I’ve wasted so much money at the doctor’s office. It’s deeply influenced the way I look at ‘going to the doctor’. I’ll be that guy who should’ve gone in a lot earlier, but now I’m stuck with some horrible prognosis because I delayed. I once went in to have my knee looked at, and instead, all I got was a prescription for a weight loss medication from a triple-chinned doctor who spoke bad English. Somehow she came to this diagnosis by entering my weight, height, age, and knee symptoms into a system that told her what was wrong with me. From that automated diagnosis, she prescribed a fix. Can I have my money back? I’m on a high deductible HSA plan,…
The same thing can happen in cybersecurity.
What is prescriptive security? It’s a security philosophy that attempts to predetermine security controls and procedures with risk as the input. In short, prescriptive security attempts to map controls to risks.
The goal of prescriptive security is to have a security strategy and plan that is based on a repeatable, premeditated plan and system, rather than on a security analyst’s intuition.
Using the NIST Cybersecurity Framework to walk through some examples of how prescriptive security can be applied, we can look at each pillar (CSF 2.0 adds a sixth function, Govern; this post walks through the five below):
– Identify
– Protect
– Detect
– Respond
– Recover
Identify
If you asked ten different security analysts how they would go about identifying the threats, vulnerabilities, and risks to your business, how many different answers do you think you’d get?
Applying a prescriptive approach, we can lay out a framework of qualifying questions that leads us to an approach (like the doctor example above). We’ll start with high-level general questions and work down to more specific pain points.
1. Does the business have information or data that it wants to keep others from having?
2. What exactly is the data that needs to be protected?
3. How is the data created, stored, transmitted, and destroyed during its lifecycle?
4. What systems touch the data? Where is it processed, where is it stored, and where is it transmitted to and from?
5. Who should have access to this data, and when? What level of access is appropriate?
6. Who would benefit from stealing or getting access to this data?
7. How could they use this data, or how could they leverage access to this data?
8. Are these specific, motivated attacker groups, or common opportunistic threats?
9. How do the threats impact data availability, confidentiality, and integrity?
10. Are the systems and data identified above connected to other systems (i.e. the Internet)?
11. What is the connection architecture?
12. What is the most appropriate way to assess the vulnerabilities of these systems?
13. How can the vulnerabilities be reported based on severity and priority?
14. What is the risk to the business?
15. What is the residual risk after remediating or mitigating the security findings?
Even though these questions offer a repeatable set of things to consider so that the proper security procedures can be initiated, it’s still not the heart of prescriptive security. Where it really gets traction is in the ‘Protect’ section of the NIST framework.
Protect
Here controls can be prescribed. If (this) then (that).
If (web server) then:
– Restrict outbound firewall rules to what the server actually needs
– Rename the built-in administrator account
– Verify directory rights
– If hosting an application, review application controls
– Ensure the server meets the secure configuration baseline
– Have the web server vulnerability scanned
– Remediate all High and Medium findings
– Ensure the web server has been added to a recurring scanning schedule
If (web application) then:
– Review and document application risk
– If the data classification is Confidential or Sensitive, have the application pen tested
– Review database and service access for the application
– Ensure the service account password policy is enforced
– Ensure service credentials meet requirements
As you can see, we start to move toward something that resembles a checklist, but one complete with desired outputs and actions.
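To show what those two if/then rules look like once they are more than a checklist on paper, here is an added example (not code from the original post or from Asher Security) that encodes them as rules over an asset inventory and reports which prescribed controls still lack evidence of completion. The asset records, evidence, and control wording are constructed for illustration and paraphrase the checklist above; the `web_server`/`web_application` kinds and the `hosts_application` and `risk` attributes are assumptions made for the example.

```python
"""Prescriptive controls as code.

Each rule pairs a predicate over an asset with the controls the checklist
prescribes when that predicate holds. prescribe() collects the controls,
gaps() reports those with no verified evidence, so the checklist carries
its own desired output (which controls) and action (what is still open).

Added example; sample assets and evidence below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    kind: str                        # assumed values: "web_server", "web_application"
    hosts_application: bool = False  # web server that also hosts an app
    risk: str = "Public"             # data classification of the hosted data
    # Evidence: control name -> True once someone verified it is complete
    evidence: dict[str, bool] = field(default_factory=dict)


# (predicate over the asset, controls prescribed when the predicate is true)
RULES = [
    (lambda a: a.kind == "web_server", [
        "Restrict outbound firewall rules to required destinations",
        "Rename the built-in administrator account",
        "Verify directory rights",
        "Confirm server meets the secure configuration baseline",
        "Run a vulnerability scan",
        "Remediate all High and Medium findings",
        "Add server to the recurring scan schedule",
    ]),
    (lambda a: a.kind == "web_server" and a.hosts_application, [
        "Review application controls for the hosted application",
    ]),
    (lambda a: a.kind == "web_application", [
        "Review and document application risk",
        "Review database and service access for the application",
        "Enforce service account password policy",
        "Verify service credentials meet requirements",
    ]),
    (lambda a: a.kind == "web_application"
     and a.risk in {"Confidential", "Sensitive"}, [
        "Have the application penetration tested",
    ]),
]


def prescribe(asset: Asset) -> list[str]:
    """Return every control prescribed for this asset, in rule order."""
    controls: list[str] = []
    for applies, prescribed in RULES:
        if applies(asset):
            controls.extend(prescribed)
    return controls


def gaps(asset: Asset) -> list[str]:
    """Prescribed controls with no verified evidence of completion.

    A control missing from the evidence map counts as not done, so a
    newly inventoried asset starts with every prescribed control open.
    """
    return [c for c in prescribe(asset) if not asset.evidence.get(c, False)]


if __name__ == "__main__":
    # Constructed sample inventory.
    inventory = [
        Asset("www-01", "web_server", hosts_application=True,
              evidence={"Rename the built-in administrator account": True}),
        Asset("payroll-app", "web_application", risk="Confidential"),
        Asset("brochure-app", "web_application", risk="Public"),
    ]
    for asset in inventory:
        open_controls = gaps(asset)
        print(f"{asset.name}: {len(open_controls)} of "
              f"{len(prescribe(asset))} prescribed controls outstanding")
        for control in open_controls:
            print("  -", control)
```

The value of writing it this way is that adding an asset type, or tightening the pen-test trigger, is a one-line change to `RULES`, and the gap report is the same for every analyst who runs it, which is exactly the repeatability the prescriptive approach is after. What it does not do is tell you whether `risk="Public"` was the right classification in the first place; that judgement still comes from the Identify questions.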
Respond
This is another area that can benefit from a premeditated and planned procedure. A security incident can be extremely stressful. Under stress, mistakes happen and important steps can be overlooked or forgotten. Sometimes when the steps are remembered, it’s too late.
1. When does an alert become an investigation?
2. When does an investigation become an incident?
3. What qualifies as an incident?
4. When does the ‘Incident Response and Handling’ process officially start?
5. What document needs to be updated with times and dates?
6. Where will investigation notes, indicators of compromise, and security notes be documented?
7. Who needs to be notified and kept informed about incidents?
8. When does an incident become a breach?
9. Who needs to be notified once an incident becomes a breach?
10. Which roles are responsible for which duties, such as public disclosure and communication?
Recommended Book
In his book ‘The Checklist Manifesto: How to Get Things Right’, Atul Gawande examines how complex work can benefit from a checklist. I highly recommend this book and have given it as a gift to several cybersecurity friends.
Problems with Prescriptive Security
Often, leadership will pressure security analysts to come up with a prescriptive security plan. They do it for the right reasons:
- Reduce risk when the employee leaves
- Document and improve processes
- Educate and enable other staff
The hope is that a security formula can be created:
If this problem occurs then do this action.
I’m all about process, systems, and continuous improvement, but most of the time prescriptive security doesn’t completely solve the issue it was intended to solve.
A well-experienced cybersecurity professional is an expert. They have seen a lot, and some of the things they have seen still can’t be explained. Asking good questions and getting to the source of a problem requires tapping into education and training, unique experiences, and skill sets. A great cybersecurity professional will start along a path and have the ability to dynamically adapt their questions to eliminate possibilities and get closer to the ultimate issue.
The real place a prescriptive plan belongs is on the basics, and that’s called ‘processes’. These are core to a great cybersecurity program, and a true professional can help create them. When it comes to troubleshooting complex security issues, diving deep, and analyzing anomalies, it’s really difficult to approach the work prescriptively.
The Right Measure of Prescriptive Approach
I think the real driver behind prescriptive security is a leadership desire to feel more confident that the right security controls are being applied to the proper risks.
Security analysts are all different, and based on talent and abilities can have very different approaches and communicate different priorities. This can leave leadership feeling less confident.
In addition, as humans, we tend to focus on what we’re good at and what interests us. We tend to procrastinate or ignore the unknown and the things that are difficult. In cybersecurity that might mean that an old technology we never learned about, have no qualified security tools for, and can’t retire goes unattended within the company network. I’m not saying everyone does this, I’m just being honest and saying as humans we have this tendency.
During the times I’ve spent leading a cybersecurity team, I’ve always felt a certain level of uncertainty from leadership. I don’t judge them. As a matter of fact, I feel it too. Day and night we as cybersecurity professionals are asking what we’re missing, whether there is an attack vector we haven’t considered, and, even though that person said there was no sensitive data on there, how we can validate their claims,… the list goes on and on. My point is, we still owe it to our leaders to provide them with as much confidence as we can. We can do this by showing them the system by which we are coming up with the strategy, security controls, and capabilities we’ve laid out. We can document as much as possible. We can prepare their cybersecurity program to the point that if we leave, nothing will be lost, and someone new will fit right in and pick up where we left off without a degradation of security or an increase of risk.
The best thing we can do as cybersecurity professionals to give our leaders additional confidence is to be transparent about the unknown. This is hard to do and requires an ideal relationship between cybersecurity managers and executive leaders. It should be strived for and treated as the milestone we are working toward. Transparency fuels trust.
Trust is not the only output of this relationship, though. Leaders also know the business better than the cybersecurity professional and can get us information and solutions that we couldn’t achieve on our own. Many times, the unknowns we struggle with are really a business question, and they can solve it. They also have the ability to go and get additional funding for resources, whether technology or labor, to help us address those unknowns. And whether those unknowns are figured out and secured or not, the business deserves to know about them. Leaders do an amazing job communicating these risks in the right way. These unknown risks should be communicated to business leaders and board members in the right way, by the right people, equipped with the right facts and information about them.
Conclusion
The concept of prescriptive security is very attractive. At the end of the day, it doesn’t deliver all that is hoped for. The ideas behind prescriptive security are closely related to those we’ve already been trying to implement as part of a responsible cybersecurity program, such as documentation, process and procedures, handbooks, and even checklists.
Cybersecurity professionals should strive to document as much as they can about the cybersecurity program they are responsible for. This includes the frameworks, the controls, how they identify assets, how they assess risk, how they identify and document data, how assessments take place, how reports are prioritized and provided, and how risk is addressed or accepted.
Leaders should strive to trust their cybersecurity leaders. And cybersecurity leaders should strive to respect their leaders through documentation and planning.
If you had a strange heart palpitation, would you want to see a generalist or a specialist? If you see the specialist, will you feel better if they follow a script of questions, or if they use industry knowledge and combine that with their unique experience and skills to help you?
If you choose the latter, you will be thankful to continue to see them whenever you have symptoms, and you won’t feel like asking for your money back.
Better Alternative
An alternative to the prescriptive security philosophy is performing an annual cybersecurity assessment. Base the assessment on a security framework like the NIST Cybersecurity Framework. Take each pillar and walk through the recommended controls and see if they are appropriate and if your current program is capable of implementing those security controls.
This will give you a common foundation to base your security strategy on, it will provide you a current measurement of your capabilities, and it will provide you with priorities and a roadmap for what you want to focus on moving forward.
Documenting this process can act as a guidebook to your cybersecurity program, and it can provide a platform for replacement cybersecurity analysts and leaders to review and be brought up to speed on your capabilities and position.
To complement this process, build some fundamental documents that articulate the risk your unique business carries. These documents should include an information security policy, an annual cybersecurity awareness training policy, a risk register, and a risk acceptance document.
Lastly, if you want to take this a step further once you know your unique risks and your current security position relative to an accepted cybersecurity framework, you can have your cybersecurity team perform a skills assessment. Many online education portals now offer these skills assessments. One output of this exercise is to document the roles and responsibilities of your team and then map those responsibilities to individual positions. Each employee can then be measured against their documented responsibilities on an annual basis, and it becomes much easier to identify a replacement, whether internal or external, when the employee is no longer in the role.
Contact Us
Asher Security is a local Minnesota cybersecurity advisory and consulting business with the goal of helping businesses lower their risk by increasing their cybersecurity maturity. If you’d like to learn more about how we can help you, please call us directly or fill out our contact form.