POV - Enterprise Security Canvas

January 14, 2019
Enterprise Security Canvas
A Value-at-Risk approach for making smart cybersecurity decisions
ROBERT GREINER – POINT OF VIEW – 2019

2 Pariveda Solutions, Inc. Confidential & Proprietary.
You are not as secure as you think you are.
Malicious actors are constantly
probing for vulnerabilities within
the global attack surface and
enjoy the benefit of cutting edge
innovation in exploiting systems.
Stolen information used to gain
access to Lockheed Martin VPN
The full extent of the attack is
still not known
(250 million issued tokens)
Attackers gained access to RSA’s
network via Phishing attack
High value information stolen,
including SecurID seeds and
database of serial numbers
Additional hacking attempts targeted at
defense contractors, breaking their
understanding of secure systems
RSA’s Highest Value-at-Risk
“There are two types of companies: those that have been hacked, and those
who don't know they have been hacked.”
-John T. Chambers, Former CEO – Cisco Systems

Traditional security methods are only effective in bounded environments.
Through the 20th century, the Defense-in-Depth approach was considered sufficient to secure the Enterprise. Today, organizations are enduring
increasing volatility and difficulty as they attempt to apply bounded methods to unbounded environments – resulting in suboptimal outcomes.
Traditional Defense-in-Depth Approach
Technical Approach & Rooted in “Kinetic Defense”
Enterprise
Illustrative
… But bounded environments don’t exist.

Suppliers
Provider & Supplier Gap
Customers
Traditional Defense-in-Depth Approach
Technical Approach & Rooted in “Kinetic Defense”
Enterprise
Customer & Product Gap
Illustrative
Integration Point
Value-at-Risk
Threat
Organizations are exposed to increased risk as automation and
connection points within a complex Value Network grow exponentially.
Threat

Building a bigger moat is no longer sufficient to secure the Enterprise.
Organizations are struggling to effectively secure the Enterprise as the ever-evolving complexity in the global threat landscape continues to
expand and trend towards increased machine-to-machine automation, resulting in a macro-shift that is incompatible with legacy security methods.
Trusted Partners
Trusted Customers &
Products
Trusted Providers
Enterprise
Trustworthiness Implicit Trust (Risk)
Value-at-Risk
Global Attack Surface within Value Network
Illustrative
Volatility
Uncertainty
Complication
Ambiguity

Public security incidents
may cause increased
security “fear spend” or
make products less
attractive to customers.
To mitigate value destruction at scale, organizations must implement a
security approach that considers players and interactions in the Value Net.
SUPPLIERS
COMPLEMENTORSCOMPETITORS
CUSTOMERS
ENTERPRISE
Value network players
complement each other
as they improve their
own security posture or
provide products that
enhance security.
Suppliers must effectively steward
privileged access to systems and data
across players in the network.
Customers must be protected from
compromised products, theft of sensitive
data, and disruption of services.
Source: Co-opetition

Value Takers are malicious players that exploit and magnify VUCA and
can’t be mitigated using legacy categorization-based security approaches.
Updated Value Network Model (Complex Environment)
VALUE TAKERS
SUPPLIERS
COMPLEMENTORSCOMPETITORS
CUSTOMERS
ENTERPRISE
Exploits:
Volatility
Uncertainty
Complication
Ambiguity
Steals / Destroys Value
“Leaders who try to impose order in a
complex context will fail, but those who
set the stage, step back a bit, allow
patterns to emerge, and determine
which ones are desirable will succeed.”
-David Snowden
Cynefin Framework
Sense Making
Approach
(Data Precedes Framework)
Categorization
Approach
(Framework Precedes Data)
Most security tools and approaches are
limited to an Enterprise focus and do not
account for all players and interactions
within the Value Network

Due to the complexity inherent in the Value Net, organizations must
orient themselves at a level of analysis appropriate for their security goals.
Value Network
Value Chain
Enterprise
Business Unit Business Unit
Applications
Systems
(Human)
Infrastructure
Applications
Suppliers
Systems
(Software)
Process

Pariveda’s approach to security moves past the moat and castle.
Organizations must adopt an approach to security that accounts for the volatility, uncertainty, complication, and ambiguity present at all levels in
the Value Network. To accomplish this outcome, we recommend a triple-loop approach that evolves as the environment is probed for new insights.
01 02 03 04 05
1. ORIENT
Leverage workshops and
instruments to identify areas
to explore in order to
effectively manage risk within
the Value Network.
2. PROBE
Design and implement
experiments aimed at gleaning
critical information about the
security environment.
3. SENSE
Process data from
experiments based on
quantitative and
probabilistic methods.
4. RESPOND
Make decisions based on
data gleaned from careful
and quantitative
experimentation.
5. REVISE & REPEAT
Continually repeat, refresh,
and evolve models and
processes to further reduce
risk within a complex
environment.
✓ Loop 1 – Update decisions based on new information
✓ Loop 2 – Revise individual models and processes
✓ Loop 3 – Revise, refactor, and recreate the set of models and processes
Pariveda’s Security Process
Canvas

