# Cybersecurity

Since adversaries are stakeholders that an organization does not want, adopting them as stakeholders can be quite problematic. Through our work and research, we have determined that [[Cybersecurity]] is an important top-level strategic business capability intended to increase the adversary resilience of digital business assets. For that reason, within our capability maps, it resides at the L0 level, which is the top level of an organization's capabilities.

Cybersecurity capabilities identified in this capability map are the capabilities that create cybersecurity value and that are not effectively represented by another capability map.

The Cyber City Map is organized around minimizing adversary opportunities that deplete an organization of its durable offerings and capabilities. The goal of this map is to help an organization meet its business needs by providing a framework for aligning and optimizing business and cybersecurity goals, reducing real-world risks by design. It is structured to support business investment in cybersecurity capabilities, with the sole purpose of exiting adversaries.
## Map

```mermaid
<!-- element style="width:90%; height:auto" -->
graph TD
    Top[[Cybersecurity]] --- A[[Adversary Research]]
    Top --- B[[Control Development]]
    Top --- C[[Threat Mitigation]]
    Top --- D[[Control Verification]]
    Top --- E[[Incident Containment]]

    subgraph top[Core]
        subgraph subPadding1[ ]
            direction TB
            A --- A.1[[Persona Management]]
            A.1 --- A.2[[Dwell Analytics]]
            A.2 --- A.3[[Exploit Management]]
            A.3 --- A.4[[Target Prediction]]
            A.4 --- A.5[[Adversary Intelligence]]

            B --- B.1[[Defense Modeling]]
            B.1 --- B.2[[Standards Management]]
            B.2 --- B.3[[Policy Management]]
            B.3 --- B.4[[Test Plan Management]]
            B.4 --- B.5[[Threshold Management]]

            C --- C.1[[Allow Listing]]
            C.1 --- C.2[[Challenge Management]]
            C.2 --- C.3[[Deny Listing]]
            C.3 --- C.4[[Deception Management]]

            D --- D.1[[Attack Surface Enumeration]]
            D.1 --- D.2[[Resilience Testing]]
            D.2 --- D.3[[Risk Prioritization]]
            D.3 --- D.4[[Remediation Management]]
            D.4 --- D.5[[Assurance Reporting]]

            E --- E.1[[Alert Correlation]]
            E.1 --- E.2[[Case Management]]
            E.2 --- E.3[[Incident Management]]
            E.3 --- E.4[[Forensic Analysis]]
            E.4 --- E.5[[Asset Restoration]]
            E.5 --- E.6[[Abuse Reporting]]
            E.6 --- E.7[[Failure Tracing]]
        end
    end

    %% Class Definitions
    %% =====================
    class top cssClassSub;
    classDef cssClassSub font-color:blue,font-size:20px,fill:none;
    class subPadding1 subgraph_padding;
    classDef subgraph_padding stroke:none,fill:none;
    class Top,A,A.1,A.2,A.3,A.4,A.5,A.6,B,B.1,B.2,B.3,B.4,B.5,C,C.1,C.2,C.3,C.4,D,D.1,D.2,D.3,D.4,D.5,E,E.1,E.2,E.3,E.4,E.5,E.6,E.7 internal-link,font-color:white;
    class Top cssClassL0;
    classDef cssClassL0 fill:black,stroke:black,stroke-width:4px,font-size:15px,font-color:white;
    class A,B,C,D,E cssClassL1;
    classDef cssClassL1 fill:darkblue,stroke:darkblue,stroke-width:4px,font-size:15px,font-color:white;
    class A.1,A.2,A.3,A.4,A.5,A.6,B.1,B.2,B.3,B.4,B.5,C.1,C.2,C.3,C.4,D.1,D.2,D.3,D.4,D.5,E.1,E.2,E.3,E.4,E.5,E.6,E.7 cssClassL2;
    classDef cssClassL2 fill:blue,stroke:blue,stroke-width:4px,font-size:15px,font-color:white;
    class Top cssClassCurrent;
    classDef cssClassCurrent fill:#2f9503,stroke:#2f9503,stroke-width:4px,font-size:15px,font-color:white;
```

```mermaid
<!-- element style="width:90%; height:auto" -->
graph TD
    subgraph two[Foundational]
        subgraph subPadding1[ ]
            direction LR
            F[Asset Management] ~~~~ G[Policy Automation]
            G ~~~~ H[Code Testing]
            H ~~~~ I[Data Management]
            I ~~~~ J[Log Management]
            J ~~~~ K[Stream Processing]
        end
    end

    %% Class Definitions
    %% =====================
    class two subPadding;
    classDef subPadding fill:none,font-size:20px;
    class subPadding1 subgraph_padding;
    classDef subgraph_padding stroke:none,fill:none;
    class Top,A,A.1,A.2,A.3,A.4,A.5,A.6,B,B.1,B.2,B.3,B.4,B.5,C,C.1,C.2,C.3,C.4,D,D.1,D.2,D.3,D.4,D.5,E,E.1,E.2,E.3,E.4,E.5,E.6,F,G,H,I,J,K internal-link,font-color:white;
    class Top cssClassL0;
    classDef cssClassL0 fill:black,stroke:#333,stroke-width:4px,font-size:15px,font-color:white;
    class A,B,C,D,E,F,G,H,I,J,K cssClassL1;
    classDef cssClassL1 fill:gray,stroke:#333,stroke-width:0px,font-size:15px,font-color:white;
    class A.1,A.2,A.3,A.4,A.5,A.6,B.1,B.2,B.3,B.4,B.5,C.1,C.2,C.3,C.4,D.1,D.2,D.3,D.4,D.5,E.1,E.2,E.3,E.4,E.5,E.6 cssClassL2;
    classDef cssClassL2 fill:blue,stroke:#333,stroke-width:4px,font-size:15px,font-color:white;
```

## Definition

> [!cm-definition] Definition
> Cybersecurity capabilities ensure that an organization's processes, business capabilities, and products are adversary resilient by design.

## Goals

Cybersecurity capabilities are best optimized by balancing an organization's strategy of maximizing stakeholder benefits against the adversary opportunities it may generate.

> [!cm-goal] Goal 1
> **Secure Asset Lifecycle** - Business assets are designed for adversary resilience from inception through retirement to increase long-term durability and asset value to the organization and its stakeholders.
> [!cm-goal] Goal 2
> **Strategically-Aligned Adversary Resilience** - The cybersecurity investments for all business capabilities are transparent, business-optimized, measurable, documented, and tied into an organization's strategy, achieving maximum adversary resilience.

> [!cm-goal] Goal 3
> **Transparent Trade-Offs** - The organization has the ability to harmonize the securability of all business assets with its other strategic initiatives through its decisions and trade-offs.

> [!cm-goal] Goal 4
> **Top-Level Accountability** - Executive Management and the Board of Directors are responsible for ensuring that security weaknesses are evaluated, prioritized, and remediated to achieve durable business value.

> [!cm-goal] Goal 5
> **Optimal Governance and Roles** - An organization's Cyber City Map is governed by the Chief Cybersecurity Officer, who operates as a strategic advisor for Executive Management and the Board of Directors.

## Scope

The scope of this map establishes a baseline minimum for organizations to assess cybersecurity capabilities in pursuit of greater adversary resilience. It does not include elements of security capabilities meant to reside in other parts of an organization's capability map.

> [!cm-notscope] Example of what's not included
> For example, this map does not include "Identity and Access Management", which is a core capability for most organizations and requires a significant number of security features to deliver properly. Instead, Identity and Access Management resides alongside Cybersecurity as an L0. The security features found in Identity and Access Management are enumerated within its capability definition, such as Password Encryption or Passkey Management.

## Process

At the top level, Cybersecurity is a closed-loop process that spans from Adversary Research to Incident Containment. Its strategic value is determined by the long-term durability of technology-assisted business assets and capabilities when confronted by an adversary.
The following process flow depicts how Cybersecurity capabilities achieve reduced adversary opportunities and fewer incidents, creating durable value for an organization over time:

```mermaid
flowchart LR
    A[1. Research <br /> Adversaries] --> B[2. Develop <br /> Controls]
    B --> C[3. Mitigate <br /> Threats]
    C --> D[4. Verify <br /> Controls]
    D --> E[5. Contain <br /> Incidents]
    E ----> A
```

1. **Research Adversaries** - Taking in data from public intelligence, organizational alerts, and incident data, researching adversaries provides a lens into the types of adversary attacks that may be possible.
2. **Develop Controls** - With adversary intelligence and compliance requirements as input, defenses are modeled, policies and standards are documented, controls and thresholds are enumerated, and test plans are developed.
3. **Mitigate Threats** - If control owners are unable to fulfill a defense, they may choose to fund or leverage broad organization-wide threat mitigation options. These threat mitigation options are determined from adversary intelligence and defensive models to provide allow listing, deny listing, deception, or challenges that increase friction for adversaries.
4. **Verify Controls** - Controls are tested continuously to identify any weaknesses, establishing a common understanding of where controls present exploitable opportunities for adversaries.
5. **Contain Incidents** - Alerts and weakness data are received and correlated, incidents are determined through triage, forensics are performed when necessary, remediation and containment are managed, and abuse is reported to ensure that any unauthorized access is prevented and the asset is restored to a defensible position.

## Metrics

From the top-level process outlined above, Cybersecurity can be measured by assessing the coverage and effectiveness of defensive controls identified in the organization's adversary model.
Through experience, we know that unmitigated and known exploitability will eventually become a predictable incident where adversary interest exists and dwell continues.

> [!cm-metric] KPI 1: [[Coverage]]
> Coverage is a key performance indicator that measures the inclusion of assets, threats, and verification of controls within a cybersecurity program.

> [!cm-metric] KPI 2: [[Securability]]
> Securability is a key performance indicator that measures the security posture of an asset based on known threats and the possibility for escape over time.

> [!cm-metric] KPI 3: [[Predictable Incidents]]
> Predictable Incidents is a key performance indicator that measures risk based on not remediating known risks ahead of an adversary attack that results in an incident.

> [!cm-metric] KPI 4: [[Security Culture]]
> Security Culture is a key performance indicator that measures the strength of security decisions based on decision-maker confidence after interacting with a member of the cybersecurity department.

> [!cm-metric] KPI 5: [[Policy Adherence]]
> Policy Adherence is a key performance indicator that measures the growth of resilience within a business ecosystem by assessing policy exceptions, either taken explicitly by registering a deviation or implicitly by inaction when confronted with a policy defect.

> [!cm-metric] KPI 6: [[Resilient Third Parties]]
> Resilient Third Parties is a key performance indicator that measures the growth of resilience within a business ecosystem to the adversaries which surround it and that compound during partnerships.
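The following is an added illustration, not part of the Cyber City Map itself, of how KPI 1 (Coverage) can be turned into something measurable from the adversary model the Metrics section refers to. The data model (assets, the threats mapped to each, and the controls mitigating each threat with a verification flag) and the three-ratio scoring rule are assumptions made for this example.

```python
"""Coverage KPI worked example (added illustration; the scoring rule is assumed).

Assumed adversary model: each asset lists the threats that apply to it, and each
threat lists the controls that mitigate it together with whether Control
Verification has tested that control. Following the KPI 1 wording, coverage is
scored across three dimensions: assets in scope, threats mapped to at least one
control, and threats whose controls have been verified."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    verified: bool  # True once Control Verification has tested it


@dataclass
class Asset:
    name: str
    in_scope: bool  # included in the cybersecurity program
    threats: dict[str, list[Control]] = field(default_factory=dict)


def _ratio(num: int, den: int) -> float:
    return round(num / den, 3) if den else 0.0


def coverage(assets: list[Asset]) -> dict[str, float]:
    """Return asset, threat and verification coverage as ratios in [0, 1]."""
    scoped = [a for a in assets if a.in_scope]
    # One (asset, threat, controls) triple per known threat on an in-scope asset
    pairs = [(a, t, ctls) for a in scoped for t, ctls in a.threats.items()]
    mitigated = [p for p in pairs if p[2]]                       # has any control
    verified = [p for p in mitigated if any(c.verified for c in p[2])]
    return {
        "asset": _ratio(len(scoped), len(assets)),
        "threat": _ratio(len(mitigated), len(pairs)),
        "verification": _ratio(len(verified), len(pairs)),
    }


# Constructed sample adversary model (names are placeholders)
SAMPLE = [
    Asset("customer-portal", True, {
        "credential stuffing": [Control("rate limiting", True)],
        "SQL injection": [Control("parameterized queries", False)],
        "session hijacking": [],                                 # unmitigated gap
    }),
    Asset("payments-api", True, {
        "token replay": [Control("nonce check", True), Control("short TTL", False)],
    }),
    Asset("legacy-reporting", False, {"unpatched dependency": []}),  # out of scope
]

if __name__ == "__main__":
    print(coverage(SAMPLE))  # {'asset': 0.667, 'threat': 0.75, 'verification': 0.5}
```

The unmitigated "session hijacking" entry and the out-of-scope legacy asset are what pull the ratios down, which is the gap-finding behaviour a coverage KPI is meant to surface.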
## Inspiration & Resources

+ [Securability is the missing -ility metric for DevSecOps](https://medium.com/ravemetrics/securability-is-the-primary-ility-metric-for-devsecops-ab7ef26e65f0)
+ https://cybercapacity.org/map_network/
+ https://www.fsisac.com/insights/adversarial-risk-management
+ https://www.fsisac.com/insights/tag/intelligence-sharing
+ https://www.energy.gov/ceser/cybersecurity-capability-maturity-model-c2m2
+ https://c2m2.doe.gov/
+ https://www.osti.gov/servlets/purl/1431955
+ https://scaledagileframework.com/
+ https://rave.community
+ https://gcscc.ox.ac.uk/the-cmm
+ [CMMI Institute - CMMI](https://cmmiinstitute.com/capability-maturity-model-integration)
+ [Pragmatic Enterprise Architecture Framework | The Transformation of Transformation (pragmatic365.org)](https://pragmatic365.org/)
+ [Speed Up AppSec Improvement With an Adversary-Driven Approach (darkreading.com)](https://www.darkreading.com/application-security/speed-up-appsec-improvement-with-an-adversary-driven-approach)

## [Cyber City Map](https://cybercitymap.com/) © 2023-2024 by [ThirdScore, Inc.](https://thirdscore.com/) All Rights Reserved.