
Out Thinking the Barbarians © John W. Link & Jo Lee Loveland Link 2015

“This is a global problem. We don't have a malware problem. We have an adversary problem.” ~ Tony Cole, VP, FireEye.

Out Thinking the Barbarians:

Agile Cybersecurity Action Planning (ACAP)

John W. Link & Jo Lee Loveland Link

The bad news is… there are Cyber Barbarians at the gate. The worse news is… the Cyber Barbarians are really wily, creative and more adaptive than your organization.

Cybersecurity today is driven primarily by a “Castle Model” of Cyber defense. Current Cybersecurity defense strategies are focused on building relatively static firewalls, applications, and rigid monitoring processes in the hope that, with some tweaking and remediation, these protections will hold. These defenses are checked and assessed for compliance against standards based on static “best practices.” The problem is that current best practice models may not be up to the emerging threats and risks. Conventional security often detects Cyber-threats too late (if at all), reacts too slowly to new threats, does not see changing conditions, and resolves incidents too slowly. Cybersecurity teams often have a fragmented and incomplete view, so emerging broader threat trends are often “strategically invisible.”

The challenge is that the “Cyber barbarians” -- whether state intelligence or non-state actors (young hackers, criminals or hacktivists) -- are constantly looking for back doors, flaws and human failure: chinks in the castle mortar, as it were. The Cyber-attackers are disturbingly creative and adaptive in their use of social engineering to gain access. From Target, to Ebay, to Sony and more, we have seen resourceful and wickedly clever examples of Cyber intrusions. The threats are multi-variant. Cyber-attackers are as different in their methods as in their origins, and their methods are constantly evolving. The answer is to out think them by using the Agile Cybersecurity Action Plan (ACAP).

What is New about the Agile Cybersecurity Action Plan (ACAP)?

The purpose of the Agile Cybersecurity Action Plan (ACAP) is to launch a fresh, dynamic, and holistic approach to quickly align the organization’s technical and organizational capability, processes, and policies to meet today’s rapidly changing universe of Cybersecurity.

To accomplish this, ACAP uses a hybrid approach integrating:

• Adaptive Strategy/Culture Development
• Stakeholder/User Engagement
• Collaborative Problem Solving
• Strategic Planning
• Threat and Risk Management
• Network Operations Center Best Practices
• And critically -- Agile Software Development and Planning

ACAP’s Agile DNA

In 2001, a group of leading technology stars of that time published the Manifesto for Agile Software Development (http://agilemanifesto.org), which forged a new path for technology with its principles:

1. Individuals and interactions over processes and tools
2. Working software over comprehensive documentation
3. Customer collaboration over contract negotiation
4. Responding to change over following a plan.

Gradually over the intervening years, the wisdom of the Agile approach has become increasingly apparent, and is now forcefully recommended in both industry and government guidance.

In February 2015, the Government Accountability Office released a report on current Federal IT High-Risk Projects (http://www.gao.gov/products/GAO-15-290). Previously, in May 2014, the American Council for Technology Industry Advisory Council (ACT-IAC) released its 7 S’s for Success Framework for Major IT Programs (https://actiac.org/sites/default/files/7-S_for_Success_0.pdf). Two consistent threads run through all of these influential documents on how to improve government (and other) IT: large-scale IT failures result from poor program and organizational management, and Agile Software Development is no longer a “nice-to-have” but mandatory for IT success in today’s pressurized, emergent environments. Following the Agile perspective, ACAP is iterative, collaborative, and adaptive to changing conditions; it is focused not on attaining some “peak of perfection” but on moving from plateau to plateau of “better than good enough, right now.”

Managing the Thorny Human Problem

The consequence of failing to acknowledge the human dimension in IT is seen as a core flaw in IT programs. Unfortunately, technologists and managers alike have hitherto shared an unrealizable fantasy: technology can cure its own ills. Yet former DHS and IRS CIO Richard Spires has said, “This is not really a technology problem as much as a skill and cultural one. Culture is the biggest issue.” The current turbulent Cybersecurity technology environment and operational tempo only heighten the need for ACAP. ACAP bolsters current Cyber approaches with the paradoxical approach of fusing linear and non-linear process designs. ACAP is not just a technical process – ACAP ensures people and technology work together to provide a Cybersecurity strategy, culture and infrastructure adaptive to emergent and unexpected threats.

ACAP’s Goals Are To:

• Re-imagine Cyber-defense
• Reduce stovepipes and dysfunctional hierarchies within Cybersecurity organizations
• Strengthen information-sharing
• Build strong communications bridges across the traditional management/technical divide
• Accelerate agility and creativity in response to Cyber threats
• Strengthen necessary technical and process discipline

How Does ACAP Work in Practicality?

