MI:COP Risk Scoring Dashboard Discussion Document Jamie Miller, CEO August 6-7, 2019 This document contains Mission Innovate Proprietary and Confidential Business Information
Common Operating Picture “The Whole is Greater than Common Operating Picture the Sum of its Parts” Military term used to describe a command and control solution that aggregates First coined by the philosopher Aristotle, important operational information (e.g., this phrase aptly defines the importance of the position of soldiers, supplies, etc.) all a consolidated view/solution in one picture Cybersecurity Human Body / Any System (New Idea) (Really Old Idea) 2
Cyber Common Operating Picture A common operational picture (COP) for cyberspace facilitates C2 of CO and real-time comprehensive Situational Awareness. A cyberspace COP should include the ability to rapidly fuse, correlate, and display data from global network sensors to deliver a reliable picture of friendly, neutral, and adversary networks, including their physical locations and activities. In addition, the cyberspace COP should support real-time threat and event data from myriad sources (i.e., DOD, IC, interagency, private industry, and international partners) and improve commanders’ abilities to identify, monitor, characterize, track, locate, and take action in response to cyberspace activity as it occurs both globally for USSTRATCOM/ USCYBERCOM and within the AOR for the GCC . Joint Publication 3- 12(R), “Cyberspace Operations”, dated 5 February 2013 Key Features of a Cyber MI:COP Automated Asset and Information Aggregation ● Transparent and measurable Heuristics-based Data Normalization ● distribution of risk based on Disparate System Data ETL (Extraction, ● legitimate metrics = better / Transformation, and Loading) more reliable decision- Continuous Monitoring / Near Real-Time ● making Quantifiable and Efficient Risk Management ● 3
Current Environment – Challenges Example of Distributed Organization C-Suite / CISO Business Business Business Different Business Business ● Organizations/ Unit Unit Unit Unit Unit Roles/ People / A C E B D Geographies Different Tools/ ● Technology Different Value ● Chains/Missions Value Chain Value Chain Value Chain Value Chain Different ● Architectures Different Data ● Types 4
Current Environment – Implications Example of Distributed Organization Implications C-Suite / CISO Very difficult to manage to standard ● risk profile Business Business Business Business Business ● Different Organizations/ Unit Unit Unit Unit Unit − Inconsistent performance metrics Roles/ People / A C E B D Geographies are being collected and examined ● Different Tools/ Technology − Nearly impossible to have Different Value ● Chains/Missions Value Chain Value Chain Value Chain Value Chain complete visibility of environment Different ● Architectures Decisions are based on “gut feel” ● ● Different Data Types because of incomplete data sets Data collected is often “stale” and − not current/real-time Competing interests create “political ● push- pull” The cost to manage environment are ● invariably high − Resources are not effectively prioritized 5
MI:COP – The Solution Executive Dashboard MI:COP Solution Concept Business SCAP Tool / Data Source Process Content Inputs Vulnerability CVE Extract Scan Systems Business Information Data Scans IT Asset Process #1 CPE Extract Mgmt. Systems ▪ Se nsor System Business CCE Extract controller Configurations Process #2 automatically Risk Threshold System monitors the CRE Extract Remediations enterprise risk Business Configuration XCCDF / OVAL Process #3 level based on Mgmt. Systems Extract real-time Regional Hub vulnerabilities Manual OCIL Extract (Aggregated Business and threats (i.e., Checklists Process … Data) key risk XCCDF / OVAL Vulnerability indicators) Remediation Extract ▪ Example data sources could include asset Risk Threshold management, patch management, incident management, event (malware) management, and threat management data feeds Risk Threshold Events & Alerts Reports Email 6
MI:COP – Key Components Key Components Cyber COP Solution E x e c u tiv e D a s h b o a rd Focus the Cyber COP solution on Cyber COP Solution Concept 1. 1 Business SCAP what’s important to your organization Tool / Data Source Process Content Inputs Vulnerability CVE Extract Scan Systems (i.e., on the “key effectiveness Business Information Data Scans IT Asset Process #1 CPE Extract Management Systems measures”) ▪ S e n s o r c o n tro lle r System Business CCE Extract a u to m a tic a lly m o n ito rs Configurations Process #2 th e e n te rp ris e ris k le v e l System R is k T h re s h o ld b a s e d o n re a l-tim e Identify/Employ “The Right” Tools and CRE Extract Remediations 2. 2 v u ln e ra b ilitie s a n d Business Configuration XCCDF / OVAL Process #3 th re a ts (i.e ., k e y ris k Management Systems Extract in d ic a to rs ) Technology R e g io n a l H u b Manual Checklists OCIL Extract Business (A g g re g a te dD a ta ) Process … Vulnerability XCCDF / OVAL Set-up an effective architecture 3. 3 Remediation Extract ▪ E Create the “Secret Sauce” R is k T h re s h o ld x a m p le d a ta s o u rc e s c o u ld in c lu d e a s s e t m a n a g e m e n t, p a tc h 4. 4 m a n a g e m e n t, in c id e n t m a n a g e m e n t, e v e n t (m a lw a re ) m a n a g e m e n t, a n d th re a t m a n a g e m e n t d a ta fe e d s − Develop the custom algorithms/scripts R is k T h re s h o ld E v e n ts & A le rts R e p o rts E m a il Develop a well thought out dashboard 5. 5 Place significant energy on 6. 6 maintenance and tuning of the overall solution 7
MI:COP – Demonstration (Transfer to Live Demonstration) 8
Tier 1 Dashboard – Commanders View Go to Demo 9
MI:COP – Results Cyber COP Results -- Resolutions to Challenge Environment # Implications Resolutions 1. Difficult to manage to standard risk profile Defined “key effectiveness measures” allows leadership/management to track and − Inconsistent performance metrics are being monitor what it most cares about collected and examined − Nearly impossible to have complete visibility of environment 2. Decisions are based on “gut feel” because of Use of automated tools, ensures close to near incomplete data sets real-time capture of the defined “high - priority” metrics – acknowledging that not all − Data collected is often “stale” and not data is created equal current/real-time 3. Competing interests create “political push - Implementation of “ risk economy ” and pull” incentive structure based on risk scoring motivates security practitioners to implement fixes based on priority. 4. The cost to manage environment are invariably Leadership’s access to dynamic risk scoring high dashboard enables quick and easy risk decision-making , and more effective − Resources are not effectively prioritized allocation of resources where they matter most 10
Questions Contact Information Jamie Miller President / CEO 256-829-8859 (Mobile) jmiller@missionmultiplier.com www.missionmultiplier.com 2016 Emerging 2018 EDPA imerge Entrepreneur of the Innovation Award Finalist Year 11
Back-up Slides 12
Recommend
More recommend
