The DUNDA approach

Ken Kojima,Chief Information Security Officer at California Department of Corrections and Rehabilitation

Ken Kojima,Chief Information Security Officer at California Department of Corrections and Rehabilitation

Intro

After 12 plus years of working within a correctional organizationand the majority of that time spent in the information security office, I’venoticed distinct overlap inphysical and cybersecurity approaches.Both require properly trained staff, various technologies, established policies and consistent processes to implement a robust and effective program to meet their specific security needs. Throughout history, people have had hundreds, if not thousands of years to make iterative improvements to various concepts including physical barriers, specialized armies, and strategically placed outposts and guard towers.  Many of these concepts still apply today so why shouldn’twe apply this methodology to cyber security?

Visibility - Fences, Towers, and Guards, oh my!

Most people who have been to or seen a “secure” facility like a prison or military base, will recognize some kind of boundary or fence that clearly indicates where the security perimeter of the compound begins or ends depending on how you view it.History shows that civilizations and countries often took advantage of environmental barriers such as bodies of water, mountain ranges, or desserts to establish boundaries because it was a natural way to make it more difficult to travel through or over thus making aperimeter more easily defensible from threats.To add, manmade technologies that have developed over time include walls (the Great Wall of China), fences (electrified with barbed wire), gates (sally ports), and even moats (castles).In the cybersecurity realm, this is a bit more nebulous since the perimeter is not as easily visualized and technological innovation continues to muddy the water. That being said learning from history, security analysts and organizational management must work with the leadership to define and establish some kind of perimeter. Without this cleararea of responsibility, the organization’s security people and funding resources are likely to not be optimized resulting in overspending or understaffing.One of the best methods in establishing a cyber-defense perimeter is to leverage the zero-trust architecture (ZTA) approach. This actually creates multiple perimeters, but is effective because it provides systematic approach in establishing clear lines of responsibility for various areas of the organization. The way I’ve learned to remember and recall these boundaries is through the acronym DUNDA which represents the data, user, network, device, and application perimeters.  Some questions that should be asked when helping to define these areas of focus are:

• Data – Where does the organization’s data reside? What type of data is being stored?
• Users – How do you identify your users? How do users interact with the data?
• Network – Does yourinfrastructure have both internal (private) and external (public) networks?
• Devices – Which devices need protection?How do these devices connect to your services?
• Applications – Whereare the applications hosted? Where are the applications developed?

"Security analysts and organizational management must work with the IT leadership to establish a well-defined perimeter."

These are just some of the questions that can help you establish that cyber perimeter and where you need to build your de-“fences.”

Now that you know your area of responsibility, how do you keep an eye out for threats against the perimeter?Well, ships have crow’s nests;castles have towers; and the modern military have radar and sonar. These technologies are ways to monitor for when potential threats approach or cross the established boundary. In the cyber space, these “towers” are aggregators, port mirrors, monitoring appliances, and endpoint agents.   Here are a few ways to address each perimeter:

• Data – Implement data loss prevention (DLP) gateways at key perimeter nodes to track and monitor important data moving through the organization.
• Users – Sufficiently log the three (3) A’s of identity management: Access, Authorization, and Authentication and REQUIRE MFA (can’t stress this one enough).
• Network – Ensure that network appliances (i.e. proxies, firewalls, routers, switches) are in the right locations. Also, be sure system logs are active, collecting the right information, and set to retain the events for the appropriate amount of time.
• Device - Deploy agents to endpoint devices to monitor for threats. In addition, the agents should have the capability to retrieve machine telemetry both passively and actively.
• Application –Implement practices such as code-validation, code scanning, code-libraries management, and application penetration testing.  In addition, work with developers to enable robust transactional log features with the intent of being able to recreate events in the event of a potential security incident.

Once the perimeter isset and you are collecting information from your “guards,” a Security Information Event Manager (SIEM) or similar aggregation and analysis platform will be necessary to help make sense of the vast volume of data.  It is feasible that organizations could generate billions, if not trillions, of logs events each day. It is not realistic to hire enough humans to process, communicate, and act on the data without this platform or service.  Imagine the Warden of a prison being responsible for briefing peace officers for 100 towers three (3) times a day—one for each daily shift—that  would be unheard of.    So, strategically reduce the number of towers or have the reports from the tower filtered through the ranks.  After proper dataanalysis, the security staff can provide reports to the right people in the chain of command,allow them to make decisionsand take appropriate action as needed.

The goal is to mature the organization so that theright people continually review reports to govern decisions to reduce negative impacts to the company’s mission.  Without the information in the right context, leaders will make uninformed and potentially costly decisions.  The specifics of how to make these decisions is another ballgame, but organizations should first focuson having a clearly defined perimeter with proper visibility that allows the collection of reliable datain order to maintain good cyber hygiene.  Analyzed output yielded from this collected data will be critical in helping the decision makers take educated action thus reducing the organization’s overall risk against cybersecurity threats.

Read Also

Improve Diversity and Cybersecurity Hiring in One Fell Swoop

Improve Diversity and Cybersecurity Hiring in One Fell Swoop

Michael Carr, JD, CISSP, CCSP, CIPP/US/E Adjunct Faculty, Cincinnati State and Andrew Opare, Security+, Ohio Army National Guard
Businesses at Risk: Survey Exposes Gaps in Crisis Readiness among UK Firms

Businesses at Risk: Survey Exposes Gaps in Crisis Readiness among...

Jim Steven, Head of Crisis & Data Breach Response Services, Experian Consumer Services
Ingredients for Success in Transformation

Ingredients for Success in Transformation

Eric Martin, Vice President, Information Technology and Digitization, Groupe Deschenes
Implementing an Identity and Access Management Program

Implementing an Identity and Access Management Program

Devan N. D’Silva, Manager, Identity and Access Management, Vice President, Baird
The Hidden Risks of Work From Anywhere

The Hidden Risks of Work From Anywhere

Joshua Brown, VP and Global CISO at H&R Block