IBM Cybersecurity Architecture Series - General overview
Hello!
I found this GIF related to my previous blog entry here. (꒪⌓꒪) You can check out what I mentioned in that blog post below, but if you’re curious to learn more, head over to the post!

These are my notes based on the IBM Cybersecurity Architecture Series, but they’re more of a flyover-type summary, just in case you’re wondering if this series is worth your 2+ hours. ༼ ʘ‿ʘ༽
- Identity and Access Management (IAM): This is the first domain discussed and is described as the "new perimeter." It focuses on answering the questions "Who are you?" and "Are you allowed to do this or not?" It includes processes like administration (creating, deleting, updating accounts and privileges), authentication (determining identity, often using multiple factors), and authorization (determining what a user is allowed to do, potentially based on risks). A special aspect is privileged access management (PAM) for users with high levels of access. The fourth aspect is auditing to verify that the previous three were done correctly, often using user behavior analytics (UBA). It also includes federation to extend identity to external systems and consumer identity and access management (CIAM) for customers. Funny enough, when I think of IAM, my brain just says to me, "oh, this IAM sounds like Eminem," like "who you are... my name is..."

- Endpoint Security: This involves securing devices that act as the "IT gateway." Endpoints include servers, desktops, laptops, mobile devices, and even smart appliances. Securing endpoints is crucial because multifactor authentication (MFA) relies on a trusted platform. Endpoints contribute to the attack surface, and their diversity (hardware and software) increases complexity, which is the enemy of security. Security controls for endpoints include endpoint management systems (ideally unified), security policies (hardware, software, passwords), patching, remote data wipe capabilities, location tracking, antivirus or EDR, and secure device disposal policies. The BYOD (Bring Your Own Device) concept is discussed as a challenge requiring well-defined programs, user consent, defined monitoring, and the ability to selectively wipe corporate data.

- Network Security: This domain focuses on protecting network infrastructure. Key technologies mentioned include firewalls (which create isolation and protection similar to physical firewalls), network segmentation (using firewalls in different architectures like DMZ to create zones of varying trust), proxies (which act on behalf of others to inspect and enforce policies), NAT (Network Address Translation, which aids in IP conservation and prevents direct external access), VPNs (Virtual Private Networks, with different types depending on OSI model layers, trending toward application-specific VPNs for greater granularity), and SASE (Secure Access Service Edge, a cloud-delivered combination of networking and security, related to Zero Trust and microsegmentation).

- Application Security: This focuses on protecting software and applications. The fact that all software contains bugs underscores the need for application security. A key concept is DevSecOps, which integrates security throughout the software development lifecycle (SDLC), promoting a cyclic, collaborative, and automated approach to address vulnerabilities as early as possible ("shift left"). Elements for writing secure code include secure coding practices (referencing OWASP), using trusted libraries, standard architectures (like those provided by IBM), avoiding common mistakes (such as those in the OWASP Top Ten), and having a software bill of materials (SBOM) to know components and their vulnerabilities. Application security testing includes SAST (Static Application Security Testing, which analyzes source code) and DAST (Dynamic Application Security Testing, which analyzes running applications). The use of AI chatbots in development introduces risks of vulnerabilities or data exposure. I believe this GIF is based on a real story from my Service Desk analyst experience... XD It totally captures those wild moments...

- Data Security: This domain refers to protecting data, often considered the "crown jewels." The motivation for data security includes the average cost of a data breach ($4.35 million globally, $9.44 million in the U.S.) and the fact that 83% of organizations have experienced more than one breach. A data security ecosystem includes governance (defining policies, classification criteria, and resilience/recovery plans), discovery (finding sensitive data in structured sources like databases and unstructured sources like files/emails), protection (including access control and cryptography), compliance (with regulations like GDPR and data retention laws), detection, and response. The top five things that reduce the cost of a data breach are the use of AI, an incident response team, cryptography, frequent testing, and employee training.

- Detection: While the first five domains focus primarily on prevention, detection deals with identifying when a problem occurs. This involves monitoring systems and how data is used. Key technologies for detection are SIEM (Security Information and Event Management) and XDR (Extended Detection and Response) systems. A SIEM collects logs, alarms, and flow data from multiple domains to correlate, analyze (via rules and anomaly detection), and report. An XDR evolved from EDR (Endpoint Detection and Response) and often uses a "top-down" approach, installing agents for local detection and response but also aggregating information for a more comprehensive view, potentially using federated search to query data where it resides. SIEM and XDR are complementary technologies ("XDR plus SIEM"). Detection also includes threat hunting, a proactive approach where experienced analysts search for indicators of compromise (IOCs) based on hypotheses, aiming for early detection and reducing the mean time to identify (MTTI).

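To make the SIEM idea concrete, here is an added example (my own toy code, not anything from the IBM series): a correlation rule that joins constructed log lines from the IAM, endpoint and network domains into a single alert, scores severity by how many domains agree, and reports the MTTI for that alert. The log format, hostnames and addresses are all made up.

```python
# Added example, not code from the IBM series: a toy SIEM-style correlation over
# constructed log lines (made-up "timestamp domain key=value ..." format).
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOGS = """\
2024-05-01T08:00:01Z iam user=alice result=fail src=198.51.100.7
2024-05-01T08:00:09Z iam user=alice result=fail src=198.51.100.7
2024-05-01T08:00:14Z iam user=alice result=fail src=198.51.100.7
2024-05-01T08:00:20Z iam user=alice result=success src=198.51.100.7
2024-05-01T08:02:30Z endpoint host=wks-17 user=alice alert=credential_dumping
2024-05-01T08:03:10Z network host=wks-17 dst=203.0.113.9 bytes=52000000
2024-05-01T08:10:00Z iam user=bob result=success src=10.0.0.5
"""
LINE_RE = re.compile(r"^(\S+) (\w+) (.*)$")

def parse(text):
    events = []
    for line in text.splitlines():
        ts, domain, rest = LINE_RE.match(line).groups()
        ev = dict(kv.split("=", 1) for kv in rest.split())  # key=value fields
        ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        ev["domain"] = domain
        events.append(ev)
    return events

def correlate(events, fail_threshold=3, window=timedelta(minutes=10)):
    """Rule: N failed logins then a success (IAM), an EDR alert for that user (endpoint)
    and a large outbound flow from that host (network) inside one window."""
    alerts, fails = [], defaultdict(list)
    for ev in (e for e in events if e["domain"] == "iam"):
        user = ev["user"]
        if ev["result"] == "fail":
            fails[user].append(ev["ts"])
            continue
        if len(fails[user]) >= fail_threshold:
            first = fails[user][0]
            later = [e for e in events if first <= e["ts"] <= first + window]
            edr = [e for e in later if e["domain"] == "endpoint" and e.get("user") == user]
            flows = [e for e in later if e["domain"] == "network"
                     and e["host"] in {x["host"] for x in edr} and int(e["bytes"]) > 10_000_000]
            domains = 1 + bool(edr) + bool(flows)  # how many domains agree
            detected_at = max(e["ts"] for e in [ev] + edr + flows)
            alerts.append({"user": user, "domains": domains,
                           "severity": ("low", "medium", "high")[domains - 1],
                           "mtti_s": int((detected_at - first).total_seconds())})
        fails[user].clear()  # any success resets the counter
    return alerts
```

Running `correlate(parse(SAMPLE_LOGS))` yields one high-severity alert for alice with an MTTI of 189 seconds (first failed login to the outbound flow), while bob's clean login produces nothing.
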
- Response: Once a problem is detected, response focuses on containing and recovering from it. The goal is to reduce the mean time to contain (MTTC), which averages about 70 days according to a survey. The Security Operations Center (SOC) is often the team responsible for detection and response. Incident response (IR) has traditionally been a manual process relying on experts to triage (evaluate alerts), investigate, and remediate. The modern approach is SOAR (Security Orchestration, Automation, and Response), which seeks to automate and orchestrate response tasks to make them more efficient and repeatable. A SOAR system can create and manage cases based on SIEM/XDR alerts, enrich them with artifacts/IOCs, and assign them to analysts. Investigation and remediation activities can be guided by dynamic playbooks that specify steps based on intermediate results. Automation handles previously seen situations, while orchestration (semi-automated) allows human direction in new or complex ("first-of-its-kind") cases. A key part of responding to a data breach is breach notification, which requires knowing the type of compromised data, the geography of those affected, and applicable laws/regulations (like GDPR), which can be aided by specialized tools.

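And the SOAR side as an added example (again my own toy code, not from the series): a case is opened from an alert, enriched against a constructed threat-intel feed, assigned by severity, and then worked by a dynamic playbook whose later steps branch on the enrichment result, going fully automated for a pattern seen before and falling back to orchestration (analyst decides) for a first-of-its-kind case. The intel feed, signatures and analyst roster are placeholders.

```python
# Added example, not code from the IBM series: a toy SOAR case whose playbook
# branches on enrichment results; the intel feed and analyst roster are constructed.
from dataclasses import dataclass, field

THREAT_INTEL = {"203.0.113.9": "known_exfil_server"}              # constructed IOC feed
SEEN_SIGNATURES = {("credential_dumping", "known_exfil_server")}  # handled before
ANALYSTS = {"high": "tier2-oncall", "medium": "tier1", "low": "tier1"}

@dataclass
class Case:
    alert: dict                                    # the SIEM/XDR alert that opened it
    artifacts: dict = field(default_factory=dict)  # IOC -> verdict after enrichment
    actions: list = field(default_factory=list)
    assignee: str = ""
    mode: str = ""                                 # "automated" or "orchestrated"
    status: str = "open"

def enrich(case):
    """Look up every destination IP in the alert and assign the case by severity."""
    for ip in case.alert.get("dst_ips", []):
        case.artifacts[ip] = THREAT_INTEL.get(ip, "unknown")
    case.assignee = ANALYSTS[case.alert["severity"]]
    return case

def run_playbook(case):
    """Dynamic playbook: each step's branch depends on the results of earlier steps."""
    # Step 1: containment sized to the alert's own severity.
    if case.alert["severity"] == "high":
        case.actions.append(f"isolate_host:{case.alert['host']}")
    # Step 2: branch on what enrichment found.
    malicious = {ip: v for ip, v in case.artifacts.items() if v != "unknown"}
    signatures = {(case.alert["edr_alert"], v) for v in malicious.values()}
    if malicious and signatures <= SEEN_SIGNATURES:
        # Seen-before situation: remediation runs end to end without a human.
        case.mode = "automated"
        case.actions += [f"block_ip:{ip}" for ip in malicious]
        case.actions.append(f"disable_user:{case.alert['user']}")
        case.status = "contained"
    else:
        # Unknown indicators or a first-of-its-kind pattern: orchestrate instead and
        # leave the next step to the assigned analyst.
        case.mode = "orchestrated"
        case.actions.append(f"await_analyst_decision:{case.assignee}")
        case.status = "pending_human"
    return case

def handle_alert(alert):
    return run_playbook(enrich(Case(alert=alert)))
```
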
I feel this blog entry is pretty dense, so I'm keeping it as a WIP and moving on. If you're reading this and you're not me, well, thanks!
