Crown Jewel Cyber Electra

HOW TO LEVERAGE NIST CYBERSECURITY FRAMEWORK TO SECURE DIGITAL CROWN JEWEL ASSETS

 

 

 

 

Ayhan Tek

VP, Information Security

Cyber Electra

Digital Crown Jewel Assets (DCJA) are digital assets (data, application, system etc.) that if compromised or lost would result in a high financial, operational, or reputational risk which might be beyond the organization’s risk appetite. Almost all organizations with digital footprint have digital crown jewel assets such as Identity Access Management Systems, mission critical applications, core infrastructure assets, databases, payment processor systems etc. 

Not all assets are created equal! Therefore, DCJA should be protected more carefully from creation to disposal. To protect the DCJA, people-process-technology supported layered security approach is needed with adequate controls around identify, protect, detect, respond, and recover pillars. 

People: A core DCJA team is defined. Core DCJA team is composed of representation from each line of business, enterprise architecture, information security, and audit teams.

Process: Necessary process and procedures for each pillar are defined and documented.

Technology: Existing technologies that support each pillar are identified and implemented.

 

Identify:

You cannot protect something that you don’t know. The goal is to identify DCJ that your organization owns, identify governance around them and document associated threat and risk for the DCJA.

 

People:

Core DCJA team + Security consultancy team

Identifying DCJA is a daunting task where disparate stakeholders must work in harmony. Most organizations’ DCJA assessment fails at this point due to lack of communication, consideration and care from stakeholders. For this reason, we recommend getting help from a trusted cyber security consultancy company (I highly recommend Cyber Electra because, well, I work there) that build bridges between disparate stakeholders by enabling them to work together.

 

Process:

1. Define what DCJA means to the organization. Identification of DCJ can be done by determining confidentiality, integrity and availability of DCJA as well as regulations around the asset protection.

2. Define DCJA attributes that will be collected and inventoried. Attributes may include name of DCJ asset, owner of the asset, information classification, asset value. We recommend using ISO-19770 to define the attributes.

3. Develop an asset management policy and standard with roles and responsibilities.

4. Develop current state architecture artifacts for the DCJA.

5. Perform threat modeling to identify threat and risks associated with each crown jewel. 

6. Conduct vulnerability scans to identify defects for each DCJA.

 

Technology:

1. Asset discovery and inventory technologies

2. Threat Modeling Technologies

3. Risk Management Technologies

4. Vulnerability Management Technologies

 

Protect:

The goal is to implement people-process-technology related protective controls for each DCJA.

 

People: 

Core DCJA team + legal, procurement, and HR teams

 

Process:

1. Document business use cases, and governance aspects of (access, ownership, maintenance, business continuity, etc.) of the DCJA.

2. Develop target state architecture for DCJA

3. Develop protective security controls by considering abuse cases and threat modeling results.

4. Document protection process and procedures that include:  Identity Management and Access Control, awareness and training, data security, maintenance, and Protective Technology 

5. Define and document roles and responsibilities around protection process and technologies.

6. Document how the audit activities will be performed to ensure controls are working effectively.

7. Develop legal verbiage in external and internal contracts with vendors, providers, suppliers and employees around the protection of DCJA.

 

Technology:

Identify whether there are any technology gaps around protective technologies and acquire them to protect DCJA. Pay special attention to the following technologies:

1. Automated cryptography, key management, and tokenization tools

2. Strong Authentication and Privileged Identity Access Management tools

3. Network security, application security, database security

4. Micro-segmentation technologies

5. Automated patch management technologies

6. Endpoint protection technologies

 

Detect:

The goal is to implement people-process-technology related controls to detect the occurrence of a cybersecurity event in a timely manner.

 

People:

DCJA team + Operation Support Teams (SOC, server, and endpoint maintenance teams, etc.)

 

Process:

1. Define and document roles and responsibilities to detect and communicate security events 

2. Document current detection process and procedures including anomalies and events that will be investigated and continuous monitoring activities

3. Develop detection controls and reporting capabilities

 

Technology:

Identify whether there are any technology gaps around detective technologies and acquire them to protect DCJA. Pay special attention to the following technologies: Security Information Event Management (SIEM), Entity and User Behaviour Analysis (EUBA), Deception Technologies.

 

Respond:

The goal is to implement people-process-technology related controls to take appropriate action regarding a detected cybersecurity incident. Adequate people-process-technology should be in place to contain the impact of a potential cybersecurity incident.

People:

DCJA team + Incident Response Teams

 

Process:

1. Define and document roles and responsibilities to respond to the incidents

2. Document current incident response plan, process, and procedures

3. Develop incident response controls and reporting capabilities

 

Technology:

Incident Response Technologies, Threat Intelligence Technologies

 

Recover:

The goal is to develop and implement appropriate resilience and restore capabilities so that your organization can recover to normal operations as soon as possible from a cybersecurity incident. 

People:

DCJA team + Business Continuity and Disaster Recovery Team

 

Process:

1. Define and document roles and responsibilities to recover from incidents

2. Document Business Continuity and Disaster Recovery Plan for DCJA

Technology:

Business Continuity and Disaster Recovery Technologies