SlideShare a Scribd company logo

IPOR_Gray_2

Download as PPTX, PDF
D
Douglas Gray, CISSP, CISO
1 of 25
© 2015 Carnegie Mellon University Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Distribution Statement A: Approved for Public Release; Distribution is Unlimited Intelligence Preparation for Operational Resilience (IPOR) Douglas Gray
2 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Copyright 2015 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. [Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University. DM-0003143
3 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Intelligence Preparation for Operational Resilience (IPOR) Introduction
4 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited The Problem Introduction How does a decision maker make sense of the flood of threat information to make informed resilience decisions? Intelligence Resilience
5 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited A structured framework to… • identify intelligence needs • consume intelligence • make decisions What is IPOR? Introduction Intelligence Preparation for Operational Resilience (IPOR) Voice of the Environment Voice of the Threat Actor Voice of the Organization
6 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited IPOR integrates, leverages and/or builds upon existing frameworks, such as… • DOD’s Intelligence Preparation of the Battlefield (IPB) process • CERT® Resilience Management Model (CERT-RMM) • Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Allegro • National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) • Agile • Project Management Body of Knowledge Leveraging Existing Frameworks Introduction
7 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Initially developed for kinetic military operations Assesses the organization’s mission Identifies the organization’s needs for intelligence collection Determines how organization will consume intelligence Limitations: • Military terminology limits application by civilian organizations • Opportunity for targeted operational resilience application Building Upon IPB Introduction
8 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Threat Actor • “a situation, entity, individual, group, or action that has the potential to exploit a threat” Threat • “combination of a vulnerability, a threat actor, a motive (if the threat actor is a person or persons), and the potential to produce a harmful outcome for the organization” Risk • “combination of a threat and a vulnerability (condition), the impact (consequence) on the organization if the vulnerability is exploited, and the presence of uncertainty” Threat Actors, Threats, Risks Introduction
9 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Operational Resilience Introduction • eCommerce • HR • Accounts Payable • Research and Development Resilient Services – Able to Support the Strategic Objectives • People • Information • Technology • Facilities Resilient Assets – Able to Support Services The ability of the organization to achieve its mission even under degraded circumstances
10 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Intelligence Preparation for Operational Resilience (IPOR) Management Considerations
11 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Building Situational Awareness Management Considerations Levels of Situation Awareness Level 1 perception of the elements in the environment Level 2 comprehension of the current situation Level 3 projection of future status [Endsley 2012, p. 14] Boyd’s OODA Loop
12 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Tailor Information to Recipient Management Considerations Executives: C-Suite, elected leaders, appointees, generals, admirals Target data with eye toward organizational mission and stakeholders Middle Management: Staff, analysts Target data with eye toward routines, procedures information [Allison & Zelikow 1999, Kindle locations 3235, 5603]
13 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Other Management Considerations Management Considerations  Build routine, habitual relationship of trust with intelligence provider  Formality and rigor will depend on the time and resources available  Collect incomplete information and add or revise as more information becomes available  Document incorrect information acted upon to illuminate what led to past actions  Understand and be able to identify cognitive biases that can distort intelligence
14 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Intelligence Preparation for Operational Resilience IPOR Overview
15 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Decomposing Information IPOR Overview IPOR Voice of the Environment Socio-Political Legal and Policy Technological Business Physical Voice of the Organization Voice of the Mission Voice of the Service Strategic Objectives and Supporting Services Organizational Culture Organizational Assets External Dependencies Voice of the Threat Actor Describe Threat Actor Develop Threat Actor Use Cases
16 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Determine the Socio-Political Environment • Nation state conflicts • Nation state cooperation • Political perception of company Determine the Legal and Policy Environment • Statutes, treaties (pending and on the books) • Court cases • Insurance coverage Determine the Technological Environment • Cloud, mobile, etc. • Encryption Determine the Business Environment • Effects of consumer and shareholder confidence • Effects of operational resilience on brand image Determine the Physical Environment • Natural hazards (prone to hurricanes, tornados, earthquakes) • Positioning of and access to facilities Voice of the Environment IPOR Overview
17 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Voice of the Mission • Organizational context • Strategic Objectives • High-value services • Organizational culture Voice of the Service • Organizational assets that support high-value services • People • Information • Technology • Facilities • External dependencies • Vendors, partners • Externally managed assets (i.e., cloud) Voice of the Organization IPOR Overview
18 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Develop Threat Actor Taxonomy • NIST RMF categories • Hostile cyber/physical attacks • Human errors of omission or commission • Natural and man-made disasters • Intel Threat Agent Library • Customize to organizational needs • Support Information sharing Develop Threat Use Cases • Service(s)/asset(s) threatened • Potentially interested threat actor categories • Intentions • Motivations • Most likely attack pattern • Evidence/historical information? Voice of the Threat Actor IPOR Overview
19 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Intelligence Preparation for Operational Resilience (IPOR) Operationalizing Intelligence
20 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited IPOR Analysis Risk Management Mitigate Through Project Management Operationalizing IPOR
21 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Risk and Resilience Management • CERT® Resilience Management Model (CERT-RMM) • Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Allegro • NIST Risk Management Framework Project Management • Agile • Project Management Body of Knowledge (PMBOK) Use of Risk, Resilience, and Project Management Frameworks Operationalizing Threat Intelligence
22 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited • Operational resilience practitioners require a method to methodically inject threat-actor intelligence into their resilience, risk, and project-management methodologies • IPOR proposes a framework to enable operational resilience practitioners to  Develop a relationship with their intelligence provider  Identify their intelligence needs  Consume intelligence  Integrate it into their risk-management processes  Mitigate those risks through effective project management. Conclusion
23 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited More information on IPOR can be found in our special report at http://goo.gl/5JzVgL For more information
24 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Douglas Gray Information Security Engineer Telephone: +1 703.247.1374 Email: dagray@cert.org Contact Information
25 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Intelligence Preparation for Operational Resilience (IPOR) Questions

