Managing cyber risk
in the face of sophisticated adversaries
A Microsoft U.S. Government white paper
October 2010
www.microsoft.com/govsecurity i
This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.
© 2010 Microsoft Corporation. All rights reserved.
Contents
Executive summary (page 1)
Challenges of a complex threat (page 2)
A three-step strategy for addressing the cyber threat (page 4)
Starting with a risk-based plan for cybersecurity (page 5)
Implementing a strategy of persistence (page 6)
Moving to innovation: Assessing infrastructure maturity (page 7)
A final word on the ROI of a cyber attack (page 9)
Microsoft and the cyber threat landscape (page 10)
Endnotes (page 11)

List of figures
Figure 1 Three steps to helping improve cybersecurity (page 4)
Figure 2 Cybersecurity life-cycle model (page 6)
Figure 3 The Cybersecurity Maturity Model (page 8)
Figure 4 Advanced tactics for reducing profit for cyber adversaries (page 9)
Executive summary
Our nation’s security is at risk from sophisticated adversaries who target IT systems to steal terabytes of intellectual property data, trade secrets, and classified military and government information. With so much at stake, national security organizations must take a strategic look at how to manage risks associated with 21st-century missions.i

With the rapid expansion of the national information infrastructure—and our nation’s dependence on it—our vulnerability to cyber attack has grown. Today, great potential exists for determined, well-prepared nation-state actors, spies, terrorists, and cybercriminals to employ sophisticated and sometimes coordinated tactics against the national information infrastructure for their own gain—whether economic, military, or other. More recently, some of these attacks have been dubbed the advanced persistent threat (APT). APT is just one aspect of a larger cyber threat that the United States and countries around the world have been facing for some years.

To address the threat, Microsoft proposes a strategic, risk-based approach to managing cybersecurity in three steps by focusing on reducing attackers’ return on investment (ROI) and thus helping to deter them. To discourage even determined adversaries from targeting critical infrastructures, national security organizations must become more persistent in deploying defense depth in addition to breadth. With a holistic approach to IT security, enterprises can promote resiliency, help reduce risk, and provide better mission assurance. Microsoft offers a national Cybersecurity Maturity Model as a framework for a strategic, risk-based assessment of infrastructure requirements. The model complements a life-cycle approach to cybersecurity.

The focus of this document is to provide a high-level look at cybersecurity considerations for national security organizations. Because the threat landscape is complex and mitigation strategies require a holistic view of an enterprise and its mission, IT organization leadership should consider engaging a trusted partner like Microsoft to advise them and to deliver foundational and innovative cybersecurity solutions.
“There is little doubt that the Internet, with its global connectivity, anonymity, and lack of traceability, poses considerable challenges to those in the private and public sectors who are tasked with protecting it.”
Scott Charney, Microsoft Vice President, Trustworthy Computing Group, Rethinking the Cyber Threat
Challenges of a complex threat
For more than two decades, security experts have struggled to understand and defend against the cyber threat. Despite their expertise in the air, on land, at sea, and in space, national security organizations continue to face challenges that impede their ability to secure the cyber domain.

The U.S. Cyber Command is the latest step in a series of actions beginning with the Comprehensive National Cybersecurity Initiative (CNCI) driven by the last two administrations, the 60-Day Cyber Review led by the 2009 White House, and other related activities across the executive and legislative branch to address the threat. The task for national security professionals is to take a strategic, risk-based approach to thinking about and responding to malicious cyber events.
An existential threat to mission-critical infrastructures
The effectiveness of our nation’s security response systems is contingent on knowing facts that may be unavailable in the cyber domain. Steven Chabinsky, deputy assistant director of the FBI’s cyber division, recently called cyber attacks an existential threat to the United States that could significantly alter our nation’s potential. Not only are there many actors and motives in the cyber threat landscape, but also the anonymity and lack of traceability on the Internet mean that attributing attacks—a fundamental element of traditional deterrence and defense—is very difficult. National security organizations also face unique categories of threat.

In addition to cyber attacks motivated by traditional criminal purposes, critical government IT infrastructures are under attack 24 hours a day, 7 days a week, by perpetrators of military espionage, economic espionage, and cyber warfare.

