“The emerging threat today is the advanced persistent threat.”
-Dr. Kenneth Brancik, Northrop Grumman
Enterprise Security Architecture (ESA) is an elusive topic for many organizations, with only a minimal level of guidance in terms of sound industry practice and best practices. At the October IT Security Forum, Dr. Brancik discussed an on-going project he has been involved in to put a science behind the topic of ESA.
Dr. Brancik is an INFOSEC luminary who has worked over the past quarter of a century within the Information Assurance space evaluating integrated Governance, Risk Management and Compliance (iGRC) activities for both the public and private sectors. Additionally, he has spent a number of years conducting technical IT infrastructure and application audits and examinations within the Federal Government and the private sector.
The following is an excerpt from the IMF Report on Dr. Brancik’s presentation, “Enterprise Security Architecture”.
Enterprise Security Architecture
There is currently no Cyber Security Architecture MetaModel (CSM) which aligns ESA lifecycle requirements with industry EA methodologies and the various operational risk models and frameworks. Enterprise architecture frameworks do exist, including TOGAF (The Open Group Architecture Framework), DoDAF (Department of Defense Architecture Framework) and MODAF (Ministry of Defence Architecture Framework), but there is nothing for security architecture except SABSA (Sherwood Applied Business Security Architecture). It is the de facto security training standard and is very focused on ensuring that the security architecture fits within the business operations and activities.
In the meta-model that I want to create, there will be the enterprise frameworks with the overall IT infrastructure components, as well as a tier-2 layer, which would include user requirements, and a design layer below those involving business operational processes and the assets that have been identified. The next layer includes technology enablers: the products that will help implement the layered defenses.
CSM integration should be incorporated into industry standards covering security and EA methodologies and the various operational risk guidelines, frameworks, and models. At a minimum, an effective CSM should evaluate the key risk areas to address: threat modeling assessments evaluate the probability and likelihood of the various external, insider, and advanced persistent threat (APT) vectors impacting an enterprise, and the layered defenses needed to mitigate those risks.

Internal threats are one of the more elusive and insidious components of the threat landscape and represent a national security concern given their implications for all sectors of the critical infrastructure. There is minimal credible data available in the public domain on this significant threat component. Consequently, the threat modeling process has long overlooked this significant component of the equation and has left many organizations exposed to this threat. Some examples of internal threats include unauthorized system access, inappropriate use of confidential corporate data stored on a computer, computer data manipulation, ease of access into a computer system, software code manipulation, misuse of a system’s capabilities, inadequate network journaling for forensic purposes, illegal data transactions, and loss of IPR.

External attacks are the most commonly documented of the three categories. Their patterns have been memorialized primarily within MITRE’s Common Attack Pattern Enumeration and Classification (CAPEC) repository and other data sources. Some high-level external attack sources include: bot-network operators, criminal groups, foreign intelligence services, hackers, phishers, spammers, spyware and malware authors, and terrorists.