Our pursuit of security is a lot like our efforts to remain healthy.
While it’s not something I desire, I know that I’m going to get sick again. I take steps to avoid illness, including washing my hands, exercising regularly, avoiding unhealthy activities such as smoking, and even participating in my company’s wellness program. But I can’t mitigate all the threats to my health. For example, I travel all too frequently on airplanes, exposing myself to germs others are infected with. Fortunately, over the years my body has built up resistance and I’m usually unaffected. When I do get sick, and I will, I’ll see a doctor and persevere until I'm back to full health.
Keep the security doctor away
Similarly, we need to recognize that in today’s evolving threat landscape we face a constant risk of attacks and need to build up our resilience against them. Hewlett Packard Enterprise’s security research report, The Business of Hacking, reports that in 2015, losses due to cybercrime were estimated to be more than $300 billion. So while we may have layers of defenses to thwart attacks, some of these attack vectors are succeeding in bypassing our security controls. When we do succumb to an attack, our business functions will need to continue to operate.
Good systems security engineering practices are required to build more trustworthy and resilient systems. The latest guidance for this domain is captured in the second draft of National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-160, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. The SP details the engineering-driven processes necessary to develop more defensible, resilient, and survivable systems. The recommended security design principles are captured in the figure below.
As stated by NIST senior fellow Ron Ross in the foreword:
“The ultimate objective is to obtain trustworthy secure systems that are fully capable of supporting critical missions and business operations while protecting stakeholder assets, and to do so with a level of assurance that is consistent with the risk tolerance of those stakeholders.”
Who do you trust?
I strongly encourage you to take the time to read and comment on the draft SP to better understand the trust-driven model being proposed by NIST. If, however, you lack the time to digest the 300-plus pages, the Institute for Critical Infrastructure Technology (ICIT) has released NIST SP 800-160: For the Rest of Us. This 25-page version provides a simplified quick-reference guide to the SP in a more consolidated format. As stated in the ICIT’s brief:
“In terms of system security engineering, a trusted system is one that meets specific security requirements in addition to meeting other critical requirements. Without a new model, systems will continue to collapse due to malicious attacks, natural disasters, user errors, and other calamities because organizations will fail to alter their already failing security strategies to meet changes in the threat landscape. The inevitable breaches will result in major inconveniences and catastrophic losses for United States citizens.”
At the ICIT’s Resiliency & Enablement Forum in April, federal CIO Tony Scott shared some of his thoughts on the direction he feels we need to take to protect vulnerable attack surfaces that are under siege from state-sponsored advanced persistent threats, hacktivists, sophisticated mercenaries, and cyber criminals. One of his recommendations was that we should be "building in more resiliency into the building blocks first."
He is interested in R&D related to components with self-awareness that recognize when they’re no longer in a safe, secure state and can operate in a degraded mode or even take themselves out of service until fixed. But he also recognizes that we need to apply the best practices already understood and captured in SP 800-160 to build more trustworthy systems.
Sickness will strike, so stay healthy
We are not going to be able to anticipate all potential forms of attack or prevent all disruptions, hazards, and threats. Our systems are going to get “sick.” However, we can build up our resistance by architecting and designing our systems and applications using security engineering best practices, making them inherently less vulnerable and more resilient.