In the past two years, attacks against government targets have grown exponentially. Across the public sector, incidents involving compromised records are increasing almost five times faster than business breaches.ii Whether the goal is espionage, fraud, financial gain, or something else, adversaries use common attack vectors, which mask their nature, the actors, and their motives. Moreover, these actors and their activities are commingled with innocuous and even constitutionally protected activities on the shared domain of the Internet. It’s easy to see why past policies and tactics for response have fallen short. In a complex and ever-changing threat landscape, deft and persistent measures are needed to provide mission assurance.

Cyber challenges
Because the Internet is shared by citizens, businesses, and governments alike, segregating lawful users from unlawful use is not easy. Microsoft’s Charney concludes that governments and law enforcement agencies need clearer rules for responding to both non-attributed and attributed attacks. For more information, see the white paper by Microsoft Vice President of Trustworthy Computing, Scott Charney: Rethinking the Cyber Threat—A Framework and Path Forward.i
An organizational challenge for national security
Complicating the external cyber threat are the unique, organizational challenges that national security professionals face, such as governance issues, budget competition, and the sheer complexity of the heterogeneous IT systems they run. All too often, organizations fail altogether to deploy basic system defenses consistently. They may want to innovate and optimize practices but find themselves supporting incompatible legacy applications that have taken years to develop and that require intense maintenance. An IT group may also try to adopt the latest security technology only to find that their infrastructure fails to meet prerequisite conditions.

Advanced cybersecurity solutions have their place in an informed strategy. However, attention to the basics—proper security training and tools, along with configuration management—is a challenge for many organizations. A methodical approach to mitigating the cyber threat requires an understanding of such organizational vulnerabilities and dependencies.
Anatomy of a cyber threat
In the cyber domain, adversaries use multiple-stage intrusion techniques that are difficult to detect and combat. Intrusion commonly follows these stages:

Reconnaissance and targeting. Adversaries use many of the same techniques to gain an understanding of an organization and its members and to collect intelligence they can exploit. Armed with this information, adversaries can choose how best to gain access to an organization and often rely on effective social engineering tactics.

Initial beachhead. Adversaries target vulnerable individuals, systems, or applications to establish an initial point of presence in a network, which is used for further exploitation and access over time.

Network mapping, persistence and access, and control or compromise of critical assets. Attackers survey an organization’s network for vulnerable hosts. They establish additional points of presence and attempt to gather internal artifacts and to exploit users and administrators. After it has been established, the malicious software or malware-injected code is often adaptive and dynamic, evading antivirus technology. An exploit can make use of existing system libraries to propagate multiple malware images and to adapt them in ways that can persist even after detection. Data is exfiltrated using outbound encrypted communications, which cannot be as easily monitored or controlled as inbound network traffic.
A three-step strategy for addressing the cyber threat
Although you cannot eliminate the cyber threat, you can manage risk—and to do so, a strategic plan is imperative. Implementing the plan requires that your organization protect its IT foundation with persistence. This foundation can then evolve over time while you innovate strategically to meet the changing threat.

Figure 1 Three steps to improving cybersecurity

1. From a risk-management perspective, an organization must focus on mitigating the threat to key systems. The first step is a risk-based analysis of cybersecurity that identifies priorities based on your enterprise’s risk appetite. Which systems are most vulnerable? Which are most important to the mission? What is your organization’s threat environment? Then, your organization can set short-term, medium-term, and long-term IT security objectives that become your strategy for reducing and better managing cyber risk. Prioritized solution tactics can enhance your organization’s cybersecurity by reducing attacker ROI and by providing a deterrent.

2. The second step in a strategic approach to risk management is to ensure that your IT infrastructure is strong at its foundation. A life-cycle approach to continuously managing security at the foundation is the key to defensive persistence and agility in the face of a determined adversary.

3. Take an evolutionary perspective on innovations in cybersecurity, and move gradually toward infrastructure optimization. After establishing the baseline state of your network and IT assets as a reference architecture, compare it to a maturity model so that you can prioritize future investments. The Microsoft Cybersecurity Maturity Model can be used as a guideline to IT investments that give you more of a strategic advantage while helping reduce the ROI for would-be attackers, thus deterring them.
Starting with a risk-based plan for cybersecurity
The complex nature of national IT infrastructures and the broad range of threats facing them have led many government and industry leaders today to increasingly focus on proactive risk management.

To assess risk, an organization must look at its information and communications infrastructure as a whole, defining assets not simply in physical terms but, more importantly, in terms of critical functions. Stakeholders then manage these risks through disciplined and regularly updated policies and the use of best practices.

