Enterprise Cybersecurity: How to Build a Successful Cyberdefense Program Against Advanced Threats

Book Description

Enterprise Cybersecurity empowers organizations of all sizes to defend themselves with next-generation cybersecurity programs against the escalating threat of modern targeted cyberattacks. This book presents a comprehensive framework for managing all aspects of an enterprise cybersecurity program. It enables an enterprise to architect, design, implement, and operate a coherent cybersecurity program that is seamlessly coordinated with policy, programmatics, IT life cycle, and assessment.

Fail-safe cyberdefense is a pipe dream. Given sufficient time, an intelligent attacker can eventually defeat defensive measures protecting an enterprise’s computer systems and IT networks.

To prevail, an enterprise cybersecurity program must manage risk by detecting attacks early enough and delaying them long enough that the defenders have time to respond effectively. Enterprise Cybersecurity shows players at all levels of responsibility how to unify their organization’s people, budgets, technologies, and processes into a cost-efficient cybersecurity program capable of countering advanced cyberattacks and containing damage in the event of a breach.

The authors of Enterprise Cybersecurity explain at both strategic and tactical levels how to accomplish the mission of leading, designing, deploying, operating, managing, and supporting cybersecurity capabilities in an enterprise environment. The authors are recognized experts and thought leaders in this rapidly evolving field, drawing on decades of collective experience in cybersecurity and IT. In capacities ranging from executive strategist to systems architect to cybercombatant, Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, and Abdul Aslam have fought on the front lines of cybersecurity against advanced persistent threats to government, military, and business entities.

Table of Contents

  1. Cover
  2. Title
  3. Copyright
  4. Dedication
  5. Contents at a Glance
  6. Contents
  7. Foreword
  8. About the Authors
  9. Acknowledgments
  10. Introduction
  11. Part I: The Cybersecurity Challenge
    1. Chapter 1: Defining the Cybersecurity Challenge
      1. The Cyberattacks of Today
        1. The Sony Pictures Entertainment Breach of 2014
        2. Advanced Persistent Threats
        3. Waves of Malware
      2. Types of Cyberattackers
        1. Commodity Threats
        2. Hacktivists
        3. Organized Crime
        4. Espionage
        5. Cyberwar
      3. The Types of Cyberattacks
        1. Confidentiality: Steal Data
        2. Integrity: Modify Data (Steal Money)
        3. Availability: Deny Access
      4. The Steps of a Cyberintrusion
        1. Attack Trees and Attack Graphs
        2. Lockheed Martin Kill Chain
        3. Mandiant Attack Life Cycle
        4. Enterprise Cybersecurity Attack Sequence
      5. Why Cyberintrusions Succeed
        1. The Explosion in Connectivity
        2. Consolidation of Enterprise IT
        3. Defeat of Preventive Controls
        4. Failure of Detective Controls
        5. Compliance over Capability
        6. The Gap in Cybersecurity Effectiveness
      6. A New Cybersecurity Mindset
      7. An Effective Enterprise Cybersecurity Program
    2. Chapter 2: Meeting the Cybersecurity Challenge
      1. Cybersecurity Frameworks
      2. The Cybersecurity Process
      3. Cybersecurity Challenges
      4. The Risk Management Process
        1. Considering Vulnerabilities, Threats, and Risks
        2. Risk Analysis and Mitigation
      5. Cybersecurity Controls
      6. Cybersecurity Capabilities
      7. Cybersecurity and Enterprise IT
        1. Emplacing Cyberdefenses
        2. How Cyberdefenses Interconnect
      8. An Enterprise Cybersecurity Architecture
  12. Part II: A New Enterprise Cybersecurity Architecture
    1. Chapter 3: Enterprise Cybersecurity Architecture
