
Building Effective Cybersecurity Programs: A Security Manager's Handbook




DOCUMENT INFORMATION

Structure

  • Title page

  • Copyright

  • Dedication

  • Acknowledgments

  • Preface

  • Introduction

  • Foreword

  • Chapter 1: Designing a Cybersecurity Program

    • 1.1 Cybersecurity Program Design Methodology

      • 1.1.1 Need for a Design to Attract the Best Personnel

      • 1.1.2 A Recommended Design Approach: ADDIOI Model™

      • 1.1.3 The Six Phases of the ADDIOI Model™

    • 1.2 Defining Architectures, Frameworks, and Models

      • 1.2.1 Program Design Guide

    • 1.3 Design Principles

    • 1.4 Good Practice vs. Best Practice

    • 1.5 Adjust Your Design Perspective

    • 1.6 Architectural Views

    • 1.7 Cybersecurity Program Blueprint

    • 1.8 Program Structure

      • 1.8.1 Office of the CISO

      • 1.8.2 Security Engineering

      • 1.8.3 Security Operations

      • 1.8.4 Cyber Threat Intelligence

      • 1.8.5 Cyber Incident Response

      • 1.8.6 Physical Security

      • 1.8.7 Recovery Operations

    • 1.9 Cybersecurity Program Frameworks and Models

      • 1.9.1 HITRUST CSF

      • 1.9.2 Information Security Forum (ISF) Framework

      • 1.9.3 ISO/IEC 27001/27002 Information Security Management (ISMS)

      • 1.9.4 NIST Cybersecurity Framework

    • 1.10 Maturing Cybersecurity Programs

    • 1.11 Cybersecurity Program Design Checklist

    • References

  • Chapter 2: Establishing a Foundation of Governance

    • 2.1 Governance Overview

    • 2.2 Cybersecurity Governance Playbook

    • 2.3 Selecting a Governance Framework

      • 2.3.1 COBIT® 5: Framework for Information Technology Governance and Control

      • 2.3.2 COSO 2013 Internal Control - Integrated Framework

      • 2.3.3 Information Governance Reference Model (IGRM)

      • 2.3.4 Information Coalition - Information Governance Model

      • 2.3.5 OCEG GRC Capability Model™ 3.0 (Red Book)

    • 2.4 Governance Oversight Board

    • 2.5 Cybersecurity Policy Model

      • 2.5.1 Cybersecurity Policy Management

      • 2.5.2 Cybersecurity Policy Management Software

    • 2.6 Governance, Risk, and Compliance (GRC) Software

    • 2.7 Key Cybersecurity Program Management Disciplines

    • 2.8 Creating a Culture of Cybersecurity

    • 2.9 Governance Foundation Checklist

    • References

  • Chapter 3: Building a Cyber Threat, Vulnerability Detection, and Intelligence Capability

    • 3.1 Cyber Threats and Vulnerabilities

      • 3.1.1 Threats, Vulnerability, and Intelligence Model

    • 3.2 Cyber Threats

      • 3.2.1 Lesson from the Honeybees

      • 3.2.2 Cyber Threat Categories

      • 3.2.3 Threat Taxonomies

        • 3.2.3.1 Threat Taxonomy Sources

      • 3.2.4 Cyber Threat Actors

      • 3.2.5 Cyber Threat-Hunting

        • 3.2.5.1 Cyber Threat-Hunting Tools

      • 3.2.6 Cyber Threat-Modeling

        • 3.2.6.1 Cyber Threat Analysis and Modeling (TAM) Products

      • 3.2.7 Cyber Threat Detection Solutions

      • 3.2.8 Cyber Threat Metrics

        • 3.2.8.1 Example Cyber Threat Metrics

    • 3.3 Vulnerability Management

      • 3.3.1 Vulnerability Scanning

      • 3.3.2 Patch Management

        • 3.3.2.1 Virtual Patch Management

    • 3.4 Attack Surface

      • 3.4.1 Attack Surface Mapping

      • 3.4.2 Shadow IT Attack Surface

      • 3.4.3 Attack Surface Classification

    • 3.5 Cyber Threat Intelligence

      • 3.5.1 Cyber Threat Intelligence Services

      • 3.5.2 Cyber Threat Intelligence Program Use Cases

    • 3.6 Cyber Kill Chain

    • 3.7 Cyber Threat, Vulnerability Detection, and Intelligence Checklist

    • References

  • Chapter 4: Building a Cyber Risk Management Capability

    • 4.1 Cyber Risk

      • 4.1.1 Cyber Risk Landscape

      • 4.1.2 Risk Types

      • 4.1.3 Cyber Risk Appetite

        • 4.1.3.1 Risk Appetite Statement

      • 4.1.4 Risk Tolerance

      • 4.1.5 Risk Threshold

      • 4.1.6 Risk Acceptance

        • 4.1.6.1 Risk Acceptance Statement

      • 4.1.7 Inherent Risk

      • 4.1.8 Residual Risk

      • 4.1.9 Annualized Loss Expectancy (ALE)