Recommended

Narrative Mind Week 7 H4D Stanford 2016
Narrative Mind Week 7 H4D Stanford 2016Narrative Mind Week 7 H4D Stanford 2016
Narrative Mind Week 7 H4D Stanford 2016Stanford University
 
Right of Boom Week 8 H4D Stanford 2016
Right of Boom Week 8 H4D Stanford 2016Right of Boom Week 8 H4D Stanford 2016
Right of Boom Week 8 H4D Stanford 2016Stanford University
 
Jimpezzone coverletter
Jimpezzone coverletterJimpezzone coverletter
Jimpezzone coverletterDevi Reddy
 
CW2016_Cross Cultural Compliance Challenges
CW2016_Cross Cultural Compliance ChallengesCW2016_Cross Cultural Compliance Challenges
CW2016_Cross Cultural Compliance ChallengesRob Lindquist
 
Newtec company profile
Newtec company profileNewtec company profile
Newtec company profileNewtec
 
Data Driven Cybersecurity Governance
Data Driven Cybersecurity GovernanceData Driven Cybersecurity Governance
Data Driven Cybersecurity GovernanceDouglas Gray, CISSP, CISO
 
Software Security Assurance - Bruce Jenkins
Software Security Assurance - Bruce JenkinsSoftware Security Assurance - Bruce Jenkins
Software Security Assurance - Bruce JenkinsIT-oLogy
 
170330 cognitive systems institute speaker series mark sherman - watson pr...
170330 cognitive systems institute speaker series mark sherman - watson pr...170330 cognitive systems institute speaker series mark sherman - watson pr...
170330 cognitive systems institute speaker series mark sherman - watson pr...diannepatricia
 

Recommended

Narrative Mind Week 7 H4D Stanford 2016
Narrative Mind Week 7 H4D Stanford 2016Narrative Mind Week 7 H4D Stanford 2016
Narrative Mind Week 7 H4D Stanford 2016Stanford University
 