      1. Systems Administration
        1. Systems Administration: Goal and Objectives
        2. Systems Administration: Threat Vectors
        3. Systems Administration: Capabilities
      2. Network Security
        1. Network Security: Goal and Objectives
        2. Network Security: Threat Vectors
        3. Network Security: Capabilities
      3. Application Security
        1. Application Security: Goal and Objectives
        2. Application Security: Threat Vectors
        3. Application Security: Capabilities
      4. Endpoint, Server, and Device Security
        1. Endpoint, Server, and Device Security: Goal and Objectives
        2. Endpoint, Server, and Device Security: Threat Vectors
        3. Endpoint, Server, and Device Security: Capabilities
      5. Identity, Authentication, and Access Management
        1. Identity, Authentication, and Access Management: Goal and Objectives
        2. Identity, Authentication, and Access Management: Threat Vectors
        3. Identity, Authentication, and Access Management: Capabilities
      6. Data Protection and Cryptography
        1. Data Protection and Cryptography: Goal and Objectives
        2. Data Protection and Cryptography: Threat Vectors
        3. Data Protection and Cryptography: Capabilities
      7. Monitoring, Vulnerability, and Patch Management
        1. Monitoring, Vulnerability, and Patch Management: Goal and Objectives
        2. Monitoring, Vulnerability, and Patch Management: Threat Vectors
        3. Monitoring, Vulnerability, and Patch Management: Capabilities
      8. High Availability, Disaster Recovery, and Physical Protection
        1. High Availability, Disaster Recovery, and Physical Protection: Goal and Objectives
        2. High Availability, Disaster Recovery, and Physical Protection: Threat Vectors
        3. High Availability, Disaster Recovery, and Physical Protection: Capabilities
      9. Incident Response
        1. Incident Response: Goal and Objectives
        2. Incident Response: Threat Vectors
        3. Incident Response: Capabilities
      10. Asset Management and Supply Chain
        1. Asset Management and Supply Chain: Goal and Objectives
        2. Asset Management and Supply Chain: Threat Vectors
        3. Asset Management and Supply Chain: Capabilities
      11. Policy, Audit, E-Discovery, and Training
        1. Policy, Audit, E-Discovery, and Training: Goal and Objectives
        2. Policy, Audit, E-Discovery, and Training: Threat Vectors
        3. Policy, Audit, E-Discovery, and Training: Capabilities
    2. Chapter 4: Implementing Enterprise Cybersecurity
      1. IT Organization
      2. IT System Life Cycle
      3. Defining Security Policies
      4. Defining Security Scopes
        1. The Eight Types of Security Scopes
        2. Considerations in Selecting Security Scopes
      5. Identifying Security Scopes
        1. Security Scopes for the Typical Enterprise
        2. Considerations in Selecting Security Scopes
      6. Selecting Security Controls
      7. Selecting Security Capabilities
      8. Selecting Security Technologies
      9. Considering Security Effectiveness
    3. Chapter 5: Operating Enterprise Cybersecurity
      1. Operational Responsibilities
        1. Business (CIO, customers)
        2. Security (Cybersecurity)
        3. (IT) Strategy/Architecture
        4. (IT) Engineering
        5. (IT) Operations
      2. High-Level IT and Cybersecurity Processes
        1. IT Operational Process
        2. Risk Management Process
        3. Vulnerability Management and Incident Response Process
        4. Auditing and Deficiency Tracking Process
      3. Operational Processes and Information Systems
        1. Cybersecurity Operational Processes
        2. Supporting Information Systems
      4. Functional Area Operational Objectives
        1. Systems Administration
        2. Network Security
        3. Application Security
