Release #2: A basic CDC Model

For our discussions I will define a reference model with functions, responsibilities and an organizational background. The external requirements are based on the EU and German ligislations and requirements for the finance sector. (1)
 
BTW, a well known eBook from Carson Zimmermann is named "Ten Strategies of a world-class Cybersecurity Operation Center" is a good read for practioneers. You should read it too.
 

CDC Reference Model

Our CDC reference model does not include the responsibility for the administration of security technologies, like firewalls, intrusion detection systems, SIEM, AV scanners and such.
 
The detailed organizational setup depends on the size of the organisation, the bigger the organisation the less technical and administrative responsibilities should the CDC have and the more interdependence within the organisation exists. If the CDC is located outside the IT department (maybe in the staff department of the CISO), then it is very unlikely that the CDC team will have the responsibility to run the IT and instead depend on the cooperation with the IT department. This cooperation works as long as the relationship between the CISO and the CIO is healthy and it even works better if the CISO comes with his own budget.
 
Typical functions of our CDC model are

  • detect potential security violations
  • receive security alerts (source: SIEM, telephone hotline, tickets, etc.)
  • analysis and containment of security incidents (incident response)
  • run the vulnerability management program or at least know about the critical and serious vulnerabilities in the IT infrastructure to have a better understanding of the company's threat landscape
  • in addition to the internal threat landscape Threat Intelligence analysts should constantly evaluate the external threat landscape (which cyber crime campagne is curently runnig that targets banking, what tools are used et cetera)
  • reporting comes in various flavours
    • TTPs (tactics, techniques and procedures of adversaries) for the Level-1 and Level-2 Security Analysts and the technical departments
    • the threat landscape for the technical departments, analysts, and management to know and understand the contextand better estimate their operational risk
    • KPI fulfillment for mangement and maybe the customers (SLA fulfillment)
    • customer reports if your CDC provides security-as-a-service
    • new and unhandled risks to risk owners and/or the enterprise risk management department
  • to always keep up with the increasing technical demand (new attack techniques, more systems and log data, etc) the CDC will always be involved in projects for continuous improvement

 
Let's go down further in our diagram, the next layer are the best practices which we dive deeper into in this blog, but a bit later.
 

Policy Pyramid or House of Policies

Then comes the layer of the organisational measures; corporate policies (like information security policies and guidelines) and written rules for the daily life of analysts and other technical staff. They are normally ordered in a pyramid based on abstraction. The upper two layers (like the top of a pyramid) are strategic and organisational policies; the lower layers describe the operational work defined at each functional entitiy (department or team). The operational fulfillment of these written rules is most interesting for most auditors (internal auditros which are the 3rd Line-of-Defense as well as external auditors). Of course, the policies from the top and middle layer of the pyramid will also be tested to be complete, coherent, and up-to-date.

You already realized it, our CDC reference model is the pyramid but upside down.

Undefined Terms

Now let's come to the terminology used within the blog, but let's focus on terms that are ambiguous and not already defined in an RFC or by another industry norm.

  • CERT: A Computer Emergency Repsponse Team, first used by the Carnegie Mellon University. There is/was an US patent on this acronym, therefore the acronym CSIRT should better be used.
  • CSIRT: Computer Security Incident Response Team. Both terms focus on the response task. Which is just one part of cyber defense.
  • IRT: An Incident Response Team takes care of natural disasters. ISO 27035 mentions an IRT which they use as synonym for CERT/CSIRT, a bad decision on my opinion.  
  • SOC: A Security Operation Center centeralizes security functions and also contains the detection functionality by correlating and analyzing log information. It could also include the function of running IT security solutions and verifying survailane cameras.
  • CDC: A Cyber Defense Center does active defense of the IT infrastructure and puts its weight on the defense not the operation functionality.

        
For variations of oranizational setups, have a look at the above mentioned Mitre eBook.
 

From Security Event to Security Incident

It is not seldom that documentation mixes the use of "security event" and "security incident". A uniform definition is important when it comes to Service Level Agreements (SLAs), escalation and notification processes, as well as for communications with external entities (like auditors for an ISO 27001 certification, or government officials).


Personally I like the definition of the ISO 27000 standard.

  • Security event: “.. is identified occurrence of a system, service or network state indicating a possible breach of information security or failure of controls, or a previously unknown situation that may be relevant". At the simplest level it could be the log-entry of the system service like SSH for a failed log-in attempt.
  • Security incident: "... is a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security”. The multiple accurence of log-entries of failed log-in attempts for many users indicating a "brute force" or "password spraying" attack.

 
 


If a security incident goes out of control and the impact reaches a defined threshold it becomes a crisis. In the diagram above the word "certainty" on the lower arrow is meant as "level of certainty that a bad thing happened" and not as "knowing how to handle it"; especially in a crisis the way to contain damage might get very individual and less standardardized.

Checkout HBR 2020/11 to read about when to use heuristics and when to use standard routines.

 

Best,

Thomas

 

 

(1) BSI (German Federal Office for Information Security) Sektorstudien (sector studies, unfortunately in German only): https://www.kritis.bund.de/SubSites/Kritis/DE/Publikationen/Sektorstudien/Sektorstudien_node.html



Popular posts from this blog

Release #3: Terminology, Frameworks and Standards - Part 1

Image
I n my previous blog posting we defined our CDC, the function it provides and introduced some basic terms. Next we will look at catalogues and models that help defenders to understand the actions of attackers. The MITRE ATT&CK catalogue categorizes typical attack techniques and tactics and provides many additional information which is often very helpful in the daily life of a CDC architect or analyst. Info Box Tactics, Techniques and Procedure (TTPs) ! TTPs are an attacker's actions, regardless of the phase in the kill chain. This refers to tactics, techniques and procedures, not the underlying strategy.   MITRE ATT&CK™ Matrix The MITRE ATT&CK™ Framework describes itself on the web page (https://attack.mitre.org/) as follows: MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for th
Read more

Facebook: Magnitude of the leaked data

Image
About 2 days ago bleepingcomputers reported about a leak of over 500.000.000 Facebook user records. Scratching the surface revealed that the data is available to nearly everyone. Here are some numbers to estimate the magnitute of the leak. 77 Gb of plaintext data from 105 countries world wide can be found on the Internet. Some indicators make clear that at least part of the data is from 2019, but only Facebook can make clear if there is also more current data included. The collections seem not to be from one web scraping session, but might be local web scraping campaigns in each country. Some file names are even in local languages. A world map with all countries (file size in MB).     Here are the top 20 based on file size in MB.   The data is of the following categories. name sex relationship status address employer email address (very seldom) year of birth (very seldom) telephone number (very seldom) some dates and IDs Note that citizens from various EU states are affected which is
Read more

Release #1: Cyber Defense in highly regulated Markets - Intro

T oday, in the middle of the 21st century terms like "Cyberwar" and "Cybercrime" are omnipresent in our society. Fortunately the Cyberwar is (yet) no real war between states; instead it is a mixture of sabotage, espionoage, psyops, manipulation of information and as well the theft of money(1)(2)(3). The relams of nation-state hackers and cyber crimnals and also tradional crimnals overlap because it is oportunistic ("Go where the money is.").(4)   Between the 80s and the 90s of the 20th century our current situation was mostly just in the heads of computer nerds and cyberpunk authors. Some of the computer freaks stepped over the border, people that were called "Hackers" pushed the technology and thinking beyond its intention and limits, found failures (bugs) in the systems and codes to get control over telephone and computer systems for fun and to learn how they work. In these days every bigger IT company had their own Unix-flavor with their own h
Read more