Our differentiated model enables effective security in complex domains.
We have elevated the traditional Enterprise Security model across several dimensions, adapting to the current hyper-connected global threat
landscape and creating an approach compatible with addressing future advancements in cyberthreats.
Core Enterprise Security CanvasV
T
PS
Leverage quantitative assessments of risk, paired
with a bi-modal value assessment, in order to
facilitate smarter cybersecurity decisions.
Value-at-Risk
Codify and automate critical security rules and
infrastructure across the Enterprise. Consistent
and reliable reporting and data architecture.
Tooling & Automation
Proactive assessments, investments, monitoring,
analysis, and action to address security threats.
Adaptive security methods based on monitoring.
Proactive Security (Zero Trust)
EP
PC
Pr
Wide-spread training, education, and collaboration
around security best-practices. Recurring
rationalization of trusted connections.
Ecosystem Partnership
Leveling-up the security capabilities of humans in
the Enterprise. Instill a culture of security minded
humans with compatible metrics and measures.
People-Centric Security
Protect customers, partners, and the Enterprise
against compromised physical products and devices
(webcams, POS systems, etc.)
Product Security

Organizations must define and quantify their Value-at-Risk and security
posture in the Value Net in order to make smart cybersecurity decisions.
VLeverage quantitative assessments of risk, paired
with a bi-modal value assessment, in order to
facilitate smarter cybersecurity decisions.
Value-at-Risk

Bi-Modal Value & Risk Mapping
Manage the dichotomy between the value the Enterprise
sees in data and systems with the value hackers seek to
exploit. Leverage quantitative risk analysis and decision
making to maximize Return on Mitigation.
Continuous Experimentation
Continually develop and run experiments to reduce uncertainty
and risk in security posture. Magnify experiments that work (e.g.
Penetration Testing) and dampen experiments that don’t.
Improve quantitative methods, metrics, and estimates to
facilitate directionally correct cybersecurity decisions.
Component-Level Value Reduction
Re-architect datasets to create exponential reductions in
value of instantiated/stored data without diminishing the
composite value of data and systems across the Enterprise.
Calibrated Value & Risk Assessment
Leverage quantitative and probabilistic methods for
measuring risk and uncertainty. Define Value-at-Risk
through decomposing potential security incidents within
Confidentiality, Integrity, and Availability commitments.
Probe Path-to-Value
Any pathway to valuable data is a constituent element of
value – which is rarely attacked directly. Identify
interconnected systems that rely on high-value data and
assigned edge-and-node value.
Pariveda’s Value-at-Risk approach helps organizations manage and
reduce risk and uncertainty in complex environments.
Pariveda’s Enterprise Approach to Value-at-Risk

VUCAWe have developed an Enterprise Security Canvas that improves the
security posture of our clients.
Enterprise Security Canvas
Pariveda’s Enterprise Security Canvas provides a
mechanism to develop and analyze uncertainty reducing
experiments and socialize the results in order to make
smarter cybersecurity decisions.
Value-at-Risk Lens
Illustrative