        4. Endpoint, Server, and Device Security
        5. Identity, Authentication, and Access Management
        6. Data Protection and Cryptography
        7. Monitoring, Vulnerability, and Patch Management
        8. High Availability, Disaster Recovery, and Physical Protection
        9. Incident Response
        10. Asset Management and Supply Chain
        11. Policy, Audit, E-Discovery, and Training
    4. Chapter 6: Enterprise Cybersecurity and the Cloud
      1. Introducing the Cloud
      2. Cloud Protection Challenges
        1. Developer Operations (DevOps) and Developer Security Operations (DevSecOps)
        2. Scopes and Account Management
        3. Authentication
        4. Data Protection and Key Management
        5. Logging, Monitoring, and Investigations
        6. Reliability and Disaster Recovery
        7. Scale and Reliability
        8. Contracts and Agreements
      3. Planning Enterprise Cybersecurity for the Cloud
        1. Systems Administration
        2. Network Security
        3. Application Security
        4. Endpoint, Server, and Device Security
        5. Identity, Authentication, and Access Management
        6. Data Protection and Cryptography
        7. Monitoring, Vulnerability, and Patch Management
        8. High Availability, Disaster Recovery, and Physical Protection
        9. Incident Response
        10. Asset Management and Supply Chain
        11. Policy, Audit, E-Discovery, and Training
    5. Chapter 7: Enterprise Cybersecurity for Mobile and BYOD
      1. Introducing Mobile and BYOD
      2. Challenges with Mobile and BYOD
        1. Legal Agreements for Data Protection
        2. Personal Use and Personal Data
        3. The Mobile Platform
        4. Sensors and Location Awareness
        5. Always-On and Always-Connected
        6. Multi-Factor Authentication
        7. Mobile Device Management
      3. Enterprise Cybersecurity for Mobile and BYOD
        1. Systems Administration
        2. Network Security
        3. Application Security
        4. Endpoint, Server, and Device Security
        5. Identity, Authentication, and Access Management
        6. Data Protection and Cryptography
        7. Monitoring, Vulnerability, and Patch Management
        8. High Availability, Disaster Recovery, and Physical Protection
        9. Incident Response
        10. Asset Management and Supply Chain
        11. Policy, Audit, E-Discovery, and Training
  13. Part III: The Art of Cyberdefense
    1. Chapter 8: Building an Effective Defense
      1. Attacks Are as Easy as 1, 2, 3!
      2. The Enterprise Attack Sequence in Detail
        1. Attack Sequence Step 1: Establish Foothold
        2. Attack Sequence Step 2: Command and Control
        3. Attack Sequence Step 3: Escalate Privileges
        4. Attack Sequence Step 4: Move Laterally
        5. Attack Sequence Step 5: Complete the Mission
      3. Why Security Fails Against Advanced Attacks
        1. The Failure of Endpoint Security
        2. The “Inevitability of ‘the Click’” Challenge
        3. Systems Administration Hierarchy
        4. Escalating Attacks and Defenses
      4. Business Challenges to Security
        1. Tension between Security and Productivity
        2. Maximum Allowable Risk
        3. Security Effectiveness over Time
        4. Security Total Cost of Ownership
      5. Philosophy of Effective Defense
        1. Mazes Versus Minefields
        2. Disrupt, Detect, Delay, Defeat
        3. Cybercastles
        4. Nested Defenses
      6. Elements of an Effective Cyberdefense
        1. Network Segmentation
        2. Strong Authentication
        3. Detection
        4. Incident Response
        5. Resiliency
    2. Chapter 9: Responding to Incidents
      1. The Incident Response Process
        1. Incident Response Step 1: Identify the Incident
        2. Incident Response Step 2: Investigate the Incident
        3. Incident Response Step 3: Collect Evidence
