Great points. A few ways we approached the task of documenting control purpose and subsequent control portfolio rationalization...

1. Build up a picture of credible attack paths the overall portfolio needs to protect against (cyber / physical / social - internal / external) https://twitter.com/philvenables/status/1259246169571590144
2. Use incident data to understand the nature of threat actors and tactics that have caused a response.
3. Look across incidents and triage the controls that, across all incidents, were most effective at preventing compromise or material impact / undesirable disruption.
4. Based on this, use efficacy measurements across your control portfolio to identify:
'At what points along an attack path were controls effective, and what was the cost to e.g. prevent or deliver a high fidelity detection?'
With that data you can then...
5. Look at where you've made investments, and understand
- what attack paths they correspond to
- the efficacy of the control to disrupt a threat actor at a specific step of an attack path.
(Helpful tools = MITRE ATT&CK + Cyber Defence Matrix)
6. Ask whether it is possible to
- repurpose investment to disrupt an attack path earlier / faster / cheaper
- remove a control without detriment to current or future adaptive capability
- a mixture of both (with appropriate consideration of effort, impact and friction etc)
Ultimately, this needs to be a 'scientific method' that measures and tests in the dimensions of commercial, compliance, threat and tech context to establish if a better control pattern is achievable.
Unfortunately decisions to remove controls are often taken either on a purely financial basis (i.e. cost cutting) or in an effort to simplify vendor management (i.e. 'one butt to kick').
One of the challenges we face in security is creating shared mental models with colleagues in other teams, so that decisions to 'turn off x' are made in the aggregate context of relevance / effectiveness / efficiency of current control patterns (and trade offs) vs other options.
You can follow @CxOSidekick.