Right of Boom Week 8 H4D Stanford 2016
Right of Boom Week 8 H4D Stanford 2016Right of Boom Week 8 H4D Stanford 2016
Right of Boom Week 8 H4D Stanford 2016Stanford University
 
Jimpezzone coverletter
Jimpezzone coverletterJimpezzone coverletter
Jimpezzone coverletterDevi Reddy
 
CW2016_Cross Cultural Compliance Challenges
CW2016_Cross Cultural Compliance ChallengesCW2016_Cross Cultural Compliance Challenges
CW2016_Cross Cultural Compliance ChallengesRob Lindquist
 
Newtec company profile
Newtec company profileNewtec company profile
Newtec company profileNewtec
 
Data Driven Cybersecurity Governance
Data Driven Cybersecurity GovernanceData Driven Cybersecurity Governance
Data Driven Cybersecurity GovernanceDouglas Gray, CISSP, CISO
 
Software Security Assurance - Bruce Jenkins
Software Security Assurance - Bruce JenkinsSoftware Security Assurance - Bruce Jenkins
Software Security Assurance - Bruce JenkinsIT-oLogy
 
170330 cognitive systems institute speaker series mark sherman - watson pr...
170330 cognitive systems institute speaker series mark sherman - watson pr...170330 cognitive systems institute speaker series mark sherman - watson pr...
170330 cognitive systems institute speaker series mark sherman - watson pr...diannepatricia
 
How biotech companies can get started with cloud for clinical trials?
How biotech companies can get started with cloud for clinical trials?How biotech companies can get started with cloud for clinical trials?
How biotech companies can get started with cloud for clinical trials?ClinCapture
 
Security Policies and Implementation IssuesChapter 12Inciden.docx
Security Policies and Implementation IssuesChapter 12Inciden.docxSecurity Policies and Implementation IssuesChapter 12Inciden.docx
Security Policies and Implementation IssuesChapter 12Inciden.docxjeffreye3
 
ISF Congress 2016 - Session 7.2_Kukreja
ISF Congress 2016 - Session 7.2_KukrejaISF Congress 2016 - Session 7.2_Kukreja
ISF Congress 2016 - Session 7.2_KukrejaPuneet Kukreja
 
Regaining the Defensive Advantage in Cybersecurity
Regaining the Defensive Advantage in CybersecurityRegaining the Defensive Advantage in Cybersecurity
Regaining the Defensive Advantage in Cybersecuritydanb02
 
IntelliSoft Corporate and Technology Overview
IntelliSoft Corporate and Technology OverviewIntelliSoft Corporate and Technology Overview
IntelliSoft Corporate and Technology OverviewMark Valerio
 
Measure It, Manage It, Ignore It - Software Practitioners and Technical Debt
Measure It, Manage It, Ignore It - Software Practitioners and Technical Debt Measure It, Manage It, Ignore It - Software Practitioners and Technical Debt
Measure It, Manage It, Ignore It - Software Practitioners and Technical Debt Neil Ernst
 
Cybersecurity and the Accountability of Elected Officials
Cybersecurity and the Accountability of Elected OfficialsCybersecurity and the Accountability of Elected Officials
Cybersecurity and the Accountability of Elected OfficialsGopal Khanna
 
Wrenches in the Trenches: A Practical Application of ITSM Know-How
Wrenches in the Trenches: A Practical Application of ITSM Know-HowWrenches in the Trenches: A Practical Application of ITSM Know-How
Wrenches in the Trenches: A Practical Application of ITSM Know-HowBeyond20
 
Applying Software Quality Models to Software Security
Applying Software Quality Models to Software SecurityApplying Software Quality Models to Software Security
Applying Software Quality Models to Software SecurityCAST
 
Nuclear Industry Resilience
Nuclear Industry ResilienceNuclear Industry Resilience
Nuclear Industry ResilienceSeven Questions Consulting Limited
 
Resilience an engineering construction perspective
Resilience an engineering construction perspectiveResilience an engineering construction perspective
Resilience an engineering construction perspectiveBob Prieto
 
