About this book

Enterprise Cybersecurity empowers organizations of all sizes to defend themselves with next-generation cybersecurity programs against the escalating threat of modern targeted cyberattacks. This book presents a comprehensive framework for managing all aspects of an enterprise cybersecurity program. It enables an enterprise to architect, design, implement, and operate a coherent cybersecurity program that is seamlessly coordinated with policy, programmatics, IT life cycle, and assessment.

Fail-safe cyberdefense is a pipe dream. Given sufficient time, an intelligent attacker can eventually defeat defensive measures protecting an enterprise’s computer systems and IT networks.

To prevail, an enterprise cybersecurity program must manage risk by detecting attacks early enough and delaying them long enough that the defenders have time to respond effectively. Enterprise Cybersecurity shows players at all levels of responsibility how to unify their organization’s people, budgets, technologies, and processes into a cost-efficient cybersecurity program capable of countering advanced cyberattacks and containing damage in the event of a breach.

The authors of Enterprise Cybersecurity explain at both strategic and tactical levels how to accomplish the mission of leading, designing, deploying, operating, managing, and supporting cybersecurity capabilities in an enterprise environment. The authors are recognized experts and thought leaders in this rapidly evolving field, drawing on decades of collective experience in cybersecurity and IT. In capacities ranging from executive strategist to systems architect to cybercombatant, Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, and Abdul Aslam have fought on the front lines of cybersecurity against advanced persistent threats to government, military, and business entities.

Table of Contents

The Cybersecurity Challenge

Frontmatter

Chapter 1. Defining the Cybersecurity Challenge

Abstract
It appears that lately cybersecurity is in trouble, or at least going through a difficult time. If you are reading this book, you are one of the people trying to make cybersecurity work despite daunting challenges and information technology (IT) environments seemingly ill-suited to facing those challenges. The authors share your concerns.
Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, Abdul Aslam

Chapter 2. Meeting the Cybersecurity Challenge

Abstract
Chapter 1 discussed the challenges facing today's cyberdefenders. So how does an enterprise successfully defend itself against cyberattackers? This chapter will discuss the challenges in building an effective cyberdefense, some of the major approaches that are currently available for addressing those challenges, and some of the difficulties with those approaches. Finally, it will introduce a technique for dealing with those challenges.
Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, Abdul Aslam

A New Enterprise Cybersecurity Architecture

Frontmatter

Chapter 3. Enterprise Cybersecurity Architecture

Abstract
This chapter describes the enterprise cybersecurity architecture in more detail.
Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, Abdul Aslam

Chapter 4. Implementing Enterprise Cybersecurity

Abstract
This chapter describes how to implement an enterprise cybersecurity program. It discusses how to:
Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, Abdul Aslam

Chapter 5. Operating Enterprise Cybersecurity

Abstract
This chapter examines the operational processes for enterprise cybersecurity. There are 17 major operational processes and 14 major information systems that support cybersecurity operations. This chapter explains how they all work together to operate an effective cybersecurity program. Additional detail on the operational processes and supporting information systems is in Appendix E.
Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, Abdul Aslam

Chapter 6. Enterprise Cybersecurity and the Cloud

Abstract
Cloud is one of the major IT trends today, and it is transforming the way businesses everywhere approach building IT solutions. Rather than hiring technical staff to build data centers and configure servers, businesses are outsourcing these functions "to the cloud" and simply procuring applications, platforms, and computing capacity from mega-providers who operate them for hundreds or even thousands of other customers. Cloud enables new levels of business agility by giving a small startup access to computing and application capabilities that would have been described as "supercomputing" only a few years ago.
Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, Abdul Aslam

Chapter 7. Enterprise Cybersecurity for Mobile and BYOD

Abstract
Mobile devices and bring-your-own-devices (BYODs) are major trends impacting how enterprises think about their own IT. Thanks to rapid developments in computing power and power consumption, a supercomputer from the 1970s fits into our pockets. With multi-processing, graphical user interface, and gigabytes of memory all at our fingertips, 24 hours a day, the face of IT is changing almost daily. These devices come in all shapes and sizes, including notebooks, tablets, sub-notebooks, "phablets," music players, and, of course, cellular phones.
Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, Abdul Aslam

The Art of Cyberdefense

Frontmatter

Chapter 8. Building an Effective Defense

Abstract
The cybersecurity architecture described in this book has been developed to be an excellent framework for running an enterprise cybersecurity program. However, a good framework alone is not going to stop cyberattackers who are targeting an enterprise and attempting to defeat its cyberdefenses. Well-organized cybersecurity capabilities are not going to protect an enterprise from advanced attacks alone. To be effective, those capabilities have to be applied in ways that disrupt, detect, delay, and defeat targeted cyberattacks.
Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, Abdul Aslam

