Op-Ed: Unlock efficiencies and improve security by applying the 3C approach to enterprise security architecture

ESA represents a strategic and holistic approach to securing what matters most to organisations. It encompasses people, process, and technology controls. While there are multiple facets to ESA – including governance, architecture and acquisition principles, design reviews and approval processes – this article will explore one of the more pressing issues facing organisations: tool sprawl and unrealised value from investments in technologies.

In response to the rising cyber threats, organisations have invested significantly in the acquisition of security tools and technologies. However, they still continue to struggle to contain cyber threats and are not realising adequate value from their investments. Due to the lack of a strategic approach, organisations get stuck with a lot of point solutions that aren’t optimised, nor do they integrate with each other, creating challenges on the visibility, monitoring, and orchestration fronts.

Furthermore, it is not uncommon to see control areas with several overlapping technologies while other areas are largely not covered. A lot of organisations also stumble to get started on their ESA journey and get stuck with fancy diagrams and pictures with little to show in terms of tangible outcomes.

Adoption of the 3C approach for ESA can allow organisations to pragmatically unlock value from their investments and make progress. The 3Cs of the approach refer to coverage, configuration, and clarity.

1. Coverage

Everything starts with visibility and coverage. To enable the right coverage, organisations must first develop an understanding of the critical assets that matter the most to them. These assets align with the key business processes, services, and products that are material to the existence of the organisation. The critical assets or “crown jewels” view needs to be developed by working closely with business stakeholders. After all, cyber security exists to enable the business and is fundamentally a risk management exercise. Risk management cannot be adequately performed without an understanding of assets and the consequent impacts on them if threats are realised by exploiting vulnerabilities. Therefore, a register of key information assets and systems is vital. It does not have to be perfect but needs to have a reasonable degree of accuracy.

Another key input towards the 3C approach adoption is to develop an inventory of all the security tools and technologies that are present in the environment. These aren’t just tools operated by the security team but should include any tools that perform security-related functions such as identity and access management, database and endpoint protection, application security, etc.

Now, it is foundational that these security tools and technologies must have coverage over these assets. For example, does the web application firewall that filters malicious web traffic cover the key internet-facing systems, such as customer payment portals, banking applications, or e-commerce websites? Coverage is a key attribute to ensuring that investments in tools are actually protecting what must be protected.

VIEW ALL

2. Configuration

This category focuses on the effectiveness of security tools and technologies and comprises the following areas.

1. Control objectives and use cases: Are the security tools configured appropriately to ensure they are sufficiently meeting the control objectives and defined use cases? Any discussion around security controls needs to start with the objective and use cases, not just tools. Leading frameworks, such as the NIST Cyber Security Framework, can create a more complete view of control objectives to be considered. For example, a control objective could be to proactively identify and block the leakage of sensitive organisational data. Data loss prevention (DLP) tools can help achieve this objective. However, they need to be configured appropriately to protect the data types that are most important to the organisation. The rules need to reflect an understanding of the business rules, such as trusted external organisations, nature of data types involved, frequency of data exchange and so on, to ensure that business processes are not unduly impacted. The tool must also be configured to appropriately action when an alert is generated. For example, blocking the suspect activity or requiring additional acknowledgement.
   
   
2. Overlaps and gaps: The inventory of security tools and assessing their use cases will help identify if there are multiple DLP tools or capabilities present in the environment. If multiple tools exist, do they actually have specific objectives or use cases that justify their existence? This analysis enables opportunities for consolidation and value realisation. Tools need to have clear use cases to understand if they are truly delivering value or if investments are being wasted on expensive technologies effectively sitting on the shelf.
   
   The inventory and use-case analysis exercise accounting for a control objectives framework will also shed light on areas where material capability gaps exist. For example, the exercise may uncover that tools are all geared towards the on-premise hosted systems and lack adequate controls to protect assets in cloud environments. This exercise can then serve as an input to uplift overall cyber strategy and roadmap.
   
   
3. Integration: It is important that visibility is maintained across the various security events in the organisation to ensure that things don’t fall through the gaps. Key events, logs, and alerts from security tools should be captured and monitored through integration with tools such as security incident and event management (SIEM) solutions. Integrating with SIEM and building appropriate monitoring cases is an important control for good detection and response capabilities. At a more mature level, effective integration should also offer opportunities to orchestrate threat-driven policy controls across multiple areas as opposed to implementing them on each tool individually. This requires being purposeful about the acquisition of tools and may need trade-off decisions between best-of-breed point solutions or an adequate solution that natively integrates with the rest of the ecosystem. Good governance and acquisition principles would guide these decisions.

3. Clarity

It is imperative that every security control and technology has clarity of responsibilities and supportability regarding their implementation and ongoing management. For example, which team(s) are responsible for network security tools? What is the role of the security team in this area? Is it to provide governance and rules while the network team actually implement them and supports the tools, or does the security team own end-to-end management of network tools? This clarity is essential to realising value from investments. This includes establishing roles and responsibilities with managed services providers and ensuring there is in-house expertise to ensure service providers are delivering value and meeting the established agreements. In the absence of clarity of control ownership, responsibilities and supportability at an operational level, configurations aren’t managed, services are not optimised, and the effectiveness of tools is significantly lowered.

Applying the 3C approach to your ESA, combined with good governance processes and architecture principles, will enable building an effective foundation for improving the security posture along with operational efficiencies and value optimisation.

Chirag Joshi is the founder and chief executive of 7 Rules Cyber.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.