8 Steps to Creating a Data Strategy
8 Steps to Creating a Data Strategy8 Steps to Creating a Data Strategy
8 Steps to Creating a Data StrategySilicon Valley Data Science
 
Sec1391
Sec1391Sec1391
Sec1391PaulDAvilar
 
Implementing Ethics: Developing Trustworthy AI PyCon 2020
Implementing Ethics: Developing Trustworthy AI PyCon 2020Implementing Ethics: Developing Trustworthy AI PyCon 2020
Implementing Ethics: Developing Trustworthy AI PyCon 2020Carol Smith
 
Finjan_Investor_Presentation_May2014
Finjan_Investor_Presentation_May2014Finjan_Investor_Presentation_May2014
Finjan_Investor_Presentation_May2014Finjan Holdings, Inc.
 
deloitte-au-privacy-index-2015
deloitte-au-privacy-index-2015deloitte-au-privacy-index-2015
deloitte-au-privacy-index-2015David Batch
 
2023 NCIT: Essentials for a CERT
2023 NCIT: Essentials for a CERT2023 NCIT: Essentials for a CERT
2023 NCIT: Essentials for a CERTAPNIC
 
Itb overview packetwebsite3.7.11
Itb overview packetwebsite3.7.11Itb overview packetwebsite3.7.11
Itb overview packetwebsite3.7.11ITBLamb
 
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...AdaCore
 
Defense and Intelligence Council Newsletter-December 2014
Defense and Intelligence Council Newsletter-December 2014Defense and Intelligence Council Newsletter-December 2014
Defense and Intelligence Council Newsletter-December 2014Daniel McGarvey
 

More Related Content

Similar to IPOR_Gray_2

How biotech companies can get started with cloud for clinical trials?
How biotech companies can get started with cloud for clinical trials?How biotech companies can get started with cloud for clinical trials?
How biotech companies can get started with cloud for clinical trials?ClinCapture
 
Security Policies and Implementation IssuesChapter 12Inciden.docx
Security Policies and Implementation IssuesChapter 12Inciden.docxSecurity Policies and Implementation IssuesChapter 12Inciden.docx
Security Policies and Implementation IssuesChapter 12Inciden.docxjeffreye3
 
ISF Congress 2016 - Session 7.2_Kukreja
ISF Congress 2016 - Session 7.2_KukrejaISF Congress 2016 - Session 7.2_Kukreja
ISF Congress 2016 - Session 7.2_KukrejaPuneet Kukreja
 
Regaining the Defensive Advantage in Cybersecurity
Regaining the Defensive Advantage in CybersecurityRegaining the Defensive Advantage in Cybersecurity
Regaining the Defensive Advantage in Cybersecuritydanb02
 
IntelliSoft Corporate and Technology Overview
IntelliSoft Corporate and Technology OverviewIntelliSoft Corporate and Technology Overview
IntelliSoft Corporate and Technology OverviewMark Valerio
 
Measure It, Manage It, Ignore It - Software Practitioners and Technical Debt
Measure It, Manage It, Ignore It - Software Practitioners and Technical Debt Measure It, Manage It, Ignore It - Software Practitioners and Technical Debt
Measure It, Manage It, Ignore It - Software Practitioners and Technical Debt Neil Ernst
 
Cybersecurity and the Accountability of Elected Officials
Cybersecurity and the Accountability of Elected OfficialsCybersecurity and the Accountability of Elected Officials
Cybersecurity and the Accountability of Elected OfficialsGopal Khanna
 
Wrenches in the Trenches: A Practical Application of ITSM Know-How
Wrenches in the Trenches: A Practical Application of ITSM Know-HowWrenches in the Trenches: A Practical Application of ITSM Know-How
Wrenches in the Trenches: A Practical Application of ITSM Know-HowBeyond20
 
Applying Software Quality Models to Software Security
Applying Software Quality Models to Software SecurityApplying Software Quality Models to Software Security
Applying Software Quality Models to Software SecurityCAST
 
