CYBERFLIP Approach
CYBERFLIP Approach is a Security Governance framework designed to enhance an Organization's Cyber Resilience in an efficient and cost-effective manner. It is based on a reverse approach to the NIST Cybersecurity Framework.
Drafted by the US National Institute of Standards and Technology (NIST), the NIST Cybersecurity Framework (CSF) is a full set of best practices and standards through which an Organization can design its Cybersecurity Program. The CSF categorizes the Cybersecurity Functions into 5 categories (Identify, Protect, Detect, Respond, Recover), which traditionally are followed sequentially by the Organizations adopting the framework.

Due to the exponential increase of Cybersecurity incidents during the last decade, we consider that it is a matter of 'when', not 'if', a breach will occur. Thus, we assume breach and follow a reverse ('flipped') approach by prioritizing the design of the Recovery Capability, which includes all processes that an Organization should have in place in order to minimize an incident's impact.

Specifically:
Step 1 – Identify the Organization's Crown Jewels throughout the business value chain.
Step 2 – Build the Recovery capability by focusing on how the Organization would minimize the impact of an incident on its critical assets and resources.
Step 3 – Enhance the Response capability and the level of readiness through established Business Continuity and Incident Management processes, including industry-tailored Incident Response Playbooks.
Step 4 – Utilize the Zero Trust concept to design and build the controls needed to Detect potential threats in a timely manner and reduce the occurrence of incidents.
Step 5 – Utilize the Zero Trust concept to design and build the Protect Capability, through which the Organization further minimizes its overall cybersecurity risk.
Zero Trust is an architecture approach based on the principle of "never trust, always verify". It helps
to prevent security compromises by eliminating the concept of implicit trust from an Organization's internal
network and treating that network as insecure or already breached. Security focus is shifted from the 'Perimeter' to the
'Actions' of a specific 'Identity' from and over specific 'Resources' (i.e. all data sources and
computing services).
The necessity of the Zero Trust approach is more important than ever, considering that we live and work in
an inter-connected world where adversaries discover new advanced methods of breaching Organizations on a daily
basis. Furthermore, appropriate adoption of Zero Trust facilitates the Organization's digital
transformation journey, since apart from security it adds flexibility to integration between different
parties (external systems or contractors, regardless of location).
Traditional approach versus Zero Trust (figure: Traditional Network Security Architecture compared with Zero Trust Architecture).
The Zero Trust Security approach ensures that the right people have the appropriate level of access to
the needed resources, in the right context, while that access is assessed continuously and
transparently to the user.
Specifically, Trust is continuously assessed through controls based on the following concepts:
1. User authentication through advanced methods beyond username/password: to ensure that an
attacker cannot utilize stolen/breached user credentials.
2. User authorization based on activity context: to ensure that even a breached account
will be detected due to abnormal activities (e.g. the first connection from another country or outside
working hours).
3. Device authorization based on a security baseline: to ensure that an insecure device will not
connect to corporate resources. Applicable to all devices, corporate and personal.
4. All communications are secured regardless of the network.
5. All data are secured according to their criticality, regardless of the network and the storage
location.
6. Network microsegmentation and least-privileged user access are utilized to ensure that an
attacker who has successfully breached the internal corporate network cannot perform lateral movement and can be easily detected.
7. The aforementioned are reviewed and enforced on a continuous basis through respective policies designed to facilitate business and enhance security.
Scenario 1: An employee typically logs in to the Company's systems on weekdays from her home and
occasionally on weekends from a coffee shop. Last Saturday night, a successful login with her username and
password was performed from the USA.
Traditional approach: Would most likely allow the connection, since the basic control would be the
user's credentials over the Company's VPN.
Zero Trust approach: Since access is validated against additional contextual criteria (e.g. login
from a new country for this specific user), it recognizes the inconsistency, automatically denies the
access request and raises an alert. Automated response capabilities could be triggered to temporarily
disable the user's account, given the likelihood that its credentials have been compromised.
Scenario 2: The Finance Department needs to access the ERP application.
Traditional approach: Access from the internal network would be granted following the provision of the
user's credentials. Access from an external network would be granted with a combination of the user's credentials
and VPN/certificate.
Zero Trust approach: Network devices should ensure that traffic going to the ERP comes from a
secure device belonging to someone in the Finance Department.
The authentication solution should validate that authenticated users are from the Finance Department. If
the user is authenticating from a new device, the user should provide a one-time password sent to a
known device, while the new device should meet the minimum compliance criteria set by the Organization
(e.g. updated OS, data-at-rest encryption, endpoint protection, etc.).
The aforementioned are continually evaluated for every interaction as the context changes, including device,
location, network and identity data.
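The following policy-decision sketch, added here as an illustration and not code from CYBERFLIP or any product, models both scenarios above: valid credentials are only the starting point, and country, department and device posture are re-checked on every request. The user profiles, resource policy and field names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed user baselines and resource policy for the two scenarios (not real data).
USER_PROFILES = {
    "alice": {"department": "Finance", "countries": {"GR"}, "devices": {"laptop-01"}},
    "bob": {"department": "Marketing", "countries": {"GR"}, "devices": {"laptop-02"}},
}
RESOURCE_POLICY = {"ERP": {"department": "Finance"}}  # ERP is restricted to Finance

@dataclass
class AccessRequest:
    user: str
    resource: str
    country: str
    device_id: str
    device_compliant: bool  # outcome of the endpoint baseline check (patched OS, encryption, EDR)
    creds_valid: bool       # username/password (plus VPN in the traditional model) already verified

@dataclass
class Decision:
    action: str                      # "allow", "deny" or "step_up" (OTP to a known device)
    alerts: list = field(default_factory=list)

def traditional_evaluate(req: AccessRequest) -> Decision:
    """Perimeter model: valid credentials over the VPN are enough, context is not examined."""
    return Decision("allow" if req.creds_valid else "deny")

def zero_trust_evaluate(req: AccessRequest) -> Decision:
    """Zero Trust model: identity, context and device posture are re-checked on every request."""
    profile = USER_PROFILES.get(req.user)
    if profile is None or not req.creds_valid:
        return Decision("deny", ["unknown user or invalid credentials"])
    # Scenario 1: valid credentials, but a country never seen for this identity.
    if req.country not in profile["countries"]:
        return Decision("deny", [f"new country {req.country} for {req.user}",
                                 "suspend account pending review"])
    # Scenario 2: the resource is restricted to one department.
    required = RESOURCE_POLICY.get(req.resource, {}).get("department")
    if required and profile["department"] != required:
        return Decision("deny", [f"{req.user} is not in {required}"])
    # Device must meet the compliance baseline, corporate or personal alike.
    if not req.device_compliant:
        return Decision("deny", [f"device {req.device_id} fails compliance baseline"])
    # A compliant but never-seen device gets step-up authentication to a known device.
    if req.device_id not in profile["devices"]:
        return Decision("step_up", [f"new device {req.device_id}; OTP sent to known device"])
    return Decision("allow")
```

The same Saturday-night login from the USA is allowed by `traditional_evaluate` and denied with an alert by `zero_trust_evaluate`, which is the difference the two scenarios describe.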
Through the CYBERFLIP framework and its reverse approach, we focus on minimizing the impact of potential incidents by prioritizing the development of the Business Recovery capability, instead of waiting for the full Security Framework to be implemented.