Cybersecurity First Principles - Rick Howard - E-Book

Description

The first expert discussion of the foundations of cybersecurity.

In Cybersecurity First Principles, Rick Howard, the Chief Security Officer, Chief Analyst, and Senior Fellow at The CyberWire, challenges the conventional wisdom of current cybersecurity best practices, strategy, and tactics and makes the case that the profession needs to get back to first principles. The author convincingly lays out the arguments for the absolute cybersecurity first principle and then discusses the strategies and tactics required to achieve it. In the book, you'll explore:

Infosec history from the 1960s until the early 2020s and why it has largely failed

What the infosec community should be trying to achieve instead

The arguments for the absolute and atomic cybersecurity first principle

The strategies and tactics to adopt that will have the greatest impact in pursuing the ultimate first principle

Case studies through a first principle lens of the 2015 OPM hack, the 2016 DNC hack, the 2019 Colonial Pipeline hack, and the Netflix Chaos Monkey resilience program

A top-to-bottom explanation of how to calculate cyber risk for two different kinds of companies

This book is perfect for cybersecurity professionals at all levels: business executives and senior security professionals, mid-level practitioner veterans, newbies coming out of school as well as career changers seeking better career opportunities, teachers, and students.

Page count: 547

Year of publication: 2023


Table of Contents

Cover

Title Page

Who We Are

Foreword

Introduction

Who Is This Book For?

What the Book Covers

Writing Conventions

Road Map

1 First Principles

Overview

What Are First Principles?

What Is the Atomic Cybersecurity First Principle?

Conclusion

Notes

2 Strategies

Overview

Strategies vs. Tactics

What Are the Essential Strategies Required for a First Principle Infosec Program?

Zero Trust Strategy Overview

Intrusion Kill Chain Prevention Strategy Overview

Resilience Strategy Overview

Risk Forecasting Strategy Overview

Automation Strategy Overview

Conclusion

Notes

3 Zero Trust

Overview

The Use Case for Zero Trust: Edward Snowden

Zero Trust: Overhyped in the Market but…

Cyber Hygiene, Defense in Depth, and Perimeter Defense: Zero Trust Before We Had Zero Trust

Zero Trust Is Born

Zero Trust Is a Philosophy, Not a Product

Meat‐and‐Potatoes Zero Trust

Logical and Micro Segmentation

Vulnerability Management: A Zero Trust Tactic

Software Bill of Materials: A Zero Trust Tactic

Identity Management: A Tactic for Zero Trust

Single Sign‐On: A Zero Trust Tactic

Two‐Factor Authentication: A Tactic for Zero Trust

Software‐Defined Perimeter: A Tactic for Zero Trust

Why Zero Trust Projects Fail

Conclusion

Notes

4 Intrusion Kill Chain Prevention

Overview

The Beginnings of a New Idea

The Lockheed Martin Kill Chain Paper

Kill Chain Models

Cyber Threat Intelligence Operations As a Journey

Red/Blue/Purple Team Operations: A Tactic for Intrusion Kill Chain Prevention

Intelligence Sharing: A Tactic for Intrusion Kill Chain Prevention

Conclusion

Notes

5 Resilience

Overview

What Is Resilience?

Crisis Handling: A Tactic for Resilience

Backups: A Tactic for Resilience

Encryption: A Tactic for Resilience

Incident Response: A Tactic for Resilience

Conclusion

Notes

6 Risk Forecasting

Overview

Superforecasting, Fermi Estimates, and Black Swans

Bayes Rule: A Different Way to Think About Cybersecurity Risk

Risk Forecasting with the Bayes Rule: A Practical Example

Conclusion

Notes

7 Automation

Overview

Why Security Automation Is Essential

Early History of Software Development Philosophies

DevSecOps: An Essential Tactic for Automation

Compliance: A First Principle Tactic That Cuts Across All Strategies

Chaos Engineering for Automation and Resilience

Conclusion

Notes

8 Summation

Overview

Zero Trust

Conclusion

Index

Copyright

Dedication

About the Authors

About the Technical Editors

Acknowledgments

End User License Agreement

List of Illustrations

Introduction

Figure 1 Cybersecurity first principles road map

Chapter 3

Figure 3.1 An example of a Gartner Hype Chart

Figure 3.2 Single sign‐on via OAuth

Figure 3.3 Single sign‐on via SAML

Figure 3.4 Two‐factor authentication tools on the road to Nirvana

Figure 3.5 Comparison: external actor access methods

Figure 3.6 NIST logical components of zero trust architecture

Chapter 4

Figure 4.1 Phased progressions from the original 2010 paper

Figure 4.2 The unusual suspects: cyber motivations, modified and updated fro...