Resilience an engineering construction perspective
Resilience an engineering construction perspectiveResilience an engineering construction perspective
Resilience an engineering construction perspectiveBob Prieto
 
Implementing Ethics: Developing Trustworthy AI PyCon 2020
Implementing Ethics: Developing Trustworthy AI PyCon 2020Implementing Ethics: Developing Trustworthy AI PyCon 2020
Implementing Ethics: Developing Trustworthy AI PyCon 2020Carol Smith
 
Finjan_Investor_Presentation_May2014
Finjan_Investor_Presentation_May2014Finjan_Investor_Presentation_May2014
Finjan_Investor_Presentation_May2014Finjan Holdings, Inc.
 
deloitte-au-privacy-index-2015
deloitte-au-privacy-index-2015deloitte-au-privacy-index-2015
deloitte-au-privacy-index-2015David Batch
 
2023 NCIT: Essentials for a CERT
2023 NCIT: Essentials for a CERT2023 NCIT: Essentials for a CERT
2023 NCIT: Essentials for a CERTAPNIC
 
Itb overview packetwebsite3.7.11
Itb overview packetwebsite3.7.11Itb overview packetwebsite3.7.11
Itb overview packetwebsite3.7.11ITBLamb
 
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...AdaCore
 
Defense and Intelligence Council Newsletter-December 2014
Defense and Intelligence Council Newsletter-December 2014Defense and Intelligence Council Newsletter-December 2014
Defense and Intelligence Council Newsletter-December 2014Daniel McGarvey
 

Similar to IPOR_Gray_2 (20)

How biotech companies can get started with cloud for clinical trials?
How biotech companies can get started with cloud for clinical trials?How biotech companies can get started with cloud for clinical trials?
How biotech companies can get started with cloud for clinical trials?
 
Security Policies and Implementation IssuesChapter 12Inciden.docx
Security Policies and Implementation IssuesChapter 12Inciden.docxSecurity Policies and Implementation IssuesChapter 12Inciden.docx
Security Policies and Implementation IssuesChapter 12Inciden.docx
 
ISF Congress 2016 - Session 7.2_Kukreja
ISF Congress 2016 - Session 7.2_KukrejaISF Congress 2016 - Session 7.2_Kukreja
ISF Congress 2016 - Session 7.2_Kukreja
 
Regaining the Defensive Advantage in Cybersecurity
Regaining the Defensive Advantage in CybersecurityRegaining the Defensive Advantage in Cybersecurity
Regaining the Defensive Advantage in Cybersecurity
 
IntelliSoft Corporate and Technology Overview
IntelliSoft Corporate and Technology OverviewIntelliSoft Corporate and Technology Overview
IntelliSoft Corporate and Technology Overview
 
Measure It, Manage It, Ignore It - Software Practitioners and Technical Debt
Measure It, Manage It, Ignore It - Software Practitioners and Technical Debt Measure It, Manage It, Ignore It - Software Practitioners and Technical Debt
Measure It, Manage It, Ignore It - Software Practitioners and Technical Debt
 
Cybersecurity and the Accountability of Elected Officials
Cybersecurity and the Accountability of Elected OfficialsCybersecurity and the Accountability of Elected Officials
Cybersecurity and the Accountability of Elected Officials
 
Wrenches in the Trenches: A Practical Application of ITSM Know-How
Wrenches in the Trenches: A Practical Application of ITSM Know-HowWrenches in the Trenches: A Practical Application of ITSM Know-How
Wrenches in the Trenches: A Practical Application of ITSM Know-How
 
Applying Software Quality Models to Software Security
Applying Software Quality Models to Software SecurityApplying Software Quality Models to Software Security
Applying Software Quality Models to Software Security
 
Nuclear Industry Resilience
Nuclear Industry ResilienceNuclear Industry Resilience
Nuclear Industry Resilience
 
Resilience an engineering construction perspective
Resilience an engineering construction perspectiveResilience an engineering construction perspective
Resilience an engineering construction perspective
 