Enterprise Customers Suppliers Competitors Complementors Value Takers
Confidentiality
(Authorized Access)
[A] Can I demonstrate
unauthorized actors do
not have access to
confidential data and
systems?
[C] What are the costs
of “penance programs”
required to implement
after a breach (e.g.
credit monitoring)?
[A] How is my
organization exposed to
risk due to a breached
supplier (or vice-versa)?
[A] Is my IP protected
against corporate
espionage?
[U] What are my
projected investigation
costs after a breach?
[A] Unauthorized access
to confidential data and
systems through
Remotely Exploitable
Vulnerabilities
Integrity
(System Accuracy)
[A] Am I certain my data
and systems have not
been modified for
unintended use?
[C] Is customer data at
risk of loss due to data
backup policies?
[C] Are indemnification
& insurance provisions
in place in the event of a
security incident?
[U] Are competitors
given an advantage
based on reputation
loss due to a breach?
[C] Are my operations
protected and insured
against financial theft?
[U] Unauthorized
modification of
systems
Availability
(Exposed Value)
[V] Are the tools
employees need to be
productive hindered?
Have I already been
hacked?
[V] Are my customers
protected against critical
system outages?
[V] What are the
impacts of
manufacturing
downtime due to an
outage?
[U] Are my customers
impacted through
dependencies in
downstream systems?
[U] Can a key
partnership reduce the
impact of critical system
outages?
[V] Critical services
disrupted due to
malicious activity
impacting obligations
throughout Value Net
Non-
Repudiation
(Fulfilled Obligations)
[U] What are the
remediation costs
associated with
repairing impacted data
and systems?
[U] What is the impact
associated with notifying
affected parties of a
breach?
[C] Are security controls
sending and validating
receipt tokens from
trusted sources?
[A] Are my systems
exposed to un-detected
data changes in transit
or at rest?
[C] What is my exposure
to legal liabilities and
fines due to a data
breach or non-
compliance?
[C] Actions taken in bad
faith or with the
intention of breaking an
obligation
yyy Enterprise Customers Suppliers Competitors Complementors Value Takers
Confidentiality
(Authorized Access)
not have access to
systems?
credit monitoring)?
[A] How is my
against corporate
espionage?
[U] What are my
systems through
Vulnerabilities
Integrity
(System Accuracy)
been modified for
unintended use?
backup policies?
security incident?
[U] Are competitors
given an advantage
based on reputation
[U] Unauthorized
modification of
systems
Availability
(Exposed Value)
[V] Are the tools
Have I already been
hacked?
system outages?
[V] What are the
impacts of
manufacturing
downtime due to an
outage?
impacted through
dependencies in
downstream systems?
[U] Can a key
outages?
disrupted due to
malicious activity
Non-
Repudiation
breach?
receipt tokens from
trusted sources?
[A] Are my systems
or at rest?
faith or with the
obligation
Enterprise Customers Suppliers Competitors Complementors Value Takers
Confidentiality
(Authorized Access)
not have access to
systems?
credit monitoring)?
[A] How is my
against corporate
espionage?
[U] What are my
systems through
Vulnerabilities
Integrity
(System Accuracy)
been modified for
unintended use?
backup policies?
security incident?
[U] Are competitors
given an advantage
based on reputation
[U] Unauthorized
modification of
systems
Availability
(Exposed Value)
[V] Are the tools
Have I already been
hacked?
system outages?
[V] What are the
impacts of
manufacturing
downtime due to an
outage?
impacted through
dependencies in
downstream systems?
[U] Can a key
outages?
disrupted due to
malicious activity
Non-
Repudiation
[U] What are the
remediation costs
associated with
repairing impacted data
and systems?
breach?
receipt tokens from
trusted sources?
[A] Are my systems
or at rest?
[C] What is my exposure
to legal liabilities and
fines due to a data
breach or non-
compliance?
faith or with the
obligation
Value Network
SecurityCommitments
Leveraging the Enterprise Security Canvas to decompose potential
security incidents using a Value-at-Risk lens.
Enterprise Security Canvas – Value Network Core Metaview
Illustrative

Our security approach fills the gaps left by traditional risk-based methods.
Traditional security measurement and decision methods, focusing on a low fidelity matrix of probability & impact, do not materially improve the
organization’s ability to make smart security decisions. In fact, evidence suggests the risk matrix is no better than choosing investments at random.
Traditional Risk-Based Methodology
Enterprise Focused
(McKinsey Example)
Quantitative Method for Risk
Value Network Focused
(Pariveda’s Approach)
What is more risky, 7 ”Mediums” or 1 “High”?
How many “Medium” risks can I mitigate for $1MM?
Based on our current security posture there is a 43% chance of
exceeding a $3MM loss over the next 5 years.
Complicated Environments
Complex Environments
Source

Where do I start?
Pariveda’s Business Security Workshop helps our clients develop a practical understanding of quantitative Value-at-Risk measures and how to apply
them to make smarter cybersecurity investment decisions.
9:30am9:00am 11:00am
Welcome
Introductions & Overview
Value-at-Risk
Value-at-Risk Approaches
Exercise
Shared Understanding of Risk
Exercise
Risk in Value Networks
2:00pm
Detailed Workshop Overview
Open
• Kick-Off Workshop • Exercise Overview and Rules • Presentation Started • Exercise Overview and Rules • Kick-Off Next Steps Discussion
KeyActivities
• Introduce workshop attendees
and facilitators
• Discuss expectations and success
criteria for the day
• Build list of open security
questions to answer throughout
the day
• Breakout sessions
• Group collaboration and exercise
• Develop a shared understanding
of how to address risk
• Improve calibration capabilities
• Discuss and assess how
traditional security approaches
and risk measurements affect
Value-at-Risk
• Address open questions outlined
in introductions
• Understand residual objections
• Group collaboration and exercise
in breakout sessions
• Develop perspective on risks
associated with value networks
• Presentation on decisions made
• Vote on next steps
• Orient on focus area
• Validate perspectives generated
during the workshop and agree
on next steps
• Improved dialog between
security practitioners, technical
leaders, and executive sponsors
TopicsCovered
• Introductions
• Workshop Agenda & Logistics
• Workshop Schedule
• Workshop Ground Rules
• How Did We Get Here?
• Objective vs. Subjective Risk
• Confidence Intervals
• Calibrated Estimates
• Complex vs. Complicated
Environments (Cynefin)
• Probe-Sense-Respond
• The Moat is Obsolete
• Traditional Risk Matrix Issues
• Quantitative Risk Approaches
• Bi-Modal Value-at-Risk
• Anatomy of Target Breach
• Value Networks & Risk
• Business Risk Appetite
• Quantitative Risk Expression
• Loss Exceedance Curves
• Measuring Uncertainty
• Multi-Layer Value Net
• ”5 Connections” - Decomposition
• Additional Resources (curated list
of items to assist after workshop
is delivered)
• Feedback from Group Collected
(future workshop improvement)
• List of Potential Next Steps
Close
• Lists Generated • Feedback & Debrief on Results • Answered Open Risk Questions • Feedback & Debrief on Results • Next Steps Defined & Agreed On
Workshop Artifacts
• List Success Criteria
• List Open Questions to Answer
• Completed Exercises
• Provided Feedback on Results
• Presentation Reference Materials
Delivered (use after workshop)
• Completed Exercises
• Provided Feedback on Results
• Focus Areas Defined (2-3)
• Success Criteria Addressed
Closing
Next Steps & Resources
3:30pmBreak (15m) Lunch (60m) Break (30m)
BusinessSecurityWorkshopAgenda