A risk-based cybersecurity plan takes a holistic view of an organization’s mission, threat environment, risk tolerance, and infrastructure to determine strategic short-term and long-term steps. In this way, your organization develops a strategic cybersecurity plan that identifies necessary prerequisites, creates a strong foundation of defense in depth and breadth, and opens the door to cybersecurity innovation.

With a plan in place, you can also prioritize your cybersecurity investments based on risk. By contrast, a reactive approach simply focuses on new technologies, which often cost more over time and provide only a patchwork deterrence.iii

Risk management for critical infrastructures
The discipline of risk management applies a strategic methodology for addressing the cyber threat. A thorough risk management plan addresses virtually every aspect of an organization, including physical assets, operations, and finances. Addressing these and related management risks requires, among other things:
- Appropriate governance, where a fully committed leadership group is made up of various relevant sectors to help address, prioritize, and manage risks.
- Regularly updated policies regarding the handling of physical assets, cyber assets, and personnel.
- Risk management approaches that are suitable to different agencies’ needs.
- Continual sharing of relevant information and best practices.
For more information, see Critical Infrastructure Protection Concepts and Continuum.iv
Implementing a strategy of persistence
National security organizations must get better at cybersecurity basics. In the same way that basic training prepares military recruits for the more complex roles by drilling basic skills, cyber defense starts with basic protection, detection, response, and recovery tactics. A cybersecurity foundation covers the basics and ensures that prerequisites for advanced solutions are met.

Just as an alert border guard can stop a suspected terrorist from entering the country, scrupulous attention to continuous monitoring is the foundation of a sound cyber defense strategy. When it comes to cybersecurity, getting the basics right matters. By basics, we mean the fundamental principles of good infrastructure management—know your network, guard your perimeter, and keep systems up to date.

Many IT organizations overlook fundamental security measures in their haste to adopt the latest cybersecurity solution being pushed by the press or marketed by vendors. However, a persistent adversary requires an informed and persistent defense. National security professionals must take a life-cycle approach to cybersecurity as the foundation of their strategy.

A life-cycle model of cybersecurity identifies the people, processes, and technology needed to protect systems, detect intrusions, respond to security events, and recover systems. Through proactive assessment, planning, and preparation each step of the way, your organization can mitigate the risks associated with cyber threats and improve its strategy going forward in a cycle of continuous improvement.iv

Defending the enterprise
A life-cycle approach treats cybersecurity as a continuum rather than as individual, isolated, network-defense components. In this four-stage framework, each step in your strategy informs the next in a continuous process of improvement. To apply this model, you identify the people, processes, and technology needed to fulfill the four steps shown in Figure 2. For more information, see Microsoft Cybersecurity Advisor Services.v

Figure 2 Cybersecurity life-cycle model
Moving to innovation: Assessing infrastructure maturity
By evaluating current capabilities within a maturity model framework, your organization can develop a strategic path forward with innovation as the goal. The model shows you how to help reduce cyber risk by investing in standardized, structured, and optimized solutions, processes, and practices.

With a long-term, risk-based perspective on cybersecurity, your organization can optimize its cyber defenses strategically. The Microsoft Cybersecurity Maturity Model shows a continuum of IT security capabilities, from basic, manual processes and protections to a dynamic, automated risk-management approach. The model is a yardstick against which you can assess your existing IT architecture and then determine which investments offer the greatest yield in terms of ROI, risk mitigation, and agility.

Depending on where your baseline infrastructure falls in the model, you have a reference point from which to innovate strategically. For example, an IT organization without basic security processes, such as ongoing update management, does not benefit from more advanced cybersecurity measures, whereas an enterprise with routine patch management can consider a more cost-effective automated solution.

Figure 3 shows the Cybersecurity Maturity Model and the various security measures that may be used by an organization, given its existing reference architecture and the types of investments that can help optimize its infrastructure.

Stages of cybersecurity maturity
- Basic. An organization has a rudimentary approach to risk management characterized by manual processes. Policies, standards, and controls are typically improvised and reactive.
- Standardized. A threat-aware organization develops structured, centralized policies, standards, and controls. It recognizes the need for consistent patch management, even if security-management procedures are not fully automated.
- Rationalized. When an organization takes a holistic view of cyber risk, it implements advanced policies, standards, and controls and tightly integrates them with highly automated IT operations. The organization plans or has already deployed advanced cybersecurity capabilities as part of a risk-based approach to management.
- Dynamic. By optimizing a strategic, risk-based approach, an organization can adapt to a variety of cyber threats in a highly agile manner. Governance, risk management, and compliance emerge naturally from an organizational culture of security.
Figure 3 The Cybersecurity Maturity Model
In this model, an organization with a basic level of cybersecurity maturity might use rudimentary desktop and data protection solutions, such as anti-malware clients, standard desktop images, and full-volume encryption. By contrast, a rationalized or dynamic organization would support automated solutions for desktop and server security with a life-cycle approach to managing enterprise identities and policies.

