CySA+ domain #13: Security architecture review and compensating controls
Security architecture is the unified security design that stipulates how information security safeguards and controls are deployed in IT systems to ensure the confidentiality, integrity and availability of the data that is being stored, used and processed in those systems.
An effective security architecture design doesn’t provide porous holes or cyber-vulnerabilities that can lead to data breaches. Therefore, reviewing the security architecture design and then implementing compensating controls based on the weaknesses found during the review is indispensable to avoid future disasters.
By keeping the CySA+ exam objectives into consideration, in this post, we will gain insight into security data analytics, manual review of different categories of logs and defense-in-depth strategies.
Security data analytics
In some cases, organizations outsource their security data analytics to a third-party company, often as part of their Security-as-a-Service (SECaaS) offering. The outsourcer employs security suites and appliances to capture hosted and onsite data, then utilize central tools to analyze such data and prepare reports. They also notify security analysts in the event of discovering new issues.
Below are some controls used for security data analytics.
Data aggregation and correlation
This control involves two steps: data aggregation and data correlation, as the name implies. Data aggregation is the act of collecting data from different sources and then storing it at a central point. Data sources may include server logs, application logs, hypervisor logs and network device logs.
Once the data aggregation completes, data correlation comes into play. Data correlation assesses the sequence of events within available data collected through data aggregation and then identifies anomalies which may indicate a cyberattack or security weaknesses. Usually, Security Information and Event Management (SIEM) is an appropriate and effective security tool used widely for data aggregation and correlation.
For security analysis, trend analysis provides behavioral insights to find unexpected changes that don’t match expected decreases or growth. Trend analyses work by analyzing the state of systems, devices or events and looking for changes based on the trends.
The historical analysis involves the usage of data over time, usually for incident response activities. We have already saved the record/data of previous incidents in the “incident summary report.” Historical analysis digs out such data to match the information of the current incident with a similar event or events related to the incident that occurred in the past.
The manual review involves individuals to review logs and other data such as firewall logs, syslogs, authentication logs and event logs. Manual review is effective when you have small quantities of data.
However, if this is not the case or you have big data, the manual review can be a daunting task. You will need to deploy a comprehensive security suite that can handle a large volume of data.
Security architecture design incorporates host security, network design, standards, policies and processes, as well as personnel security. Implementing defense-in-depth in security architecture is vital in order to steer clear of security weaknesses. Over the next few sections, we will examine the essential components of defense-in-depth controls.
Personnel-related controls are directly concerned with individuals such as organizational employees or other workforce. These controls include:
In addition to the security data analytics and manual review controls, taking the human layer of security into consideration is also crucial. A security training program for the workforce is essential to protect confidentiality, integrity and availability of data in immensely networked systems.
The security training program is often a part of an organization’s security policy. The core components of security training may include role-based training, anti-phishing best practices, as well as training with regard to information classification, data labeling, handling and disposal, compliance with laws, best practices and standards, new threats and new security alerts/trends, and the use of P2P and social networking.
In some cases, the organization may assign a sensitive task to two individuals to protect sensitive functions or information. For example, two Air Force pilots are required to fly certain crafts. In a Security Operation Center (SOC), multiple analysts collaboratively work together to perform certain tasks.
Separation of duties
Complex responsibilities trigger a conflict of interest and unwanted risk. Today’s regulations, such as the General Data Protection Regulation (GDPR), now require businesses to pay more heed to duties and roles to avoid compliance issues.
Separation of Duties (SoD) is the act of disseminating tasks and their associated privileges for a specific security process among multiple employees. For example, purchase orders usually require multiple approvals. Making payments to a vendor and reconciliation of bank statements also involve SoD.
Cross-training involves learning employees’ skills to perform tasks that their staff members and other coworkers normally take on. The purpose of doing so is to prevent a single point of failure due to the termination or suspension of an employee.
Cross-training ensures business continuity by providing critical responsibilities backup. In addition, it also helps during mandatory vacations and succession planning.
A mandatory location is an organizational policy that requires all employees to take a specific amount of time, usually from days to weeks, away from work to refresh themselves. A company should not depend on one person to perform critical tasks. That’s why mandatory vacation comes into place.
In addition to giving the refresh time, mandatory vacation also fills the skills gap and satisfies the need to have duplication or replication at all levels.
Successive planning is a strategy for creating a new talent to replace leadership or other employees when they are elevated or demoted to another role, fired, retire, die or leave the company. Successive planning assists in creating a talent pipeline of successors that will ensure business continuity with less or no interruption at all when staff changes take place.
Security architecture design is developed to deal with threats and fulfill security-related requirements. Due to the technological advancement and the emergence of new, fast and sophisticated threats, security architecture design must be updated in accordance with the latest trends in cybersecurity. Doing so will require organizational processes or capabilities to review, improve and even retire when they are useless or no longer needed. The following sections elaborate on some critical security processes.
Scheduled reviews are necessary to identify loopholes in security architecture design. The number of reviews in a specific period depends on some factors, such as how quickly the organization’s systems, network and processes are changed, as well as if regulatory requirements are changed.
Continual improvement simply addresses the loopholes in security by changing the outdated processes with the latest ones.
Retirement of processes
Instead of updating the outdated security processes and policies, they may need to be retired due to some reasons. These reasons include the irrelevance of processes with the current security design, the development of new processes or the reluctance of organization to use the process anymore.
Cybersecurity technologies are quickly growing to help analysts protect their internet-connected systems, including hardware and software, from cyberattacks. In a nutshell, these technologies ensure the protection in the face of unauthorized access to data centers and various other computerized systems. The following sections will take a deep dive into some cybersecurity technologies that are required to grasp for the CySA+ exam.
Automated reporting, security appliances and security suites
In previous sections, we saw that a small amount of data can be handled with mere manual reviews. However, in the event of big and complex data, manual reviews are not sufficient to effectively analyze data.
Instead, security practitioners use automated reporting and automated analysis tools, typically found in security appliances and several other security suites. The core features of security appliances and security suites are the collection, analysis, and reporting.
Outsourcing is the act of hiring a third-party vendor, company or individual to handle operations, perform tasks, or offer services (Security-as-a-Service) that are typically done or had previously been completed by the organization’s own workforce.
In response to the ever-growing, fast and sophisticated cyberthreats and attacks, the companies should either beef up their own IT infrastructure or look for outsourcers such as Managed Security Service Providers (MSSPs) — or maybe both. According to analysts, outsourcing cybersecurity is a wise approach. Managing everything internally requires technical skills and staff while outsourcing help to reduce budgets, time and effort.
The cybersecurity skills gap is already widening — nearly 40% of Chief Information Officer (CIO) survey respondents revealed they expect to have difficulty in hiring and retaining cybersecurity job roles, according to the 2018 State of the CIO report from CIO magazine. Under such circumstances, outsourcing is an alternative choice.
Cryptography is the study of secret codes that enable the sender and only the intended recipient of a message/email to view his or her content. Encryption is the widely-used cryptography technique that converts the plaintext into ciphertext before sending it to the intended recipient. Two popular forms of encryption are asymmetric encryption and symmetric encryption. The public and private keys are used for encryption purposes.
Network design and segmentation
Network design model often includes a single firewall, multi-interface firewall and multi-firewall designs. In addition to the security boundaries created by the firewall or other security devices, network segmentation is used either physically or logically to create such boundaries.
Network segmentation prevents segmented systems from being attacked by those who have already been compromised. Moreover, using this approach also helps to achieve the availability factor of the CIA (Confidentiality, Integrity and Availability) by limiting the impact of an attack or issue.