Target Case Study – The Anatomy of a Mega Breach

The impact of security breaches is amplified as humans leverage tools and devices.
Physical Devices
Software
Tools
Human
Actors
Humans targeting
key assets using
manual or social
methods
Devices compromised to steal
sensitive information or use for
unintended purposes.
Tools leveraged to
scan, exploit,
and/or automate
malicious activities.
A coordinated phishing attack
exposed sensitive emails for
presidential candidate.
Automated tools identified
passwords that were not
encrypted properly.
POS devices compromised in
order to steal credit card data.

You are not as secure as you think you are.
As organizations become more connected they find themselves at increasing risk of cyberattack due to the implicit trust placed in customers and
suppliers within a complex value ecosystem. In addition, the scale and sophistication of cyberattacks is growing rapidly, compounding the problem.
Scale & Sophistication of Attacks
Impact&AmplitudeofSecurityBreaches
Damagelimited
tothescaleofan
individual.
Impactexpandedto
adjacenttrusted
connections.
Impactsendsripple
effectthroughout
connectedecosystem.
Human Actors
Software Tools
Physical Devices
Human Actors
Software Tools
Human Actors
Notable Security Breaches

Target’s recent breach reveals the need for a holistic security approach.
Attackers penetrated Target’s network and ultimately infected their point-of-sale systems with malware. As a result, 70 million customer records and
40 million credit card numbers were captured and exfiltrated to Russia over an thirty-day period before the breach was closed.
Business Technical Product
People Structure Process Applications Frameworks Infrastructure Suppliers Products Customers
CEO Resigned
Weak access control
policies (vendors)
Target network
accessed using
stolen credentials
Phishing attack
targeted HVAC
contractor
Credit card and
customer data sold
~$500 million total
impact
FireEye tool
misconfigured
(auto delete)
Attackers attempt to
access Target
network remotely
Target quarantined
malware
Target implemented
FireEye tool
(6 months before)
Keylogging software
installed on
contractor machine
Security alerts
ignored
(signal over noise)
Target network
probed for
vulnerabilities
Malware installed on
POS systems
(RAM Scanner)
Activity noticed by
Israeli security firm
$100 million
investment in
security upgrade
Weak network
segmentation left
systems open
File/Web server
compromised
(custom code)
POS Systems not
security hardened
Target network
account credentials
stolen
Security software
flagged malware
Credit card and
customer data
exfiltrated-file server
Target
Source
Human Actors
Human Actors
Software Tools
Human Actors
Software Tools
Physical Devices
Threat
12
3
4
5
6
7
8
9
14
18
17
13
19
20
21
22
12
15
11
10
16
Target’s Mega Breach

Target’s recent breach reveals the need for a holistic security approach.
Attackers penetrated Target’s network and ultimately infected their point-of-sale systems with malware. As a result, 70 million customer records and
40 million credit card numbers were captured and exfiltrated to Russia over an thirty-day period before the breach was closed.
CEO Resigned
Weak access control
policies (vendors)
Target network
accessed using
stolen credentials
Phishing attack
targeted HVAC
contractor
Credit card and
customer data sold
~$500 million total
impact
FireEye tool
misconfigured
(auto delete)
access Target
network remotely
Target quarantined
malware
Target implemented
FireEye tool
(6 months before)
Keylogging software
installed on
contractor machine
Security alerts
ignored
(signal over noise)
Target network
probed for
vulnerabilities
POS systems
(RAM Scanner)
Activity noticed by
$100 million
investment in
security upgrade
Weak network
segmentation left
systems open
File/Web server
compromised
(custom code)
POS Systems not
security hardened
Target network
account credentials
stolen
Security software
flagged malware
Credit card and
customer data
Target
Source
Human Actors
Human Actors
Software Tools
Human Actors
Software Tools
Physical Devices
Threat
12
3
4
5
6
7
8
9
14
18
17
13
19
20
21
22
12
15
11
10
16
Value-at-Risk not
aligned with
business processes
or codified in tools
People lacked
security know-how
to manage
expensive tools
Insufficient
vendor security
monitoring &
accountabilities
Target’s Mega Breach