The Agile Cybersecurity Action Plan (ACAP) Process is a 1-3 day work session of a cross-functional, cross-organizational technical and leadership team, “The ACAP Steering Group,” which gathers and shares information, surfaces insights, and makes decisions to:

1) Create and continuously update an evolving Current Threat/Risk Profile. This needs to include divergent, adaptive, creative thinking from diverse people and sources to surface as many emergent threats and vulnerabilities as possible.

2) Rapidly assess the organization’s Cybersecurity Infrastructure for real-time effectiveness and adaptability against the Current Threat/Risk Profile. This Cybersecurity Infrastructure includes: (a) Technology, (b) Monitoring and Response Processes/Plans, (c) Staff Capacity, and (d) Cybersecurity Policies.


4) Identify process and system deficiencies or problems before they fail or are compromised. Establish fast-response approaches for current threats underway. Search for new paradigms of Cybersecurity defense.

5) Create a robust Action Plan to remedy and fix problems by taking advantage of best thinking of the ACAP Steering Group. This will require highly interactive management approaches and creative system interventions.

Here are the core elements of the ACAP Process:

• Iterated in 1 to 6 month cycles (depending on urgency and speed of Cyber incidents), much like Agile Development’s “Sprint” process (fast-track product development timeframe).

• A “Break-Glass” process that allows an ACAP session to be held out-of-cycle if a new “game-changing” technology threat, unpredicted intrusion, or some other “Cyber-ecology” event demands a response strategy.

• ACAP uses high levels of human skills, including information sharing, creative thinking, and structuring alternative scenarios to improve success in Cybersecurity prevention and response.

• ACAP creates a “Problem-Solving Culture” that opens inter-personal communication, information sharing and collaborative problem solving.

• Cybersecurity Strategy is seen as provisional, and always focused on emerging threats and risks, not just compliance to some fixed (and sometimes outmoded) standard.

Note: Though ACAP is not narrowly compliance focused, standards can provide checklists. No de-confliction of standards is needed to create a solid baseline checklist supporting Cybersecurity strategy because:

• ACAP is “framework-agnostic” – i.e., the ACAP Process can be adapted to work readily with a wide range of models and processes (e.g. FISMA-DHS/NIST, SANS, ISO, etc.).

• ACAP therefore can utilize whatever security controls and/or standards are in place or that the organization wishes to switch to.

The Basic ACAP Operational Steps

1. Review the Organization’s Strategy and Mission

Scrutinize current Mission and Strategy in light of establishing new Cybersecurity priorities.

2. Define Cybersecurity Mission & Vision

Align Cybersecurity Strategy Mission with the Organization’s Mission. Otherwise, people will be “riding off in all directions” and splintering focus. (Steps continue below the graphic.)


[Graphic: The ACAP Process. (D) = Deliverable. The diagram shows the following stages and deliverables.]

Stages: Review of Organization’s Strategy and Mission; IT Asset Inventory; IT Architecture Assessment; Develop Adversary and Risk Portfolio; Technology Assessment (Software, Hardware, Network); Monitoring Process Assessment (Network Operations, Monitoring/Intrusion Response, Remediation Process, COOP & Recovery, Cybersecurity Knowledge Mgt.); Staffing Baseline; Initial Security Policy Assessment; Identify Tech Gaps; Identify Process Gaps; Assess and Identify Staffing Needs.

Deliverables: (D) Cybersecurity (CYS) Vision and Mission; (D) Cybersecurity Protection Priorities; (D) Core CYS Performance Parameters; (D) ACAP Baseline Cybersecurity Threat & Risk Profile; (D) CYS Tech Update & Acquisition Plan; (D) Final CYS Policy Review & Update; (D) CYS Response, Remediation & COOP Plan Update; (D) Continuous Monitoring Update; (D) CYS Staffing Plan; (D) ACAP CYS Implementation Action Plan & Funding Request.


3. Define Protection Priorities

Decisions have to be made regarding the best use of limited resources in a crisis. This may mean some tough choices through thoughtful analysis of protection priorities, rather than incident-driven triage.

4. Define Level of Cybersecurity Performance Parameters

What part of the Cybersecurity system is most vulnerable? Is any penetration acceptable? How much downtime is acceptable? Which part(s) of the system must be at top performance? What scenarios could emerge that would change this?

5. IT Asset Inventory – Protection Set and Priorities

You have to know what assets you are trying to protect. What makes which of these valuable?

