Introducing the 4D Metaphysical GRC Database. David Lacey

Transcription

1 Introducing the 4D Metaphysical GRC Database David Lacey

2 What is the greatest challenge to CISOs today?

3 Computer Weekly interview with John Meakin (2007) David Lacey: What is the biggest challenge to you? Is it the growing sophistication of the threat or the growing vulnerability of the infrastructure? John Meakin: The biggest challenge for me is not any particular change in the threat landscape but more the complication of putting together all the pieces of the security jigsaw that helps to protect the organisation

4 Ashby s Law of Requisite Variety (1956) If a system is to be stable, the number of states of its control mechanism must be greater than or equal to the number of states in the system being controlled Only variety destroys variety (Cryptographers might recognize this as consistent with Shannon s 10th Information Theorem)

5 Fifteen years later in Santiago, Chile Stafford Beer implements the first e-government system based on Ashby s Law, Bayesian controls, and neural networks Note the Star Trek style Tulip chairs and the ICL tango colour In 1973, the CIA sponsors a coup d'etat in Chile. The client dies, and the system is destroyed Project Cybersyn control room

6 Combinations of states are surprisingly large A computer with the mass of the entire Earth operating at Bremermann's limit ¹ could theoretically perform approximately mathematical computations per second In contrast, the number of possible images on a HDTV screen with 1920 x 1080 pixels and 32 bits for colour is approximately Yet we manage to control screen displays. How is this? ¹ Bremermann's Limit is the maximum computational speed of a self-contained system in the material universe

7 Lessons from Ashby s law Scale up the variety (number of states) in the management mechanism as far as you possibly can Place strict boundaries around the system you wish to control Restrict or classify the available states in the system itself Categorize entities and relationships in the system Restrict the type of relationships between types of entities Otherwise, the system will be unstable, out of control

8 Fast forward to BSI publish a Code of Practice for Information Security Management Shell is the only company to implement it (for many years) and the first in the world to gain accredited certification Today it is the basis of ISO and ISO 27002

9 Why and how cybersecurity has failed Cyber security relies on thousands of individual initiatives across an enterprise Security is based on numerous, interwoven, abstract concepts, which makes it extremely difficult to join up BS7799 provided an initial blueprint, but subsequent standards introduced new terminology, categories, and structures The lack of a single, perfect categorisation of controls results in an unmanageable situation Modern technologies (Java, AI, Graph databases) cannot deliver a satisfactory solution

10 The rise of Governance, Risk & Compliance (GRC) GRC is now by far the biggest driver of security GRC functions are growing rapidly, especially in banks (thousands of staff) GRC has a bigger scope than cyber security (includes laws and regulations) GRC is immature and massively inefficient, as currently practised GRC categorizations do not work (e.g. BCBS¹ Operational risk) GRC relies too much on tick-box evidence, not enough on actual measurement GRC is rarely perceived as adding value to business (only through automation) Cyber security has to be addressed within a GRC context ¹ Basel Committee on Banking Supervision

11 How to fix the problem Join up the GRC and Security metadata How hard is it? Extremely difficult. Do not underestimate the challenge! Can it be achieved? Yes, but the solution demands deep, rare skills, knowledge and techniques, as well as huge patience and determination First, believe it is possible (many academics don t) Trust that Aristotle was right, and Nietzsche was wrong Then take time to get it right A rigorous, objective categorization takes a long, long time (circa 10,000 hours) Avoid short cuts and fashionable technologies Old science is the answer (metaphysics, mereology, set theory, cybernetics, relational database)

12 Aristotle versus Nietzsche "Truth means knowing existent objects and falsity does not exist, nor error, but only ignorance." There are no facts, only interpretations Aristotle Nietzsche

13 What s wrong with this categorization? 1. Internal Fraud 2. External Fraud 3. Employment Practices and Workplace Safety discrimination 4. Clients, Products, and Business Practice 5. Damage to Physical Assets 6. Business Disruption and Systems Failures 7. Execution, Delivery, and Process Management (These are BCBS Operational risk categories)

14 Why was this structure chosen? 1. Security policy 2. Security organization 3. Assets classification and control 4. Personnel security 5. Physical and environmental security 6. Computer and network management 7. System access control 8. System development and maintenance 9. Business continuity planning 10. Compliance (These are the original BS7799 control groups)