Chapter 9. Responding to Incidents

Abstract
Some cyberattackers penetrate enterprise cyberdefenses no matter how well the defenses are designed, implemented, and maintained. Responding to these incidents (in other words, incident response) and the related costs are facts of life in the modern cyberenvironment. An enterprise often accepts a number of minor cyberincidents provided those incidents are contained. Enterprise endpoints and servers are destined to be compromised. It benefits the enterprise to embrace this reality and simply deal with these compromised systems as quickly and as cheaply as possible.
Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, Abdul Aslam

Chapter 10. Managing a Cybersecurity Crisis

Abstract
When does a cybersecurity incident become a crisis? Generally, when it has enterprisewide impact or when it requires activation of disaster recovery plans, it's a crisis. It's when a single compromised server becomes ten compromised servers, then a hundred, and pretty soon the entire data center is infected, damaged, or worse. Over the past several years, there have been several public instances of massive IT crises, including Saudi Aramco in 2012 and Sony Pictures Entertainment in 2014. Smaller incidents occur every day, outside of the public eye. This chapter describes how things change when a crisis occurs and how enterprises behave under the duress of a crisis situation. The chapter also describes techniques for restoring IT during a crisis while simultaneously strengthening cybersecurity to protect against an active attacker who may hit your enterprise again at any moment.
Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, Abdul Aslam

Enterprise Cyberdefense Assessment

Frontmatter

Chapter 11. Assessing Enterprise Cybersecurity

Abstract
This chapter discusses several things related to assessing an enterprise cybersecurity program. First, it discusses the audit process and how auditing is used to evaluate enterprise cybersecurity. Second, it discusses how audits can and should be used to drive the cybersecurity control design process. Third, it describes how enterprise cybersecurity can be systematically evaluated using four different levels of assessment detail. Finally, it describes deficiency tracking, which is an integral component of any formal auditing or assessment process.
Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, Abdul Aslam

Chapter 12. Measuring a Cybersecurity Program

Abstract
Measurement for measurement’s sake is a waste of time and money. It is not unusual for people to measure things simply because somebody—some edict or some policy—stipulates that things should be measured. Yes, measurement certainly has a role to play in making successful cybersecurity happen. But unless this role is thought through, measurement can degenerate into a meaningless exercise. This chapter describes a measurement approach that can help an enterprise assess the effectiveness of its cybersecurity program.
Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, Abdul Aslam

Chapter 13. Mapping Against Cybersecurity Frameworks

Abstract
While designing an effective enterprise cybersecurity architecture is an admirable goal in and of itself, no architecture lives in a vacuum, and being able to map to other cybersecurity frameworks is an important part of ensuring that the enterprise’s cybersecurity program is complete and of demonstrating that completeness to outside observers. This chapter details how an enterprise cybersecurity program can be mapped against other cybersecurity frameworks, some of which were introduced in Chapter 2. There are three main reasons for mapping an enterprise cybersecurity program against other frameworks:
Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, Abdul Aslam

Enterprise Cybersecurity Program

Frontmatter

Chapter 14. Managing an Enterprise Cybersecurity Program

Abstract
Once the enterprise has its cybersecurity controls and capabilities, and can quantitatively assess its cybersecurity posture and operate its cybersecurity processes, it is time to engage with the business at a programmatic level and operate a comprehensive cybersecurity program. This chapter describes how the enterprise can use iterative assessments and prioritization to select, plan, resource, and execute progressive improvements to its cybersecurity posture. This cybersecurity program utilizes all of the management tools described in this book, including: (1) a framework for managing a cybersecurity program, (2) a quantitative method for assessing the program and identifying strengths and weaknesses, and (3) ongoing operations and cycles of improvements.
Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, Abdul Aslam

Chapter 15. Looking to the Future

Abstract
This book describes a pragmatic framework for managing a comprehensive enterprise cybersecurity program. This architecture uses 11 functional areas to organize all aspects of an enterprise’s cybersecurity, including policy, programmatics, IT life cycle and assessment. While this framework may provide a successful cyberdefense today, attackers and defenders are not standing still. Cybersecurity challenges and technologies continue to evolve quickly. How will this book’s framework hold up over time? Only time will tell. This concluding chapter examines how the authors expect that this book’s enterprise cybersecurity architecture may evolve over time.
Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, Abdul Aslam

