Definitions

Problem

Words matter, but the meaning of words matters even more. 

1. Too many terms in cybersecurity. 

2. They have multiple definitions. 

3. They are used interchangeably. 

4. No single source of truth even within one particular approach.

It's really difficult to achieve something if the words you use to set objectives do not have any rigidity. Core terminology and their definitions are supposed to be the foundation of the discipline. With the current situation, it's like building your castle on sand.

Solution

1. We have key terms to the minimum.

2. We gave those key terms singular definitions.

3. No more overlapping terms.

4. BRSE is the truth and you will replicate its definitions into your cybersecurity program which will become your source of truth and one and only point of reference.

Body of the Topic

To change a few words, right? Well, you will quickly find out that at the level of abstraction, these words are extremally impactful. They impact the scope of your responsibilities, your authorizations, role descriptions. The good thing that BRSE will bring clarity, simplicity, practicality, structural cohesiveness as all the moving parts are unified by the clean hierarchy of objectives. These terms create a perfect picture together thus having it in mind will help you tremendously to go through the transition phase.

Ok, let's get to the words, shell we.

1. Breach is a situation when an malicious actor has gained the ability to execute commands from within your IT estate.

You can read up on implications of this definition in articles [2], [3], [4], [5], [6].

It's pretty mental to have a term listed ABOVE the discipline itself. This should already scream to you how critical that is. The second indicator would be the amount of references to articles. It so important that its letter takes the first spot in the acronym too! At the section of definitions we aren't going to dive into this too much. However, the concepts in the articles referenced here should already shows you how massive the influence of this one term.

2. Breach Response (BR) is a manual or automatic action in order to stop the ongoing cyber breach by timely detecting and disrupting of the execution of malicious tactics and techniques or by preemptively denying them the ability to be executed. BR also includes the following:

   1. blast radius analysis

   2. search for the breach entry point and pivoting, lateral movement points

   3. the search and destroy campaign for the implants which ensure persistence for the adversary

Why, main objective of cybersecurity is "to disrupt"? if you have burglars in your house, you want them out. NOW. Most real-time desire ever. But, Ivan, Why do we have latter "R" in BRSE? Letter "R" stands for Response, not disruption, doesn't it? Yes.

BRSE focuses on two types of breach response, not one: disruption and denial. Are there any other ways to respond? Absolutely, however, BRSE respects the hierarchy of cybersecurity objectives with the top one being breach disruption.

Security engineering (SE) brings in a second type of response: denial (it does both both). BTW breach response by SE, is THE GLUE that connects SE to Security Operations and allows BRSE to come to life as a doctrine. The word "Response" also maintains the historical link to MDR (Managed Detection and Response) in solidarity and support of the honest attempt to drive attention to the key expectation which was often tossed around (still is in many cases) between multitude of teams and even within cybersecurity teams themselves (they called it "triaging, investigation and escalation" through three levels of Security Operations Center (SOC)).

Response can either be automatic (no human action or approval needed at the moment of breach detection) or manual (human action is required).

3. Cybersecurity is a discipline with the main objective to disrupt cyber breaches.

Cybersecurity also has smaller objectives independent from the main one: like  CIA (Confidentiality, Integrity, Availability) triad.  CIA triad is not covered by BRSE for now, mostly because it's been addressed by every other standard out there (more reasoning here [1]). BRSE is laser-focused on the main objective of cybersecurity. Targeting breaches and the detailed focus on breach response is unique to BRSE. 

4. Security Engineering (SE) is a subdiscipline of cybersecurity with the main objective to reduce workload from the security operations by executing the whole slew of tasks in order to deliver automatic response to cybersecurity breaches either by disrupting or by denying execution of relevant adversarial tactics and techniques.

This versatility is likely the reason why it is loved literally by EVERYBODY: the clients and the industry. Security engineering and cybersecurity protection sometimes can be used interchangeably. However security engineering is a broader term and includes objectives like CIA triad, run and maintain work, solution design and deployment, identity and network security. If we want to talk about response (automatic) only, cybersecurity protection is a more accurate term although from BRSE perspective this nuance is insignificant.

These are the key definitions, however we will be adding more terms an definitions, including the ones which are excluded and| or replaced in BRSE.

To Be Continued.

Suggested Actions

[Should be later consolidated into the plan template]

1. Introduce BRSE approach to all the stakeholders as per RACI chart and per your BRSE adoption plan.

2. Analyze implications of switching to BRSE terminology, design changes to accommodate the transition and modify your BRSE adoption plan if needed. 

3. Run as many workshops as needed in order to establish understanding of what adopting BRSE means.

4. Add BRSE terms and their definitions into your cybersecurity program document. This will be your internal source of truth.

5. Establish an internal practice to review and correct existing and new documents and records as per BRSE terms and definitions.

6. Engage your compliance and legal functions in order to establish mapping of BRSE terms with the ones demanded by Law, regulatory documents: reports, audit work for your EXTERNAL documents. This mapping should be used for external facing communications. It is important to unchain yourself from the existing industry baggage in order to achieve maximum effectiveness. Thus having such mapping is as valuable for external compliance as for the internal function.

References

1. Laser-focused Cybersecurity (Part 1) | by Ivan Fedorets | Medium (ivancyber.com) 

2. Cybersecurity: Breach [is the new “Incident] | by Ivan Fedorets | Medium (ivancyber.com) 

3. Is This the Most Ambiguous Word in Cybersecurity? | by Ivan Fedorets | Medium (ivancyber.com) 

4. Attack or a Breach?. Here are quotes from the Microsoft… | by Ivan Fedorets | Medium (ivancyber.com) 

5. Cybersecurity: Getting Rid of the Term “Threat” - Ivan Fedorets - Medium (ivancyber.com) 

6. Cyber Breach Severity Levels: Are Three Levels Enough? How about a Dozen? | by Ivan Fedorets | Medium (ivancyber.com)