"Left of Boom"
The allied military forces engaged in operations in Iraq and Afghanistan nearly 20 years ago were confronted with the challenge of Improvised Explosive Devices (IEDs), which were roadside bombs that detonated remotely and inflicted casualties and damage to military personnel and materiel. Major research efforts on how to detect these IEDs and detonate them harmlessly, or to infiltrate and disrupt bomb manufacturing, were referred by the idiom "Left of Boom." "Left" is the program management concept for the early side of the programmatic timeline, as in "Move this project to the left." Of course, "Boom" is self-explanatory.
The phrase "Left of Boom" was catchy and caught on in other domains, like healthcare and critical infrastructure, or any domain in which preventive and proactive measures should be taken to prevent or limit harmful consequences. "Left of Bang" would be occasionally interchangeable with "Left of Boom." About 15 years ago, the idiom began to be applied to cybersecurity, where the risk management continuum values the investment in protection to mitigate the negative consequences of a cyber incident.
We can never eliminate risk entirely, but we can manage it effectively with "Left of Boom" processes and procedures. The primary job of the Chief Information Security Officer (CISO) is to exercise continuous diligence in reducing risk, within the risk appetite and risk tolerance of the organization, so that the likelihood of a boom is low, and the corresponding magnitude of harm is limited. Achieving "Left of Boom" cybersecurity is a journey on which every CISO should be embarked.
Some "Left of Boom" Processes
An effective cybersecurity and risk management program encompasses numerous processes and procedures, and implements dozens of programs, capabilities, and tools, all being managed by competent and qualified cybersecurity professionals. When harmony is achieved among all the various elements, a holistic defensive posture can be demonstrated to senior leadership and oversight authorities. Getting started on such a path can be intimidating, especially for smaller organizations with limited resources, but these are some of the solid steps to be considered on the path to "Left of Boom."
Understand the hardware and software inventory, put in place the capability to increase the visibility of these assets, and develop meaningful and actionable metrics to determine the efficacy of cybersecurity and risk management in the enterprise.
In that inventory of information technology assets, understand what runs the essential business and mission operations of the organization. Prioritize these high value assets (HVAs) and make sure the necessary controls are in place and operating effectively to protect them from the tactics, techniques, and procedures (TTPs) that bad actors will use to attack them.
Move to the cloud. The major cloud providers are inherently more secure than almost anything that can be done internally, and they're getting more secure all the time.
Implement multi-factor authentication (MFA) as soon and as efficiently as possible. Any system or application that is protected only by a password is vulnerable to breach.
Put controls in place to secure the supply chain, and as far as the software industry is concerned, require a software bill of materials (SBOM) from suppliers.
Insider threat can be extremely damaging to the business operations and mission of the enterprise, and controls must be put in place and operate effectively to deal with the insider threat.
Reduce the attack surface and manage the endpoints. Strengthen controls on the endpoints, and remember, the human workforce and all its devices constitute the new perimeter of the enterprise.
Run very good anti-malware continuously, and make sure all systems are patched and updated continuously. In fact, do everything in cybersecurity continuously. Cyber hygiene is an essential aspect of effective risk management, and it must be continuous.
Backup all critical data at least daily, and preferably more often, to offline storage and protected with MFA and immutable encryption.
Build out a Zero Trust Architecture (ZTA), and adopt a "Zero Trust or Bust" mentality for cybersecurity and risk management. Zero Trust aims to ensure that all resources are accessed securely, applies a least-privilege strategy, and inspects and logs all traffic.
Practice makes perfect! Exercises and tabletops should be an ongoing aspect of incident response, disaster recovery, business continuity planning, and governance of cybersecurity in the enterprise.
Having insurance and the ability to pay a ransom is not the answer! If an incident occurs and insurance provides some degree of relief, that insurance will no longer be available and the controls that weren't in place prior to the incident will now be required to be put in place immediately and hastily.
Don't let compliance be the enemy of resilience! A few years ago, the word 'resilience' wasn't in the cyber vocabulary. Now, cyber resiliency offers the best chance for achieving mission and business goals in the face of increasing sophisticated cyber attacks.
It wouldn't be practical for any CISO to proclaim that "Left of Boom" is the security framework that will be implemented in the enterprise. It's a concept, and a catchy slogan, but it's not a framework. Fortunately, cybersecurity frameworks exist that, if implemented effectively, can provide "Left of Boom" proactive cybersecurity and risk management defenses. Here a few worth considering.
The NIST Cybersecurity Framework: The NIST CSF is a maturity model, not a compliance framework, providing five core functions of Identify-Protect-Defend-Respond-Recover, with four tiers of maturity within each. The Identify-Protect-Defend functions are decidedly "Left of Boom." In the healthcare sector, the HITRUST Cybersecurity Framework is the sector-specific version of the NIST CSF.
MITRE ATT@CK and MITRE D3FEND: MITRE is a non-profit Federally-Funded Research and Development Center (FFRDC) focused on the Federal market. MITRE ATT@CK documents the common cyberattack TTPs so that defenders might better understand how attacks are conducted. MITRE D3FEND complements the ATT&CK framework by providing a framework of techniques that can be applied to counter the TTPs detailed in the ATT&CK framework.
ISO 27001: The ISO 27K series sets the foundation for establishing an information security management system (ISMS). Its best practices include setting controls and processes based on organizational context, leadership, planning, support, operations, performance evaluation, and improvement.
Center for Internet Security (CIS) 20 Critical Controls: The CIS 20 intends to provide the 20 most important controls for any organization starting out from scratch. It includes categories for organizations with limited (Group 1), moderate (Group 2), and significant (Group 3) resources and expertise.
"Right of Boom"
If the approach to "Left of Boom" is considered the best way to approach cybersecurity and risk management in an enterprise, then what is "Right of Boom?" In most cases, operating "Right of Boom" is extremely consumptive of resources and counterproductive to the business operations and mission of the enterprise.
The reality is that "Right of Boom" happens and preparations must be in place to account for a "Right of Boom" situation. Fortunately, some "Right of Boom" processes and procedures can inform some "Left of Boom" activities, thus providing a valuable feedback loop. In fact, it can almost be argued that "Left of Boom" exists as an idiom because "Right of Boom" has happened too often.
Disaster Recovery Planning (DRP), Business Continuity Planning (BCP), and Continuity of Operations Planning (COOP) all are "Left of Boom" activities, but they get put to the test in a "Right of Boom" situation. It's extremely important to develop these plans, engage leadership and all stakeholders in putting them together and exercise them regularly, and then pray that they never have to be used.
If or when an incident occurs, all the "Right of Boom" processes must kick in effectively, including incident response, triage, systems isolation, systems reconstitution/restoration, forensics investigation, security event analytics, and lessons learned action plan. It's important to note that an unfortunate incident may have disrupted operations or impeded mission accomplishment, but also provided critically important information by which to fine tune the organization's "Left of Boom" capabilities.
"An Ounce of Prevention Is Worth a Pound of Cure"
Although he didn't realize it at the time, Ben Franklin actually may have been our nation's first CISO. His statement "An ounce of prevention is worth a pound of cure" is as "Left of Boom" as it gets. His point was that preparing for an event is far more efficient than responding to an event. Ben Franklin was an accomplished and knowledgeable Founding Father, and his wit and wisdom are well to us. Also attributed to him is the statements "By failing to prepare, you are preparing to fail," and "A little neglect can yield great mischief." Ben Franklin might not have actually been our nation's first CISO, but he certainly understood "Left of Boom."
We'd love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels