As we enter the new year of 2015, it is timely to consider what lessons we might have learned from the previous year. One that seems to be of major importance is that large corporations can increasingly expect to get hacked, and when they do they need to investigate how, by whom and why it happened. Take for example the recent Sony embarrassment. A major film stolen (IPR theft on a large scale), threats of attack on public cinemas (leading to withdrawal of the public release because of safety considerations) and, as a result, world governments exchanging insults in a major diplomatic incident. That’s quite an impact!
It seems that many enterprises are still way behind the curve in their thinking. Far from being a ‘Black Swan’, this was a predictable attack scenario, but it seems that many still have their heads buried deep in the sand with no real appreciation of the possibilities or the consequences. So in this issue we shall explore the concept of ‘forensic readiness’ as another SABSA Business Attribute.
It is well established that digital forensics is an important tool in our armoury of security controls. There are many specialists offering services in this area. However, when they reach the scene of the crime they often find that evidence is either hard to find or badly contaminated. If we are to identify exactly what happened and by whom the attack was mounted, then there is much we can do in advance to prepare for collecting evidence and protecting its integrity, so that it is ‘admissible’ – another important SABSA Business Attribute. Legal and diplomatic proceedings need to be based on sound, incontrovertible forensic evidence, the integrity of which can be demonstrated beyond reasonable doubt.
This is not just ‘another control’ – it is something that needs to be designed into the entire systems architecture, but legacy architectures are not well conceived in this respect. It highlights the need for a business-driven security architecture that is based on a business risk assessment rather than a mere technical risk view. The impacts from the Sony incident are massive, but expert technical security analysts would never predict that without close engagement with their business colleagues, because they do not think in those business terms.
Developing successful security architecture is a multi-disciplinary activity that requires input from business stakeholders, experts in several specialised technical fields and architects who should be able to bring all of it together into one holistic view of how to manage business risk in a digital environment. The main architectural concept needed here is a layered control strategy, as described in SABSA publications. Most organisations focus too much attention and investment on ‘preventive controls’, but a much more balanced approach is required. The diagram illustrates a layered ‘defence-in-depth’ control strategy in which evidence collection and preservation feature as an integral part of the architecture.
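To make the ‘admissible’ and ‘forensic readiness’ attributes concrete, here is an added illustration of what designing evidence preservation into the architecture can look like in practice. It is not from SABSA or from the author of this piece; the artifact, the custody events and the custody key are constructed sample values, and the function names are the example’s own. At collection time the artifact is hashed and the hash is recorded in a chain-of-custody log; each subsequent event (transfer, examination) is chained to the previous one with an HMAC, so that later modification or removal of an entry, or alteration of the artifact itself, is detectable when the chain is verified.

```python
import hashlib
import hmac
import json

# Constructed sample artifact: a small captured authentication log.
SAMPLE_ARTIFACT = (
    b"2015-01-02T10:00:00Z login failed user=alice src=10.0.0.5\n"
    b"2015-01-02T10:00:03Z login ok user=alice src=10.0.0.5\n"
)

# Hypothetical custody key. In a real deployment this would be held by the
# evidence custodian (ideally in an HSM), never alongside the log it protects.
CUSTODY_KEY = b"example-custody-key-not-for-production"

GENESIS = "0" * 64  # prev_mac value for the first log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(entry: dict) -> bytes:
    """Deterministic JSON encoding so MACs are reproducible across runs."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_custody_event(log: list, event: dict, key: bytes) -> list:
    """Append an event, chaining it to the previous entry's MAC."""
    prev_mac = log[-1]["mac"] if log else GENESIS
    body = dict(event, seq=len(log), prev_mac=prev_mac)
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    log.append(dict(body, mac=mac))
    return log


def verify_custody_log(log: list, key: bytes):
    """Return (True, 'ok') if every entry is intact and correctly chained,
    otherwise (False, reason) naming the first entry that fails."""
    prev_mac = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i:
            return False, f"sequence gap at entry {i}"
        if body.get("prev_mac") != prev_mac:
            return False, f"chain broken at entry {i}"
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return False, f"MAC mismatch at entry {i}"
        prev_mac = entry["mac"]
    return True, "ok"


def verify_artifact(artifact: bytes, log: list) -> bool:
    """Check the artifact still matches the hash recorded at collection."""
    collected = next((e for e in log if e.get("event") == "collected"), None)
    if collected is None:
        return False
    return hmac.compare_digest(collected["sha256"], sha256_hex(artifact))


def build_sample_log() -> list:
    """Constructed custody history: collect, transfer to locker, examine."""
    log = []
    append_custody_event(log, {
        "event": "collected", "sha256": sha256_hex(SAMPLE_ARTIFACT),
        "size": len(SAMPLE_ARTIFACT), "who": "ir-analyst-1",
        "at": "2015-01-02T11:00:00Z"}, CUSTODY_KEY)
    append_custody_event(log, {
        "event": "transferred", "to": "evidence-locker",
        "who": "ir-analyst-1", "at": "2015-01-02T11:30:00Z"}, CUSTODY_KEY)
    append_custody_event(log, {
        "event": "examined", "who": "forensic-examiner-2",
        "at": "2015-01-03T09:00:00Z"}, CUSTODY_KEY)
    return log


if __name__ == "__main__":
    custody = build_sample_log()
    print("log:", verify_custody_log(custody, CUSTODY_KEY))
    print("artifact intact:", verify_artifact(SAMPLE_ARTIFACT, custody))
    altered = [dict(e) for e in custody]
    altered[1]["who"] = "someone-else"
    print("after edit:", verify_custody_log(altered, CUSTODY_KEY))
```

The point of the chained MAC is that the log can be stored on ordinary infrastructure and still be shown in proceedings to be unaltered since collection, provided the custody key was never exposed to the systems that produced the evidence; that key separation is the architectural decision the layered control strategy has to make up front, not something a forensic specialist can retrofit after the incident.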
It seems that we are still a long way from achieving this level of architectural sophistication in the real business world, and that SABSA thinking needs to be promoted to a much wider community. Well, that’s the job of The SABSA Institute, recently launched for public membership, and one day that goal will be realised.