Figure 4.3 The original Diamond model from the 2011 paper

Figure 4.4 The Diamond model superimposed on the Kill Chain model

Figure 4.5 Comparison: SASE, perimeter defense, SSE

Figure 4.6 2004 version of the U.S. Army's intelligence process

Figure 4.7 Example: CIR into many PIRS

Figure 4.8 Example: one PIR into smaller IRs

Chapter 5

Figure 5.1 Continuity plan relationships

Figure 5.2 Linear responsibility charting examples

Figure 5.3 RACI chart for a Middle Earth fellowship to destroy the one ring1...

Figure 5.4 Incident response life cycle

Figure 5.5 Framework core structure

Chapter 6

Figure 6.1 A typical qualitative heat map

Figure 6.2 Math Problem 1: generic outside‐in Fermi estimate

Figure 6.3 Bayes' rule

Figure 6.4 How the Enigma machine worked

Figure 6.5 Math problem 2: the IC3 estimate of U.S. complaints that should h...

Figure 6.6 Math problem 3: the IC3 estimate of U.S. unreported material comp...

Figure 6.7 Math problem 4: the estimated total number of material complaints...

Figure 6.8 Math problem 5: the first prior that any officially recognized or...

Figure 6.9 Example loss exceedance curve

Figure 6.10 Math problem 6: the Contoso Corporation's next prior using insid...

Cybersecurity First Principles

A Reboot of Strategy and Tactics

Presented by

Rick Howard

WHO WE ARE

I didn't want to write a book, even a short one like this, that would leave me feeling like either a literary gasbag or a transcendental asshole. There are enough of those books—and those writers—on the market already, thanks.

—Stephen King, author

Foreword

During my career, I have had the privilege of working as the CEO with some exceptional teams in two great companies, VeriSign and Palo Alto Networks. In some cases, I had the distinct pleasure and good fortune to work with the same people in both companies, Rick Howard being one of them and a standout in both. Back when VeriSign was a significant security player in addition to a leading Internet infrastructure provider, Rick ran a business for me called iDefense. It was in this role that I first got to see Rick at work as a security practitioner, evangelist, leader, and storyteller, which is a rare combination in any discipline, let alone security. I was very fortunate to benefit from Rick's expertise, advice, and his ability to explain very complicated issues in a down‐to‐earth and understandable way. Rick has a way of seeing the big picture while never losing sight of the tyranny of the urgent that plagues cybersecurity professionals. Turns out that is a very helpful and valuable skill set in an industry that moves at extremely high speed and where the bad actors are on the bleeding edge. So, it may be no surprise that when I joined the Palo Alto Networks team in 2011, I was soon trying to recruit Rick to the team as our first CSO. Despite being a pretty small company at the time and my inability to give him a solid job description of the CSO role, Rick joined us on our vision and mission of protecting our digital way of life. He quickly became an integral part of the team and was in high demand with our customers, prospects, and the industry at large. Along the way, he was instrumental in the formation and success of some bedrock organizations like Unit 42 (the company's first public‐facing cyber intelligence team), the Cyber Threat Alliance, the first security vendor ISAO, the CyberSecurity Canon Project, and the Joint Service Academy Cyber Summit.
Through that journey, Rick demonstrated his amazing ability to summarize all of cybersecurity history, make that history relevant to you now, and give counsel and advice on what the future likely holds. With that kind of ability and passion, it is natural that Rick currently is the CSO, senior fellow, and chief analyst at The CyberWire, and that his writings and podcasts are incredibly popular and eagerly anticipated. I often tell individuals just starting in cyber that if they want to understand what is going on, go listen to Rick. And, when people write books like The Perfect Weapon and This Is How They Tell Me The World Ends, they call the likes of Rick first. Rick's new book, Cybersecurity First Principles, is chock full of wisdom, experience, relevant advice, and, above all, the importance of first principles in cyber. I'm sure you will enjoy it and find it valuable reading. And, make sure to check out all of Rick's podcasts at CyberWire. They are all great listening. But if you listen to only one, make it “A CSO's 9/11 Story: CSO Perspective.” This one will tell you all you need to know about Rick personally. Back at our common alma mater, West Point, they say the leaders are the ones who run to the sound of the shooting, not away. Rick is that leader.

Happy Reading,

Mark McLaughlin

Former President, CEO, and Chairman of the Board, Palo Alto Networks

Vice Chairman of the Board, Palo Alto Networks

Chairman of the Board, Qualcomm, Inc.

Member and former Chairman, U.S. National Security Telecommunications Advisory Council

INTRODUCTION

Map out your future—but do it in pencil. The road ahead is as long as you make it. Make it worth the trip.

—Jon Bon Jovi, American singer, songwriter, guitarist, and actor

Who Is This Book For?

This book is about rethinking cybersecurity from the ground up using the idea of first principles. I will explain what I mean by that in Chapter 3, “Zero Trust,” but at a high level it's a list of fundamental truths that serves as the foundation for building your cybersecurity program. My intention in writing the book was to reach a broad swath of security practitioners in three groups.

The first group consists of security executives. These are my peers, colleagues, and the people who work for them in the cybersecurity industry supporting the commercial sector, government circles (both policy and technical), and academia. With this first principles notion, my intent is to challenge how these network defender veterans think about cybersecurity. I am going to suggest that for the past 25 years, we've all been doing it wrong and that a reexamination of first principles will guide us back to the right path and will help us disrupt our current thinking to pursue defensive postures that have a higher probability of success.

The second group consists of the newbies coming into the field. These would be young and fresh‐faced college graduates, government civil servants transitioning into the commercial sector, and career changers who are tired of what they have been doing and look to cybersecurity to be more interesting and lucrative. I am going to give this group a foundational framework based on first principles to build their knowledge, including the first principle historic background so that they can understand the current state of the cybersecurity landscape and an idea of where we all might be heading in the near future.

The last group consists of teachers and students at the elementary through graduate levels. Within the cybersecurity discipline there exist numerous, valuable, and fascinating byways of study that many students and educators feel are only loosely connected and, because of the sheer volume, quickly become overwhelming. First principles provide a framework for that curriculum. I will lay out how to tie everything back to cybersecurity first principles, which will allow teachers and students to chart a course through the volume of material they need to get through.

Note also that there are typically three kinds of organizations that network defenders work for: commercial, government, and academia. I can make an argument that there are two different categories of government network defenders too: traditional defense (like their commercial and academic peers) and offensive cyber operations for espionage and continuous low-level cyber conflict (cyber warfare purposes). I will discuss the former and not the latter.

Lastly, since the early Internet days, organizations typically fall across a network defense spectrum between the haves and the have‐nots, and where they fit within that range normally depends on how big the organization is (though not always). On the have‐not side are organizations that are small (like startups and city/county governments) and barely have enough resources to keep the lights on. On the have side are typically large organizations (like Fortune 500 firms) that have more resources than they know what to do with. I will cover first principle strategies and tactics that any infosec program should consider regardless of size. Fully deploying all of these strategies and concepts would be expensive, something reserved for the have side of the spectrum. That said, these ideas are not checklists. They represent ways to reduce the probability of material impact. Depending on your environment, some will work better than others. Where possible, especially for the have‐nots, I highlight how you can pursue these ideas on a shoestring budget.

What the Book Covers

First principles in a designated problem space are so fundamental as to be self‐evident; so elementary that no expert in the field can argue against them; so crucial to our understanding that without them, the infrastructure that holds our accepted best practice disintegrates like sandcastles against the watery tide. They are atomic. Experts use them like building blocks to derive everything else that is known in the problem domain. All new knowledge gained in the problem domain is dependent on our previously developed first principles. That means there is an absolute first principle, the principle that starts everything.

