Great points. A few ways we approached the task of documenting control purpose and subsequent control portfolio rationalization...
1. Build up a picture of credible attack paths the overall portfolio needs to protect against (cyber / physical / social - internal / external) https://twitter.com/philvenables/status/1259246169571590144
2. Use incident data to understand the nature of threat actors and tactics that have caused a response.
3. Look across incidents and triage the controls that, across all incidents, were most effective at preventing compromise or material impact / undesirable disruption.
4. Based on this, use efficacy measurements across your control portfolio to identify:
'At what points along an attack path were controls effective, and what was the cost to e.g. prevent or deliver a high fidelity detection?'
With that data you can then...
5. Look at where you've made investments, and understand
- what attack paths they correspond to
- the efficacy of the control to disrupt a threat actor at a specific step of an attack path.
(Helpful tools = MITRE ATT&CK + Cyber Defence Matrix)
6. Ask whether it is possible to
- repurpose investment to disrupt an attack path earlier / faster / cheaper
- remove a control without detriment to current or future adaptive capability
- a mixture of both (with appropriate consideration of effort, impact and friction etc)
Ultimately, this needs to be a 'scientific method' that measures and tests in the dimensions of commercial, compliance, threat and tech context to establish if a better control pattern is achievable.