by: Nicholas Trisel
The title of this entry is hardly innovative, but its relevance still rings true. Bing “Security is a process, not a product” and several articles referencing this guiding principle will pop up. Despite the wealth of articles on the topic, I am still approached by business leaders who are focused on comparing the various security controls available on the market. Typically, those decisions come down to two key criteria: 1. Features/functionality and 2. Cost. Even though they have heard, and most IT professionals would agree, that “security is a process, not a product”, we still see a large population of decision makers focusing on the product as opposed to the process.
Terry Bradley, President of Mile High Cyber and former NSA team leader, was quoted for this blog as saying, “We tend to focus almost exclusively on prevention even though we know our best security protections often fail to work as envisioned. Detection is woefully lacking, and response is seldom considered until it’s too late.” There are many security frameworks available to leverage as a guiding principle when it comes to securing information, such as CSC, ISO, FAIR, and MITRE. For the sake of this article we will focus on the NIST framework, published by the US National Institute of Standards and Technology in 2014.
The NIST framework is widely recognized and used as a standard when it comes to information security. There are 5 primary functions in the NIST Framework Core. Let us think of NIST through the lens of a fighter jet on a sortie. The first and second functions of the NIST framework are Identify and Protect. We must identify the threat landscape so that we may understand the type of jet and payload best suited to the threat and environment. If we do not understand the threat or the environment, the pilot, aircraft, and mission could already be in jeopardy. Once we have assessed the environment and identified the threat, we can choose the best jet and payload to enter the sortie and protect our interests.
Think of this jet and its payload as your operator carrying your security controls. One of the objectives of the jet in this sortie is to Detect, the third function of the NIST framework. Once the jet enters the sortie, the pilot will need to detect the threat, such as an incoming missile. Once the pilot has detected the threat, the fourth function of NIST is Respond. He or she may choose to respond by deploying a series of countermeasures, like chaff, to avoid the threat. This chaff is meant to intercept and confuse the missile into thinking that the chaff, rather than the jet, is its target.
Security products work in a similar fashion: most of the time the chaff works, but eventually adversaries overcome the countermeasure and, as a result, the jet and its pilot take a hit.
Cybersecurity threats will always evolve to challenge countermeasures, and countermeasures will, in the same way, have to continuously evolve and be deployed as a means to stop attacks. Implementing a “defense in depth” strategy is a step in the right direction when approaching security. A fighter jet does not rely solely on chaff to respond while defending itself in combat. Depending on the role of the fighter jet, various countermeasures may be available to the pilot when evading an attacker.
Security will never be perfect, but security protections need to help make the risks manageable. The fifth and final function of the NIST framework is Recover. At the beginning of the article, I mentioned the importance of Identify and Protect, the first two functions in the framework. Because we did our due diligence, our fighter jet is equipped with a variety of tools to detect and respond to the threat, so the pilot may ensure the threat is contained.
As I was researching for this article, a gentleman by the name of Bruce Schneier came to mind. Bruce is a fellow at the Berkman Center for Internet & Society at Harvard Law and a program fellow at the New America Foundation’s Open Technology Institute. He has worked for IBM since it acquired Resilient Systems, where Schneier was CTO, and he is a proponent of full disclosure. Bruce published his first book in 1994, “Applied Cryptography”, followed by two more books, “Protect Your Macintosh” and “E-Mail Security”. Fun random fact about Bruce: since 2006 he has run an annual contest to create the most fantastic movie-plot threat.
In 2000, Bruce wrote an essay called “The Process of Security”. In that essay, Bruce said, “My primary fear about cyberspace is that people don’t understand the risks, and they’re putting too much faith in technology’s ability to obviate them. Products alone can’t solve security problems.” Bruce goes on to say that security processes are not a replacement for products but rather a way of using those products effectively.
To put it simply, we cannot completely avoid threats, but we can do our best to understand them, have a process in place to recover from them, and mitigate risk to an acceptable level via a thoughtful process. Michael P. Wood, VP & CISO of INTEGRIS Health, the largest not-for-profit health care system in Oklahoma, says, “Good security or being secure is also an emergent property and the result of consistently good choices over time.”
As you can see, the question isn’t “what products can I buy to protect my data?”; the question should be “what processes should I put in place that help mitigate risk?”. Once the processes have been established by leveraging a security framework, we can better understand how we mitigate risk through staff and security controls.
To offer guidance and help mitigate risks, we have compiled a list of resources that link the first of the five high-level functions, Identify, to Microsoft technology services. This is volume 1 of 5; the remaining volumes will identify resources linked to the other four functions of the NIST framework. To receive this first volume, please fill out the following form:
Download our eBook