As the cyber landscape changes, new threats arise, old threats evolve, and vulnerabilities are constantly putting companies and agencies at risk. The concept of “cybersecurity” has evolved from total defense, to layered defense, to cyber resiliency, based on risk analysis and a cold calculus of our own risk profiles. One way to approach this is through outcome-based cyber, an emergent practice I have helped shape.
Outcome-based cyber is a more holistic approach to cyber security than compliance-based cyber. Compliance-based cyber is a comforting checklist: determine a risk profile, set controls, and measure compliance with those controls. That has become foundational to cyber security programs, but it is obviously not sufficient. Outcome-based cyber occurs when an organization actively and continuously assesses its network and systems and responds promptly to what it discovers. The U.S. government is now recognizing this in the Department of Defense’s mandate that suppliers transition to the new Cybersecurity Maturity Model Certification (CMMC).
This evolution doesn’t remove the need for classical cyber security controls. If an organization is not following the NIST SP 800-53 controls, including configuration and privilege management, then that organization will not be secure, and it won’t meet CMMC guidance.
Outcome-based cyber measures the value and validity of an organization’s cyber defenses and enterprise through active analysis against the organization’s total risk profile. Because each organization is different, implementing outcome-based cyber is each organization’s own strategic decision. Most organizations with security operations centers already determine what they need to measure and what they need to react to, but those measures must evolve continuously.
Risks are discovered through analysis and red teams, a group from outside a network who come in as “friendly” adversarial insiders. They use hacking tools, social engineering, and physical access evaluations to assess targets’ security profiles. Red teams deploy cyber scenarios and hopefully find vulnerabilities before they become issues.
True outcome-based cybersecurity requires organizations to stay dynamic and reactive. The controls put in place on Day X may not apply on Day X+180, and must be re-examined to ensure they’re addressing major new threat vectors. For instance, when data centers started deploying virtualization, threats started attacking hypervisors, and new policies and technologies appeared to defend against these attacks. The same is true with the latest Intel and AMD processor vulnerabilities, wired into the very hardware of the CPUs in our systems.
As researchers discover new vulnerabilities, leadership has to determine the risk these pose to the organization. If a CPU vulnerability can be accessed through a Web page drive-by attack, it’s high priority and has to be patched; if a hypervisor vulnerability can only be executed by people with access to certain enterprise resources, adding monitoring to those resources may be the appropriate response.
The key to outcome-based cyber is the process of risk analysis. For example, what are the odds that a malicious actor can get to one server that houses critical business information? It might be low. Add 500 people with electronic access to that same server and the risk goes up significantly. Organizations must weigh the cost of mitigating the risk against the cost and impact of the outcome of not responding to a vulnerability.
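The server example above can be carried through as a small expected-loss calculation. The following is an added worked example, not part of the original article: every number in it (per-user compromise probability, impact, mitigation cost, the control's effectiveness) is a constructed assumption, and the model treats each person with access as an independent, equally likely path to the server, which is a simplification.

```python
"""Expected-loss comparison for the 'one server, N people with access' scenario.

All figures are constructed assumptions for illustration. Model: each person
with electronic access carries an independent annual probability p of being
compromised (phished, credentials stolen, etc.); the server is reached if at
least one of them is. Expected loss = P(server reached) * impact. A control is
worth funding when the expected loss it removes exceeds its cost.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    users_with_access: int      # people who can reach the server electronically
    p_user_compromise: float    # assumed annual probability one given person is compromised
    impact_usd: float           # assumed loss if the server's data is exposed


def p_server_reached(users: int, p_user: float) -> float:
    """Probability that at least one of `users` independent accounts is compromised."""
    if users < 0 or not 0.0 <= p_user <= 1.0:
        raise ValueError("users must be >= 0 and p_user in [0, 1]")
    return 1.0 - (1.0 - p_user) ** users


def expected_loss(s: Scenario) -> float:
    """Annual expected loss for the scenario, in USD."""
    return p_server_reached(s.users_with_access, s.p_user_compromise) * s.impact_usd


def mitigation_decision(s: Scenario, mitigation_cost_usd: float, residual_factor: float) -> dict:
    """Compare expected loss with and without a control.

    residual_factor is the fraction of the per-user compromise probability that
    remains after the control (0.2 means the control removes 80% of it).
    """
    before = expected_loss(s)
    after = expected_loss(Scenario(s.name, s.users_with_access,
                                   s.p_user_compromise * residual_factor, s.impact_usd))
    benefit = before - after
    return {
        "scenario": s.name,
        "p_reached_before": round(p_server_reached(s.users_with_access, s.p_user_compromise), 4),
        "expected_loss_before": round(before, 2),
        "expected_loss_after": round(after, 2),
        "mitigation_cost": mitigation_cost_usd,
        "net_benefit": round(benefit - mitigation_cost_usd, 2),
        "fund_mitigation": benefit > mitigation_cost_usd,
    }


if __name__ == "__main__":
    # Constructed inputs: 1% annual per-user compromise probability, $1M impact,
    # a $50k control (e.g. phishing-resistant MFA for that server) cutting p by 80%.
    single = Scenario("one admin has access", 1, 0.01, 1_000_000)
    many = Scenario("500 people have access", 500, 0.01, 1_000_000)
    for s in (single, many):
        print(mitigation_decision(s, mitigation_cost_usd=50_000, residual_factor=0.2))
```

With these assumptions the same $50k control is not worth funding when one person can reach the server (it removes about $8k of expected loss) but clearly is when 500 people can (it removes several hundred thousand dollars), which is the point the paragraph makes: the control set is a function of exposure, not a fixed list.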
Outcome-based cyber is about continuously evaluating an organization’s status and the risk environment. Last January, the U.S. Cybersecurity and Infrastructure Security Agency sent a notification about a Mozilla Firefox zero-day vulnerability that included its severity, its commonality, and the fact that it was already being used in the wild by malicious actors. Through threat intelligence and information sharing, companies were able to identify the flaw, understand it as they assessed risk, and install patches.
Vulnerabilities, like that Firefox bug, must be patched, while other issues might be accepted, temporarily, as part of a risk analysis, and still others are addressed through installing compensating controls around them.
Security operations centers are responsible for analyzing new and emerging threats and building more powerful rules. Companies should be taking that information and sharing it both for internal and external partner organization use, including the Department of Defense Cyber Crime Center (DC3) and IT-ISAC. This will lead to increased global cyber resiliency, a topic that the Cyberspace Solarium Commission’s report addresses.
The Department of Defense’s CMMC will be the new standard for doing work with the Pentagon, and it mandates an outcome-based cyber approach. Beyond the basic levels, an entity must be capable of identifying and intercepting advanced per-system threat-level cyberattacks, and of assessing risks from emergent and anticipated threats. This is one of the purposes of outcome-based cyber. It’s a philosophy, not a toolset: a philosophy that balances risk to the enterprise, the company, and the community.
John Cosby is director of solution architects within BAE Systems’ Intelligence & Security sector.