Target’s established security methods provided a false sense of protection.
Target had a limited view of their security posture, resulting in unknown gaps that were eventually exploited at great cost to the organization. Most
security tools and frameworks are product-focused and fail to create a comprehensive view of the risk landscape facing organizations.
Business
Targeting People
Technical
Targeting Apps & Infrastructure
Product
Targeting Products & Suppliers
Does the
organization
foster a culture
of personal
accountability
and awareness?
RACI defined &
communicated
across the
organization
with measures &
expectations?
Is employee and
contractor
security training
established,
executed, and
refreshed?
Are compliance
and audit
requirements
regularly
reviewed and
achieved?
Is it easy for
customers and
employees to
discern
authentic
communication?
Are the
organization’s
people
augmented with
capable and
easy to use
security tooling?
Is active threat
monitoring
implemented
with automated
actions/alerting?
Are
organization’s
products
adequately
secure and
updatable if
needed?
Are customers
protected from
misbehaving
products?
Firewall
implemented
and configured
to restrict
external access?
Are static and
dynamic security
scans
implemented
internally and
externally?
Target
Source
Human Actors
Human Actors
Software Tools
Human Actors
Software Tools
Physical Devices
Illustrative – Hypothesis View
FireEye industry leading security and threat management tool -
Partial DIY implementation

However, Target’s fractional perspective resulted in unidentified gaps.
A more complete hypothesis-view of Target’s threat landscape prior to their breach identifies several critical areas that were left unaddressed.
High Risk
Business
Targeting People
Technical
Product
Does the
organization
foster a culture
of personal
accountability
and awareness?
RACI defined &
communicated
across the
organization
with measures &
expectations?
Is employee and
contractor
security training
established,
executed, and
refreshed?
Is organization
equipped with
the technical
know-how to
leverage security
tools?
Are compliance
and audit
requirements
regularly
reviewed and
achieved?
Comprehensive
systems, data, &
infrastructure
documentation
with security
definitions?
Taking
responsibility to
level-up security
of 3rd party
vendors and
suppliers?
Is organization
socializing
security best
practices within
the connected
ecosystem?
Is it easy for
customers and
employees to
discern
authentic
communication?
Are the
organization’s
people
augmented with
capable and
easy to use
security tooling?
Is security
evaluated using
a Value-at-Risk
approach with
associated
priorities?
Are security
outcomes
codified using
top-down focus
on business
objectives?
Are security
alerts and
associated
thresholds
actively
managed?
Is principle of
least privilege
the default
security method,
with a trust-but-
verify
implementation?
Is active threat
monitoring
implemented
with automated
actions/alerting?
Are common
best practices
coordinated
with partners
including
expectations
and contracts?
Are
organization’s
products
adequately
secure and
updatable if
needed?
Are customers
protected from
misbehaving
products?
Is security
evaluated using
a Value-at-Risk
approach with
associated
priorities?
Are investments
in cybersecurity
effectively
placed based on
holistic security
landscape and
value chain?
Are secure
onboarding and
offboarding
procedures
documented
and automated?
Is data
adequately
sharded and
protected in-
flight and at-
rest?
Is Identity and
Access
Management
fully defined and
implemented
across the org?
Is the network
appropriately
segmented
across various
systems of
value?
Is the risk of
implicit trust
relationships
within the
ecosystem
adequately
mitigated?
Are static and
dynamic security
scans
implemented
internally and
externally?
Are risks and
vulnerabilities
mitigated within
the value-chain
through
suppliers and
customers?
Target
Source
Human Actors
Human Actors
Software Tools
Human Actors
Software Tools
Physical Devices
Medium Risk Low RiskLegend: High Value-at-Risk
Example Enterprise Security Canvas Executive Summary
Illustrative – Hypothesis View

Target would have avoided catastrophe if the Security Canvas was used.
As organizations adopt and evolve the Enterprise Security Canvas, they will more effectively prevent malicious or unintentional actions required for
successful exploits to occur. Ultimately, resulting in a more effective and future-proof security posture.
CEO Resigned
Weak access control
policies (vendors)
Target network
accessed using
stolen credentials
Phishing attack
targeted HVAC
contractor
Credit card and
customer data sold
~$500 million total
impact
FireEye tool
misconfigured
(auto delete)
access Target
network remotely
Target quarantined
malware
Target implemented
FireEye tool
(6 months before)
Keylogging software
installed on
contractor machine
Security alerts
ignored
(signal over noise)
Target network
probed for
vulnerabilities
POS systems
(RAM Scanner)
Activity noticed by
$100 million
investment in
security upgrade
Weak network
segmentation left
systems open
File/Web server
compromised
(custom code)
POS Systems not
security hardened
Target network
account credentials
stolen
Security software
flagged malware
Credit card and
customer data
Target
Source
Human Actors
Human Actors
Software Tools
Human Actors
Software Tools
Physical Devices
Threat
Supplier Gap
12
3
4
5
6
7
8
9
14
18
17
13
19
20
21
22
12
15
11
10
16
Process GapPeople Gap
Could have been prevented if Canvas was used

