Bringing a Business Perspective to Cybersecurity Operations I

Combined Session
Tuesday, October 08, 2019 13:15—14:15
Location: Holeman Lounge

Opening Pandora's Box with FAIR + ATT&CK + SOAR = An Improved Cyber Security Response Strategy

When I meet with CISOs and Cyber Security Directors, they usually ask which use cases they should target first. I generally proceed with a few simple questions and immediately recommend going after general use cases or low-hanging fruit, or a strategy based on how mature their organization is.

During this session, you’ll find out what questions I ask, what answers I get, and why I propose approaching a cyber security response using FAIR + ATT&CK + SOAR.

Risk and compliance managers and disaster recovery experts have been applying a variety of risk models to organizations and businesses for many years, and they have only just begun the complex process of truly understanding cyber risk. Part of the reason that cyber security insurance exists for corporations is that it gives risk and compliance managers a way of protecting the organization from liabilities which may be out of their control, or which they simply do not understand because the cyber security problem domain is unfamiliar to them. One of the core reasons behind this is that risk and compliance managers focus on corporate risks such as disaster recovery, or on compliance risks like GDPR, PCI, SOX and HIPAA, which do not really protect against or reduce the risk of cyber threats to the organization. While useful, these risks belong to a somewhat different realm than protecting the organization from cyber security threats or continuously reducing risk within its cyber security program. The outcome of all of this is a lack of focus on improving the organization's cyber security response strategies for potential or real breaches, when or if they occur.

When developing cyber security response strategies, it is obvious to CSOs, incident responders and security operations staff that they should develop solutions based on either the quantity of alerts, the cyber threat event frequency, responding to known vulnerabilities, or simply going after and protecting against low-hanging fruit or the things that take the most time within the organization.

However, cyber security response activities generally do not align with the overarching goals of risk managers or compliance officers, nor do risk management teams necessarily understand cyber security risks. The primary reason is that risk managers and compliance managers think in terms of loss of financial or reputational value to the organization. It is much easier for risk managers to understand the expected financial or reputational loss if a building burns down than the financial or reputational loss to the organization if an intern's laptop is breached.

So how can we improve this game of whack-a-mole? This is where combining the FAIR (Factor Analysis of Information Risk) model with MITRE ATT&CK and a SOAR (Security Orchestration and Automated Response) strategy can enable organizations to prioritize their cyber security response strategies and processes. In this talk, I will discuss the basics of the FAIR model and the ATT&CK framework, and address how combining them with SOAR to prioritize an organization's response capability can reduce risk for the organization. Reducing real cyber risk to an organization requires an active commitment to risk management combined with a continuous approach to cyber security response, not just by the CISO or Directors of Security within the organization, but by the risk management staff who stand beside them.

Tyler Rorabaugh
Demisto at Palo Alto Networks
16+ years of experience in cyber security including offensive, defensive, product engineering, consulting and for the last 3 years in SOARLandia. I've worked for a number of large and small cyber...

DODCAR Overview: Standardizing and Automating Cyber Threat Understanding for Threat-based, Cybersecurity Assessments

DoDCAR performs threat-based cybersecurity architecture assessments to ensure DoD leadership has the insight and knowledge to make well-informed, prioritized cybersecurity investment decisions that enable dependable mission execution in both unclassified and classified environments. This approach establishes a threat-based, analysis-driven, repeatable process to synchronize and balance cybersecurity investments, minimize redundancies, eliminate inefficiencies, and improve all-around mission performance. The DODCAR framework provides a foundation for automation through a data standardization and tagging framework that supports the development of analytics and machine learning in cyber security.

This talk will provide an overview and deeper understanding of the DODCAR methodology and its objectives, and lay a foundation for data standards and tagging that help the whole cybersecurity community better understand cyber threats.

The Department of Defense Cybersecurity Analysis and Review (DoDCAR) is sponsored by the Department of Defense (DoD) Chief Information Officer (CIO) Deputy CIO for Cybersecurity, the National Security Agency (NSA) Deputy National Manager for National Security Systems, and the Defense Information Systems Agency (DISA) Director. DoDCAR performs threat-based cybersecurity architecture assessments to ensure DoD leadership has the insight and knowledge to make well-informed, prioritized cybersecurity investment decisions that enable dependable mission execution in both unclassified and classified environments. DODCAR objectives are twofold:

The DODCAR approach establishes a threat-based, analysis-driven, repeatable process to synchronize and balance cybersecurity investments, minimize redundancies, eliminate inefficiencies, and improve all-around mission performance. This approach also provides the insight and knowledge necessary to support effective, prioritized, and integrated cybersecurity capability investments. The end goal of the DODCAR methodology is to discuss cyber security within a framework that everyone can understand, regardless of their technical background or level of expertise. Before DODCAR, the communication problem around a threat was often explained through the Godzilla analogy: if architects and engineers see Godzilla from the lower floors of a building, they see feet; system administrators see knees; and so on up to the operators and executives, who see only the teeth. Because IT network engineers see and fear things differently than operators and users, these differing perspectives make the discussion of cyber threats and potential solutions quite difficult.

The standardization of cyber data is a prevailing problem, as we buy technologies that are not standardized. Metadata and data tags have been initially normalized through efforts like OASIS' STIX/TAXII. This, however, offers only a low-level view of data normalization, because we still cannot talk about threats holistically from a single perspective, and we do not have a standard framework for viewing cyber threats. Data governance, through NIST and Department of Defense (DoD) wide implementation policies, is currently being established to ensure the normalization of cyber data. This normalization will become the foundation for looking at big data and creating analytics and machine learning from the government's perspective.

Karin Breitinger
Tensley Consulting INC.
Owen Sutter
DOD Cybersecurity Analysis & Review (DODCAR)
A Doctoral Student at Capitol Technology University with a focus on behavioral psychology within cybersecurity. Owen Sutter is a cybersecurity operations professional with 10 years managing...