Volume 1: TAG Cyber Security Fifty Controls – Volume 1 Introduces the Fifty Primary Control Areas Required for CISO Teams to Be More Effective
Total Page:16
File Type:pdf, Size:1020Kb
Designer – Vision Creative Finance – M&T Bank Administration – navitend Promotion – Braithwaite Communications Research – TAG Cyber LLC Lead Author – Dr. Edward G. Amoroso TAG Cyber LLC P.O. Box 260, Sparta, New Jersey 07871 Copyright © 2017 TAG Cyber LLC. All rights reserved. This publication may be freely reproduced, freely quoted, freely distributed, or freely transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system without need to request permission from the publisher, so long as the content is neither changed nor attributed to a different source. Security experts and practitioners must recognize that best practices, technologies, and information about the cyber security industry and its participants will always be changing. Such experts and practitioners must therefore rely on their experience, expertise, and knowledge with respect to interpretation and application of the opinions, information, advice, and recommendations contained and described herein. Neither the author of this document nor TAG Cyber LLC assume any liability for any injury and/or damage to persons or organizations as a matter of products liability, negligence or otherwise, or from any use or operation of any products, vendors, methods, instructions, recommendations, or ideas contained in any aspect of the 2017 TAG Cyber Security Annual volumes. The opinions, information, advice, and recommendations expressed in this publication are not representations of fact, and are subject to change without notice. TAG Cyber LLC reserves the right to change its policies or explanations of its policies at any time without notice. Page 2 2017 TAG Cyber Security Annual September 1, 2016 To the Reader: I wrote every word of this 2017 TAG Cyber Security Annual based on my experience, opinion, and research – and I wrote it for one purpose: To serve as a useful guide for Chief Information Security Officer (CISO) teams. My desire was to make all three volumes of the 2017 TAG Cyber Security Annual free to practitioners, and any other persons or groups who might find the content useful. To that end, roughly fifty cyber security vendors served as sponsors, agreeing to distribute this Annual with no pre-arranged agreements about the nature of the analysis included. They kindly offered their advice, expertise, and knowledge in the development of this report – and to that end, they are referenced here as distinguished vendors. Without their assistance, this report would not exist. As with any researcher, I must admit to my biases. With the publication of this report, I am only several months removed from three decades of proud service to the customers and people of AT&T. During that time, I poured my heart and soul into the development and operation of the vast assortment of cyber security services that the company continues to market. To that end, it is impossible for me to remain unbiased in my conviction that these services are world class, and that the underlying promise of AT&T’s software defined network, led by John Donovan, to support on- demand virtualized cyber security will prove to be exactly the right technical and infrastructure approach to stopping advanced malicious actors. Furthermore, I have served proudly over the years on a variety of informal advisory boards for cyber security vendors, such as Koolspan, over the past decade. I also serve as an independent director on M&T Bank’s Board of Directors, as a Senior Advisor to the Applied Physics Lab at Johns Hopkins University, and as an Adjunct Professor in the Computer Science Departments at the Stevens Institute of Technology and New York University. While none of these affiliations should introduce any untoward bias, all inevitably have some bearing on the advisory material included here. Discussions with students and faculty at Stevens and NYU, in particular, have had considerable influence on my opinions regarding cyber security technology. You will notice that the research presented here differs significantly from the advisory work of firms such as Gartner and Forrester. Where such firms rank vendors based on in-depth feature analysis, my approach is to try to educate readers in the fundamentals. The emphasis is therefore on broad themes that are likely to remain constant, rather than detailed feature-by-feature comparisons that can change in an instant. Also, the decision to avoid rankings is made in the observation that all vendors provide some value to their customers – or they would not be in business. And the familiar process of “asking around” to see what “customers are saying” is both unscientific and misleading – not to mention fraught with the conflicts that arise when advisory firms sell consulting services to the same vendors they are ranking. One major caveat regarding this 2017 TAG Cyber Security Annual is that the reader must expect a plethora of errors and inaccuracies, especially in Volume 3, where facts about company names, product offerings, and executive positions