Operational resilience is the name of the game when it comes to how business leaders evaluate cybersecurity program effectiveness. While security practitioners are thinking about exploits, vulnerabilities, controls, and threat actors’ TTPs, what executives really want to know is, “When the company is the victim of an attack, what effect will that have on the rest of the company, how quickly can employees resume ‘business as usual,’ and what hard and soft costs will be incurred?”
During his Threat Intelligence Summit 2016 talk, “Intelligence Preparation for Operational Resilience (IPOR),” Doug Gray, Senior Cyber Architect at Lunarline shared a new, structured framework developed at the Software Engineering Institute (SEI) at Carnegie Mellon University to help organizations identify intelligence needs, consume intelligence, and make information decisions based on that intelligence. The problem with most cyber threat intelligence, as it exists today, said Gray, “is that people are drinking from a firehose.” Because data is nearly infinite, Gray continued, “How does a decision maker make sense of the flood of threat information to make informed resilience decisions?” The answer: IPOR enables companies to make sense of the abundance of intelligence.
I’m bulletproof, nothing to lose
The SEI saw an opportunity in the marketplace; although the security community already has various frameworks—DoD’s Intelligence Preparation of the Battlefield, CERT Resilience Management Model, NIST, Agile, OCTAVE, etc.—there was still a gap, a lack of a methodology to organize information in a way that allows decision makers to act swiftly and appropriately when a threat arises. IPOR, said Gray, was not built to replace other established frameworks. Instead, it integrates with other frameworks so that organizations don’t have to reinvent the wheel while trying to keep the wheel spinning. Quite simply, IPOR lays out three areas on which security, threat, and operations teams can focus.
Source: Doug Gray, http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=448155
What does the threat landscape look like (voice of the environment)? What is the company trying to protect (voice of the organization)? What tools, tactics, and procedures is the threat actor using (voice of the threat actor)? IPOR operates under the premise that if organizations understand these three pillars, security and operations teams have a better opportunity to focus efforts and maintain operational resilience. At first glance the model seems overly basic, but the beauty of IPOR is in its simplicity—the fact that operational resilience relies on a direct connection between threat data collected and business goals.
Fire away, fire away
One of the issues with threat intelligence and threat intelligence programs is the lack of industry-wide definitions. Gray asked attendees to accept the following as the basis for discussion in New Orleans:
Source: Doug Gray
With the terminology agreed upon, Gray explained that operational resilience is “the ability of the organization to achieve its mission even under degraded circumstances.” This is precisely the type of information business executives and boards of directors want to hear; they’re less interested in the colorful charts and graphs or reams of log data that currently comprise most threat programs’ deliverables. While back end data informs the threat strategy, the output of the data must align with business goals, i.e., facilitating business operations even during a security incident.
Further, to achieve a highly effective threat program that enables operational resilience, threat and security teams must also build routine, habitual relationships of trust with management. It’s important, too, to explain that not all of the data collected will be 100% accurate at the exact time of discovery or for a given situation; the aim is to collect information that could be relevant and add or revise when new information becomes available or as circumstances change. Documenting incorrect information—especially when it’s been acted upon—will provide valuable lessons that will improve the program and allow the organization to withstand attacks in the future.
Finally, cautioned Gray, “Understand and be able to identify cognitive biases that can distort intelligence,” thus affecting any decisions concluded because of it. This last piece is particularly important because no threat program will ever be truly effective without an analyst or data scientist, all of whom, as human beings, are susceptible to sway (this is not to say that threat intelligence should be wholly automated. In fact, the most successful threat intelligence programs employ full-time skilled analysts/scientists).
Ricochet, take your aim
Achieving operational resiliency depends on an organization’s ability to provide resilient services which support strategic objectives (e.g., developing, marketing, and selling products or services). This means that functional areas/services like eCommerce, human resources, accounts payable, and research and development are available and functioning normally or as close to normal at all times—even during a security incident. The resilient assets that support resilient services include people, information, technology, facilities, and the supply chain. Not coincidentally, assets are the most frequently targeted and directly affected by a cyber attack.
IPOR, building on other established industry frameworks, steps organizations through a process to uncover the voice of the organization (its goals, objective, assets, culture, etc.), voice of the environment (the company’s threat profile), and voice of the threat actor (who, what, how, why).
IPOR provides a different perspective on how organizations can systematically manage the risk of cyber attacks by better harnessing threat intelligence to achieve business goals, namely, operational resilience. In a world where security practitioners generally accept the inevitability of an attack or breach, it’s prudent to develop a plan that allows the organization to resume business as usual as quickly as possible. Naturally, operational resilience and the plan to get there will vary with each organization and its unique voice. The framework won’t accomplish your goals for you, but it will set you well on your way.
More detail about Gray’s operational resilience model can be found at the SEI CMU website.