Kindle Notes & Highlights
Read between
March 9 - March 24, 2018
Assume an Intelligent Attacker: Enterprises must consider that an intelligent attacker is not going to walk into defenses as they are designed. Rather, the intelligent attacker is going to seek to find the easiest, fastest, and potentially the cheapest way to defeat the enterprises’ defenses and achieve the attack objective. Enterprises must look at themselves from the attacker’s perspective and design their defenses accordingly. Design Defenses to Detect and Delay: While it is certainly nice to prevent attacks in the first place, prevention will inevitably fail or be defeated. When failure or
Layer Defenses to Contain Attacks: Design defenses so that initial incursions, particularly in Internet-facing systems such as web servers or user endpoints, can be detected when they first occur. Have additional layers of protection around the databases, file servers, and security infrastructures the attackers are really targeting. Use an Active Defense to Catch and Repel Attacks: The final critical component is the presence of an active defense. This component involves real people who monitor IT systems and respond to intrusions when they occur. This incident response team diagnoses the
You can be secure without being compliant and compliant without being secure.
This compliant/secure challenge is important. Enterprise management wants to believe a clean compliance report indicates success. The CISO can help management understand this challenge is not so straightforward. Compliance is a good thing, but it must not be treated as the only cyberdefense objective. In many ways, a CISO’s measure of success is related to how well the CISO can steer the cybersecurity program so it correlates compliance with actual real-world security. Compliance measures need to support the effectiveness of the security program, rather than simply being a check-the-box
SP 800-160
A key tenet of the enterprise cybersecurity architecture in this book is that the 11 functional areas of enterprise cybersecurity are of approximately equal importance. This means the functional areas that are weakest are the ones most likely to be attacked successfully in a targeted attack and should be prioritized first for strengthening. When risk mitigations and security operations are considered alongside the 11 functional areas, there are a total of 13 characteristics of enterprise cybersecurity that should all be considered and should all be of approximately equal levels of
...more
Measurement needs to be expressed in everyday terms that are familiar to the enterprise—otherwise, the measurements may, at best, be of little value.
Generation 1: Hardening the Host
Generation 2: Protecting the Network
Generation 3: Layered Defense and Active Response
Generation 4: Automated Response
Generation 5: Biological Defense