8 Steps to Creating a Data Strategy
8 Steps to Creating a Data Strategy8 Steps to Creating a Data Strategy
8 Steps to Creating a Data Strategy
 
Sec1391
Sec1391Sec1391
Sec1391
 
Implementing Ethics: Developing Trustworthy AI PyCon 2020
Implementing Ethics: Developing Trustworthy AI PyCon 2020Implementing Ethics: Developing Trustworthy AI PyCon 2020
Implementing Ethics: Developing Trustworthy AI PyCon 2020
 
Finjan_Investor_Presentation_May2014
Finjan_Investor_Presentation_May2014Finjan_Investor_Presentation_May2014
Finjan_Investor_Presentation_May2014
 
deloitte-au-privacy-index-2015
deloitte-au-privacy-index-2015deloitte-au-privacy-index-2015
deloitte-au-privacy-index-2015
 
2023 NCIT: Essentials for a CERT
2023 NCIT: Essentials for a CERT2023 NCIT: Essentials for a CERT
2023 NCIT: Essentials for a CERT
 
Itb overview packetwebsite3.7.11
Itb overview packetwebsite3.7.11Itb overview packetwebsite3.7.11
Itb overview packetwebsite3.7.11
 
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
 
Defense and Intelligence Council Newsletter-December 2014
Defense and Intelligence Council Newsletter-December 2014Defense and Intelligence Council Newsletter-December 2014
Defense and Intelligence Council Newsletter-December 2014
 

