As the cyber landscape changes, new threats emerge, old threats evolve, and vulnerabilities constantly put businesses and agencies at risk. The concept of “cybersecurity” has evolved from total defense, to layered defense, to cyber resilience based on risk analysis and a cold calculation of our own risk profiles. One way to address this is through outcomes-based cyber, an emerging practice that I have helped shape.
Outcomes-based cyber is a more holistic approach to cybersecurity than compliance-based cyber. Compliance-based cyber is a comforting checklist for determining a risk profile, establishing controls, and measuring compliance with those controls. That has become critical to cybersecurity programs, but it’s obviously not enough. Outcomes-based cyber occurs when an organization actively and continuously assesses its network and systems and reacts proactively and responsively to what it discovers. The US government now recognizes this in the Department of Defense’s mandate that vendors transition to the new Cybersecurity Maturity Model Certification (CMMC).
This evolution does not eliminate the need for classic cybersecurity controls. If an organization is not following the NIST SP 800-53 compliance standards, including configuration and privilege management, then that organization will not be secure and will not comply with the CMMC guidance.
Outcomes-based cyber measures the value and validity of an organization’s and enterprise’s cyber defenses through active analysis against the organization’s total risk profile. Because every organization is different, outcomes-based cyber is a strategic and independent decision for each organization to implement. Most organizations with security operations centers already determine what they need to measure and react to, but those measures must continually evolve.
Risks are discovered through analytics and red teams: groups from outside the network that come in as “friendly” adversary insiders. They use hacking tools, social engineering, and physical access assessments to assess the security profiles of their targets. Red teams run cyber scenarios and, ideally, find vulnerabilities before they become problems.
True outcomes-based cybersecurity requires organizations to remain dynamic and reactive. Controls implemented on Day X may no longer apply on Day X+180 and should be re-examined to ensure they address significant new threat vectors. For example, when data centers began to implement virtualization, threats began to target hypervisors, and new policies and technologies appeared to defend against these attacks. The same goes for the latest vulnerabilities in Intel and AMD processors, which sit in the very hardware of our systems’ CPUs.
As researchers discover new vulnerabilities, leadership must determine the risk they pose to the organization. If a CPU vulnerability can be reached by an unauthorized attacker through a web page, it is a high priority and should be fixed; if a hypervisor vulnerability can only be exploited by people with access to certain company resources, adding monitoring to those resources may be the right answer.
The key to outcome-based cyber is the risk analysis process. For example, what are the chances that a malicious actor could access a server that hosts critical business information? It may be low. Add 500 people with electronic access to that same server and the risk increases significantly. Organizations must weigh the cost of mitigating risk against the cost and impact of the outcome of failing to respond to a vulnerability.
Outcomes-based cyber is about continuously assessing the state of an organization and its risk environment. Last January, the US Cybersecurity and Infrastructure Security Agency sent a notification about a Mozilla zero-day vulnerability in Firefox that covered its severity, how widespread the affected software was, and the fact that it was already being exploited in the wild by malicious actors. Through threat intelligence and information sharing, companies were able to identify the flaw, understand it while assessing the risk, and install the patch.
Vulnerabilities, like that Firefox bug, need to be fixed, while other issues can be accepted, temporarily, as part of a risk analysis, and still others are addressed by installing compensating controls around them.
Security operations centers are responsible for analyzing new and emerging threats and creating stronger detection rules. Companies should take that information and share it for use by both internal and external partner organizations, including the Department of Defense’s Cyber Crime Center (DC3) and IT-ISAC. This will lead to greater global cyber resilience, a topic that the Cyberspace Solarium Commission report addresses.
The Department of Defense’s CMMC will be the new standard for working with the Pentagon and calls for an outcomes-based approach to cyber. Beyond the basic levels, an entity must be able to identify and intercept advanced threat-level cyberattacks on each system and assess the risks of anticipated and emerging threats. This is one of the purposes of outcomes-based cyber. It is a philosophy, not a set of tools: a philosophy that balances risk to the company and to the community.
John Cosby is Director of Solutions Architects in the Intelligence and Security Sector at BAE Systems.