Clearly understanding the organization’s critical dependencies upon its information and underlying IT infrastructure is essential to making informed cybersecurity decisions, both proactive (investments) and reactive (incident response).
For effective decision-making, Context is Everything. Without it, you’re just guessing.
This is especially true with the often-frenetic decisions made during Incident Response (refer to “Consequence Analysis” capabilities discussed later in this Top 20 list).
As with the first and second SOC Capability Areas described in earlier articles, mapping the organization’s mission-critical dependencies should not be the responsibility of the Security Operations team. Network Operations should already be responsible for capturing and managing this contextual knowledge as part of Business Continuity Planning (BCP), Continuity of Operations (COOP), and Disaster Recovery Planning (DRP).
Perhaps due to today’s continuous evolution of business processes and enabling technologies, few organizations seem to have the discipline to maintain a detailed dependency knowledge base through efforts such as Enterprise Architecture. Unfortunately, this often leaves the typical Security Operations team to make urgent decisions, such as event triage and prioritization, based primarily on anecdotal, tribal knowledge of the environment, resulting in a “whack-a-mole” mode of operation that most of us recognize all too well.
This knowledge gap is a major factor contributing to Analyst ramp-up time, burnout, and turnover. It is also the major inhibitor to effectively communicating with business leaders, the C-team, and the board.
Experienced cybersecurity professionals (e.g., CISSP, CISM, etc.) typically address this knowledge gap with Business Impact Analysis (BIA) where resources permit. For military organizations, we have described this as Mission Impact Analysis (MIA) but it is more commonly referred to there as "mission mapping".
Whatever process is followed, and whoever executes it, effective Security Operations efforts rely upon a capability to manage this contextual knowledge and to apply it to decisions and communications, in real time. Without the Context provided by such a capability, your Security Operations team can only speculate (yes, guess) about the business consequences of any threat, vulnerability, or incident.
It’s worth noting that many APT actors invest heavily in reconnaissance to map your organization’s dependencies. That information is often critical to their achieving the effects they intend. It ought to be equally important to you in preventing those effects.
Again, Context is Everything.