“There are two types of companies: those that have been hacked, and those who
don't know they have been hacked.”
-John T. Chambers, Former CEO – Cisco Systems
How do I gain insight into the big picture with a
holistic security view?
How can I manage 3rd party risk within the
Cyber Supply Chain?
How do I manage the
human factor?
How do I manage business risk
with a top-down approach?
How will global compliance and regulations
affect the organization?
What CISOs are Asking
Source: CSOonline

The ripple effects of breaches are amplified within a connected ecosystem.
Due to the trusted nature of data transactions between organizations, their customers, and products, attackers frequently impact companies that
are participants in the connected ecosystem, resulting in a cascade of consequences that is difficult to contain and quantify.
Malicious actors are constantly
probing for security gaps
Private account details exposed
for 50-90 million Facebook users
Facebook, and their partners,
do not understand the full
impact of this breach
Attackers discovered multiple
vulnerabilities in Facebook’s app
Exploit granted attackers security
token for any Facebook user
Security token was potentially
used to gain access to over 100
sites using Facebook login

Security incidents are growing at an unprecedented rate.
Organizations are scrambling to respond to the unprecedented growth in the level and severity of security incidents. As a result, security
investments increase as public breaches are disclosed with limited insight into the effectiveness or total cost of security implementations.
35xSecurity investments increase as public breaches
are disclosed. ~$1 trillion over next 5 years.
Cybersecurity spend is up
365Attackers seek to avoid detection through slowly
siphoning data from networks, increasing MTTI.
Detecting a major breach takes one year
90%Studies show over 90% of breaches that affect over
1 million records are criminal or malicious in nature.
Virtually all mega breaches are malicious
30%30% of organizations experience a recurring
material breach over the next 24 months.
Recurring breaches are likely
Disruptionof
Operations
Confounding cost factors – security breach
*Total cost of breaches are frequently underreported
Cybercrime damages will exceed an estimated
$6 trillion* worldwide by 2021
41%Security spend is mostly reactive. 41% of companies
feel their application security is sufficient.
Security spending is reactive

Business
Targeting People
Technical
Product
Confidentiality
(Authorized Access)
Are humans
trained on
regularly updated
and proper data
handling policies
and procedures?
Are organizational
units only given
access and
privileged access
required to
perform their
role?
Are clear
guidelines and
policies created to
govern and audit
the access of
sensitive
information?
Are the
interactions and
data across
custom, 3rd party,
and SaaS
applications
adequately
quarantined?
Are unauthorized
agents prohibited
from accessing
sensitive data
through system
architecture,
design, and
controls?
Are production
systems only
accessible through
an automated
approval
workflow?
Are suppliers
given adequate
privileged access
to data and
systems in order
to meet their
requirements?
Are customers,
employees,
partners, and
competitors
shielded from
sensitive product
data and features?
Are customer
accounts only
viewable by
authorized agents
in a transparent
manner?
Integrity
(System Accuracy)
Is the organization
protected against
human error
when accessing
key systems or
disclosing
sensitive data?
Are downstream
controls in-place
to detect
fraudulent activity
across
departments (e.g.
finance/audit)?
Are processes
defined and
followed to detect
unauthorized
activity or
modification of
data and systems?
Are Value
Network activities
monitored and
validated using
automated tools
and manual
review processes?
Is data encrypted
in-flight and at-
rest throughout all
repositories and
transactions?
Are the data
center and
associated SaaS
integrations
monitored for
unauthorized
modification of
data and systems?
Is there a clear
and transparent
transaction
agreement and
catalog between
the enterprise and
suppliers?
Are product
exchanges and
interactions
validated across
both parties?
Are customer
accounts
protected against
improper
destruction or
modification of
their private
information?
Availability
(Exposed Value)
Are transactions
between humans
and systems
monitored and
audited for
unusual behavior?
Are backup
measures in place
to facilitate
business
continuity in the
event of a security
incident?
Are tools
employees need
to be productive
being hindered by
unnecessary or
redundant security
controls?
Are critical
integration points
protected through
automated
disaster recovery
and backup
processes
(RTO/RPO)
Are cybersecurity
implementation
decisions weighed
against availability
and performance
of production
systems?
Are systems
protected against
malicious service
disruption actions
and threats (e.g.
DDoS)?
Are suppliers
given adequate
and timely access
to data and
systems in order
to fulfil their
commitments?
Are products
setup to continue
functioning when
disconnected from
key resources?
Can customers
access and use
data and
functionality in a
timely and reliable
manner?
We have developed an Enterprise Security Canvas that helps improve the
security posture of our clients through a Value Network lens.
SecurityCommitments
Enterprise
Enterprise Security Canvas – High-Level Questionnaire (EAF Lens)

Calibrated Value & Risk Assessment requires decomposition of potential
security incidents across the value Network using quantitative methods.
Illustrative
Decompose and Estimate Impact Update Exposed Risk Over Time
1. Leverage Enterprise Security Canvas to decompose
potential security impacts top-down.
2. Apply quantitative estimates (90% Confidence
Interval) of Probability of Occurrence and Expected Loss.
4. Update probabilities using Bayesian Analysis as we
collect more data about our security posture over time.
Baseline Risk vs. Tolerance & Socialize
3. Combine quantitative analysis methods and simulation
ranges to report potential losses vs. business risk appetite.

