
“They didn’t come up with anything, improvise” or Agile in information security

The title of this article is partially borrowed from a popular play and movie. “They didn’t come up with anything further, improvise”: in the film, this phrase is followed by an obscene reaction from a man who has realized that he will have to improvise. Every information security professional has been or will be in this situation. It is the very moment when you have taken the helm of information security at an organization in a field new to you, when the company's structure changes through mergers and acquisitions, or when suddenly, at 8 pm on a Friday, the phone starts ringing with reports of non-working ATMs ... that is when this voice sounds, giving the only right direction for further action.



Information security is an area that does not tolerate a casual attitude. All risks must be identified, possible damage must be assessed, and a plan must be prepared for each unexpected event. In accordance with the threats and risks, organizational and technical measures should be taken to protect the company from information security threats. This approach is referred to in some sources as the “Castle model of cyber security”, or simply the castle model. It was formulated in 2004 by Deborah Frincke and Matthew Bishop in Guarding the castle keep and has not changed much in the last ten years. Its main principle is the division of the entire information space into an internal, “safe” segment and an external one, full of threats and intruders. These two segments are separated by "walls", possibly built in layers, and gateways provide the connection between the outside and the inside world. This approach has entered our lives so deeply and firmly that we even call one kind of malicious software Trojans, in honor of the Trojan Horse, which helped external "intruders" to penetrate the walls of Troy.

We assume that by storming the walls, crossing the moats and smashing the gates with a ram, external enemies will suffer losses. The cost of these losses, that is, the cost of a possible attack, determined by the height and number of walls, the depth of the moats and the strength of the gate, should make the attacker think twice and abandon a direct attack on the organization.



In reality, things are a little different. I will give an example that is not from the field of cyber security, but that very accurately reflects the specifics of the castle approach. 1945, East Prussia, the fortress city of Königsberg. Three rings of forts built at the end of the 19th century and substantially fortified in the middle of the 20th, multi-meter brick walls, tons of concrete and earth on the fortifications: all this turned out to be useless in a real assault. The changes that had occurred over several decades and the evolution of the means and tactics of attack led to the city being taken in a few days, and the fortifications could not stop the advance of the attackers. This historical sketch is an excellent illustration of the fact that those who are not ready for change do not win battles. This is true both for the real-world map and for the space of cyber threats.

When we talk about changes and how to respond to them effectively, the term Agile automatically comes to mind. Over the past five years it has become very popular, and it is mentioned both where it fits and where it does not.



Successful managers everywhere are introducing it to improve efficiency, and there are claims that “Agile is our everything, the key to the future.” Most often, this term is used in the business environment either to emphasize a desire for innovation or to poke fun at chaotic and inefficient internal processes.



In fact, Agile is just a value system that does not give any practical advice. In order to describe it, there is no need for weekly courses or a radical restructuring of our way of thinking. The whole point of Agile is in four sentences. And here they are:

  1. People and their interactions are more important than processes and tools.
  2. A working product is more important than comprehensive documentation.
  3. Cooperation with the customer is more important than agreeing the terms of the contract.
  4. Readiness for change is more important than following the original plan.

In cybersecurity, the Agile ideology found its response in the Agile Cybersecurity Action Plan (ACAP) methodology, a flexible way to manage cybersecurity. It is contrasted with the “castle model” of building cybersecurity and is designed to help the CISO respond as effectively as possible to changes in the landscape of threats and risks. The process involves the active joint work of cross-functional and cross-organizational teams for:


The main features of Agile:


The methodology is not limited to the listed elements; it is a fully described process with steps and results for the implementation of each of them. At the same time, ACAP can hardly be called a universal approach: neither ACAP itself nor Agile values can be used to completely change the approach to managing cybersecurity. Of the four main elements of the life cycle (Predict, Prevent, Detect, Respond), Agile can work only at the Predict and Prevent stages, which cover the tasks related to strategic planning, risk assessment and the development of ways to address the risks.

So if someone comes to you and says that he is going to “move information security onto Agile rails,” ask him the question that is most likely on the tip of your tongue: “What, all of it?” And if the person confidently answers: “Of course, all of it!”, then in my opinion you should not expect amazing results from the author of such statements. Ask him to clarify how and in which specific processes he is going to apply Agile values. Listening to the answers, you will not only be able to form an idea of the professional qualities of your interlocutor, but also find out how well he can improvise. After all, so far nobody has come up with anything further ...

Source: https://habr.com/ru/post/328410/

