How Does Syber-Dash Help Acme Corp?
Syberdash solves a problem that most people don't realize they have; tracking cybersecurity requirements are nearly impossible and thus most projects rely on their cybersecurity analysts to just keep track of everything and then resolve issues as they are found. This reactive approach to cybersecurity doesn't have to be the only way; Syberdash allows an organization to be proactive and decide which discrete requirements they will actually implement long before an audit or red team test.
Case Study: Using Syber-Dash to Manage Security Requirements
Acme Corp is building a large Data Processing System for the US Government. The Gov’t has provided Acme with the requirement to implement NIST SP 800-53 and assist with gaining an Authority To Operate (ATO) from the Gov’t Authorization Official (AO). No additional requirements for cybersecurity were given in the cybersecurity section of the system requirements.
Acme has a few choices to make with regards to how they will implement the security requirements.
Wait until all major development is completed then lock down the servers and workstations using SCAP tools.
Lock down all servers and workstations prior to beginning development.
Formalize the thousands of cybersecurity requirements and add them to their DOORs database.
Formalize only the top 100 NIST requirements and add them to their DOORs database.
Do nothing and wait for the Gov’t to provide a punch list of items to resolve.
Each of these options brings its own set of benefits and detractors. For instance, locking down all computers and servers during development can have time consuming consequences for the developers as well as implementing unnecessary lockdowns. Doing nothing could result in a loss of Fee or reputation issues with the Gov’t program office. Entering all requirements into the database would obfuscate the functional requirements and overload the requirements team. The optimal approach is to monitor ALL requirements but that is simply too resource intensive. Syber-Dash makes that untenable approach simple and affordable.
Regardless of project management methodology (waterfall, agile, dev-ops), high level functional requirements must be broken down into their discrete parts where NIST SP800-53 has 253 total controls and enhancements those must be broken down into their individual discrete requirements (statements in each control/enhancement) then into each computer/software implementation of that control. Each control has, on average, 5 discrete requirements, or 1,265 requirements. Consider the need for 20 servers and 100 workstations of varying differences and that 1,265 discrete requirements grows. Now add the ~100 technical requirements for each piece of technology and you have over a million requirements. These numbers are used for illustration purposes as the 20 servers will most likely be several clones, and the workstations would only have one or two types that require a different set of implementations (group policies, init scripts, etc…). To enter these into DOORs, or other requirements database, would require thousands of labor-hours to complete and thousands more to maintain. Syberdash does this correlation and tracking in minutes. Syber-Dash is programmed to do just that, decompose requirements and then monitor their implementation. This setup takes just a few minutes.
The more critical component of cybersecurity is the technical mitigations implemented on the various technologies (e.g. the username/password and auditing and etc.). that configured for each computer and software technology. Many tools exist for scanning a network for compliance with differing security standards but none are integrated with any sort of requirements management, so they become a snapshot in time. Syber-dash does not replace those tools, it integrates with them. As your cybersecurity team scans the network for vulnerabilities and configuration item non-compliances those results are uploaded into Syber-Dash and tied back to the overarching requirements. For those that require some level of development or integration testing our integration with JIRA will allow your team to plan for the required effort.
From our dashboard you can monitor your systems implementation through all of your iterations. Each test is stored separately so the status at any given time in the past can be recalled; this is useful for monitoring progress from one phase to another or in reviewing third-party found issues (Gov’t development testing).
Prioritization and Risk Assessment
Many times a high priority security requirement will seem to be useless in a given context, at least to a developer. For instance, why would you need antivirus on a linux computer? Our automated risk assessment process allows your team to identify those useless requirements and prioritize them lower in the backlog or decline them all together. This process takes into account the network connectivity of the system, the criticality of the 3 tenants of cybersecurity (Confidentiality, Integrity, Availability), and the relative complexity of access to a system. These areas are then combined with threat data about each vulnerability to provide you with an individual empirical risk score of 0.0 to 10.0. When there is a difference of opinion between developers and security professionals they can focus their discussion on these inputs to come to an agreed upon priority.
Each Gov’t agency, program management office, security auditor, etc. requires a different format for their security data. Syber-Dash implements a robust reporting mechanism that allows you to customize your reports to any necessary format. This could be as simple as an MS Excel output, or as complex as a recursive XML file, or as beautiful as a professional PDF file. These reports can then be used for uploads into other systems or used to communicate total risk of system operation.