“A must read for any professional… to build a world class enterprise cyber program …”
“There are a myriad of cybersecurity books available these days. However, none like this. This book is the differentiator.”
“Extremely valuable and clear guidance…”
“…an excellent reference guide of how to practically and pragmatically build a security program.”
“Adopting and applying the characteristics of a journey, Schreider guides the reader through the mileposts of building a cybersecurity program, start to finish. Even so, the book is organized so it can easily be used as a reference guide, providing detailed information for any point along the route. This book includes ample visual graphics to illustrate the complex ideas addressed in the text. These graphical representations help the reader to comprehend and retain the information presented. It should be noted that there are a large number of hyperlinks in this book. Many readers will find a digital copy with active hyperlinks most useful.”
“…a step-by-step guide with practical examples and a true roadmap for anyone who needs to build a cybersecurity program…”
“Schreider provides a detailed and real-world roadmap on how to create an effective information security program. He also brings his practical experience to every chapter, detailing what works and does not, the pros and cons of items suggested and more… heavy on practical guidance.”
You know by now that your company could not survive without the Internet. Not in today’s market. You are either part of the digital economy or reliant upon it. With critical information assets at risk, your company requires a state-of-the-art cybersecurity program. But how do you achieve the best possible program? Tari Schreider, in Building Effective Cybersecurity Programs, 2nd Edition, lays out the step-by-step roadmap to follow as you build or enhance your cybersecurity program.
BUILD YOUR CYBERSECURITY PROGRAM WITH THIS COMPLETELY UPDATED GUIDE
Security practitioners now have a comprehensive blueprint to help build effective cybersecurity programs. Building an Effective Cybersecurity Program (2nd Edition) instructs security architects, security managers, and security engineers how to properly construct effective cybersecurity programs using contemporary architectures, frameworks, and models. This comprehensive book is also the result of the author’s professional experience and involvement in designing and deploying hundreds of effective cybersecurity programs. This extensive content includes the following:
Recommended design approaches
Program structure
Cybersecurity technologies
Governance
Policies
Vulnerability
Threat and intelligence capabilities
Risk management
Defense-in-depth
DevSecOps
Service management
…and much more!
Additional Comprehensive Instructional Materials NOW AVAILABLE!*
* (for qualified academic adoptions)
The book is presented as a practical roadmap detailing each step required for you to build your effective cybersecurity program. It also provides many design templates to assist in program builds and all chapters include self-study questions to gauge your progress. Building An Effective Cybersecurity Program (2nd Edition) is your single source reference for building effective cybersecurity programs!
Building an Effective Cybersecurity Program: 2nd Edition is organized around the six main steps on the roadmap that will put your cybersecurity program in place:
Design an effective Cybersecurity Program
Establish a Foundation of Governance
Build a Threat, Vulnerability Detection, and Intelligence Capability
Build a Cyber Risk Management Capability
Implement a Defense-in-Depth Strategy
Apply Service Management to Cybersecurity Programs
Because Schreider has researched and analyzed over 150 cybersecurity architectures, frameworks, and models, he has saved you hundreds of hours of research. He sets you up for success by talking to you directly as a friend and colleague, using practical examples. His book will also help you to:
Identify the proper cybersecurity program roles and responsibilities.
Classify assets and identify vulnerabilities.
Define an effective cybersecurity governance foundation.
Evaluate the top governance frameworks and models.
Automate your governance program to make it more effective.
Integrate security into your application development process.
Apply defense-in-depth as a multi-dimensional strategy.
Implement a service management approach to implementing countermeasures.
The roadmap to building an effective cybersecurity program
With this new 2nd edition of this handbook, you can move forward confidently, trusting that Schreider is recommending the best components of a cybersecurity program for you. In addition, the book provides hundreds of citations and references that allow you to dig deeper as you explore specific topics relevant to your organization or your studies. Whether you are a new manager or a current manager involved in your organization’s cybersecurity program, this book will answer many questions you have on what is involved in building a program.
You will also be able to get up to speed quickly on program development practices and have a roadmap to follow in building or improving your organization’s cybersecurity program. If you are new to cybersecurity, in the short period of time it will take you to read this book you can be the smartest person in the room grasping the complexities of your organization’s cybersecurity program. If you are a manager already involved in your organization’s cybersecurity program, you have much to gain from reading this book. Given these points, this book will become your go-to field manual guiding or affirming your program decisions.
2020, 406 pages.
Comprehensive Instructional Materials NOW AVAILABLE!
Dedication …………………………………………………………………………………………………………………….. iii
Acknowledgments………………………………………………………………………………………………………….. iii
Preface ………………………………………………………………………………………………………………………….. iv
Why a Second Edition? ………………………………………………………………………………………………….. vii
Foreword ………………………………………………………………………………………………………………………. ix
Contents ……………………………………………………………………………………………………………………….. xi
Introduction ……………………………………………………………………………………………………………………. 1
Chapter 1 Designing a Cybersecurity Program …………………………………………………………………. 5
Chapter 1 Roadmap …………………………………………………………………………………………………………. 6
1.1 Cybersecurity Program Design Methodology ……………………………………………………………….. 9
1.1.1 Need for a Design to Attract the Best Personnel ……………………………………………… 9
1.1.2 A Recommended Design Approach: ADDIOI Model …………………………………. 10
1.1.3 The Six Phases of the ADDIOI Model ……………………………………………………… 11
1.2 Defining Architectures, Frameworks, and Models ……………………………………………………….. 13
1.2.1 Program Design Guide ……………………………………………………………………………….. 15
1.3 Design Principles …………………………………………………………………………………………………….. 16
1.4 Intersection of Privacy and Cybersecurity …………………………………………………………………… 17
1.5 Good Practice vs. Best Practice …………………………………………………………………………………. 17
1.6 Adjust Your Design Perspective ………………………………………………………………………………… 18
1.7 Architectural Views …………………………………………………………………………………………………. 19
1.8 Cybersecurity Program Blueprint ………………………………………………………………………………. 20
1.9 Program Structure ……………………………………………………………………………………………………. 23
1.9.1 Office of the CISO ………………………………………………………………………………………….. 23
1.9.2 Security Engineering ………………………………………………………………………………………. 25
1.9.3 Security Operations ………………………………………………………………………………………… 26
1.9.4 Cyber Threat Intelligence ………………………………………………………………………………… 28
1.9.5 Cyber Incident Response …………………………………………………………………………………. 29
1.9.6 Physical Security ……………………………………………………………………………………………. 30
1.9.7 Recovery Operations ………………………………………………………………………………………. 31
1.10 Cybersecurity Program Frameworks and Models ……………………………………………………….. 32
1.10.1 HITRUST CSF ……………………………………………………………………………………….. 33
1.10.2 Information Security Forum (ISF) Framework …………………………………………………. 36
1.10.3 ISO/IEC 27001/27002 Information Security Management System (ISMS) ………….. 39
1.10.4 NIST Cybersecurity Framework …………………………………………………………………….. 42
1.11 Cybersecurity Program Technologies ……………………………………………………………………….. 44
1.11.1 Application security ………………………………………………………………………………………. 45
1.11.2 Authentication ……………………………………………………………………………………………… 47
1.11.3 Cloud security ………………………………………………………………………………………………. 47
1.11.4 Container security …………………………………………………………………………………………. 48
1.11.5 Data Loss Prevention (DLP)…………………………………………………………………………… 48
1.11.6 Digital forensics ……………………………………………………………………………………………. 49
1.11.7 Distributed Denial of Service (DDoS) Mitigation ……………………………………………… 49
1.11.8 Deception technology ……………………………………………………………………………………. 49
1.11.9 Domain Name Services (DNS) Attack Security ………………………………………………… 50
1.11.10 Encryption …………………………………………………………………………………………………. 50
1.11.11 Endpoint Protection Platform (EPP) ………………………………………………………………. 51
1.11.12 Firewalls (FW) ……………………………………………………………………………………………. 52
1.11.13 Identity and Access Management (IDAM) …………………………………………………….. 52
1.11.14 Internet of Things (IoT) Security…………………………………………………………………… 52
1.11.15 Intrusion Protection Systems (IPS)………………………………………………………………… 53
1.11.16 Network Access Control (NAC)……………………………………………………………………. 53
1.11.17 Privileged Account Management (PAM) ……………………………………………………….. 54
1.11.18 Security Information and Event Management (SIEM) ……………………………………… 54
1.11.19 Security Orchestration, Automation and Response (SOAR) ……………………………… 55
1.11.20 Threat Intelligence Platform (TIP) ………………………………………………………………… 55
1.11.21 User and Entity Behavior Analysis (UEBA) …………………………………………………… 56
1.11.22 Virtualization security …………………………………………………………………………………. 56
1.11.23 Vulnerability management …………………………………………………………………………… 57
1.11.24 Web filtering ………………………………………………………………………………………………. 57
1.11.25 Whitelisting ……………………………………………………………………………………………….. 57
1.12 Security Training Program ………………………………………………………………………………………. 58
1.12.1 Awareness Training ………………………………………………………………………………………. 58
1.12.2 Phishing Attack Training ……………………………………………………………………………….. 59
1.12.3 Ransomware Attack Simulations…………………………………………………………………….. 59
1.13 Maturing Cybersecurity Programs ……………………………………………………………………………. 60
1.13.1 Security Ratings ……………………………………………………………………………………………. 64
1.14 Cybersecurity Program Design Checklist ………………………………………………………………….. 64
Chapter 2 Establishing a Foundation of Governance ………………………………………………………… 71
Chapter 2 Roadmap ……………………………………………………………………………………………………….. 72
2.1 Governance Overview ……………………………………………………………………………………………… 74
2.2 Cybersecurity Governance Playbook ………………………………………………………………………….. 75
2.3 Selecting a Governance Framework …………………………………………………………………………… 78
2.3.1 COBIT 5: Framework for Information Technology Governance and Control ………. 79
2.3.2 COSO 2013 Internal Control – Integrated Framework ………………………………………… 82
2.3.3 Information Governance Reference Model (IGRM) ……………………………………………. 86
2.3.4 ARMA – Information Coalition – Information Governance Model ………………………. 89
2.3.5 OCEG GRC Capability Model 3.0 (Red Book) ………………………………………………. 91
2.4 Governance Oversight Board …………………………………………………………………………………….. 94
2.5 Cybersecurity Policy Model ……………………………………………………………………………………… 95
2.5.1 Cybersecurity Policy Management ……………………………………………………………………. 96
2.5.2 Cybersecurity Policy Management Software ……………………………………………………… 98
2.6 Governance, Risk, and Compliance (GRC) Software …………………………………………………… 98
2.7 Key Cybersecurity Program Management Disciplines ………………………………………………….. 99
2.8 Security Talent Development ………………………………………………………………………………….. 101
2.8.1 Training ………………………………………………………………………………………………………. 101
2.8.2 Certifications ……………………………………………………………………………………………….. 102
2.9 Creating a Culture of Cybersecurity …………………………………………………………………………. 102
2.10 Cybersecurity Insurance ………………………………………………………………………………………… 103
2.11 Governance Foundation Checklist ………………………………………………………………………….. 104
Chapter 3 Building a Cyber Threat, Vulnerability Detection, and Intelligence Capability ……. 111
Chapter 3 Roadmap ……………………………………………………………………………………………………… 112
3.1 Cyber Threats and Vulnerabilities ……………………………………………………………………………. 115
3.1.1 Threats, Vulnerability, and Intelligence Model …………………………………………………. 116
3.2 Cyber Threats ………………………………………………………………………………………………………… 118
3.2.1 Lesson from the Honeybees …………………………………………………………………………… 118
3.2.2 Cyber Threat Categories ………………………………………………………………………………… 119
3.2.3 Threat Taxonomies ……………………………………………………………………………………….. 122
3.2.4 Cyber Threat Actors ……………………………………………………………………………………… 125
3.2.5 Cyber Threat-Hunting……………………………………………………………………………………. 128
3.2.6 Cyber Threat-Modeling …………………………………………………………………………………. 130
3.2.7 Cyber Threat Detection Solutions …………………………………………………………………… 133
3.2.8 Cyber Threat Metrics …………………………………………………………………………………….. 137
3.2.9 Cybersecurity Threat Maps ……………………………………………………………………………. 138
3.3 Adversary Profile …………………………………………………………………………………………………… 141
3.4 Vulnerability Management ……………………………………………………………………………………… 142
3.4.1 Vulnerability Scanning ………………………………………………………………………………….. 143
3.4.2 Patch Management ……………………………………………………………………………………….. 144
3.5 Security Testing …………………………………………………………………………………………………….. 145
3.5.1 Penetration Testing ……………………………………………………………………………………….. 146
3.5.2 Red Teams …………………………………………………………………………………………………… 147
3.5.3 Blue Teams ………………………………………………………………………………………………….. 147
3.5.4 Purple Teams ……………………………………………………………………………………………….. 148
Tari Schreider, C|CISO, CRISC, ITIL Foundation, MCRP, SSCP is a distinguished technologist and nationally known expert in the fields of cybersecurity, risk management, and disaster recovery. He was formerly Chief Security Architect at Hewlett-Packard Enterprise and National Practice Director for Security and Disaster Recovery at Sprint E|Solutions. Schreider is an instructor for EC-Council where he teaches advanced CISO certification and risk management courses.
Schreider has designed and implemented complex cybersecurity programs, including a red team penetration testing program for one of the world’s largest oil and gas companies, a NERC CIP compliance program for one of Canada’s largest electric utility companies, and an integrated security control management program for one of the largest 911 systems in the US, and he designed a cybersecurity service architecture for one of the largest retailers in the US. He has advised organizations worldwide, including in Brazil, China, India and South Africa, on how to improve their cybersecurity programs.
Schreider implemented a virtual Security Operations Center network with vSOCs located in the US, Brazil, Italy, Japan, Sweden, and the US. He was also responsible for creating the first Information Sharing and Analysis Center in collaboration with the Information Technology Association of America (IT-ISAC). His earliest disaster recovery experiences included assisting companies affected during the 1992 Los Angeles riots and the 1993 World Trade Center bombing. His most unique experience came during the Gulf War, helping a New York financial institution recover after becoming separated from its data center in Kuwait.
Schreider has appeared on ABC News, CNN, CNBC, and NPR, and has had numerous articles printed in security and business magazines, including Business Week, the New York Times, SC Magazine, The Wall Street Journal and many others. He is the author of The Manager’s Guide to Cybersecurity Law (Rothstein Publishing, 2017) and is a co-author of the US patent Method for Analyzing Risk.
He studied Criminal Justice at the College of Social & Behavioral Sciences at the University of Phoenix and holds the following certifications in security and disaster recovery:
American College of Forensic Examiners, CHS-III
Certified CISO (C|CISO)
Certified in Risk and Information Systems Control (CRISC)
ITIL v3 Foundation Certified
System Security Certified Practitioner (SSCP)
Member of the Business Continuity Institute (MBCI)
University of Richmond – Master Certified Recovery Planner (MCRP)
Excerpt from the Preface
Few companies today could survive without the Internet; either you are part of the digital economy, or you are reliant upon those who are. I am hard-pressed to find someone today who does not interact with some aspect of the Internet to perform all or some of his or her work duties. IT professionals and managers alike need to be cybersecurity-savvy to compete in today’s job market. You must accept that you are or will be working for an organization that takes cybersecurity seriously. To ensure you do not become one of those managers you read about who lets the cyber aggressors in the back door, you must take cybersecurity seriously as well.
Whether you are a new manager or a current manager involved in your organization’s cybersecurity program, I am confident this book will answer many questions you have about what is involved in building a program. You will be able to get up to speed quickly on program development practices and have a roadmap to follow in building or improving your organization’s cybersecurity program.
Even if you are new to cybersecurity, in the short period of time it will take you to read this book, you can be the smartest person in the room grasping the complexities of your organization’s cybersecurity program.
If you are already involved in your organization’s cybersecurity program, you have much to gain from reading this book. This book will become your go-to field manual to guide or affirm your program decisions.
After 30 years of experience in the trenches, designing and building cybersecurity programs throughout the world, I wrote this book to help the process go more smoothly for you. In creating this roadmap for you, I was motivated by what I see as a systemic lack of experience and resources in those tasked with designing and building cybersecurity programs.
First, many managers have never had to build a cybersecurity program from the ground up, resulting in cybersecurity programs based on insular opinions guiding program development rather than sound architecture and design principles.
Managers involved in cybersecurity can expect an average tenure in their role of approximately two years, which means they are inheriting cybersecurity programs serially throughout their careers. This leaves little time to forge experience gained through building a program of their own design.
In addition, few of these managers graduated from a cybersecurity degree program that teaches architecture and design.
Second, we do not have a generation of managers equipped to build cybersecurity programs.
By many accounts, there are over one million cybersecurity jobs open in the US. According to the US Bureau of Labor Statistics, this industry will grow by 37% through 2022. Who will fill these roles? Only the recently graduated or certified are available to fill these open positions, but neither group has the experience necessary to build a cybersecurity program.
Certifications and degrees may not always be a true measure of the skills required to build today’s programs, since there is no substitute for experience.
Third, inexperienced managers have difficulty separating fact from what I call “security theater.”
A multibillion-dollar industry of thousands of cybersecurity vendors and consultants driven by their own self-interest can easily lead managers astray. Managers with little experience can fall under their spell, succumbing to their cybersecurity technologies and becoming locked into proprietary program maturity models.
I have seen many led down a perilous path of cybersecurity programs crammed with technologies that promise to protect their information and assets from hackers but offer little in the way of basic blocking and tackling.
This book is intended to give you the knowledge and guidance that will allow you to choose wisely and avoid the pitfalls I have described above.
My experience working with hundreds of companies will serve as your roadmap to step you through building your own cybersecurity program. In writing this book, I analyzed over 150 cybersecurity architectures, frameworks, models, etc., so that you would not have to. I have called out those that I felt were great examples to assist you along your journey. This alone will save you hundreds of hours attempting to conduct the research necessary to identify all the components of a cybersecurity program.
My best wishes as you follow the roadmap to create an effective cybersecurity program for your organization!
Tari Schreider
Atlanta, Georgia
September 2019
Excerpt from the Introduction
Think about building your organization’s cybersecurity program as a journey. Do you know what you will need to bring? As with any trip, your purpose can be for either business or pleasure. If it is for business, then there’s a good chance you are inheriting someone else’s program and problems. If it is for pleasure, then you will be able to build your own program from the ground up. In any case, if you are reading this book, there’s a good chance that your purpose is business, and your boss has already told you your next destination: cybersecurity land. A cybersecurity program will represent the completion of your journey.
All trips have one thing in common. You need to prepare. Trips require a roadmap and a guide or Sherpa to make the journey as smooth as possible. Before you begin your trip, at the very least, you look at a map and some travel brochures. The map shows you how to get to your destination, and the brochures point out interesting sites along the way. Even if you find yourself a passenger on your trip to cybersecurity land (HR manager, attorney, etc.), you can still add value to the trip by using this book to ask the right questions.
For our journey in this book, we will follow a map, and I will be your Sherpa. Each chapter will be a stop on your journey to creating a cybersecurity program, providing important references to help you along the way. Your journey will look something like a winding road.
Your first stop will have you designing your cybersecurity program, after which you will proceed to establishing principles and policies for how your program should be managed.
The midpoint of your journey involves identifying the highway robbers or hackers and other threats you want your program to protect against.
Stop four shows you how to assess and manage risk.
Nearing the end of your journey, your fifth stop will have you define defensive measures required to protect your organization’s assets and information.
The next to the last stop shows you how to operate your program and ensure you have the right staff doing the right things.
In the final stop I show you how to unpack all that you have learned.
Chapter 1: Designing a Cybersecurity Program. Whenever you begin a journey, it is best to have your destination in sight. A blueprint does just that: it lets all involved in the program’s construction know what it should look like once completed. To begin your cybersecurity program, you will need a blueprint that outlines the program’s general structure as well as its supporting components. In this chapter, I offer an ideal state example of a cybersecurity program blueprint and introduce you to industry leading cybersecurity frameworks. I will also introduce you to leading cybersecurity technologies you should consider adding to your program.
Chapter 2: Establishing a Foundation of Governance. The way your company is controlled by the people who run it is called governance. The way your cybersecurity program is controlled is also governance. Governance is all about making the right decisions for the benefit of the organization. For a cybersecurity program to stand the test of time, it must benefit from proper governance. Governance ensures the program adheres to its design principles. In this chapter, I explain what constitutes a governance program as well as the proper governance of a cybersecurity program. An overview of the top information governance frameworks and models will provide you with an understanding of resources available to mature your cybersecurity program’s governance foundation. You will also learn how to automate your governance foundation. I will also discuss how to treat your top cybersecurity talent.
Chapter 3: Building a Threat, Vulnerability Detection and Intelligence Capability. Your next step is to determine what is most important to your organization. This includes classifying your organization’s assets and information by importance and identifying the types of threats and vulnerabilities to which they are exposed. Next, this chapter shows you how to identify the different points of entry an attacker can use to steal your sensitive information. All these points of entry make up your attack surface, and this is what you will be protecting with your program. I will show you how to create a threat intelligence function that leverages your threat inventory and vulnerability detection systems to reduce the exposure of your attack surface. You will also learn how to acquire threat intelligence and how to make it actionable. To ensure everything works, I will walk you through various methods of testing a cybersecurity program.
Chapter 4: Building a Cyber Risk Management Capability. Now that you know the threats and vulnerabilities to which your organization is exposed, a risk profile can be determined. Your risk profile is your organization’s willingness to take risks in comparison to the threats faced. In this chapter, I show you how to leverage industry-leading risk assessment frameworks and calculators to derive your organization’s risk score. I will show you how to organize and manage your risks with a risk register. A register is an inventory of your organization’s risks in order of criticality. Each risk is assigned an owner and a corresponding plan to mitigate or manage the risk. Importantly, the topic of risk extends past your organization to third parties, allowing you to close an often-exploited loophole that could allow unauthorized access to your organization’s critical information.
Chapter 5: Implementing a Defense-in-Depth Strategy. Up to this point in the journey your focus has been building the foundation and structure of the cybersecurity program. Now that is done, we must populate the program with services, and in order to readily find and manage those services we need to put them in a central place: a catalog. The countermeasures service catalog is a repository with a parking space for every one of your program services. Each parking space will include the documents, controls, artifacts and product descriptions that describe the purpose and benefit of each service. The catalog is where you will go to make service enhancements, add new services or retire old services.
Chapter 6: Applying Service Management to Cybersecurity Programs. The next stop on your journey shows you everything that you will need to do to operate your program according to its design and governance principles. Many reported security breaches occurred when organizations did not implement their cybersecurity countermeasures properly. These breaches take place because many managers stop just short of their destination: they fail to implement their program’s countermeasures in a way that ensures they operate efficiently and effectively. In this chapter, I show you how to deliver and support your cybersecurity countermeasures, managing them in a continuous improvement lifecycle. I will give real-world examples of best practices for service management.
Chapter 7: Cybersecurity Program Design Toolkit. Your last stop on the journey is the creation of your cybersecurity program design guide. Here I provide templates for baselining your existing program, designing the new or revised program and documenting how your program is built. How you complete these templates is covered in the previous chapters. Through these forms, I show you how to determine what is usable in a current program, what can be saved, and what should be improved to provide maximum protection of information and assets.
Cybersecurity programs are complex, requiring a methodical approach to their design and construction. When setting out on a journey to build a cybersecurity program, my advice is to start at the beginning, resist hopscotching stops, and stay true to the journey. This book is a process, emphasizing the benefits of basic preparatory steps that are often overlooked. Your journey begins with creating a blueprint of what you are going to build, and it will end with ensuring your program operates as a mature service organization.
Excerpt from the Foreword by Michael Speas
First off, let me start by saying that I’ve worked with Tari Schreider for over 10 years. During this time, we have developed a friendship based on a shared passion for Information Security. Tari has been a key part of helping me build Information Security programs, and I have been able to take that body of knowledge with me wherever I go as I help other companies build their security programs.
After I took on security leadership for an organization early in my career, Tari and I worked together to develop the Information Security program using the ISO 27001 framework. With Tari’s help, I was able to perform a gap analysis of our existing program, align our current policies, standards, and controls, and build a multi-year roadmap for addressing the greatest threats and highest risks to the organization and closing program gaps. Using the ISO 27001 framework and the concepts that Tari outlines in this book, I could demonstrate to senior management, the Board, and our regulators that our program was organized and comprehensive.
Since that time, I have used that experience to build security programs for several companies where I led security teams. Much has evolved with organizations since we first worked together. Companies have become more risk aware, have integrated security into software development, and have started to use artificial intelligence to assist in analyzing user behavior.
Tari’s book is like a compendium of the knowledge that he’s imparted to me and many others in the industry over the years. It’s based on established frameworks and models and, more importantly, practical experience. While I wish I had this book when I first started, I was fortunate to be able to work directly with Tari. However, I know that for those who won’t be so lucky, I plan to make this one of the books I gift to my staff and security friends.
This book truly is a go-to field guide for designing, building, and maintaining an Information Security program. It’s perfect both for someone new to the field and the seasoned professional alike. I know it’s a book that I’ll be referencing often, and I think that you will, too.
Michael Speas
VP, Chief Information Security Officer
Western & Southern Life
August 2019
Additional information: Weight 3 lbs
Excerpt from Chapter 3: Cyber Threat Intelligence
3.7 Cyber Threat Intelligence
Organizations ready to move to the next level of threat management can turn to external intelligence services to aid in their threat decision-making process. Actionable intelligence is key to guiding threat management investments. Dedicating personnel to scour the Internet looking for threat intelligence, or gleaning threat data from information sharing and analysis center (ISAC) alerts, has proven ineffective. Check out the National Council of ISACs at: //www.nationalisacs.org/. The alternative is to outsource threat intelligence gathering to companies specializing in sourcing threat information.
For over twenty years, companies have offered threat intelligence services to help organizations stay ahead of the threat curve. Early services relied on manually sifting through vendor vulnerability reports. Now, intelligence services are faster, more in-depth, and highly targeted toward advanced persistent threats. Today’s services have solved the relevance problem that plagued this industry for some time. Now, only threat information aligned to an organization’s attack surface or industry makes it to the chief information security officer’s desk.
In the past, companies found themselves with multiple threat feeds or services that resulted in various levels of redundancy. Redundancies caused multiple alerts for the same threat, costing valuable research time to sort out the overlap. As a user of several of these services over the years, I was disappointed with how many low-value alerts were rated as high. I also found much of the reporting to be run-of-the-mill, already-known threats.
Requirements guide the gathering of threat intelligence and its analysis to make it actionable. Documenting a proper set of requirements will help you:
Track bad actors targeting your organization.
Acquire threat information aligned to your attack surface.
Know which hacktivist organization targets your industry.
Understand the types of techniques adversaries use to exploit vulnerabilities in your enterprise.
3.7.1 Cyber Threat Intelligence Services
According to a ReportsnReports market research report, the threat intelligence market is growing at an 18.4% compound annual growth rate (CAGR) and should reach $8.94 billion in 2022. Read the entire report at: //markets.businessinsider.com/news/stocks/threat-intelligence-market-growing-at-a-cagr-of-18-4-during-2017-to-2022-says-a-new-research-at-reportsnreports-1002223536. Presently, there are nearly 30 providers of cybersecurity intelligence services of various flavors. Some services focus on providing intelligence on professional hackers and hacktivists, while others focus on reporting emerging threats and vulnerabilities based on your attack surface. Approaches vary widely, from firms that provide human intelligence harvested from the deep web to others that provide sophisticated platforms that integrate threat intelligence directly as a feed to your security information and event management (SIEM) solution.
A comprehensive list of threat intelligence service providers is available in Appendix A.
3.7.2 Cyber Threat Intelligence Program Use Cases
If you are still wondering how an intelligence capability would benefit your organization, I have highlighted several tactical use cases.
Countermeasures alignment: Countermeasures rely on rules, filters, and signatures to be effective. Intelligence provides advanced warning of specific threats that countermeasures can address if properly configured. Using high quality intelligence reduces false positives.
Incident response (IR): The IR team can use threat intelligence to validate the indicators that triggered alarms, accelerating response time. The intelligence can provide valuable data about a threat's origin, behavior, and associated adversaries.
SecOps: Threat intelligence can assist SecOps personnel to triage SIEM alerts through the attachment of risk score tags. Threat intelligence systems can interface directly with the SIEM to automate alert prioritization.
System hygiene: Patching systems is a significant effort for any organization and knowing what and when to patch can save precious resources, time, and budget. Most organizations operate on a patching backlog and prioritizing patching efforts allows you to focus on your most at-risk systems.
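The SecOps use case above (risk-score tags attached to SIEM alerts) together with the cross-feed redundancy problem described at the start of this section, as an added example that is not from the book or any vendor product: two overlapping indicator feeds are collapsed into one record per indicator, then constructed SIEM alerts are scored and ranked. The feeds, the alerts, the TEST-NET addresses and the +10 boost for indicators known to target the organization's own sector are all constructed assumptions of this example.

```python
"""Threat-intelligence enrichment of SIEM alerts. All feeds, alerts and the
sector-relevance boost below are constructed for this example."""
# Constructed indicator records shaped loosely like two vendor feeds. The same
# IP is reported by both with different confidence values, which is the
# cross-feed redundancy the text describes.
FEED_A = [
    {"type": "ip", "value": "203.0.113.10", "confidence": 90,
     "sectors": ["finance"], "source": "feed-a"},
    {"type": "domain", "value": "Update-Check.example", "confidence": 60,
     "sectors": ["retail"], "source": "feed-a"},
]
FEED_B = [
    {"type": "ip", "value": "203.0.113.10", "confidence": 70,
     "sectors": ["finance", "insurance"], "source": "feed-b"},
]
# Constructed SIEM alerts; A-3 has no matching indicator at all.
ALERTS = [
    {"id": "A-1", "rule": "outbound connection", "observables": {"ip": "203.0.113.10"}},
    {"id": "A-2", "rule": "dns query", "observables": {"domain": "update-check.example"}},
    {"id": "A-3", "rule": "failed login", "observables": {"ip": "198.51.100.7"}},
]

def merge_feeds(feeds):
    """Collapse overlapping feeds into one record per (type, value): keep the
    maximum confidence, union sources and targeted sectors (one threat, one alert)."""
    merged = {}
    for feed in feeds:
        for ind in feed:
            key = (ind["type"], ind["value"].lower())
            cur = merged.setdefault(key, {"confidence": 0, "sectors": set(), "sources": set()})
            cur["confidence"] = max(cur["confidence"], ind["confidence"])
            cur["sectors"].update(ind["sectors"])
            cur["sources"].add(ind["source"])
    return merged

def risk_score(alert, indicators, org_sector):
    """Highest matching indicator confidence across the alert's observables,
    plus an assumed +10 (capped at 100) when the indicator is known to target
    org_sector. 0 means no intelligence match."""
    score = 0
    for kind, value in alert["observables"].items():
        ind = indicators.get((kind, value.lower()))
        if ind is None:
            continue
        s = ind["confidence"] + (10 if org_sector in ind["sectors"] else 0)
        score = max(score, min(100, s))
    return score

def tag_for(score):
    """Map a numeric score to the tag SecOps sorts on."""
    if score >= 80:
        return "high"
    if score >= 50:
        return "medium"
    return "low" if score > 0 else "none"

def prioritize(alerts, indicators, org_sector):
    """Return copies of the alerts with risk_score and tag attached, highest first."""
    enriched = []
    for alert in alerts:
        score = risk_score(alert, indicators, org_sector)
        enriched.append({**alert, "risk_score": score, "tag": tag_for(score)})
    return sorted(enriched, key=lambda a: a["risk_score"], reverse=True)
```

Running `prioritize(ALERTS, merge_feeds([FEED_A, FEED_B]), "insurance")` ranks the outbound connection to the doubly reported IP first with a "high" tag, the DNS query "medium", and the unmatched failed login last with no tag.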
Why a Second Edition?
When I was writing the first edition of this book, I knew that certain aspects of it would become dated owing to rapid changes in the cybersecurity industry, threat landscape and providers. Two years later, I take full measure of all that has evolved in the cybersecurity world. Increasing zero-day attacks, growth of state-sponsored adversaries and consolidation of cybersecurity products and services all converged to shape where we are today. We have also witnessed some of the world's largest data breach events, increasingly destructive ransomware attacks and changes in legal and regulatory statutes.
Aside from substantial updates of standards, source links and cybersecurity products, here is what's new in the second edition:
50+ callout boxes highlighting cyberattacks and important resources.
60 self-study questions to hone your knowledge.
25 overviews of cybersecurity technologies.
Expanded coverage of the intersection of cybersecurity and privacy.
Expanded coverage of security training strategies.
A new security talent development section.
Discussion of cyber insurance policies.
A new security testing strategies section.
New adversary profiles.
Expansion of attack surface discussion.
Inclusion of new threat frameworks.
Inclusion of a service management catalog.
Introduction to emerging cybersecurity technologies.
17 powerful templates to document your cybersecurity program.
I have always envisioned keeping this book regularly updated to ensure you would have a reliable cybersecurity reference source. I see this book as a forum to express my views on protecting assets and information. I also see it as a way to share what I learn through teaching Chief Information Security Officers (CISOs). Teaching affords me a platform to learn how some of the largest companies in the world address cybersecurity. I look forward to sharing future updates with you.
Tari Schreider
Course Adoption
Comprehensive Instructional Materials NOW AVAILABLE!*
* (for qualified academic adoptions)
Building an Effective Cybersecurity Program 2nd Edition is available for evaluation for course adoption for colleges and universities.
I've had the pleasure of learning directly from Tari, but this book allows everyone to learn what his years of experience can offer. What I love about this book is how it is really a step-by-step guide with practical examples and a true roadmap for anyone who needs to build a cybersecurity program. If you are new in this area, this is a great book to learn from. Whether you need to build a program or just want to understand the basics, you can do either with this book. It is written in a way that someone new to the industry can understand, but does not speak down to someone with years of experience. You can follow the book like a blueprint or look at the table of contents, pick a topic you want to learn more about and just go to that chapter. Either way you will gain valuable insights and useful information.
– Sharon Smith, Cybersecurity Strategy and Advisory Consultant, Verizon
Tari is a seasoned professional that has seen and done it all. I've actually had the pleasure of working with him on several projects focused on building security programs for various companies over the past 15 years. He's worked with organizations of all different sizes and has a knack for helping security professionals build their programs and create value for their companies. This book is an excellent reference guide of how to practically and pragmatically build a security program. Tari provides guidance on multiple approaches that can be used or combined to build a strong program and supporting processes. Additionally, Tari recently updated it to address emerging risks and practices used in more advanced security programs. It is my go-to resource anytime I'm looking to build, re-build, or re-factor parts of my organization's security functions and processes. I recommend this book to anyone that is or wants to build out a program or define process.
– Michael Speas, VP, Chief Information Security Officer, Western & Southern Life
Extremely valuable and clear guidance as to what are the most effective methodologies for cybersecurity program development. Definitely an indispensable read for industry practitioners.
– Andrea Watson-Rich, Program Manager, Hewlett-Packard Enterprises
This book is really a great, such an easy read. It is really well structured and laid out and details all the steps needed to create a well developed and well designed cybersecurity program. It contains a lot of useful links to various sites as well so provides some very practical help and tips. Would recommend.
– Angela Bird, Security Architect
There are a myriad of cybersecurity books available these days. However, none like this. This book is the differentiator. It provides sensible and powerful insights/guidance towards establishing a sound, effective cybersecurity program. Even if you work for a company with an already established information security program, Tari’s years of experience and expert advice provides indispensable building blocks – compilation of cybersecurity reference architecture – to help you mature aspects of your cybersecurity capabilities where you may need it. Simply a “must have” to complete every cybersecurity professional’s or aficionado’s reading compendium.
A must read for any professional that either (1) desires to build a world class enterprise cyber program or (2) is continuously challenged by Boards of Directors. The content is very easy to digest and is laid out nicely where topics segue into the next appropriate one. I have been in cyber for 20 years and found it very educational and still able to learn from the contents within. I have said it before and I will say it again. When I transitioned from being a police detective to cyber, I was incredibly fortunate to be next to the best and the brightest the industry had to offer at Internet Security Systems (ISS), Tari being one of them. A special thanks to Tari Schreider for putting this together and making it available for novice or avid practitioners.
– Carter Schoenberg, Executive Vice President – Cybersecurity Solutions, IPKeys Power Partners
The digital age is not immune to cybercrime. Global economies cannot maintain status quo infrastructures. With that said, industries need top notch experts such as Tari Schreider. In his latest book, Building an Effective Cybersecurity Program 2nd Edition, Tari details every step needed for a successful implementation of building Cybersecurity programs from the ground up. He comes with 30 plus years of knowledge and is an invaluable resource for CISOs, managers and students alike.
I highly recommend the section which highlights attack surface and new threat frameworks. A must read if you consider yourself to be "one of the good guys." If you are a seasoned CISO then you already are familiar with Tari's work, but if you are new to the field you are in for a treat. It is not often that you will find someone as precise and dedicated to improving the cyber world we live in today.
– Vanessa Fulton, Assistant Director of Loans, Georgia Institute of Technology
One of the best Gartner advisory documents ever written was "Toolkit: The New CISO's Crucial First 100 Days" by Christian Byrnes and Michael J. Corby. They write that a new chief information security officer (CISO), like any new manager, can expect a "honeymoon" period. But this period is likely to be very brief, typically the first 100 days or so. The new CISO must make the most of this critical period because it represents the first and sometimes last opportunity to set the enterprise's security processes and technologies on an effective course.
Two of the key findings in the report are that most CISOs who fail do so because they do not meet business requirements and expectations (and don't effectively communicate how they have met those expectations), not because of technical or operational reasons, and that the successful CISO is primarily a leader, a manager and a communicator, not a technologist.
The report does a fantastic job of laying out the foundations of how a CISO can be successful. But what happens on day 101? In Building an Effective Cybersecurity Program (Rothstein Publishing, ISBN-13: 978-1944480530), author Tari Schreider has written a tactical guide that a CISO can use to take those core ideas of the first 100 days and put them into play to build out an effective information security program.
While the Gartner document is more conceptual, this book is thoroughly practical and pragmatic. In the seven chapters of the book:
Designing a Cybersecurity Program
Establishing a Foundation of Governance
Building a Cyber Threat, Vulnerability Detection, and Intelligence Capability
Building a Cyber Risk Management Capability
Implementing a Defense-in-Depth Strategy
Applying Service Management to Cybersecurity Programs
Cybersecurity Program Design Toolkit
…Schreider provides a detailed and real-world roadmap on how to create an effective information security program. He also brings his practical experience to every chapter, detailing what works and does not, the pros and cons of items suggested and more.
Numerous templates are provided to assist in these build-outs. There does not seem to be an online portal to use these templates, which would have been quite helpful. It also lists products for each technology listed, which makes it helpful for the reader to know what it is available.
While the book is geared toward CISOs and security managers, it is of value to anyone tasked to build out an information security program. What makes the book so valuable is that it is light on theory and heavy on practical guidance.
Schreider has decades of information security and risk management experience in numerous environments and industries. He brings that experience to every chapter in this valuable guide.
There's no shortage of books with pages of theory, which is a good thing. But not enough with practical and hands-on advice. For those looking for a go-to guide to assist them in building out their information security program, Building an Effective Cybersecurity Program is just what they need.
– Ben Rothke, CISSP CISM, Principal Security Consultant, Nettitude
Book Review: Building an Effective Cybersecurity Program
For me, when choosing a technical book to read, the author's credentials carry significant weight. I usually spend some time researching their previous publications and work history. I want to know they are an expert in the field, or at least have sufficient knowledge to warrant considering their ideas and opinions. The author of Building an Effective Cybersecurity Program, 2nd Edition, Tari Schreider, C|CISO, CRISC, ITIL Foundation, MCRP, SSCP, is well-credentialed. Tari is a nationally known expert in the fields of cybersecurity, risk management, and disaster recovery. He was formerly Chief Security Architect at Hewlett-Packard Enterprise and National Practice Director for Security and Disaster Recovery at Sprint E|Solutions. He is an instructor for EC-Council, where he teaches advanced CISO certification and risk management courses.
For those readers that like getting right to the point and dislike reviews that hide the final recommendation somewhere near the end of the article, let me say that I recommend reading this book – if. I recommend reading this book if you want to be the smartest person in the room, even if new to cybersecurity, when discussing your organization's cybersecurity program. This book will become your go-to field manual to guide or affirm your decisions about the organization's program.
In the preface, Schreider identifies three reasons why this book is needed:
Few managers have ever had to build a cybersecurity program from the ground up. This deficit has resulted in programs based on "insular opinions" rather than sound architecture and design principles.
The cybersecurity skills gap has created a generation of managers ill-equipped to build a cybersecurity program.
To help inexperienced managers avoid falling under the spell of what he calls "security theater" – succumbing to cybersecurity technologies proffered by the thousands of vendors and consultants with little regard for cybersecurity basic blocking and tackling.
This work contains seven chapters, an appendix, and an index – not to mention a preface, foreword, introduction, and dedication. Schreider has not scrimped on content in this book. At over 340 pages, don't expect to rush from one cover to the other. Most readers will want to take their time getting through it once and then use it as a reference source after that.
With about an equal amount of attention paid to each, the primary sections of the book cover:
Designing a cybersecurity program
Establishing a foundation of governance
Building a cyber threat, vulnerability detection, and intelligence capability
Building a cyber risk management capability
Implementing a defense-in-depth strategy
Applying service management to cybersecurity programs
Cybersecurity program design toolkit
Employing a fairly casual, yet endearing, first-person narrative style, Schreider lays out each chapter with a useful roadmap, checklists, and self-study questions. These stylistic tools enable the easy consumption of what could otherwise be technical and dry material.
Adopting and applying the characteristics of a journey, Schreider guides the reader through the mileposts of building a cybersecurity program, start to finish. Even so, the book is organized so it can easily be used as a reference guide, providing detailed information for any point along the route.
This book includes ample visual graphics to illustrate the complex ideas addressed in the text. These graphical representations help the reader to comprehend and retain the information presented. It should be noted that there are a large number of hyperlinks in this book. Many readers will find a digital copy with active hyperlinks most useful.
Sprinkled throughout the book are helpful tips, such as "Never be that person who is unable to provide me with a blueprint of your cybersecurity program." These tips are a useful device to help the reader take stock of their strengths and weaknesses and serve to illustrate where more information is needed to guide their learning.
Many readers will find reassurance in Schreider's insistence that a sound cybersecurity program must be based on the firm foundation of tried and tested policies and procedures. Throughout the book, he reinforces his conviction that even the best programs cannot predict every situation and that at some point, every organization must rely on their employees to do the right thing consistently.
The technologies employed by cybersecurity vendors are evolving at an ever-increasing speed. With hyper-focus on everything from artificial intelligence and machine learning to new philosophies like integrating security practices within the DevOps process, basic security principles can easily be overlooked or even pushed aside. With this book, Tari Schreider is an essential voice in that he provides a blueprint for designing and implementing a sound cybersecurity program. Something that should not be overlooked, short-circuited or abbreviated.
Steven Bowcut, CPP, PSP is an award-winning journalist covering cyber and physical security. He is an editor and writer for Brilliance Security Magazine as well as other security and non-security online publications. Follow and connect with Steve on Twitter, Facebook, Instagram, and LinkedIn.