The Internet started to become useful to academia, government, and the commercial sector sometime in the early 1990s. As it did so, cyber bad guys discovered that the Internet might be valuable for their chosen activity too: crime, espionage, hacktivism, warfare, and influence operations. Organizations began hiring people like me, network defenders, to prevent these “black hats” from being disruptive. In the early days, the network defender community made a lot of assumptions about how to do that. Twenty‐five years later, many of those best practices turned out not to be first principles at all; mostly they were first and best guesses. Twenty‐five years later, it's time to reset our thinking and determine what our baseline cybersecurity first principles are and what the ultimate cybersecurity first principle is.

I make the case for the atomic cybersecurity first principle, explain the strategies necessary to achieve it, and consider the required tactics, techniques, and procedures for each.

Writing Conventions

Here are a few conventions I use in the book to aid in your understanding.

Cybersecurity

I use the term cybersecurity as a catchall for the work that practitioners do. Over the years, the community has adopted many synonyms that have the same meaning. Here are just a few:

Digital security

IT security

Information technology (IT) security

Information security (infosec)

For my purposes, they all refer to the same thing and I use them interchangeably.

Cybersecurity Professionals

The same goes for the phrases we all use when we describe each other.

Infosec practitioners

Network defenders

Security practitioners

Security professionals

For my purposes, I also use them interchangeably.

Organizations

There are generally three types of organizations that invest in the cybersecurity people‐process‐technology triad: commercial companies, government organizations, and academia. Where I refer to one of the three, assume that I am talking about all of them. When I'm not, I will call it out explicitly.

The Cybersecurity Canon Project

The Canon project (cybersecuritycanon.com) is a security professional community effort to identify all the books that cybersecurity professionals should read. I founded the project in 2013, and at the time of this writing, it is sponsored by Ohio State University. I refer to many Hall of Fame and Candidate books that the reader might find useful. On the web page, readers will find book reviews of those books and many others.

Rick's War Stories

I've been working in the cybersecurity industry for more than 30 years. Along the way, I have had experiences that some readers might like to hear about. I call them war stories. Many are only loosely connected to the topic at hand, and some may have no connection at all (I just liked them). I've retold some of them here. That said, I realize that some readers might want to just read the meat of the book (like one of my editors, Steve Winterfeld, who just wants to skip over the war stories). I have color-coded the text of my war stories differently (in gray), like this section, to make it easier for the readers who stand with Steve.

Book Website

While doing the background research, I created supplemental materials that helped me organize my thought process. They include the following:

Agile Manifesto

Bayes Success Stories (summarized from Sharon McGrayne's book, The Theory That Would Not Die)

Chaos Engineering Historical Timeline

Referenced Cybersecurity Canon Hall of Fame Books

Cybersecurity Historical Timeline

Cybersecurity Intelligence Historical Timeline

Encryption Historical Timeline

Equifax Hack Timeline

Identity and Authentication Historical Timeline

Kindervag's Nine Rules of Zero Trust

Red Team, Blue Team Historical Timeline

RSA Security Hack Timeline

SDP (Software Defined Perimeter) Historical Timeline

Research Summary on Why Heat Maps Are Poor Vehicles for Conveying Risk

You don’t need these materials to understand my main thesis, but some of them might be useful or at least interesting.

For more information, please visit thecyberwire.com/CybersecurityFirstPrinciplesBook.

Road Map

I cover a lot of material. If you find yourself getting lost in the blizzard of ideas and can’t remember where you are in relation to the overall thesis, refer to Figure 1. Read it from the bottom up. The first box is the foundation and absolute cybersecurity first principle (see Chapter 2). The next two rows are the follow‐on first‐principle strategies that you might use to pursue the ultimate first principle: zero trust (Chapter 4), intrusion kill chain prevention (Chapter 5), resilience (Chapter 6), risk forecasting (Chapter 7), and automation (Chapter 8). The remaining boxes are the tactics you might use to pursue each strategy. They show up as sections within the chapters. The gray lines show the connections between the strategies and the tactics. Note that the automation strategy and compliance tactic cut across everything. Chapter 8 tells you why.

Figure 1 Cybersecurity first principles road map