Appendices

Frontmatter

Appendix A. Common Cyberattacks

Abstract
When people talk about cyberattacks, they generally think about the solitary hacker, penetrating computers in far-away countries and stealing data, changing records, or doing other dastardly deeds. In reality, there is a veritable smorgasbord of cyberattacks out there that use various techniques to get into the enterprise, maintain a presence, and move around within the enterprise to accomplish the attackers’ objectives.
Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, Abdul Aslam

Appendix B. Cybersecurity Frameworks

Abstract
Many cybersecurity frameworks have been established over the past two decades and are in common use today. It is interesting to place these frameworks side by side and observe quite clearly how all of them are simply slicing and dicing the cybersecurity pie in different ways. This appendix provides an introductory overview of the following major cybersecurity frameworks that an enterprise may need to comply with or assess against:
Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, Abdul Aslam

Appendix C. Enterprise Cybersecurity Capabilities

Abstract
This appendix describes 113 of the major enterprise cybersecurity capabilities that should be considered in an enterprise cybersecurity program. While hardly an exhaustive list, the authors believe this list reflects the most important capabilities available at the time of writing. These capabilities are organized into 11 functional areas to make them easier to track, manage, and delegate. As new capabilities emerge and become important, they can be added to this list or incorporated into enterprises' own enterprise cybersecurity architectures. These capabilities are outlined in Figure C-1 below and on the next page.
Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, Abdul Aslam

Appendix D. Sample Cybersecurity Policy

Abstract
A successful enterprise cybersecurity program begins with policy that is unambiguous, well organized, well maintained, and that balances the enterprise's security needs against its business priorities. It is important to organize this policy so that it is easy to write, understand, and maintain over time. Cybersecurity policy establishes the foundation upon which the enterprise’s cybersecurity program is built, and represents a contract between the enterprise’s cybersecurity practice and the business. Through cybersecurity policy, the business and cybersecurity agree on the ways and extents to which cybersecurity will be used in the business to practically implement and enforce protections of intellectual property and information system assets.
Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, Abdul Aslam

Appendix E. Cybersecurity Operational Processes

Abstract
To maintain an effective cybersecurity posture, the Chief Information Security Officer (CISO) maintains a number of enterprise operational processes to include the following:
Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, Abdul Aslam

Appendix F. Object Measurement

Abstract
An enterprise wants to protect itself from cybersecurity attacks that are constantly morphing. Consequently, successful enterprise cybersecurity is a continual improvement exercise designed to address the evolving cyberthreats. Measurement is a means for effecting this improvement.
Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, Abdul Aslam

Appendix G. Cybersecurity Capability Value Scales

Abstract
This appendix provides an example set of object measurement value scale definitions for 113 enterprise cybersecurity capabilities grouped by functional area. Value scales help associate an enterprise's vocabulary with measurement. There is no one set of terms that defines value scales. In the end, an enterprise needs meaningful measurements. Meaningful here means the enterprise uses the measurements to determine whether and where cybersecurity needs to be improved.
Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, Abdul Aslam

Appendix H. Cybersecurity Sample Assessment

Abstract
The purpose of this appendix is to bring together a previously introduced hierarchy of cybersecurity assessment concepts into three worked-out numerical examples. These worked-out examples show how an enterprise can obtain an answer to the following fundamental enterprise cybersecurity questions:
Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, Abdul Aslam

Appendix I. Network Segmentation

Abstract
Enterprises frequently mistake complexity for "defense in depth." There are firewalls, intrusion detection systems, proxies, and packet capture—all in a single layer on the outside of the network. The enterprise states, "That's four layers of security protecting us," when the reality is that security is just one layer with four parts. Once a computer inside of the enterprise is compromised, there is nothing on the inside to provide additional protection or catch the attacker who has gotten in. Figure I-1 shows another example of defense in depth that also turned out to be inadequate when it was tested.
Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, Abdul Aslam

Glossary

Abstract
This glossary contains definitions of many of the cybersecurity terms used in this book, described as plainly as possible for the business reader or non-cybersecurity professional. This glossary assumes a general knowledge of information technology (IT) as it endeavors to explain cybersecurity concepts for the reader who is seeking to understand how cybersecurity fits into the overall IT picture.
Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, Abdul Aslam

Chapter 26. Bibliography

Abstract
The documents listed in this bibliography are a selected compilation of cybersecurity references. Along with the cybersecurity references, the bibliography may include lists of references from other disciplines, such as network engineering and software engineering.
Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams, Abdul Aslam