The Vigilant Enterprise
An Integrated Approach to Managing Cyber Risk

Booz Allen Hamilton. Ready for what's next.
Table of Contents

The Multifaceted Cyber Threat .... 1
The Rising Cybersecurity Threat .... 2
Managing Cyber Risk .... 3
  Enterprise Risk Management .... 3
  Cyber Asset Management .... 5
  Cyber Human Capital Planning .... 5
  Resiliency and Recovery Planning .... 6
  Cyber Program Oversight and Compliance .... 7
  Cyber Program Planning and Performance Management .... 9
Building a Dynamic Cyber Defense .... 10
Conclusion .... 10
About the Authors .... 12
About Booz Allen .... 13
Principal Offices .... Back Cover
The Multifaceted Cyber Threat

Many organizations approach cybersecurity as primarily a technology challenge—calling on complex solutions to counter increasingly sophisticated threats. While technology is important, robust cybersecurity cannot be implemented without effective management of the totality of the cyber milieu—coordinating a broad spectrum of activities involving cyber policies, people, and operations, in addition to technology. Consider these scenarios:

• One of your top executives downloaded an attachment containing malware, inadvertently enabling a criminal to steal enormous amounts of sensitive data. Your security staff contends that the executive should have recognized the potentially malicious e-mail; however, your executive responds, "When did I become responsible for e-mail security?"

• Sophisticated malware designed to spy on and disrupt a software application is detected running on many of your desktops, laptops, servers, and mobile devices. How quickly can you identify all the devices infected with this malware, mitigate damage, and trace the malware's source to prevent a recurrence?

• A counterfeit microcircuit containing vulnerabilities is discovered on hardware deployed throughout your organization. Can you identify the source of counterfeit electronics in your supply chain to prevent the acceptance of more compromised products?

• When using new application scanning tools, you discover common vulnerabilities in legacy and modernized applications deployed throughout the enterprise. Do you have the resources—and the capability—to address these application vulnerabilities?

• A computer virus at your corporate office forces you to shut down systems for an indefinite period. Is your resiliency plan tested and well-rehearsed, or will this be your first real attempt to implement it?

• A disgruntled employee with routine access to your company's data releases highly proprietary information on the Internet. How will you anticipate and mitigate insider threats in the future?

As these scenarios illustrate, cybersecurity encompasses a host of interdependent activities—such as monitoring cyber assets and supply chains, developing processes for threat assessments (including monitoring for network intrusions), identifying anomalous events that might indicate malicious insider activity, responding quickly to attacks and minimizing impacts, establishing remediation activities, and exercising resiliency plans—all of which require proactive enterprise-level strategy and capabilities that greatly exceed the deployment of cyber technologies. Cyber management is the set of tasks or functions for overseeing and coordinating these interdependent requirements. The vigilant enterprise manages wide-ranging cyber capabilities in an integrated, holistic fashion to ensure they work together in the most efficient and effective manner to create a defense that is as dynamic and adaptive as the environment in which it operates.
The Rising Cybersecurity Threat

The growing destructiveness of cyber threats is matched by their increasing sophistication. In 2011, the security firm McAfee reported that computers within more than 70 global corporations and government organizations in 14 countries were hacked as part of a five-year effort dubbed Operation Shady RAT (Remote Access Tool).[1] The criminal enterprise that launched Operation Shady RAT—believed to be a state actor—gained access to government secrets, valuable intellectual property, and competitive business information as part of a cyber espionage attack that went undetected by the majority of its victims. Operation Shady RAT is just one of many recently discovered attacks, which also include the theft of RSA SecurID security token data and the much-publicized cyber attack on Google, a multi-year effort that targeted Chinese human rights activists and more than 30 companies. Increasingly, many such attacks are sponsored by well-funded organizations motivated by political, religious, or financial goals. Attacks often employ multifaceted technical and social engineering techniques and are nearly impossible to detect with traditional security tools. Major banks, energy companies, defense contractors, and government agencies have been victims of Advanced Persistent Threats (APTs) and opportunists who steal identities, financial data, intellectual capital, government secrets, and other valuable information over a period of months and even years before discovery.

The rising APT is not the only cause for alarm. The increasing interdependence among organizations and individuals using cyber networks creates new vulnerabilities and opportunities for attack, as does the expanding use of social media, mobile computing, and other emerging technologies. At the same time, dependence on interconnected networks and communications significantly increases the risk of harm that could result from insider activities. The actions of a single malicious insider can cause extensive financial damage and irreparable harm to the organization's business operations and financial bottom line. For example, Verizon's "2011 Data Breach Investigations Report" found that regular employees and end-users—not the highly trusted ones—are responsible for the majority of data compromises.[2] As the WikiLeaks disclosures revealed, a disgruntled employee with routine access to networks or systems can cause enormous harm. The cost—from downtime and loss of sensitive data to reputational and brand damage—can be enormous. The importance of cybersecurity as an enabler of success has never been higher and the challenge has never been more difficult.

[1] "Revealed: Operation Shady RAT," Dmitri Alperovitch, Vice President, Threat Research, McAfee.
[2] "2011 Data Breach Investigations Report," p. 22.

Exhibit 1: Cyber Mission Integration. Cybersecurity is a complex, multidisciplinary challenge that integrates and unites five major pillars of robust security: Management, Policy, Operations, People, and Technology. Cyber Management supports each of the other functions as it anticipates threats and reduces risk. [Diagram: the Cyber Mission Integration Framework at the center, surrounded by Policy, People, Operations, Technology, and Management.] Source: Booz Allen Hamilton

Managing Cyber Risk

Simply building stronger firewalls and other perimeter defenses is insufficient. Cybersecurity's multi-dimensional challenge requires a comprehensive management approach to enable an enterprise to oversee and coordinate all elements of cybersecurity, including policy, operations, technology, and people (see Exhibit 1). Cyber management encompasses a broad range of interlinked organizational activities to ensure that the cybersecurity program addresses the common forms of cyber attacks and the growing threat of sophisticated APTs, as well as mitigates the risk of harm that could result from insider activity. For example, Verizon reported that 96 percent of security breaches could have been avoided through simple or intermediate controls.[3] Responsible cyber management protects against both external and internal attacks by employing dynamic defenses that prevent, deter, detect, assess, and mitigate these threats. Comprehensive management of cybersecurity entails the integrated management of six primary functions as shown in Exhibit 2:

[3] Ibid., p. 3.

Exhibit 2: The Six Functions of Cyber Management. Cyber Management consists of six mutually reinforcing functions to ensure that cybersecurity resources, policies, and processes are deployed in the most cost-effective manner to reduce risk and support business-critical operations and mission goals. [Diagram: Cyber Management at the center, surrounded by Enterprise Risk Management, Cyber Program Planning & Performance Management, Cyber Human Capital Planning, Cyber Asset Management, Resiliency & Recovery Planning, and Cyber Program Oversight and Compliance.] Source: Booz Allen Hamilton

1. Enterprise Risk Management provides an organizational framework for decision making that considers risk in every decision based on the mission, risk tolerance, and sound policy. Cyber-related risks cut across multiple functions, including acquisition, Information Technology (IT) operations, IT development, and compliance. The vigilant enterprise addresses risk within these different functions from a unified perspective of supporting enterprise goals and objectives, so the functions work together rather than as independent stovepipes. Strong enterprise risk management provides an overarching enterprise perspective that coordinates interdependent cyber activities and ensures that they align with business and mission goals. Within the private sector, a chief risk officer often oversees these related activities to measure and manage the cyber risks to business-critical operations. Additionally, NIST Special Publication 800-39 recently identified a "Risk Executive" function that fulfills a similar objective: measure and manage the information security risks to mission-critical operations.[4] Recent Securities and Exchange Commission (SEC) Disclosure Guidance for publicly held companies requires disclosure of cyber incidents and cybersecurity risks that present a material risk to the enterprise, similar to the disclosure of operational and financial risks.

Within Enterprise Risk Management, Information Risk Management is an established practice to identify, assess, and prioritize the risks to information and the systems where the information resides. Similarly, Cyber Supply Chain Risk Management is an emerging practice that manages the risk to information and communication technology (ICT) products and services caused by the global and distributed nature of how these products and services are assembled and delivered. ICT products and services are vulnerable to intentional and unintentional insertion of vulnerabilities throughout the supply chain; they are also potentially vulnerable to compromise by foreign adversaries or competitors who have failed at traditional data mining techniques or cyber attacks, as well as to the insertion of counterfeit microelectronics. Effective supply chain risk management combines multiple disciplines and functions for monitoring supply chains and managing the risk that ICT components with malware or vulnerabilities of any type, including counterfeits, will enter the enterprise.

[4] NIST SP 800-39, "Managing Information Security Risk: Organization, Mission, and Information System View," March 2011, Section 2.3.2. The Risk Executive function is not assigned a specific organizational role by NIST.
2. Cyber Asset Management inventories, monitors, and maintains the organization's cyber assets over their lifecycles, including hardware, software, data, and facilities. For example, hardware and software are tracked to ensure that their security is current and complies with relevant standards. Organizations monitor information to ensure it remains valid and uncorrupted. Strong security of physical facilities is essential. Strong cyber supply chain risk management bolsters cyber asset management, because the enterprise can continue to monitor cyber components as they move through the supply chain and into the cyber infrastructure. Mature organizations know what their assets are at any given point in time and understand which cyber assets are most critical to operations, to ensure their security protections are commensurate with their value. Cyber asset management reduces the risk of compromised networks and systems from internal and external threats. It continuously validates that assets are legitimate, while quickly removing unapproved assets. Equally important, it enables effective response to attacks because the enterprise can quickly identify, isolate, and deactivate compromised assets. Cyber asset management also provides the basis for any performance measures related to asset protection, such as measures showing the physical and logical location of all assets, the number of unapproved assets, the level of compliance with configuration management guidelines, and vulnerability and patch statistics.

3. Cyber Human Capital Planning supports the "People" component within the Cyber Mission Integration Framework (in Exhibit 1) by ensuring a comprehensive approach to hire, train, and retain a high-performing cyber workforce. That strategy needs to be reinforced through a consistent, effective method to regularly assess talent and skill levels against current and future needs, to ensure that professional cybersecurity staff has the right training and competencies to counter the threat as it evolves over time. A vigilant enterprise creates a pipeline to recruit new hires and provides continuing education and training to existing staff. These efforts to hire, train, and retain top cyber talent require inclusion in budget and planning activities.

Cyber human capital planning has a different dimension with regard to the insider threat. Training cyber staff on insider threat awareness and on key events that can signal malicious insider activity is essential to the defense of any organization. Human capital policies and procedures that address everything from access permissions for staff to how Human Resources handles a negative work-related event contribute to a higher level of proprietary data protection. For example, the Secret Service's 2005 "Insider Threat Study" found that a negative work-related event triggered most insiders' actions in infrastructure sectors; most insiders had acted out in a concerning manner in the workplace; the majority of insiders planned their activities in advance; and remote access was used to carry out the majority of the attacks. To minimize the risk of accidental breaches and internal threats, all employees should be educated about the nature of the cyber threat, how individuals may be targeted as a penetration path, the motives and behaviors of insiders, their methods and techniques, and how they, as users, can effectively fight against that threat through disciplined behavior and reporting processes. Many organizations have a formalized approach to ensure that employees receive cyber education and training to understand basic cyber hygiene for desktops and devices, and adhere to policies for downloading attachments, using thumb drives, reporting suspicious e-mails, and other routine activities. At the same time, insider threats such as a rogue employee with access to corporate networks and databases can circumvent the most sophisticated cyber defenses to deliberately steal information, plant malware, or commit some other crime. Cyber management also should include auditing capabilities with triggers that identify anomalies in behavior, abuse of privileges, or other indications of potential insider activities.

Path to Stronger Cyber Management

Booz Allen is engaged with government and commercial clients across the globe, helping them improve cybersecurity by implementing stronger cyber management. For example, with Booz Allen's support:

• A federal agency developed and implemented an enterprise-wide strategy for managing cyber risk based on the NIST Risk Management Framework and the Consensus Audit Guidelines. The effort automated traditional Security Accreditation and Authorization processes to provide continuous monitoring of assets in operations. As a result, the agency is meeting both its business and compliance objectives with a continuous process that monitors assets in near real-time. This initiative improved compliance and the organization's understanding of cyber assets. The initiative also leveraged performance measures to provide actionable data to improve decision making and, ultimately, reduce overall enterprise risks.

• A well-known enterprise developed a multi-pronged solution to manage the risk posed by externally facing Web sites with vulnerabilities in the code. The enterprise used automated tools to review the code, deployed trained experts to verify and resolve identified vulnerabilities, tracked the progress in resolving the vulnerabilities, and updated software security policies and processes. This initiative enhanced the organization's risk posture through the strengthened use of performance measures and cyber human capital management techniques, and by identifying and implementing improvement actions.

• A large enterprise implemented a management system to increase efficiencies in analyzing and communicating incident data across a large stakeholder community. The new management system helped improve enterprise resiliency by eliminating leadership bottlenecks in the daily decision process and accelerating the maturation of standardized analytic and management processes across the enterprise.

4. Resiliency and Recovery Planning complements Enterprise Risk Management by implementing the cyber infrastructure and resources necessary to continue operations following an undesirable man-made or natural event. This takes a proactive approach to identifying and remediating potential cyber challenges and addressing baseline vulnerabilities. Cyber resiliency ensures business continuity for private-sector companies and mission assurance for government agencies.
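The asset-protection measures listed under function 2 above (the number of unapproved assets, compliance with configuration baselines, vulnerability and patch statistics) are in practice produced by reconciling the approved inventory against what a discovery scan actually observes. The following Python is an added example of that reconciliation; it is not code from the white paper or from Booz Allen. The inventory, the scan records, the host names, the 30-day patch threshold and the "high/medium" criticality labels are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanRecord:
    """One host as seen by a discovery/vulnerability scan (constructed format)."""
    host: str
    baseline: str        # configuration baseline the host reports
    patch_age_days: int  # days since its last successful patch run
    open_critical: int   # open critical vulnerability findings


# Constructed approved inventory: the CMDB view of what should exist.
APPROVED = {
    "srv-web-01": {"criticality": "high", "baseline": "web-v3"},
    "srv-db-01": {"criticality": "high", "baseline": "db-v2"},
    "nas-01": {"criticality": "high", "baseline": "nas-v1"},
    "wks-0142": {"criticality": "medium", "baseline": "wks-v7"},
    "wks-0143": {"criticality": "medium", "baseline": "wks-v7"},
}

# Constructed scan output: what was actually observed on the network.
SCANNED = [
    ScanRecord("srv-web-01", "web-v3", 12, 0),
    ScanRecord("srv-db-01", "db-v1", 95, 2),        # drifted baseline, patching overdue
    ScanRecord("wks-0142", "wks-v7", 8, 0),
    ScanRecord("wks-0143", "wks-v6", 40, 1),        # drifted baseline, patching overdue
    ScanRecord("wks-0999", "wks-v7", 3, 0),         # not in the inventory
    ScanRecord("dev-laptop-x", "unknown", 200, 4),  # not in the inventory
]


def reconcile(approved, scanned, max_patch_age_days=30):
    """Compare the inventory against the scan and return the measures the
    asset-management function reports on. Drift, patch and vulnerability
    figures are computed over approved hosts only, so a rogue machine
    cannot distort the compliance ratio."""
    approved_hosts = set(approved)
    seen = {r.host for r in scanned}
    approved_seen = [r for r in scanned if r.host in approved_hosts]

    unapproved = sorted(seen - approved_hosts)   # present, but never authorized
    missing = sorted(approved_hosts - seen)      # authorized, but not observed
    drifted = sorted(r.host for r in approved_seen
                     if r.baseline != approved[r.host]["baseline"])
    overdue = sorted(r.host for r in approved_seen
                     if r.patch_age_days > max_patch_age_days)
    at_risk_high = sorted(r.host for r in approved_seen
                          if approved[r.host]["criticality"] == "high"
                          and (r.open_critical > 0 or r.host in overdue))
    compliant = len(approved_seen) - len(drifted)
    return {
        "unapproved": unapproved,
        "missing": missing,
        "baseline_drift": drifted,
        "patch_overdue": overdue,
        "baseline_compliance": compliant / len(approved_seen) if approved_seen else 0.0,
        "open_critical_on_approved": sum(r.open_critical for r in approved_seen),
        "high_criticality_at_risk": at_risk_high,
    }


def actions(report):
    """Turn the measures into an ordered work list: protect critical assets
    first, then remove what should not be there, then find what should be."""
    out = [("remediate", h) for h in report["high_criticality_at_risk"]]
    out += [("quarantine", h) for h in report["unapproved"]]
    out += [("locate", h) for h in report["missing"]]
    return out


if __name__ == "__main__":
    rep = reconcile(APPROVED, SCANNED)
    for key, value in rep.items():
        print(f"{key}: {value}")
    for act, host in actions(rep):
        print(f"{act:10s} {host}")
```

The split between "unapproved" and "missing" matters operationally: the first is what the text calls quickly removing unapproved assets; the second is a host the inventory claims but the scan cannot see, which may be decommissioned, offline, or deliberately hidden, and should be located rather than silently dropped from the count.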
This requires that organizations understand how their business and mission requirements are connected to the cyber domain. For example, which cyber assets are essential for operations? And what critical business functions or mission capabilities are supported by the cyber assets? This information enables the enterprise to identify the assets and processes it depends on for business continuity, after which it can determine what is required for their continued functioning. In this way, resiliency and recovery planning aligns the business continuity plans with the disaster recovery plans, identifying the impact of loss due to a cyber attack. Resiliency and recovery planning helps test the performance and capabilities of cyber assets, including people, uncovering weaknesses in cyber operations and identifying areas for improvement. Resiliency and recovery planning should be coordinated with cyber program planning and performance management, which also identifies critical systems and prioritizes cybersecurity spending to protect those systems. Plans should be tested and exercised, which will help uncover unforeseen problems and ensure that the plans work as anticipated during an undesirable event.

5. Cyber Program Oversight and Compliance serves two main functions: ensuring that the enterprise can demonstrate compliance with the applicable cybersecurity laws, regulations, standards, and guidelines; and helping reduce risks through strengthening cybersecurity. A compliance program should go beyond "checking boxes" to implementing risk-based security controls. Pursuing the business and compliance objectives in unison significantly increases the cost-effectiveness of oversight and compliance. Compliance mandates and guidelines usually require a minimum set of practices protecting an organization's assets, data, and critical infrastructure. Among those originating from external bodies are the Sarbanes-Oxley (SOX) Act, SEC Disclosure Guidance for cybersecurity incidents and risks, the Health Insurance Portability and Accountability Act (HIPAA), the Federal Information Security Management Act (FISMA), NIST standards and guidelines, the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27000 family of standards, and the Organization for Economic Co-operation and Development (OECD) Guidelines for the Security of Information Systems and Networks.
Organizations may also create their own cybersecurity policies and standards, derived from those listed above but tailored to the needs of their enterprise. Consequently, they should develop processes to assess and report compliance of their cyber programs. Compliance drivers usually require organizations to demonstrate that they have a comprehensive program for identifying and managing cyber risks using a comprehensive risk-based approach, proactive planning, cyber asset management, resiliency and recovery capability, and performance measures.

Effective program oversight and compliance will identify and align all internal and external compliance drivers with applicable internal cybersecurity program activities. Aligning compliance drivers and cyber activities minimizes the impact of compliance activities; for example, the enterprise can streamline the collection of information for compliance reporting by using information already collected by the cyber security program through existing dashboards and performance measures, asset inventories, training statistics, and lessons learned from resiliency and recovery exercises. Ultimately, compliance should help organizations strengthen cybersecurity—which, after all, is the purpose of compliance mandates—and it will enable the most efficient processes for measuring and demonstrating compliance across the entire spectrum of legal, regulatory, and contractual requirements.

Managing Cyber Resources and Risk: What Keeps You Up at Night?

• Do you know what all of your information assets are? Are they protected according to your business and mission needs?
• Are your business and agency partners protecting your critical information?
• Do your suppliers deliver trustworthy products?
• How confident are you that your organization can continue to operate while under cyber attack?
• What processes are in place to ensure that terminated employees don't retaliate by exfiltrating data or planting malware?
• Do your employees know how to identify and handle suspicious e-mails?
• Upon discovering vulnerabilities in a legacy application, can your enterprise mitigate similar vulnerabilities across your enterprise?
• Do your leaders have actionable information to make security resource decisions?
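Function 3 above calls for auditing capabilities with triggers that identify anomalies in behavior and abuse of privileges, and the sidebar asks what processes stop a terminated employee from exfiltrating data; the Secret Service study cited there found that most insider attacks followed a negative work-related event and were carried out over remote access. The following Python is an added example of such triggers run over file-access logs; it is not code from the white paper or from Booz Allen. The log format, the role and data-ownership tables, the HR-event record, the per-user volume baselines, the 30-day window and the 10x volume factor are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed reference data: who holds which role, which role owns which
# data path, recent negative HR events, and each user's typical daily volume.
ROLES = {"jdoe": "finance", "asmith": "eng", "mlee": "finance"}
RESOURCE_OWNER = {"/finance/": "finance", "/eng/": "eng", "/hr/": "hr"}
HR_EVENTS = {"jdoe": ("termination_notice", datetime(2012, 3, 12, tzinfo=timezone.utc))}
BASELINE_BYTES = {"jdoe": 20_000_000, "asmith": 100_000_000, "mlee": 20_000_000}

# Constructed file-access log lines (not from any real system).
LOGS = """\
2012-03-14T02:10:33Z user=jdoe src=vpn action=download resource=/finance/ledger.xlsx bytes=524288000
2012-03-14T02:12:05Z user=jdoe src=vpn action=download resource=/eng/source.tar bytes=734003200
2012-03-14T09:30:00Z user=asmith src=lan action=download resource=/eng/source.tar bytes=734003200
2012-03-14T11:00:00Z user=mlee src=lan action=read resource=/finance/ledger.xlsx bytes=2048000
2012-03-14T23:45:10Z user=mlee src=vpn action=read resource=/hr/salaries.csv bytes=1048576
"""

LOG_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+) "
    r"resource=(?P<res>\S+) bytes=(?P<bytes>\d+)"
)


def parse(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        d["bytes"] = int(d["bytes"])
        events.append(d)
    return events


def evaluate(events, roles=ROLES, owners=RESOURCE_OWNER, hr_events=HR_EVENTS,
             baseline=BASELINE_BYTES, window_days=30, volume_factor=10):
    """Apply three triggers to each event:
    1. remote access by a user with a recent negative HR event,
    2. access to data owned by a role the user does not hold,
    3. cumulative daily volume far above the user's baseline.
    Off-hours timing is attached as context, never as a trigger on its own."""
    alerts = []
    daily = defaultdict(int)
    for e in events:
        user, ts = e["user"], e["ts"]
        daily[(user, ts.date())] += e["bytes"]
        reasons = []

        hr = hr_events.get(user)
        if hr and e["src"] == "vpn" and 0 <= (ts - hr[1]).days <= window_days:
            reasons.append(f"remote access after {hr[0]}")

        owner = next((o for prefix, o in owners.items() if e["res"].startswith(prefix)), None)
        if owner and owner != roles.get(user):
            reasons.append(f"outside-role access to {owner} data")

        base = baseline.get(user)
        if base and daily[(user, ts.date())] > volume_factor * base:
            reasons.append("daily volume above baseline")

        if not reasons:
            continue
        hr_hit = any(r.startswith("remote access") for r in reasons)
        severity = "high" if hr_hit and len(reasons) > 1 else "medium"
        if ts.hour < 6 or ts.hour >= 22:
            reasons.append("off-hours")
        alerts.append({"user": user, "ts": ts.isoformat(), "resource": e["res"],
                       "reasons": reasons, "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in evaluate(parse(LOGS)):
        print(a["severity"].upper(), a["user"], a["ts"], a["resource"], "; ".join(a["reasons"]))
```

The HR-event trigger fires only on remote access inside the window after the event, so ordinary on-site work by someone serving notice is not flagged by itself; the volume trigger is cumulative per day, so many small pulls add up to the same alert as one large one. Severity is raised only when the HR trigger coincides with another trigger, which is the combination the cited study describes.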
6. Cyber Program Planning and Performance Management ensures that the enterprise allocates cyber resources in the most efficient manner, consistent with the enterprise strategy and goals. This function involves planning for the activities of the cyber program and measuring the program's effectiveness at protecting assets. Cyber program planning also ensures the acquisition of resources needed to continuously address evolving threats and emerging requirements, including, for example, allocating sufficient resources for hiring and training cybersecurity professionals. Performance measures provide meaningful, actionable data on the status of cyber security to decision makers and cyber professionals throughout the organization, helping them identify program gaps, define the resources required to close the gaps, and prioritize resources to focus on activities that provide the greatest efficiency, effectiveness, and ability to demonstrate long-term return on investment.

The cyber program planning and performance management function facilitates integration of a broad range of cybersecurity functions across the enterprise. Among its responsibilities, this management function identifies cyber initiatives for funding, develops an acquisition plan, tracks implementation, and measures performance over the enterprise lifecycle. A proactive cyber program planning and performance management function enables proactive, measurement-based cyber security capable of anticipating and quickly responding to the evolving threat and regulatory compliance environment.

The cyber program planning and performance management function is closely aligned with the enterprise's cybersecurity strategy. As a key element of the "Policy" component within the Cyber Mission Integration Framework (in Exhibit 1), strategy explores various ways and means to accomplish policy goals, and it identifies the right configuration of capabilities (people, process, and technology) to achieve the mission most efficiently. In this way, strategy helps guide the program planning and investment decisions to carry out cyber policy and goals.
Building a Dynamic Cyber Defense

When all six functional areas of cyber management are effectively integrated and working together, cyber management supports a layered, dynamic defense in which cyber principles and practices are embedded throughout the enterprise. With a dynamic defense in place, the enterprise proactively analyzes and monitors the threat landscape, understands its own vulnerabilities, manages the risks associated with malicious insiders, responds rapidly to cyber incidents and attacks, quickly minimizes the impact of breaches and attacks, continuously remediates vulnerabilities, and strengthens security across all organizational dimensions of cybersecurity, namely policy, people, technology, operations, and management.

Conclusion

No enterprise can protect itself completely from cyber attack. Rather, the goal is to reduce the risk of attack and damage by managing all aspects of cybersecurity within an integrated dynamic defense framework. Comprehensive cyber management ensures that the organization pays attention to the big picture, rather than to end solutions, aligning its resources with the enterprise strategy and goals. As a result, the vigilant enterprise understands and manages emerging cyber security risks, employees understand and follow the security policies, policies are structured to prevent insiders from releasing sensitive information, cyber assets are identified and appropriately protected, and resources are prioritized towards high-impact activities.

As information systems become more integral to business and government operations and our nation's critical infrastructure, cybersecurity becomes a "strategic enabler" rather than a tactical afterthought. When managed in a holistic way, cybersecurity paves the way for innovative technologies such as virtualization and cloud computing, and it secures the environment for game-changing solutions in areas such as e-health, smart grids, financial systems, and e-government. Cyber management serves as the foundation for robust, dynamic cybersecurity that supports enterprise strategic objectives as an integrated business process.
About the Authors

George Schu is a Senior Vice President at Booz Allen Hamilton and supports the Technology Capability efforts in the firm's federal and commercial markets. His primary functional areas include cybersecurity, Continuity of Operations (COOP), IT resilience, cross domain solutions, risk management, identity management, and anti-money laundering/counterterrorist financing. He is active in government and industry associations. He holds a master's degree from Georgetown University, and is a graduate of the Defense Language Institute and the Industrial College of the Armed Forces.

Nadya Bartol is a Senior Associate at Booz Allen Hamilton and manages a team of more than 35 cybersecurity consultants. She has over 17 years of information technology and information assurance experience. She has led numerous strategic, groundbreaking cybersecurity engagements for US federal government clients addressing cybersecurity measurement, continuous monitoring, and cyber supply chain risk management. Bartol has co-authored several NIST special publications and interagency reports and serves as co-chair of the DoD/DHS/NIST SwA Measurement Working Group. She also serves as US delegate to an ISO committee dedicated to the development of cybersecurity standards.
About Booz Allen Hamilton

Booz Allen Hamilton has been at the forefront of strategy and technology consulting for nearly a century. Today, Booz Allen is a leading provider of management and technology consulting services to the US government in defense, intelligence, and civil markets, and to major corporations, institutions, and not-for-profit organizations. In the commercial sector, the firm focuses on leveraging its existing expertise for clients in the financial services, healthcare, and energy markets, and for international clients in the Middle East. Booz Allen offers clients deep functional knowledge spanning strategy and organization, engineering and operations, technology, and analytics—which it combines with specialized expertise in clients' mission and domain areas to help solve their toughest problems.

The firm's management consulting heritage is the basis for its unique collaborative culture and operating model, enabling Booz Allen to anticipate needs and opportunities, rapidly deploy talent and resources, and deliver enduring results. By combining a consultant's problem-solving orientation with deep technical knowledge and strong execution, Booz Allen helps clients achieve success in their most critical missions—as evidenced by the firm's many client relationships that span decades. Booz Allen helps shape thinking and prepare for future developments in areas of national importance, including cybersecurity, homeland security, healthcare, and information technology.

Booz Allen is headquartered in McLean, Virginia, employs more than 25,000 people, and had revenue of $5.59 billion for the 12 months ended March 31, 2011. Fortune has named Booz Allen one of its "100 Best Companies to Work For" for seven consecutive years. Working Mother has ranked the firm among its "100 Best Companies for Working Mothers" annually since 1999. More information is available on the firm's website. (NYSE: BAH)

Contacts

George Schu, Senior Vice President, schu_george@bah.com, 703-377-5001
Nadya Bartol, Senior Associate, bartol_nadya@bah.com, 301-444-4114
Principal Offices

Huntsville, Alabama; Sierra Vista, Arizona; Los Angeles, California; San Diego, California; San Francisco, California; Colorado Springs, Colorado; Denver, Colorado; District of Columbia; Orlando, Florida; Pensacola, Florida; Sarasota, Florida; Tampa, Florida; Atlanta, Georgia; Honolulu, Hawaii; O'Fallon, Illinois; Indianapolis, Indiana; Leavenworth, Kansas; Aberdeen, Maryland; Annapolis Junction, Maryland; Hanover, Maryland; Lexington Park, Maryland; Linthicum, Maryland; Rockville, Maryland; Troy, Michigan; Kansas City, Missouri; Omaha, Nebraska; Red Bank, New Jersey; New York, New York; Rome, New York; Dayton, Ohio; Philadelphia, Pennsylvania; Charleston, South Carolina; Houston, Texas; San Antonio, Texas; Abu Dhabi, United Arab Emirates; Alexandria, Virginia; Arlington, Virginia; Chantilly, Virginia; Charlottesville, Virginia; Falls Church, Virginia; Herndon, Virginia; McLean, Virginia; Norfolk, Virginia; Stafford, Virginia; Seattle, Washington.

The most complete, recent list of offices and their addresses and telephone numbers can be found on the firm's website.

©2012 Booz Allen Hamilton Inc.