Dashboard Discussion Document Jamie Miller, CEO August 6-7, 2019 - - PowerPoint PPT Presentation



SLIDE 1

MI:COP Risk Scoring Dashboard

Discussion Document

Jamie Miller, CEO
August 6-7, 2019

This document contains Mission Innovate Proprietary and Confidential Business Information

SLIDE 2

Common Operating Picture

Military term used to describe a command and control solution that aggregates important operational information (e.g., the position of soldiers, supplies, etc.) all in one picture

“The Whole is Greater than the Sum of its Parts”

First coined by the philosopher Aristotle, this phrase aptly defines the importance of a consolidated view/solution

Diagram labels: Cybersecurity (New Idea); Human Body / Any System (Really Old Idea)

SLIDE 3

Cyber Common Operating Picture

“A common operational picture (COP) for cyberspace facilitates C2 of CO and real-time comprehensive Situational Awareness. A cyberspace COP should include the ability to rapidly fuse, correlate, and display data from global network sensors to deliver a reliable picture of friendly, neutral, and adversary networks, including their physical locations and activities. In addition, the cyberspace COP should support real-time threat and event data from myriad sources (i.e., DOD, IC, interagency, private industry, and international partners) and improve commanders’ abilities to identify, monitor, characterize, track, locate, and take action in response to cyberspace activity as it occurs both globally for USSTRATCOM/USCYBERCOM and within the AOR for the GCC.”

Source: Joint Publication 3-12(R), “Cyberspace Operations”, dated 5 February 2013

Key Features of a Cyber MI:COP

  • Automated Asset and Information Aggregation
  • Heuristics-based Data Normalization
  • Disparate System Data ETL (Extraction, Transformation, and Loading)
  • Continuous Monitoring / Near Real-Time
  • Quantifiable and Efficient Risk Management

Transparent and measurable distribution of risk based on legitimate metrics = better / more reliable decision-making

SLIDE 4

Current Environment – Challenges

Example of Distributed Organization

C-Suite / CISO

  • Different Organizations / Roles / People / Geographies
  • Different Tools / Technology
  • Different Value Chains / Missions
  • Different Architectures
  • Different Data Types

Diagram labels: Business Unit A, Business Unit B, Business Unit C, Business Unit D, Business Unit E; Value Chain

SLIDE 5

Current Environment – Implications

Implications

  • Very difficult to manage to a standard risk profile
    − Inconsistent performance metrics are being collected and examined
    − Nearly impossible to have complete visibility of the environment
  • Decisions are based on “gut feel” because of incomplete data sets
    − Data collected is often “stale” and not current/real-time
  • Competing interests create “political push-pull”
  • The costs to manage the environment are invariably high
    − Resources are not effectively prioritized

Diagram: Example of Distributed Organization (same as slide 4)

SLIDE 6

MI:COP – The Solution

▪ Example data sources could include asset management, patch management, incident management, event (malware) management, and threat management data feeds

▪ Sensor controller automatically monitors the enterprise risk level based on real-time vulnerabilities and threats (i.e., key risk indicators)

MI:COP Solution Concept (diagram)

Tool / Data Source and the SCAP content each one provides:

  • Vulnerability Scan Systems: CVE Extract
  • IT Asset Mgmt. Systems: CPE Extract
  • System Configurations: CCE Extract
  • System Remediations: CRE Extract
  • Configuration Mgmt. Systems: XCCDF / OVAL Extract
  • Manual Checklists: OCIL Extract
  • Vulnerability Remediation: XCCDF / OVAL Extract

Other diagram labels: Information; Data Scans; Business Process Inputs (Business Process #1, Business Process #2, Business Process #3, Business Process …); Regional Hub (Aggregated Data); Executive Dashboard; Reports; Risk Threshold; Events & Alerts; Email

SLIDE 7

MI:COP – Key Components

Key Components of the Cyber COP Solution

1. Focus the Cyber COP solution on what’s important to your organization (i.e., on the “key effectiveness measures”)
2. Identify/Employ “The Right” Tools and Technology
3. Set up an effective architecture
4. Create the “Secret Sauce”
   − Develop the custom algorithms/scripts
5. Develop a well thought out dashboard
6. Place significant energy on maintenance and tuning of the overall solution

Diagram: Cyber COP Solution Concept (same as slide 6), with components 1–6 marked on the corresponding parts of the diagram

SLIDE 8

MI:COP – Demonstration (Transfer to Live Demonstration)

SLIDE 9

Tier 1 Dashboard – Commanders View

Go to Demo

SLIDE 10

MI:COP – Results

Cyber COP Results -- Resolutions to Challenge Environment

1. Implication: Difficult to manage to a standard risk profile
   − Inconsistent performance metrics are being collected and examined
   − Nearly impossible to have complete visibility of the environment
   Resolution: Defined “key effectiveness measures” allow leadership/management to track and monitor what it most cares about

2. Implication: Decisions are based on “gut feel” because of incomplete data sets
   − Data collected is often “stale” and not current/real-time
   Resolution: Use of automated tools ensures close to near real-time capture of the defined “high-priority” metrics – acknowledging that not all data is created equal

3. Implication: Competing interests create “political push-pull”
   Resolution: Implementation of a “risk economy” and incentive structure based on risk scoring motivates security practitioners to implement fixes based on priority

4. Implication: The costs to manage the environment are invariably high
   − Resources are not effectively prioritized
   Resolution: Leadership’s access to a dynamic risk scoring dashboard enables quick and easy risk decision-making, and more effective allocation of resources where they matter most

SLIDE 11

Questions

Contact Information

Jamie Miller, President / CEO
256-829-8859 (Mobile)
jmiller@missionmultiplier.com
www.missionmultiplier.com

2016 Emerging Entrepreneur of the Year
2018 EDPA imerge Innovation Award Finalist

SLIDE 12

Back-up Slides

SLIDE 13

Cyber COP – Mission Focus (Key Component 1)

Key Focus Areas / Metrics

Business Perspective
  • Which processes in your business are vital to your operations?
  • Ranking by the impact the disruption of these processes would have on your business

Security Perspective
  • Which information is the most important/sensitive in your enterprise?
  • Ranking by the impact the loss of availability, confidentiality, or integrity of that information would have on your business

Flow: Enterprise-wide Business Impact Assessment; Most important Assets / Functions; Key Effectiveness Measure Definition; Metrics Formation (Relative to Key Assets)

Diagram: Cyber COP Solution Concept (same as slide 6)

SLIDE 14

Cyber COP – “Key Effectiveness Measures” (Key Component 1)

Cyber COP Effectiveness Measures

Diagram labels: Establish Essential Controls / Threat Data; Implement Continuous Monitoring (Timeliness, Accuracy, Coverage); Operational Risk Response; Security Program Capability Measures; Security Program Effectiveness Measures; Goal: Efficiency/Effectiveness

▪ Controls are selected based on risk posture. Controls are assessed to see if each produces the desired effect. However, having an individual control does not mean that overall security is effective in protecting the mission.
▪ Capability Measures quantify the timeliness and validate the coverage with which the interdependent set of controls is employed.
▪ Effectiveness Measures quantify the extent to which the interdependent set of security controls actually increases security.

Example for one control (unauthorized hardware), from Monitoring Compliance to Monitoring Effectiveness:
  • Compliance: The organization has a process to remove unauthorized hardware (It might not be used)
  • Capability: When the audit group puts unauthorized machines on the network they are found and removed within 24 hours (But are all found?)
  • Effectiveness: The probability that a compromise is caused by unauthorized hardware is within control limits (All are found and addressed)
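An added illustration of the three tiers above for the unauthorized-hardware control; this is not the deck's own code or MI:COP's scoring. The audit records and compromise counts are constructed, and the p-chart control limit is an assumed reading of “within control limits”.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class PlantedHost:
    """One unauthorized machine the audit group placed on the network (constructed)."""
    host_id: str
    planted: datetime
    removed: Optional[datetime]  # None: never found, so never removed

def compliance_measure(process_documented: bool) -> bool:
    """Compliance tier: the removal process exists on paper; says nothing about use."""
    return process_documented

def capability_measure(hosts: List[PlantedHost], window_hours: float = 24.0) -> dict:
    """Capability tier: coverage (share found at all) and timeliness (share removed
    within the window), both relative to every host the audit group planted."""
    total = len(hosts)
    found = [h for h in hosts if h.removed is not None]
    on_time = [h for h in found if h.removed - h.planted <= timedelta(hours=window_hours)]
    return {"coverage": len(found) / total, "timeliness": len(on_time) / total}

def effectiveness_measure(unauth_caused: int, total_compromises: int, baseline_rate: float) -> dict:
    """Effectiveness tier: share of compromises caused by unauthorized hardware, checked
    against a p-chart upper control limit (baseline + 3 sigma). The SPC-style limit is an
    assumption; the deck only says 'within control limits'."""
    observed = unauth_caused / total_compromises
    sigma = math.sqrt(baseline_rate * (1 - baseline_rate) / total_compromises)
    ucl = baseline_rate + 3 * sigma
    return {"probability": observed, "ucl": ucl, "within_control_limits": observed <= ucl}

# Constructed audit run: four planted hosts; one found late, one never found.
T0 = datetime(2019, 8, 6, 9, 0)
AUDIT_HOSTS = [
    PlantedHost("rogue-01", T0, T0 + timedelta(hours=6)),
    PlantedHost("rogue-02", T0, T0 + timedelta(hours=23)),
    PlantedHost("rogue-03", T0, T0 + timedelta(hours=49)),
    PlantedHost("rogue-04", T0, None),
]

if __name__ == "__main__":
    print(compliance_measure(True))              # True ("it might not be used")
    print(capability_measure(AUDIT_HOSTS))       # coverage 0.75, timeliness 0.5
    print(effectiveness_measure(14, 200, 0.05))  # within control limits
    print(effectiveness_measure(25, 200, 0.05))  # outside control limits
```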

SLIDE 15

Cyber COP – “The Right” Tools/Technology (Key Component 2)

Diagram labels: Key Focus Areas / “Effectiveness Measure”; Conduct Cyber Tool Assessment; Validate Tool Suite

Cyber COP Tools Analysis

  • Validation that you have and are employing the appropriate cyber tools and technology, so that you have the capability to capture the information you need and want to monitor
  • Assurance that you have the appropriate network coverage, timeliness, and data accuracy that you need
  • Assurance that the tools you need are automated to the extent that they reduce workload and integrate with and support existing IT business processes

SLIDE 16

Cyber COP – Effective Architecture (Key Component 3)

Example High-Level Architecture (diagram label: Organizational Network)

Key Characteristics

  • It is necessary to ensure that the data you collect and extract can be effectively collected, aggregated, and transmitted across the network to a central location or database
  • Determining how to route the data flows often necessitates customized middleware (where data feeds and technologies don’t easily talk to each other)
  • Design of a customized database that supports the normalization, parsing, and processing of the information collected – such as a Hadoop Cluster Deployment – is of critical importance

SLIDE 17

Cyber COP – The “Secret Sauce” (Key Component 4)

Cyber COP Custom Queries

Key Characteristics

  • Once all the expected data feeds are captured in a central database, customized algorithms (or scripts) will need to be developed to query (and organize) the dataset
  • Development of custom algorithms (combined with the actual database design) is where the “secret sauce” of the COP program resides
  • How the data feeds are organized, parsed, or prioritized is based on the design of the queries. To “get this right” takes some experimenting. Ultimately, though, the right queries will enable access to actionable data and improved risk decision-making, and depending on the set frequency of the scanning, the results could be provided in near real-time
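An added illustration, not the deck's code or MI:COP's actual algorithm, of what the custom queries above, the heuristics-based normalization of slide 3, and the threshold-checking sensor controller of slide 6 could look like over a central dataset. The feed records, severity mappings, exposure weight, and per-process risk thresholds are all constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed feed records (not real data). Each feed reports risk in its own
# vocabulary, which is why a normalization step runs before any scoring query.
FEEDS = {
    "vuln_scan": [  # CVSS base scores from a scanner
        {"process": "Payroll", "asset": "pay-db-01", "cvss": 9.8, "internet_facing": False},
        {"process": "Payroll", "asset": "pay-web-01", "cvss": 7.5, "internet_facing": True},
        {"process": "Logistics", "asset": "wms-01", "cvss": 5.3, "internet_facing": False},
    ],
    "incident": [  # ticket severities as words
        {"process": "Payroll", "asset": "pay-web-01", "severity": "High", "internet_facing": True},
    ],
    "asset_mgmt": [  # inventory flags; an unauthorized host is itself a finding
        {"process": "Logistics", "asset": "wms-02", "authorized": False, "internet_facing": False},
    ],
}
SEVERITY_WORDS = {"low": 3.0, "medium": 5.0, "high": 8.0, "critical": 10.0}
ROGUE_HOST_SEVERITY = 6.0  # heuristic: treat an unauthorized host as medium-high

def normalize(feed: str, rec: dict) -> dict:
    """Map one feed-specific record onto the common 0-10 severity shape the queries use."""
    if feed == "vuln_scan":
        severity = float(rec["cvss"])
    elif feed == "incident":
        severity = SEVERITY_WORDS[rec["severity"].lower()]
    elif feed == "asset_mgmt":
        severity = 0.0 if rec.get("authorized", True) else ROGUE_HOST_SEVERITY
    else:
        raise ValueError(f"unknown feed: {feed}")
    return {"feed": feed, "process": rec["process"], "asset": rec["asset"],
            "severity": severity, "exposed": bool(rec.get("internet_facing", False))}

def score_processes(findings: List[dict]) -> Dict[str, float]:
    """Risk score per business process: severities summed, internet-facing assets weighted 1.5x."""
    scores: Dict[str, float] = defaultdict(float)
    for f in findings:
        scores[f["process"]] += f["severity"] * (1.5 if f["exposed"] else 1.0)
    return dict(scores)

def evaluate(feeds: dict, thresholds: Dict[str, float]) -> Tuple[Dict[str, float], List[dict]]:
    """One 'sensor controller' pass: normalize every feed, score, and list threshold breaches."""
    findings = [normalize(name, rec) for name, recs in feeds.items() for rec in recs]
    scores = score_processes(findings)
    alerts = [{"process": p, "score": s, "threshold": thresholds[p]}
              for p, s in sorted(scores.items()) if s >= thresholds[p]]
    return scores, alerts

THRESHOLDS = {"Payroll": 25.0, "Logistics": 15.0}  # constructed per-process risk thresholds
```

Calling `evaluate(FEEDS, THRESHOLDS)` scores Payroll at about 33.05 and Logistics at 11.3, so only Payroll produces an alert for the Events & Alerts / Email path.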

SLIDE 18

Cyber COP – The Dashboard (Key Component 5)

Example Cyber COP Dashboard

Key Characteristics

  • A Cyber COP dashboard visualizes the results of custom queries (based on the key effectiveness measures) to different stakeholders. Results can be captured and presented to:
    − Executive/Commander level
    − Business owner level
    − IT system owner level
  • Stakeholders can access the actionable data they need to make decisions, change behaviors, or validate performance
  • Scoring incentivizes direct behavior change of security stakeholders/practitioners to focus on mitigating risks to the mission in priority order. The scoring algorithm can include a behavioral-science-based heuristic that promotes the desired behavior/actions
  • The dashboard design should be accessible, be easy to understand, support day-to-day operations, and integrate with the overall solution architecture and dataflow.

SLIDE 19

Cyber COP – Maintenance (Key Component 6)

Example Cyber COP (diagram: Cyber COP Solution Concept, same as slide 6)

Key Characteristics

  • As new IT systems, business processes, and new organizational priorities arise, the different components of the Cyber COP solution architecture (e.g., metrics, tools, analytics/data queries) will need to be adjusted
  • For the Cyber COP to be most effective, it will need to evolve with the organization
  • Although powerful in its results, its management and implementation is no small undertaking
  • Once the dashboard is up and running and the Cyber COP solution is operational, it needs to be continuously managed and tweaked