IPOR_Gray_2

  • 1. © 2015 Carnegie Mellon University Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Distribution Statement A: Approved for Public Release; Distribution is Unlimited Intelligence Preparation for Operational Resilience (IPOR) Douglas Gray
  • 2. 2 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Copyright 2015 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. [Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University. DM-0003143
  • 3. 3 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Intelligence Preparation for Operational Resilience (IPOR) Introduction
  • 4. 4 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited The Problem Introduction How does a decision maker make sense of the flood of threat information to make informed resilience decisions? Intelligence Resilience
  • 5. 5 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited A structured framework to… • identify intelligence needs • consume intelligence • make decisions What is IPOR? Introduction Intelligence Preparation for Operational Resilience (IPOR) Voice of the Environment Voice of the Threat Actor Voice of the Organization
  • 6. 6 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited IPOR integrates, leverages and/or builds upon existing frameworks, such as… • DOD’s Intelligence Preparation of the Battlefield (IPB) process • CERT® Resilience Management Model (CERT-RMM) • Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Allegro • National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) • Agile • Project Management Body of Knowledge Leveraging Existing Frameworks Introduction
  • 7. 7 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Initially developed for kinetic military operations Assesses the organization’s mission Identifies the organization’s needs for intelligence collection Determines how organization will consume intelligence Limitations: • Military terminology limits application by civilian organizations • Opportunity for targeted operational resilience application Building Upon IPB Introduction
  • 8. 8 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Threat Actor • “a situation, entity, individual, group, or action that has the potential to exploit a threat” Threat • “combination of a vulnerability, a threat actor, a motive (if the threat actor is a person or persons), and the potential to produce a harmful outcome for the organization” Risk • “combination of a threat and a vulnerability (condition), the impact (consequence) on the organization if the vulnerability is exploited, and the presence of uncertainty” Threat Actors, Threats, Risks Introduction
  • 9. 9 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Operational Resilience Introduction • eCommerce • HR • Accounts Payable • Research and Development Resilient Services – Able to Support the Strategic Objectives • People • Information • Technology • Facilities Resilient Assets – Able to Support Services The ability of the organization to achieve its mission even under degraded circumstances
  • 10. 10 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Intelligence Preparation for Operational Resilience (IPOR) Management Considerations
  • 11. 11 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Building Situational Awareness Management Considerations Levels of Situation Awareness Level 1 perception of the elements in the environment Level 2 comprehension of the current situation Level 3 projection of future status [Endsley 2012, p. 14] Boyd’s OODA Loop
  • 12. 12 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Tailor Information to Recipient Management Considerations Executives: C-Suite, elected leaders, appointees, generals, admirals Target data with eye toward organizational mission and stakeholders Middle Management: Staff, analysts Target data with eye toward routines, procedures information [Allison & Zelikow 1999, Kindle locations 3235, 5603]
  • 13. 13 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Other Management Considerations Management Considerations  Build routine, habitual relationship of trust with intelligence provider  Formality and rigor will depend on the time and resources available  Collect incomplete information and add or revise as more information becomes available  Document incorrect information acted upon to illuminate what led to past actions  Understand and be able to identify cognitive biases that can distort intelligence
  • 14. 14 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Intelligence Preparation for Operational Resilience IPOR Overview
  • 15. 15 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Decomposing Information IPOR Overview IPOR Voice of the Environment Socio-Political Legal and Policy Technological Business Physical Voice of the Organization Voice of the Mission Voice of the Service Strategic Objectives and Supporting Services Organizational Culture Organizational Assets External Dependencies Voice of the Threat Actor Describe Threat Actor Develop Threat Actor Use Cases
  • 16. 16 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Determine the Socio-Political Environment • Nation state conflicts • Nation state cooperation • Political perception of company Determine the Legal and Policy Environment • Statutes, treaties (pending and on the books) • Court cases • Insurance coverage Determine the Technological Environment • Cloud, mobile, etc. • Encryption Determine the Business Environment • Effects of consumer and shareholder confidence • Effects of operational resilience on brand image Determine the Physical Environment • Natural hazards (prone to hurricanes, tornados, earthquakes) • Positioning of and access to facilities Voice of the Environment IPOR Overview
  • 17. 17 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Voice of the Mission • Organizational context • Strategic Objectives • High-value services • Organizational culture Voice of the Service • Organizational assets that support high-value services • People • Information • Technology • Facilities • External dependencies • Vendors, partners • Externally managed assets (i.e., cloud) Voice of the Organization IPOR Overview
  • 18. 18 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Develop Threat Actor Taxonomy • NIST RMF categories • Hostile cyber/physical attacks • Human errors of omission or commission • Natural and man-made disasters • Intel Threat Agent Library • Customize to organizational needs • Support Information sharing Develop Threat Use Cases • Service(s)/asset(s) threatened • Potentially interested threat actor categories • Intentions • Motivations • Most likely attack pattern • Evidence/historical information? Voice of the Threat Actor IPOR Overview
  • 19. 19 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Intelligence Preparation for Operational Resilience (IPOR) Operationalizing Intelligence
  • 20. 20 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited IPOR Analysis Risk Management Mitigate Through Project Management Operationalizing IPOR
  • 21. 21 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Risk and Resilience Management • CERT® Resilience Management Model (CERT-RMM) • Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Allegro • NIST Risk Management Framework Project Management • Agile • Project Management Body of Knowledge (PMBOK) Use of Risk, Resilience, and Project Management Frameworks Operationalizing Threat Intelligence
  • 22. 22 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited • Operational resilience practitioners require a method to methodically inject threat-actor intelligence into their resilience, risk, and project-management methodologies • IPOR proposes a framework to enable operational resilience practitioners to  Develop a relationship with their intelligence provider  Identify their intelligence needs  Consume intelligence  Integrate it into their risk-management processes  Mitigate those risks through effective project management. Conclusion
  • 23. 23 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited More information on IPOR can be found in our special report at http://goo.gl/5JzVgL For more information
  • 24. 24 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Douglas Gray Information Security Engineer Telephone: +1 703.247.1374 Email: dagray@cert.org Contact Information
  • 25. 25 Intelligence Preparation for Operational Resilience (IPOR) December 10, 2015 © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited © 2015 Carnegie Mellon University Distribution Statement A: Approved for Public Release; Distribution is Unlimited Intelligence Preparation for Operational Resilience (IPOR) Questions

Editor's Notes

  1. 1/26/2016
  2. 1/26/2016