The Defendable Network

Effective cyber defenses ideally prevent an incident from taking place through the use of proactive controls rather than reactive approaches. A cyber defense plan is necessary to deter targeted cyber-attacks launched by nation states, cyber criminals, and other actors. Because attacks are fast and adaptable, preventative controls are necessary to combat the hundreds of attacks that occur on a daily basis.

The Defendable Network is a framework Critical Start created to simplify complex and sometimes confusing approaches like NIST, ISO 27001, and the Cybersecurity Executive Order for Critical Infrastructure. We created a list of 35 Cyber Defense Capabilities for protection against advanced persistent threats and repeated attacks. This framework is about defending against attacks rather than about compliance. The chart below shows an example of how a few sample Defendable Network security controls are prioritized using different criteria. An actual client implementation would vary according to the details of how each control would be implemented.

Framework Example

The goal of the Defendable Network is to protect critical assets and information by creating an Information Technology infrastructure capable of being protected against attack and disruption. This is done by minimizing attack surface, blocking known threats, and restricting lateral movement of attackers while providing continuous, automated monitoring of IT infrastructure. Following our framework will dramatically reduce compromises, minimize the time required for recovery efforts, and lower associated costs for a given level of security.

This approach cost-effectively improves security because it allows organizations to prioritize efforts based on budget and available resources. Our prioritized roadmap considers factors like security impact, change to the user experience or business approach, budgets, implementation effort, and operational costs. None of the existing security frameworks takes these common-sense requirements into account. We don't believe in product roadmaps, but instead focus on security capability that includes process, configuration, and technical controls.
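As an added illustration of the kind of prioritization described above (this is not Critical Start's scoring model or any code from the page), the following Python ranks candidate controls by security impact against a weighted measure of user/business change, implementation effort, and operational cost, then selects the highest-priority controls that fit a one-time budget. The control names, their scores, the weights, and the budget figures are all constructed assumptions for the example.

```python
"""Constructed example: prioritize security controls on the roadmap criteria
named in the text (security impact, change to user experience/business,
budget, implementation effort, operational cost) and select the ones that
fit an available budget. Weights, scales, and sample controls are assumed
for illustration only; they are not the Defendable Network's own model."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    security_impact: int  # 1 (low) .. 5 (high) reduction in risk of compromise
    user_change: int      # 1 (none) .. 5 (disruptive) change to users/business
    effort: int           # 1 (trivial) .. 5 (multi-quarter) implementation effort
    opex: int             # 1 (negligible) .. 5 (high) ongoing operational cost
    capex: float          # one-time budget required, in constructed units


# Relative weights for the "friction" side of the score (assumed values).
WEIGHTS = {"user_change": 0.4, "effort": 0.3, "opex": 0.3}


def priority_score(c: Control) -> float:
    """Higher is better: security impact gained per unit of weighted friction."""
    friction = (WEIGHTS["user_change"] * c.user_change
                + WEIGHTS["effort"] * c.effort
                + WEIGHTS["opex"] * c.opex)
    return c.security_impact / friction


def prioritize(controls, budget):
    """Return (selected, deferred), each in priority order.

    Controls are ranked by priority_score; the ranked list is walked once and
    a control is selected whenever its one-time cost still fits the remaining
    budget, otherwise it is deferred to a later roadmap phase."""
    ranked = sorted(controls, key=priority_score, reverse=True)
    selected, deferred, remaining = [], [], budget
    for c in ranked:
        if c.capex <= remaining:
            selected.append(c)
            remaining -= c.capex
        else:
            deferred.append(c)
    return selected, deferred


# Constructed sample controls; the numbers are illustrative, not measured.
SAMPLE_CONTROLS = [
    Control("Application whitelisting", 5, 4, 4, 3, capex=60),
    Control("Patch applications", 5, 2, 3, 3, capex=20),
    Control("Restrict administrative privileges", 4, 3, 2, 2, capex=10),
    Control("Centralized event log monitoring", 3, 1, 3, 4, capex=40),
    Control("Network segmentation", 4, 3, 5, 2, capex=50),
]


if __name__ == "__main__":
    selected, deferred = prioritize(SAMPLE_CONTROLS, budget=100)
    print("Phase 1 (within budget):")
    for c in selected:
        print(f"  {priority_score(c):.2f}  {c.name}  (cost {c.capex})")
    print("Deferred:")
    for c in deferred:
        print(f"  {priority_score(c):.2f}  {c.name}  (cost {c.capex})")
```

The ranking is deliberately separate from the budget walk: the same scores can be re-run against a different budget or different weights to see how the roadmap shifts when, for example, tolerance for user-facing change is lowered.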

The Defendable Network is an ever-progressing framework, updated regularly based on:

  • Changing attacker tactics, techniques, and procedures (TTPs)
  • Shifts in the technology landscape that allow addition of new security capabilities
  • Critical Start experience with real world clients and penetration testing
  • Client feedback and suggestions
  • Regular review of other industry leading frameworks

The result is a solid, prioritized program for making fundamental computer security defenses a well-understood, repeatable, measurable, and consistent process. The Defendable Network applies to many different kinds of computer attackers, such as malicious internal employees, contractors, individual external actors (hacktivists), organized crime groups (cybercriminals), terrorists, and nation-state actors.

Although our approach will block the vast majority of initial system compromises, nothing will block all attacks. Just as much effort should be applied to detecting already-compromised machines and preventing or disrupting attackers' follow-on actions. Much of the Defendable Network is dedicated to reducing the initial attack surface by hardening security, identifying compromised machines to address long-term threats inside an organization's network, restricting lateral movement, and providing comprehensive infrastructure visibility for detection and remediation.

Core Cyber-Defense Capabilities of the Defendable Network

  1. Reduce the Risk of Initial Compromise and Disruption
    1. Minimize the attack surface as much as possible without impacting business operations and user productivity.
    2. Block known threats to reduce the amount of reactive time spent on security.
  2. Protect Critical Assets and Information by Restricting Lateral Movement of Attackers.
  3. Monitor Infrastructure to Gain Visibility Needed for Quick Detection and Response to Incidents, Data Exfiltration, and/or Illicit Transactions.
  4. Commitment to Security Governance – the foundation for building a security program. The policies, processes, and resource commitments are critical to consistent success.

The Inspiration for the Defendable Network

Everyone asks why another framework is required. While there is a tremendous amount of overlap, most of the frameworks do a poor job of allowing an organization to effectively prioritize the different security controls. After seeing many clients struggle to implement a security strategy, we developed the Defendable Network as a mechanism to relay the results of security assessments, penetration testing, and security roadmap engagements. Key inputs to our framework include some fantastic efforts from people around the world.

  • Top 35 Strategies to Mitigate Targeted Cyber Intrusions by the Australian Signals Directorate (ASD). This is the best overall framework in our opinion and is the biggest influence on the Defendable Network. The Strategies to Mitigate Targeted Cyber Intrusions are ranked in order of overall effectiveness and include a methodology for prioritization, which is unique among the widely used frameworks.
  • 20 Critical Security Controls by SANS is our second most recommended framework for tactical controls.
  • ISO 27001/27002 are highly recommended for building a great security governance program. The ISO standards include a lot of the people/process items that aren't addressed by SANS and the ASD Top 35.
  • National Security Agency/Central Security Service Publication, “Reducing the Effectiveness of Pass-the-Hash”, March 19, 2013.
  • National Security Agency/Central Security Service Publication, "Spotting the Adversary with Windows Event Log Monitoring", February 28, 2013.
  • Security Compliance Manager (SCM) 3.0 that provides ready-to-deploy policies and DCM configuration packs based on Microsoft Security Guide recommendations and industry best practice. http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx
  • US-CERT TARGETED CYBER INTRUSION DETECTION AND MITIGATION STRATEGIES (ICS-TIP-12-146-01B), February 6, 2013. http://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B
  • Critical Start experience with real world clients and penetration testing
  • Client feedback and suggestions
  • Regular review of other industry leading frameworks