Thought leaders in cybersecurity are challenging traditional models, including the C.I.A. triad. Let’s take a closer look!
Introducing the D.I.E. Triad
Towards the beginning of my career, I worked as a cyber threat analyst for the Modeling, Simulation, Wargaming, and Analysis division at Booz Allen Hamilton. One of my mentors at Booz was Sounil Yu. Sounil is a leader in the cybersecurity industry and is working to change the way we think about and approach cybersecurity. Specifically, he is revamping the Cyber Defense Matrix and introducing new cybersecurity concepts such as D.I.E. (Distributed, Immutable, Ephemeral) to solve the cybersecurity challenges of the 2020s.
For years, we have thought about cybersecurity in terms of a risk-based approach. The National Institute of Standards and Technology (NIST) has produced numerous special publications on assessing, mitigating, and reducing risk. Despite these standards and “best practice” approaches, cybersecurity remains a challenge for almost every business. If your company uses technology to run its business processes, the price you pay is risk. Remember, we calculate risk as the likelihood of a negative cybersecurity event multiplied by the impact that event would have on your data and systems; from there we can work out what that risk means for the business. So are we ready to change the way we think about cybersecurity? Let’s find out.
In a recent podcast, Sounil stated the following:
“The 2020s is a recovery problem. We will see challenges that inhibit our ability to recover (from an attack). We can choose to either go with the C.I.A. triad or build systems toward the D.I.E. triad. If we build systems with the D.I.E. triad, you do not need the C.I.A. triad.”
Sounil Yu
We’ll have to break D.I.E. down into simpler concepts before we can understand how it applies to cybersecurity. According to the Merriam-Webster dictionary, distributed computing means having at least some of the processing done by the individual workstations and having information shared by and often stored at the workstations. In other words, we use multiple nodes to process and store data. Immutable means not capable of or susceptible to change; think of something in a fixed state. Finally, ephemeral means lasting a short time.
Sounil argues the following. Distributed (the availability solution) networks and data are the best defense against distributed attacks such as DDoS, because there is no single node to overwhelm. Immutable (the integrity solution) systems and data make unauthorized changes easier to detect and easier to reverse, because any deviation from the known-good state stands out and the system can simply be rebuilt from that state. Finally, ephemeral (the confidentiality solution) data and systems make persistence difficult for an attacker and shrink the window in which assets are at risk, because whatever is compromised is short-lived by design. Ultimately, the purpose of the D.I.E. model is to solve the problem of recovery after an attack. However, D.I.E. must be built in when the information system is designed. In my opinion, we are still a ways away, but it is exciting nonetheless.
Are we ready for the D.I.E.?
When we think about risk, we determine impact in several ways, but one of the most foundational is the C.I.A. triad (Confidentiality, Integrity, and Availability). To adequately determine risk and impact, we use these three terms to answer the question: “What systems and data are most important to my business?” Sounil argues that D.I.E. will replace traditional C.I.A. thinking. I’ll push back a little and argue that, for now, D.I.E. supplements C.I.A.: we first answer the question above, and then D.I.E. gives us ways to reduce the impact on the confidentiality, integrity, and availability we identified. C.I.A. thinking tells us where to put our effort, which is what a risk-based approach is. Consider the following:
- Which system is most important to me and should be configured in a distributed environment?
- What data do I want to ensure the integrity of by using immutable solutions?
- How do I make my data and systems ephemeral, and therefore less susceptible to attack?
With the current state of technology at many companies, we will still need C.I.A. to answer the above questions.
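As an added example (not code from the original post, and not part of Sounil Yu's Cyber Defense Matrix work), the following Python script turns the three questions above, and the property-to-defense mapping from the previous section, into a concrete check against a Kubernetes Deployment manifest: several replicas for Distributed, a digest-pinned image and a read-only root filesystem for Immutable, and no persistent volumes for Ephemeral. The two manifests, the registry name, and the threshold of three replicas are constructed for illustration and are assumptions of this example, not requirements stated in the post.

```python
"""Check a Kubernetes Deployment manifest for the D.I.E. properties.

Added example for this post; it is not code from the original article or
from the Cyber Defense Matrix project. Manifests are plain dicts in the
shape of a Kubernetes Deployment (constructed below), and the threshold of
three replicas is an illustrative design choice.
"""
import re
from typing import Dict, List

# Images pinned by content digest look like repo/name@sha256:<64 hex chars>.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

MIN_REPLICAS = 3  # assumption: "distributed" means at least three copies


def check_die(deployment: Dict) -> List[str]:
    """Return a list of D.I.E. findings; an empty list means the manifest passes."""
    findings: List[str] = []
    spec = deployment.get("spec", {})
    pod = spec.get("template", {}).get("spec", {})

    # Distributed: one replica is a single point of failure and a single
    # target for a DDoS; a distributed service survives the loss of a node.
    if spec.get("replicas", 1) < MIN_REPLICAS:
        findings.append(f"Distributed: replicas < {MIN_REPLICAS}")

    for c in pod.get("containers", []):
        name = c.get("name", "?")
        # Immutable: a digest pin means the running code cannot be swapped
        # by re-tagging, and a read-only root filesystem means a compromise
        # cannot modify the image at run time, so drift is detectable and
        # recovery is a redeploy of the known-good image.
        if not DIGEST_RE.search(c.get("image", "")):
            findings.append(f"Immutable: container {name} image is not pinned by digest")
        if not c.get("securityContext", {}).get("readOnlyRootFilesystem", False):
            findings.append(f"Immutable: container {name} root filesystem is writable")

    # Ephemeral: persistent or host volumes carry state (and an attacker's
    # persistence) across pod restarts; pods should hold only scratch space.
    for v in pod.get("volumes", []):
        if "persistentVolumeClaim" in v or "hostPath" in v:
            findings.append(f"Ephemeral: volume {v.get('name', '?')} persists beyond the pod")

    return findings


# Constructed "weak" manifest: single replica, mutable tag, writable root, PVC.
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "orders"},
    "spec": {
        "replicas": 1,
        "template": {"spec": {
            "containers": [{"name": "orders", "image": "registry.example/orders:latest"}],
            "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "orders-data"}}],
        }},
    },
}

# Constructed "hardened" manifest built toward D.I.E. (digest is a placeholder).
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "orders"},
    "spec": {
        "replicas": 3,
        "template": {"spec": {
            "containers": [{
                "name": "orders",
                "image": "registry.example/orders@sha256:" + "a" * 64,
                "securityContext": {"readOnlyRootFilesystem": True},
            }],
            "volumes": [{"name": "scratch", "emptyDir": {}}],
        }},
    },
}


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        print(f"{label}: {check_die(manifest) or 'no D.I.E. findings'}")
```

The weak manifest produces four findings (one per property, two for Immutable) and the hardened one produces none. Note what the check does not cover: it says nothing about which data matters most to the business, which is exactly the C.I.A. question the post argues must be answered first.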
D.I.E. fits better into the SDLC
One challenge is that D.I.E. must be considered at the start of the system development life cycle. It would be great if every developer were on board and understood what the concept requires. However, I think we are a ways off from D.I.E. being accepted in mainstream development practice or adopted by legacy systems. Because of this, C.I.A. will continue to be a useful method for determining cybersecurity risk.
NIST SP 800-39 (Managing Information Security Risk) displays the following table on page 9.
In the table, risk can be assessed using a top-down approach or a bottom-up approach. Mostly, we see companies that need the bottom-up approach. D.I.E. can replace C.I.A. if we start at the top of the risk model. While I agree with Sounil about the value of D.I.E., I think the approach overlooks the fact that for most companies cybersecurity is not the priority, and for those companies a bottom-up approach using C.I.A. will continue to be useful and provide great value.
Use C.I.A. Now to Understand Your Risks.
Since we must still rely on C.I.A. while D.I.E. concepts catch up, working toward assessing risk is a great first step. Part of assessing risk is understanding vulnerabilities, so a vulnerability assessment will give a clearer picture of where your company stands. See the contact form below for additional information; experts are standing by to answer your critical business cybersecurity questions.