the Information technology offices with IT consulting services greater duties in information stockpiling, information assurance, information preparing, information transmission, and even information recovery.

Flora said on 2021-02-03

Great blog! I am really getting ready to read your article. It gives valuable information. importance of artificial intelligence | application of .net technology | uses of hadoop | devops automation tools | selenium automation framework interview questions and answers | digital marketing interview questions and answers pdf

Ramesh Sampangi said on 2021-11-25

Thanks for sharing this awesome blog. Keep sharing more blogs with us. Thank you. Data Science Courses

pdfguide said on 2022-01-04

Thanks you very much for sharing these links. Will definitely check this out.. Extract images from pdf