      • 4.1.10 Return on Investment (ROI)

    • 4.2 Cyber Risk Assessments

      • 4.2.1 Business Impact Assessment (BIA)

      • 4.2.2 Calculating Risk

        • 4.2.2.1 Risk Calculation Software

      • 4.2.3 Risk Registry

    • 4.3 Cyber Risk Standards

    • 4.4 Cyber Risk Management Lifecycle

    • 4.5 Cyber Risk Treatment

    • 4.6 Risk Monitoring

    • 4.7 Risk Reporting

    • 4.8 Risk Management Frameworks

    • 4.9 Risk Maturity Models

    • 4.10 Third-Party Risk Management (TPRM)

      • 4.10.1 TPRM Program Structure

      • 4.10.2 Third-Party Attestation Services

    • 4.11 Cyber Black Swans

    • 4.12 Cyber Risk Cassandras

    • 4.13 Cyber Risk Management Checklist

    • References

  • Chapter 5: Implementing a Defense-in-Depth Strategy

    • 5.1 Defense-in-Depth

      • 5.1.1 Industry Perception

      • 5.1.2 Defense-in-Depth Models

      • 5.1.3 Origin of Contemporary Defense-in-Depth Models

      • 5.1.4 Defense-in-Depth Layer Categorization

      • 5.1.5 Defense-in-Depth Criticism

      • 5.1.6 Defensive Layers

    • 5.2 Improving the Effectiveness of Defense-in-Depth

      • 5.2.1 Governance, Risk, and Compliance (GRC) Domain

      • 5.2.2 Threat and Vulnerability Management (TVM) Domain

      • 5.2.3 Application, Database, and Software Protection (ADS) Domain

      • 5.2.4 Security Operations (SecOps) Domain

      • 5.2.5 Device and Data Protection (DDP) Domain

      • 5.2.6 Cloud Service and Infrastructure Protection (CIP) Domain

    • 5.3 Defense-in-Depth Model Schema

    • 5.4 Open Source Software Protection

    • 5.5 Defense-in-Depth Checklist

    • References

  • Chapter 6: Applying Service Management to Cybersecurity Programs

    • 6.1 Information Technology Service Management (ITSM)

      • 6.1.1 Brief History of ITSM and ITIL

    • 6.2 Cybersecurity Service Management

      • 6.2.1 Cybersecurity Service Management Approach

    • 6.3 Cybersecurity Program Personnel

      • 6.3.1 Applying the RACI-V Model to Cybersecurity Program Staffing

      • 6.3.2 Applying the Kanban Method to Cybersecurity Program Staff Workflow

      • 6.3.3 Bimodal IT Environments

    • 6.4 Cybersecurity Operations Center (C-SOC)

    • 6.5 Incident Management

      • 6.5.1 Incident Response Management Products

    • 6.6 Security Automation and Orchestration (SAO)

    • 6.7 DevSecOps

      • 6.7.1 Rugged DevOps

      • 6.7.2 DevSecOps Factory Model™

    • 6.8 Software-Defined Security (SDSec)

    • 6.9 Artificial Intelligence

    • 6.10 Cybersecurity Program Operationalization Checklist

    • References

  • Appendix A: Useful Checklists and Information

    • Table A-1. Sample Cybersecurity Program Key Performance Measures (KPM)

    • Table A-2. Threat Fusion Platforms

    • Table A-3. Cybersecurity Maturity Models

    • Table A-4. Policy Management Software

    • Table A-5. Governance, Risk, and Compliance (GRC) Program Software Products

    • Table A-6. Vulnerability Scanning Solutions

    • Table A-7. Security Patch Management Solutions

    • Table A-8. Virtual Patching Solutions

    • Table A-9. IT Asset Management Products

    • Table A-10. Cloud Access Security Broker (CASB) Solutions

    • Table A-11. Threat Intelligence Services

    • Table A-12. Data Breach and Threats Reports

    • Table A-13. Managed Security Service Providers (MSSP)

    • Table A-14. Cybersecurity Automation and Orchestration Solutions

  • Credits

  • About the Author

  • More From Rothstein Publishing

Content

Building Effective Cybersecurity Programs: A Security Manager's Handbook

Tari Schreider, SSCP, CISM, C|CISO, ITIL Foundation
Kristen Noakes-Fry, ABCI, Editor

ISBN 978-1-944480-51-6 (PDF)
ISBN 978-1-944480-50-9 (EPUB)

Rothstein Publishing
Brookfield, Connecticut USA
203.740.7400
info@rothstein.com
www.rothstein.com

Copyright

©2018, Rothstein Associates Inc. All Rights Reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without express, prior permission of the Publisher.