        4. Incident Response Step 4: Report the Results
        5. Incident Response Step 5: Contain the Incident
        6. Incident Response Step 6: Repair Gaps or Malfunctions
        7. Incident Response Step 7: Remediate Compromised Accounts, Computers, and Networks
        8. Incident Response Step 8: Validate Remediation and Strengthen Security Controls
        9. Incident Response Step 9: Report the Conclusion of the Incident
        10. Incident Response Step 10: Resume Normal IT Operations
      2. Supporting the Incident Response Process
    3. Chapter 10: Managing a Cybersecurity Crisis
      1. Devastating Cyberattacks and “Falling Off the Cliff”
        1. The Snowballing Incident
        2. Falling Off the Cliff
        3. Reporting to Senior Enterprise Leadership
        4. Calling for Help
      2. Keeping Calm and Carrying On
        1. Playing Baseball in a Hailstorm
        2. Communications Overload
        3. Decision-Making under Stress
        4. Asks Versus Needs: Eliciting Accurate Requirements and Guidance
        5. The Observe Orient Decide Act (OODA) Loop
        6. Establishing an Operational Tempo
        7. Operating in Crisis Mode
      3. Managing the Recovery Process
        1. Cyber Hand-to-Hand Combat
        2. “Throwing Money at Problems”
        3. Identifying Resources and Resource Constraints
        4. Building a Resource-Driven Project Plan
        5. Maximizing Parallelism in Execution
        6. Taking Care of People
      4. Recovering Cybersecurity and IT Capabilities
        1. Building the Bridge While You Cross It
        2. Preparing to Rebuild and Restore
        3. Closing Critical Cybersecurity Gaps
        4. Establishing Interim IT Capabilities
        5. Conducting Prioritized IT Recovery and Cybersecurity Improvements
        6. Establishing Full Operating Capabilities for IT and Cybersecurity
        7. Cybersecurity Versus IT Restoration
        8. Maximum Allowable Risk
      5. Ending the Crisis
        1. Resolving the Crisis
        2. Declaring the Crisis Remediated and Over
        3. After Action Review and Lessons Learned
        4. Establishing a “New Normal” Culture
      6. Being Prepared for the Future
  14. Part IV: Enterprise Cyberdefense Assessment
    1. Chapter 11: Assessing Enterprise Cybersecurity
      1. Cybersecurity Auditing Methodology
        1. The Challenge of Proving Negatives
        2. Cybersecurity Audit Objectives
        3. Cybersecurity Audit Plans
        4. Audit Evidence Collection
        5. Audit Artifacts
        6. Audit Results
        7. Deficiency Tracking
        8. Reporting and Records Retention
      2. Cybersecurity Audit Types
      3. “Audit First” Design Methodology
        1. Threat Analysis
        2. Audit Controls
        3. Forensic Controls
        4. Detective Controls
        5. Preventive Controls
        6. Letting Audits Drive Control Design
      4. Enterprise Cybersecurity Assessments
        1. Level 1 Assessment: Focus on Risk Mitigations
        2. Level 2 Assessment: Focus on Functional Areas
        3. Level 3 Assessment: Focus on Security Capabilities
        4. Level 4 Assessment: Focus on Controls, Technologies, and Processes
      5. Audit Deficiency Management
    2. Chapter 12: Measuring a Cybersecurity Program
      1. Cybersecurity Measurement
      2. Cybersecurity Program Measurement
        1. OM Step 1: Define the Question(s) to Be Answered
        2. OM Step 2: Select Appropriate Objects to Measure
        3. OM Step 3: For Each Object, Define the Object Characteristics to Measure
        4. OM Step 4: For Each Characteristic, Create a Value Scale
        5. OM Step 5: Measure Each Characteristic Using the Value Scale
        6. OM Step 6: Calculate the Overall Cybersecurity Program Assessment Index Using Object Measurement
      3. Visualizing Cybersecurity Assessment Scores
      4. Cybersecurity Measurement Summary