As an organization matures in this model, it becomes more efficient in its risk-management tactics. A culture of security develops where a risk-based management approach factors in people, processes, and technologies. Over time, organizations can improve services and lower costs while reaching for their cybersecurity goals.
A final word on the ROI of a cyber attack
Many cyber adversaries are motivated by ROI—they want a return for the investment of time and energy. An effective defense can reduce the benefits of a successful attack, making a target in essence too expensive to attack so that the rewards are not worth the investment.

To reduce ROI for the cyber adversaries threatening national security organizations, IT organizations can work within the maturity model framework to strengthen the key areas shown in Figure 4. By hardening centers of gravity, enabling a more trusted infrastructure, and providing advanced security automation and management, both sides of the cyber adversary ROI equation are impacted. That is, the cost of attacking and the potential for attribution and punishment increase as the benefits and returns decrease.

Figure 4 Advanced tactics for reducing profit for cyber adversaries

Key tactic: Harden centers of gravity
Strategy: Anywhere that valuable assets and resources are concentrated in your network and infrastructure can be gravitational centers in need of protection. A risk-based cybersecurity strategy prioritizes key systems and hubs of power for cybersecurity efforts.

Key tactic: Enable a trusted infrastructure
Strategy: Administrators can better control access and apply security policies when there is a common way for identities to be authenticated inside your organization, in other organizations, and on the Internet. Strong authentication must extend across hardware, software, people, and data to form a trusted infrastructure.

Key tactic: Automate and manage security
Strategy: It is vital to monitor and manage your systems continuously so that you can stop attacks in progress and correct compliance issues as you detect them.
Microsoft and the cyber threat landscape
The threat from cyber adversaries is real, but today’s networked enterprises are anything but defenseless. Vigilance and persistence are needed to thwart determined adversaries, whether on land or in cyberspace. As an ally in the fight, Microsoft offers a host of advisory and deployment services to help national security organizations navigate the cyber threat landscape successfully.

Microsoft is partnering with governments at all levels to promote solutions that security professionals can use to defend critical national assets. We provide hands-on support in the fight against cyber adversaries. Through on-site consultations and workshops, we work with national security organizations and civilian agencies to help design, deploy, and defend our nation’s networks against cyber attacks.

Expert Microsoft security architects can help with a range of services—from strategic, risk-based planning to infrastructure foundations to technology innovations.

Contact us for more information:

Help from Microsoft
A renewed sense of urgency is focusing national security organizations and their civilian sector partners on cyberspace security. That’s why Microsoft offers cybersecurity architecture and solutions delivery services to help your organization successfully navigate the cyber threat landscape. Microsoft Services provides solutions that enable a proactive network defense strategy to defend against the most determined intruder.

Learn more
- Microsoft Cybersecurity Architect Service provides trusted advice and technology solutions planning.
- Microsoft technology solutions for cybersecurity play a critical role in helping to ensure the safety and integrity of the enterprise.
- U.S. Government Configuration Baseline (USGCB), formerly known as the Federal Desktop Core Configuration (FDCC), is designed to provide a single, standard, enterprise-wide, managed environment for desktops and laptops running the Windows XP, Windows Vista, and Windows 7 operating systems.
Endnotes
i Charney, Scott. “Rethinking the Cyber Threat—A Framework and Path Forward.” Microsoft. 2009. http://www.microsoft.com/downloads/details.aspx?FamilyID=062754CC-BE0E-4BAB-A181-077447F66877&displaylang=en&displaylang=en
ii Original research by INPUT. Used with permission. http://www.input.com
iii “Critical Infrastructure Protection Concepts and Continuum.” Microsoft. 2009. http://www.microsoft.com/downloads/en/details.aspx?FamilyID=89f1036c-2136-49f7-84ae-20cfd2298bf6&DisplayLang=en
iv “Microsoft Cybersecurity Advisor Service.” Microsoft. 2010. http://download.microsoft.com/download/0/8/1/08163AEB-B515-4133-807B-DEDACD7E03AC/CybersecurityServices.pdf