No responsibility is assumed by the Publisher or Authors for any injury and/or damage to persons or property as a matter of product liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Local laws, standards, regulations, and building codes should always be consulted first before considering any advice offered in this book.

Dedication

For my daughters, Vanessa and Whitney - my greatest fans and the ones who always keep me humble. They were always understanding during the times I was away helping others improve their cybersecurity programs.

Acknowledgments

To Thomas Caulfield, former publisher of Systems User Magazine. Tom mentored me in writing and published my first article over 30 years ago. He set the bar for doing the right thing, being a gentleman, and always having humility. I only wish he were still with us to see this book published.

Preface

Few companies today could survive without the Internet; either you are part of the digital economy, or you are reliant upon those who are. I am hard-pressed to find someone today who does not interact with some aspect of the Internet to perform all or some of his or her work duties. IT professionals and managers alike need to be cybersecurity-savvy to compete in today's job market. You must accept that you are or will be working for an organization that takes cybersecurity seriously. To ensure you do not become one of those managers you read about who lets the cyber aggressors in the backdoor, you must take cybersecurity seriously as well.

Whether you are a new manager or a current manager involved in your organization's cybersecurity program, I am confident this book will answer many questions you have about what is involved in building a program. You will be able to get up to speed quickly on program development practices and have a roadmap to follow in building or improving your organization's cybersecurity program. Even if you are new to cybersecurity, in the short period of time it will take you to read this book, you can be the smartest person in the room grasping the complexities of your organization's cybersecurity program. If you are already involved in your organization's cybersecurity program, you have much to gain from reading this book. This book will become your go-to field manual to guide or affirm your program decisions.

After 30 years of experience in the trenches, designing and building cybersecurity programs throughout the world, I wrote this book to help the process go more smoothly for you. In creating this roadmap for you, I was motivated by what I see as a systemic lack of experience and resources in those tasked with designing and building cybersecurity programs.

First, many managers have never had to build a cybersecurity program from the ground up, resulting in cybersecurity programs based on insular opinions guiding program development rather than sound architecture and design principles. Managers involved in cybersecurity can expect an average tenure in their role of approximately two years, which means they are inheriting cybersecurity programs serially throughout their careers. This leaves little time to forge experience gained through building a program of their own design. In addition, few of these managers graduated from a cybersecurity degree program that teaches architecture and design.

Second, we do not have a generation of managers equipped to build cybersecurity programs. By many accounts, there are over one million cybersecurity jobs open in the US. According to the US Bureau of Labor Statistics, this industry will grow by 37% through 2022. Who will fill these roles? Only the recently graduated or certified are available to fill these open positions, but neither group has the experience necessary to build a cybersecurity program. Certifications and degrees may not always be a true measure of the skills required to build today's programs, since there is no substitute for experience.

Third, inexperienced managers have difficulty separating fact from what I call "security theater." A multibillion-dollar industry of thousands of cybersecurity vendors and consultants driven by their own self-interest can easily lead managers astray. Managers with little experience can fall under their spell, succumbing to their cybersecurity technologies and becoming locked in to proprietary program maturity models. I have seen many led down a perilous path of cybersecurity programs crammed with technologies that promise to protect their information and assets from hackers but offer little in the way of basic blocking and tackling.

This book is intended to give you the knowledge and guidance that will allow you to choose wisely and avoid the pitfalls I have described above. My experience working with hundreds of companies will serve as your roadmap to step you through building your own cybersecurity program. In writing this book, I analyzed over 150 cybersecurity architectures, frameworks, models, etc., so that you would not have to. I have called out those that I felt were great examples to assist you along your journey. This alone will save you hundreds of hours attempting to conduct the research necessary to identify all the components of a cybersecurity program.

My best wishes as you follow the roadmap to create an effective cybersecurity program for your organization!

Atlanta, Georgia
September 2017

Posted: 17/01/2020, 08:52