    3. Chapter 13: Mapping Against Cybersecurity Frameworks
      1. Looking at Control Frameworks
      2. Clearly Defining “Controls”
      3. Mapping Against External Frameworks
        1. Assessment Audit and Security Scopes
        2. IT Systems and Security Controls
        3. Balancing Prevention with Detection and Response
        4. Security Capabilities, Technologies, and Processes
        5. Validation Audit and Reporting
      4. One Audit, Many Results
        1. Audit Report Mapping
        2. Deficiency Tracking and Management
  15. Part V: Enterprise Cybersecurity Program
    1. Chapter 14: Managing an Enterprise Cybersecurity Program
      1. Enterprise Cybersecurity Program Management
        1. Cybersecurity Program Step 1: Assess Assets, Threats, and Risks
        2. Cybersecurity Program Step 2: Identify Security Scopes
        3. Cybersecurity Program Step 3: Assess Risk Mitigations, Capabilities by Functional Area, and Security Operations
        4. Cybersecurity Program Step 4: Identify Target Security Levels
        5. Cybersecurity Program Step 5: Identify Deficient Areas
        6. Cybersecurity Program Step 6: Prioritize Remediation and Improvements
        7. Cybersecurity Program Step 7: Resource and Execute Improvements
        8. Cybersecurity Program Step 8: Collect Operational Metrics
        9. Cybersecurity Program Step 9: Return to Step 1
      2. Assessing Security Status
        1. Cybersecurity Program Step 3: Assess Risk Mitigations, Capabilities, and Security Operations
        2. Cybersecurity Program Step 4: Identify Target Security Levels
        3. Cybersecurity Program Step 5: Identify Deficient Areas
        4. Cybersecurity Program Step 6: Prioritize Remediation and Improvements
      3. Analyzing Enterprise Cybersecurity Improvements
        1. Considering Types of Improvements
        2. Considering Threat Scenarios
        3. Examining Cybersecurity Assessment Scores across Multiple Scopes
        4. Considering Improvement Opportunities across Multiple Scopes
        5. Considering “Bang for the Buck”
      4. Prioritizing Improvement Projects
        1. Immediate: Executing
        2. This Year: Preparing
        3. Next Year: Resourcing
        4. Future: Prioritizing
        5. Updating Priority Lists
      5. Tracking Cybersecurity Project Results
        1. Visualizing Cybersecurity Program Assessment Scores
        2. Measuring Cybersecurity Program Assessment Scores over Time
    2. Chapter 15: Looking to the Future
      1. The Power of Enterprise Cybersecurity Architecture
      2. Evolution of Cyberattack and Defense
        1. Before the Internet
        2. Generation 1: Hardening the Host
        3. Generation 2: Protecting the Network
        4. Generation 3: Layered Defense and Active Response
        5. Generation 4: Automated Response
        6. Generation 5: Biological Defense
        7. Cybergenerations Moving Down Market
        8. Future Cybersecurity Evolution
      3. Evolving Enterprise Cybersecurity over Time
        1. Enterprise Cybersecurity Implementation Considerations
        2. Tailoring Cybersecurity Assessments
        3. Evolution of Enterprise Cybersecurity Capabilities
        4. Evolution of Enterprise Cybersecurity Functional Areas
      4. Final Thoughts
  16. Part VI: Appendices
    1. Appendix A: Common Cyberattacks
      1. 1. Phishing / Spearphishing
      2. 2. Drive-By / Watering Hole / Malvertising
      3. 3. Code Injection / Webshell
      4. 4. Keylogging / Session Hijacking
      5. 5. Pass-the-Hash and Pass-the-Ticket
      6. 6. Credential Harvesting
      7. 7. Gate-Crashing
      8. 8. Malware / Botnet
      9. 9. Distributed Denial-of-Service (DDoS)
      10. 10. Identity Theft
      11. 11. Industrial Espionage
      12. 12. Pickpocket
      13. 13. Bank Heist
      14. 14. Ransomware
      15. 15. Webnapping
      16. 16. Hijacking