6. IT Architecture Assessment – Problem Analysis

Are there structural or technical problems, such as weak firewalls, subnets, or unknown routers, within the organization’s architecture? Are there obvious structural vulnerabilities you can identify?

7. Develop Adversary and Risk Portfolio

Examine historical Cyber-adversaries and potential new adversaries. What are their current and near-future capabilities? Explore unlikely, but potentially disastrous, potential incidents. Be sure to involve original thinkers and perspectives from people of diverse populations, which may well include users.

8. Develop the ACAP Baseline Cybersecurity Threat and Risk Profile

This combines both the known structural vulnerabilities and the most likely threats to them.

9. Build Cybersecurity Technology Assessment and Renew/Refresh Strategy

After technical deficiencies have been identified and analyzed, needed technologies and technical upgrades are aggregated into a Cyber-Technology Refresh Strategy that triages them into three classes:

1. Must-Have Technologies & Updates
2. Should-Have Technologies
3. Would-like-to-have Technologies (but not now).

10. Conduct Monitoring Process Assessment and Mitigation Planning

Once the Cybersecurity Renew/Refresh Strategy is in place, the following assessment and strategy updates will become vital:

• Network Operations
• Monitoring/Intrusion Response Processes
• Cybersecurity Knowledge Management
• Cybersecurity Remediation Process
• COOP & Recovery Processes

11. Update the Cybersecurity Response, Remediation and COOP Strategy against the Organizational and Cybersecurity Strategies

Assess these Cyber responses against the overarching strategies on a disciplined timeframe. Update as needed on a continuous cycle to ensure that the right critical assets are protected.

12. Create Cybersecurity Staff Assessment and Staffing Plan

Assess numbers, technical and process competency, and morale of the Cybersecurity staff. Identify issues and make needed changes.

13. Develop Cybersecurity Action Plan and Funding Request

After establishing the needed changes across the Cybersecurity Infrastructure, the critical step is to create an ACAP Action Plan to implement them. Members of the ACAP Steering Group monitor the implementation steps needed. Additional funding may be required to meet technical or staff upgrades.

Some Criteria for ACAP Success

Senior Leadership That Really Leads

Sponsor support by the Senior ACAP Steering Group – especially the CSO and the CIO – will be imperative. Senior leadership will need to be fully prepared to serve as role models, frequent spokespeople, and internal champions for the ACAP Steering Group to the organization.

ACAP Communications: Linking the Human Dimension

Technical initiatives fail due to neglect of the human dimension, including communication. To achieve ACAP implementation and “organizational mobilization,” the right information must get to the right people at the right time, without hindrance. This requires an often-overlooked Communications Strategy as an adjunct to ACAP. In addition, an expanded, cogent business case based on ACAP Proceedings may need to be created for new technology.

Master-Level Professional Facilitation

This is human stuff and there is no app for that. While the core ACAP process is not as complex as some process improvement approaches (e.g. Six Sigma, ITIL, etc.), the kind of rapid, efficient momentum needed for peak human performance of the ACAP Steering Group will require expert professional facilitation. The ACAP Steering Group itself must operate with high-level team dynamics capable of managing conflict and sorting complex and emergent challenges.


Summary

We are entering a new world. The speed and coverage of global and national IT systems provide greatly accelerated technology advantages, but open doors to unprecedented risks and threats. To meet this new challenge, ACAP provides Cyber defenders an agile process to coalesce their best thinking into an iterative, adaptive strategy. ACAP will likely challenge and upend the current IT/Cybersecurity budget cycle as leadership realizes the level of danger the organization is in. The Cyber Barbarians are at the gate, so what are you going to do now? Out think them with ACAP!

John W. Link and Jo Lee Loveland Link • www.volvoxinc.com • 540-465-1491 © John W. Link and Jo Lee Loveland Link 2015

John and Jo Lee are masters of the “human stuff,” providing organizational management, communications and strategic consulting to corporate, government (DOD and IC) and non-profit clients. Jo Lee was for several years Visiting Scientist at Software Engineering Institute working with CMMI, Risk Management and Managing Technology Change at NRO, Warner-Robins AFB, and other agencies. John has worked for Army Chief of Staff for Installation Management CIO, FEMA, DOJ, and others. Both were Senior Members of the Governance Team for the DOD OSD CIO/NII Horizontal Portfolio Initiative, one of the first demonstrations of cloud-based Information-sharing initiatives in DOD/IC. They have worked with Lucent, Johnson & Johnson, ARINC, and George Mason University. They are co-designers/presenters for Chaos, Inc. ™, an original experiential laboratory and seminar.