change so quickly that it is impossible to keep up. But this should not detract from the usefulness of the report. Readers should use the volumes as an Alpha Guide to their own understanding, and should take the initiative to augment this guide with their own research, which hopefully will be shorter and easier based on the material provided here. I hope that this guide is useful to you. Expect updates – and a completely revised edition next year. Dr. Edward G. Amoroso, Chief Executive Officer, TAG Cyber LLC Page 3 2017 TAG Cyber Security Annual Purpose and Overview of 2017 TAG Cyber Security Annual The purpose of this 2017 TAG Cyber Security Annual is to assist the women and men who are tasked with protecting their organizations from the potentially damaging effects of cyber attacks. Throughout the report, these dedicated cyber defenders are referred to as members of Chief Information Security Officer (CISO) teams. The report provides CISO team members with detailed technical and architectural guidance based on fifty specific controls that support the reduction of cyber risk. Offering cyber security guidance based on a control methodology is hardly a new idea. Literally dozens of cyber security frameworks are available to working professionals. What is unconventional here, however, is an underlying security framework that uniquely embraces cloud, virtualization, and mobility as solutions rather than problems. It is a cyber framework that seeks to support proactive avoidance, rather than just passive acceptance, of malicious attacks. The underlying architectural framework of this report consists of a three- step infrastructure improvement process that every CISO team should embrace: In Step 1, they must explode their perimeter-based infrastructure into smaller, distributed micro-segments. In Step 2, they must offload these segments onto virtualized, cloud-based systems with advanced security protections. And in Step 3, they must reload their cyber security technology with superior technologies from the myriad of expert commercial vendors available. Figure 1. Three-Step Methodology for Enterprise Security Teams It is argued throughout this report that these three steps – exploding, offloading, and reloading – are absolutely required to stop the advanced cyber attacks being aimed at commercial and government systems. The case is made in these pages that these three steps cannot be ignored by CISO teams if they wish to regain control of their infrastructure from malicious intruders and re-establish dependability and trust in the computing and networking systems that support our world. The argument is Page 4 2017 TAG Cyber Security Annual made repeatedly here that the consequences of following the familiar perimeter- dependent path are simply unthinkable. The report does, however, recognize the practical and budgetary realities of the modern enterprise, and that no CISO team can simply wave a magic wand and move their applications and systems to some micro-segmented cloud with advanced machine-learning analytics. To that end, the report includes specific guidance on the most likely existing types of systems and infrastructure that will exist in companies and agencies – including, for example, mainframe systems. This approach is taken so that readers can translate the underlying three-step process and associated framework into a feasible plan. This 2017 TAG Cyber Security Annual is organized around a comprehensive set of resources, technical information, and guidance designed to assist the CISO team with the recommended distribution, virtualization, and improvement tasks. It does so in the context of fifty specific cyber security controls that must be present in the CISO team’s arsenal as they upgrade their infrastructure. Some of these controls are familiar, such as firewall platforms and anti-malware tools. But others might be new including security analytics, network monitoring, and deception. All of the controls, however, are relevant and essential to the success of the modern CISO team. One final point on purpose and overview: This report is not written for C- suite managers or board-level executives, and it is not written to raise awareness amongst industry observers or politicians with casual technical backgrounds. It is written instead for the hard core, working CISO team member professional. The report targets those individuals and groups with the requisite experience, expertise, and ability to make decisions and to take positive steps to improve our global cyber security infrastructure. So if you don’t know the difference between an IP packet and a USPS envelope, or if you don’t know the difference between a virtual and physical machine, or if you have no idea why signature-based processing makes variant writing so easy – then please toss this book aside. It’s not for you. Page 5 2017 TAG Cyber Security Annual Introduction to the 2017 TAG Cyber Security Annual To be successful at protecting infrastructure from cyber attacks, modern Chief Information Security Officer (CISO) teams must attend properly to the following four focus areas in their organizational cyber protection scheme: 1.