      17. 17. Decapitation
      18. 18. Sabotage
      19. 19. Sniper / Laser / Smart Bomb
      20. 20. Smokeout / Lockout
      21. 21. Infestation / Whack-a-Mole
      22. 22. Burndown
      23. 23. Meltdown
      24. 24. Defamation
      25. 25. Graffiti
      26. 26. Smokescreen / Diversion
      27. 27. Fizzle
    2. Appendix B: Cybersecurity Frameworks
      1. (ISC)2 Common Body of Knowledge (CBK)
      2. ISO 27001/27002 Version 2013
      3. ISO 27001/27002 Version 2005
      4. NIST SP800-53 Revisions 3 and 4
      5. NIST Cybersecurity Framework (2014)
      6. DHS Cyber Resilience Review (CRR)
      7. Council on CyberSecurity Critical Security Controls
      8. Australian DSD Strategies to Mitigate Targeted Cyberintrusions
      9. PCI DSS Version 3.0
      10. HIPAA Security Rule
      11. HITRUST Common Security Framework (CSF)
      12. NERC CIP Cyber Security Version 5
      13. NERC CIP Cyber Security Version 3
    3. Appendix C: Enterprise Cybersecurity Capabilities
      1. Systems Administration (SA)
      2. Network Security (NS)
      3. Application Security (AS)
      4. Endpoint, Server, and Device Security (ESDS)
      5. Identity, Authentication, and Access Management (IAAM)
      6. Data Protection and Cryptography (DPC)
      7. Monitoring, Vulnerability, and Patch Management (MVPM)
      8. High Availability, Disaster Recovery, and Physical Protection (HADRPP)
      9. Incident Response (IR)
      10. Asset Management and Supply Chain (AMSC)
      11. Policy, Audit, E-Discovery, and Training (PAET)
      12. References
    4. Appendix D: Sample Cybersecurity Policy
      1. The Policy
    5. Appendix E: Cybersecurity Operational Processes
      1. Supporting Information Systems
      2. 1. Policies and Policy Exception Management
      3. 2. Project and Change Security Reviews
      4. 3. Risk Management
      5. 4. Control Management
      6. 5. Auditing and Deficiency Tracking
      7. 6. Asset Inventory and Audit
      8. 7. Change Control
      9. 8. Configuration Management Database Re-certification
      10. 9. Supplier Reviews and Risk Assessments
      11. 10. Cyberintrusion Response
      12. 11. All-Hazards Emergency Preparedness Exercises
      13. 12. Vulnerability Scanning, Tracking, and Management
      14. 13. Patch Management and Deployment
      15. 14. Security Monitoring
      16. 15. Password and Key Management
      17. 16. Account and Access Periodic Re-certification
      18. 17. Privileged Account Activity Audit
    6. Appendix F: Object Measurement
      1. OM Index Equation
      2. OM Steps
      3. OM Value Scales
      4. Expert Judgment OM Example
      5. Observed Data OM Example
      6. OM Measurement Map
      7. Other Cybersecurity-Related Measurements
    7. Appendix G: Cybersecurity Capability Value Scales
      1. Systems Administration (SA)
      2. Network Security (NS)
      3. Application Security (AS)
      4. Endpoint, Server, and Device Security (ESDS)
      5. Identity, Authentication, and Access Management (IAAM)
      6. Data Protection and Cryptography (DPC)
      7. Monitoring, Vulnerability, and Patch Management (MVPM)
      8. High Availability, Disaster Recovery, and Physical Protection (HADRPP)
      9. Incident Response (IR)
      10. Asset Management and Supply Chain (AMSC)
      11. Policy, Audit, E-Discovery, and Training (PAET)
    8. Appendix H: Cybersecurity Sample Assessment
      1. Sample Assessment Scope and Methodology
      2. Level 1 Assessment: Focus on Risk Mitigations
      3. Level 2 Assessment: Focus on Functional Areas
      4. Level 3 Assessment: Focus on Capabilities
    9. Appendix I: Network Segmentation
      1. The Legacy Network
      2. Protecting the Security Infrastructure
      3. Watertight Compartments
      4. Systems Administration
      5. Applications
      6. Web Traffic
      7. Network Segmentation Summary
    10. Glossary
    11. Bibliography
  17. Index