15 Why is categorization so difficult? Concepts such as control, risk, trust, vulnerability, attack vector are surprisingly difficult to model Abstract concepts conflate and confuse entities and relationships Instances of these terms can be quite different, with varying attributes and relationships Some concepts (e.g. trust ) do not exist as entities in the real world Terminology is ambiguous Intrusion detection could be a hardware device, software download, appliance function, requirement, activity, role, etc. Common terms such as site may cover a multitude of widely different objects: a building, plot of land, city, space station, etc. GRC data exists in the past (e.g. audit trails, evidence) and present (e.g. incidents, current configurations) as well as the future (risks, requirements, mitigation plans) Need for a 4D data modelling approach

16 What s wrong with fashionable technology? Java mixes code and data structures, and is hierarchical, so cannot cope with real world structures AI is no more than guesswork based on previous experience, resulting in excessive entropy (i.e. lots of false positives and missed matches) Big Data/NoSQL/Graph databases are no more than simple tables with limited functionality and application Good for processing time series and friend-of-a-friend relationships, but not suitable for more complex applications Allowing free relationships between instances massively increases entropy (avoid!) A relational database can be converted to a Graph database, but not vice versa Blockchain is a solution looking for a real business problem to solve Bitcoin or similar financial applications in general use would have to be controlled by governments and regulators, as they enable tax evasion and money laundering Blockchain in its current form has intrinsic security, governance, and performance flaws

17 What is the 4D Metaphysical GRC Database? A pure metaphysical enterprise data model, incorporating 4D data modelling techniques Based on state-of-the-art, ontological data patterns (Dr Matthew West s latest HQDM 1 structures) and strict data modelling principles Around three years in development Quality assured by one of the world s greatest data modellers: Dr Matthew West Designed for the Governance, Risk & Compliance (GRC) marketplace Joins up data from compliance requirements, risk assessments, incidents, audits, gap analyses, audits, and discovery process 1 High Quality Data Modelling 4DMGRC

18 How does it work? Based on a pure high-level ontology of around 400 entities, onto which is mapped every entity that is likely to be encountered in GRC and security Around 10,000 classes of linked, matched, and overlapping sets of reference data Once-only translation of control requirements and questionnaires into a requirement specification expressed in first-order predicate calculus Control requirements can be precisely mapped onto properties of states of real-world objects, as well as onto other standards and legal requirements A control is a pattern of multiple, existing and future states of physical entities and classes Controls cannot be effectively categorized without a large set of enterprise reference data 4DMGRC

19 Top-level ontology Thing Abstract Object Spatio-temporal extent Class Relationship Event State Requirement Individual Activity Association Physical object Intentionally constructed object Possible world

20 Upper level ontology

21 What can it do? Match up your risk assessments, incidents, vulnerabilities, compliance requirements, and physical controls Automatically generate your compliance status and answers to audit questionnaires Underpin compliance claims with evidence of implementation Massively reduce the time, effort and resources required for governance and audits In short, it represents the industrialization of GRC

22 Components of the 4D Metaphysical GRC Database UUI Unified User Interface ERD Enterprise Reference Data CCD Compliance Control Definitions HQDM GDX High Quality Data Model GRC Data Model Extensions

23 Key functionality of 4DM GRC Database 4DMGRC Unified user interface Unified GUI with smart (filtered), drill-down to data Standard or bespoke interfaces to EUC and Web services Comprehensive portfolio of useful reports Control matching capability Accurate matching of controls from different sources Precise mapping of controls to properties of physical objects Automatic gap analysis generation GRC data warehouse Records all properties of all states of objects: past, present, and (possible) future SQL and Big Data interrogation capabilities Accommodates new kinds of objects without changes to data model

24 Objects that exist now Activity or incident Responsibility, entitlement, or association Buildings & infrastructure Data file or document Equipment, systems & software Objects related to the future Organizational unit Person, role or position Findings and assessments Illustration of a typical interface that might be presented to a 4DM GRC user Action plan Business scenario Risk, threat or hazard Audit/review finding Control gap analysis Policy or legal requirement Requirement for resource Risk, threat or vulnerability assessment