The Situation Attackers gained access to Target’s
network through a malware exploit aimed
at an HVAC supplier and stole privileged
credentials used to remotely support
heating and air systems.
Attackers gained direct access to user
accounts through exploit in “View As”
feature, generating authentication tokens
for unauthorized attackers.
Attackers gained access to online dispute
portal, which ultimately granted access to
other servers within Equifax’s network.
Attackers used stolen credentials from a
3rd party vendor to access Home Depot’s
network and install malware on POS
machines to steal credit card information.
The Result 40 million customer debit and credit cards
compromised
50-90 million user account details
compromised
150 million account details compromised
containing personal data
56 million credit card numbers and 53
million email addresses stolen
Financial Impact $420,000,000 TBD > $1B $439,000,000 $633,000,000
Other Impact • Settled lawsuits from 48 states • Senate hearing
• GDPR fines
• Lost contract with IRS
• Ongoing investigation FTC
• Settle lawsuit with banks
• Class action customer lawsuit
Root Cause • Poor password management practices
• Insecure vendor access policies
• Multiple application defects exploited
• Inside knowledge required
• Insufficient logging and auditing
• Identification & Detection failure
• Lack of proper data governance
• Production patching policies
• Poor network segmentation
• Lack of IAM policies
• Encryption and Antivirus missing
Key Finding “Once inside Target’s network, there was
nothing to stop attackers from gaining
direct and complete access to every single
cash register in every Target store.”
Facebook does not have insight into who
is responsible for the attack or the extent
to which accounts were compromised –
including 100+ 3rd party sites leveraging
Facebook login.
Attackers exploited a well known server
vulnerability after publicly scanning the
internet. Security experts agree this was an
“easy hack” that had extreme
consequences.
All of the tools and methods for the Home
Depot breach are commonly available
online, creating a low barrier of entry to
orchestrate sophisticated attacks on large
companies.
Security breaches don’t just affect technology companies.
As organizations become more connected and continue to increase the size and types of data captured on their customers, the impact and long-term damage
of security breaches will continue to grow. Organizations that experience a security breach also face hidden costs: reputational harm, business disruption, and
loss of data.

Pariveda’s Enterprise Architecture Framework
BUSINESS ARCHITECTURE
TECHNICAL ARCHITECTURE
S T R A T E G Y
PEOPLE
STRUCTURE
PROCESS
APPLICATIONS
FRAMEWORKS
INFRASTRUCTURE

Pariveda –illities Framework
Criteria Description Example Sub-Criteria
Business
Functionality Solution’s ability to deliver its required capabilities and meet the business needs
► Specific Features
► Reporting
► Specific Requirements ► Error Handling
Usability User’s productivity when working with the solution
► Assistance
► Learnable
► Modular
► Productive
► Structured
Affordability Solution’s overall cost including acquisition and on-going maintenance
► Hardware Costs
► Licensing Costs
► Implementation Costs
► Support Costs
► Training Costs
Technical
Maintainability
Level of effort required to keep solution running while in production including problem
resolution and ongoing support
► Manageable
► Operable
► Recoverable
► Analyzable
► Testable
► Upgradeable
Flexibility Solution’s ability to accommodate additional business processes or changes in functionality
► Adaptable
► Configurable
► Maneuverable ► Modifiable
Scalability Solution’s ability to support additional users while meeting quality of service goals
► Capacity
► Throughput
► Resource Utilization
► Response Time
► Reliability
Interoperability Solution’s ability to interact effectively with other systems or components ► Integration Protocol
► Loosely Coupled
► Tiered
► Legislative Compliance
Security
Solution’s ability to prevent unauthorized disclosure, loss, modification or use of its data or
functionality
► Access Control
► Encryption
► Secure Design
► Auditability
► Authentication
Compatibility
Solution’s conformance with existing and emerging infrastructure with internal and external
standards
► Standards Based ► Internal Tool Support ► Internal Skill Set
Vendor
Prominence Perception of the vendor in the marketplace
► Industry Support
► Market Share
► Maturity
► Product Viability
► Vendor Stability
Experience
Vendor’s familiarity in delivering solutions to similar organizations and with similar topical
focus
► Established Practice by Topic ► Industry Experience ► Focus Area Expertise
Capabilities
Vendor’s skills both in developing pertinent solutions and positioning their clients for future
success
► Depth of Skills by Topic
► Knowledge Transfer and
Training
► IC Reuse and Limitations
Community Vendor’s alignment with client’s culture ► Local Presence ► Cultural Fit ► Community

