Technological Dimensions of Cyber Defense

Deep understanding of these and other related disciplines are essential prerequisites for mounting defense in cyberspace (as well as for mastering cyber exploitation and attack).

Cyber operations integrate realities of how technology functions with the mission-focused needs of organizations. Organizational leaders have developed, after years of experience in the fight, accepted best practices for mounting defenses while supporting the mission. The many best practices that have matured over the years include bodies of knowledge around software development (like the Software Engineering Institute’s Capability Maturing Model Improving (CMMI), The Office of Government Commerce’s Information Technnology Infrastructure Library (ITIL), and the many best practices codified and continually enhanced by groups like ISC2 (maintaner of the CISSP certification body of knowledge) and SANS.

For federal government security operators these many best practices are periodically codified in NIST coordinated guidance. One of particular note is the NIST special publication for Information Security of August 2009 (Recommended Security Controls for Federal Information Systems and Organizations). This work represents the input and experience of network and computer defenders from the DoD and the IC and elsewhere in the federal space and provides guidance which would very likely be applicable to any enterprise anywhere who seeks to enhance their security posture.

Another particularly important representative example of the body of knowledge surrounding enterprise defense is the community coordinated “20 Critical Security Controls” maintained by SANS. The nature of items which must be controlled, measured, audited and continually enhanced are:

• Inventory of Authorized and Unauthorized Devices
• Inventory of Authorized and Unauthorized Software
• Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
• Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
• Boundary Defense
• Maintenance, Monitoring, and Analysis of Audit Logs
• Application Software Security
• Controlled Use of Administrative Privileges
• Controlled Access Based on Need to Know
• Continuous Vulnerability Assessment and Remediation
• Account Monitoring and Control
• Malware Defenses
• Limitation and Control of Network Ports, Protocols, and Services
• Wireless Device Control
• Data Loss Prevention
• Secure Network Engineering
• Penetration Tests and Red Team Exercises
• Incident Response Capability
• Data Recovery Capability
• Security Skills Assessment and Appropriate Training to Fill Gaps

These baseline operations are necessary, and the body of knowledge of experienced network and computer security operators is an important foundational reference. But the threat continues to enhance and threat actors have been historically proven to never stop. The threat will find a way in and defenses can not remain static.

Among the key gaps in defense today are requirements for solutions like:

• Predictive solutions providing early or advance warning includes tying strategic warning inputs (traditional intel) into what is happening over-the-wire
• Highly automated capabilities that augment traditional staffing making analysts more effective may include dashboards and other means of quickly reading and assessing key metrics as well as anomalies
• Systems which can provide attribution indicators an signal adversary intent This would really require deep-dive technical skills in near-real-time.
• Systems which leverage the deep packet inspection ability available in the market today
• Advanced comprehensive and easy to use collaborative capabilities
• Knowledge discovery vice knowledge search in IT datasets
• Cross domain multi-level intelligence and information sharing
• Rapid access to SMEs outside the traditional computer technology mission area; pre-established call lists and clearance sharing