Security enablement within software development/QA process.
As the Enterprise Security Canvas is broken down into more granular chunks, we ensure comprehensive coverage across key value-delivery
activities within the Enterprise. The following example outlines a QA approach with security included as a first-class citizen for a major client.
37
Low-level unit tests that drive code
coverage at the developer level
Static and dynamic security and code
quality scans through tooling
Automated integration and API tests
that validate service-level features
Automated tests that drive features
through the front-end UI
Manual business-focused testing that
simulates end-user interactions
UI Tests
Integration & API
Quality & Security
Unit Tests
Exploratory
Business Dev
Selenium
Key Tools

Maturing the SDLC: Target Improvement Stages
Reactive response to
issues identified outside of
the group, no formal
process.
Activities are not
documented or
repeatable.
Clearly outlined security
checkpoints as defined
steps in SDLC and
ongoing operations.
Business stakeholders
understand security as a
process step to be crossed
before work can continue.
Security is integrated into
the complete SDLC.
Practitioners part of
backlog grooming,
prioritization, delivery,
validation, and
deployment stages.
Security more than just a
“checkpoint” but a
thoughtful dialogue.
Targeted investments in
technology and processes
to reduce the cost/effort
of achieving desired
security outcomes.
Business stakeholders and
dev teams achieve
balance in discussion by
reducing the perceived
‘false choice’ between
security and functionality.
Adhoc Minimum Expectation Defined Process Integrated to Delivery Optimization
Quality Circles
Stage 0
Stage 1
Stage 2
Stage 3
Stage 4
Clearly defined security
requirements and
accountable role on team.
Team performs spot-
checks on applications.
Business understands
security accountability the
team has and is aligned.

Cynefin Framework & VUCA
https://hbr.org/2007/11/a-leaders-framework-for-decision-making
https://hbr.org/2014/01/what-vuca-really-means-for-you

▪ https://gizmodo.com/facebook-could-face-up-to-1-63-billion-fine-for-latest-1829426100
▪ https://resources.infosecinstitute.com/defense-in-depth-is-dead-long-live-defense-in-depth/#gref
▪ https://www.nist.gov/cyberframework/online-learning/five-functions
▪ https://www.scrypt.com/blog/average-cost-data-breach-2017-3-62-million/
▪ https://cybersecurityventures.com/cybersecurity-market-report/
▪ http://www.morganstanley.com/ideas/cybersecurity-needs-new-paradigm
▪ https://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/staying-ahead-on-cyber-security
▪ https://www.mckinsey.com/business-functions/risk/our-insights/a-new-posture-for-cybersecurity-in-a-networked-world
▪ https://www.mckinsey.com/business-functions/risk/our-insights/insider-threat-the-human-element-of-cyberrisk
▪ https://www.investors.com/news/technology/security-freeze-giants-ibm-cisco-squeeze-palo-alto-check-point/
▪ https://www.sans.org/reading-room/whitepapers/analyst/paper/36697
▪ https://www.amazon.com/How-Measure-Anything-Cybersecurity-Risk/dp/1119085292/
▪ https://www.digitalcommerce360.com/2018/09/04/the-cost-of-a-u-s-data-breach-7-91-million/
▪ https://www.tenable.com/blog/transforming-security-from-defense-in-depth-to-comprehensive-security-assurance
▪ https://www.sans.org/reading-room/whitepapers/warfare/paper/33896
▪ https://www.sans.org/reading-room/whitepapers/dlp/data-breach-impact-estimation-37502
▪ https://newsroom.ibm.com/2018-07-11-IBM-Study-Hidden-Costs-of-Data-Breaches-Increase-Expenses-for-Businesses
▪ https://www.ibm.com/security/data-breach/
▪ https://www.securityweek.com/defense-depth-has-failed-us-now-what
▪ https://www.csoonline.com/article/2124452/identity-access/where-defense-in-depth-falls-short.html
▪ https://www.sans.org/reading-room/whitepapers/warfare/defense-depth-impractical-strategy-cyber-world-33896
▪ https://www.csoonline.com/article/2130877/data-breach/the-biggest-data-breaches-of-the-21st-century.html
▪ https://motherboard.vice.com/en_us/article/8q8dab/15-million-connected-cameras-ddos-botnet-brian-krebs
▪ https://people.carleton.edu/~carrolla/index.html
▪ https://www.csoonline.com/article/3256147/security/what-s-on-cisos-minds-in-2018.html
▪ https://www.amazon.com/Co-Opetition-Adam-M-Brandenburger/dp/0385479506
▪ https://www.amazon.com/How-Measure-Anything-Intangibles-Business/dp/1118539273/
References

POV - Enterprise Security Canvas

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to POV - Enterprise Security Canvas

Similar to POV - Enterprise Security Canvas (20)

More from Robert Greiner

More from Robert Greiner (15)

Recently uploaded

Recently uploaded (20)

POV - Enterprise Security Canvas