dxc cyber reference architecture€¦ · actionable security and threat intelligence containment,...

DXC Labs | Security — White Paper

An enterprise-focused path to cyber resilience and secure digital transformation

DXC Cyber Reference Architecture

2


Digital transformation, however, means that cybersecurity can no longer be handled as an after-the-fact bolt-on, separate from the rest of the business. Organizations must consider security as part of their strategic approach, viewing cybersecurity and resilience as business enablers that help enterprises safely embrace the benefits of digital transformation.

Even the World Economic Forum recognizes the importance of high-level responsibility for the strategic governance of cyber risk and cyber resilience. In a report for boards of directors, “Advancing Cyber Resilience: Principles and Tools for Boards,” the forum concluded that “cyber strategy must be determined at the oversight board level.”

Aligning cybersecurity strategy with business objectives — and obtaining board-level sponsorship — is key to attaining and maintaining a strong security posture.

Closing the security posture gap

Most organizations are struggling to reduce the growing gap between their security posture and the threat landscape, with its ever-increasing cyberattack sophistication — and at the same time, they are trying to stay on top of changing security-related regulatory and legislative obligations that differ across geographies.

Spending more money isn’t necessarily the answer. Security budgets are increasing, but the security posture gap is getting wider, as shown in Figure 1.

At the heart of digital transformation is data. The importance of protecting this critical business asset is bringing cybersecurity into sharp focus in the boardroom as well as the data center.

In the past, an enterprise’s cybersecurity team focused on IT security risks and threats, with little reference to business risks, objectives and strategy. The team would deploy controls within a defined corporate network boundary, driving a very technology-focused approach to cybersecurity. The team generally spoke its own language of cybersecurity terms and acronyms, little understood by the business.

Aligning cybersecurity strategy with business objectives — and obtaining board-level sponsorship — is key to attaining and maintaining a strong security posture.

DXC Labs | Security

DXC Labs delivers thought leadership and technology prototypes to enable enterprises to thrive in the digital age.

DXC Labs | Security brings together our world-class advisors to develop strategic and architectural insights to reduce digital risk. DXC’s Cyber Reference Architecture is at the heart of our research, providing clients with detailed guidance on methods to efficiently resolve the most challenging security problems. We help clients minimize risk while taking maximum advantage of the digital commons.

Learn more at www.dxc.technology/securitylabs

3


Here are some reasons why:

• Lack of integration, with little or no understanding of the cybersecurity risk posture throughout the business, makes it difficult to reduce business risk.

• Lack of prioritization means security investments are often allocated to implement the latest security trend or technology, without first addressing security foundations.

• Bottom-up technical siloes cause a lack of alignment between the security solutions deployed and business objectives.

• Lack of optimization results in overlap of security controls and failure to take advantage of virtualization or new functionality in existing security tools.

• Reinventing the wheel increases time, cost and risk.

Closing the gap requires upper management to set a clear cybersecurity strategy and requires the cybersecurity team to focus on managing cyber risk appropriately, and proportionate to the business’ goals and risk appetite.

If they want to be truly cyber resilient, enterprises must also be prepared for the worst to happen. It’s no longer a question of whether they may be breached but when, and what the likely consequences are. The legislative and regulatory implications of data breaches continue to increase, and the reputational damage they can cause to a business can be extremely damaging. A Juniper Research report estimates the cost of cybercrime to businesses will total $8 trillion by 2022.

DXC Cyber Reference Architecture as security backbone

DXC Technology provides security services for major organizations around the globe, has implemented thousands of security solutions and provides managed security services for the world’s largest companies. We’ve created a Cyber Reference Architecture (CRA) that draws on decades of experience monitoring billions of threats and responding to some of the world’s largest cyberattacks. This architecture is now at the center of all DXC cybersecurity strategies and capabilities. In fact, DXC lead consultants and architects use CRA every day — and update it regularly.

Figure 1. Security posture gap

Security posture gap

Adversaries’ sophistication,regulation complexity, etc.

Security capability

4


DXC CRA leverages our unparalleled expertise in consulting, architecture, transformation and operations to help people at all levels of an organization understand how to secure the enterprise while pursuing new digital initiatives. The architecture helps organizations develop business-aligned security strategies and accelerate their digital transformation.

DXC CRA helps organizations:

• Understand which objectives matter most to the business

• Define security requirements to achieve those objectives

• Map out the best approach for deploying targeted security capabilities to support the plan

DXC CRA serves as a security backbone, providing a common language, a consistent approach and a long-term vision. The architecture is composed of a framework and blueprints, as shown in Figure 2.

Framework• Taxonomy• Nomenclature• Balances high-level with detail

Blueprints• More detailed and focused• Used to address specific architecture challenges

Cyber Reference ArchitectureA set of consistent documents

Advise, transform and manage world-class security solutions

Used to develop

Figure 2. DXC Cyber Reference Architecture framework and blueprints

CRA framework

DXC’s CRA framework describes security holistically and is aligned to security standards and methods such as The Open Group Architecture Framework (TOGAF), Sherwood Applied Business Security Architecture (SABSA), Control Objectives for Information and Related Technology (COBIT), National Institute of Standards and Technology (NIST) and International Organization for Standardization (ISO). CRA also has a defined taxonomy and nomenclature.

The framework consists of three levels: strategic, tactical and operational, and technical (see Figure 3). These levels are used to logically group the 12 domains that make up the CRA framework, as shown in Figure 4.

5


Technical Security (TS)

Cyber Defense & Orchestration(CDO)

Security Strategy &

Risk Management (SSRM)

Strategic levelDefining strategy Managing risks and complianceDefining enterprise security architecture to address prioritized risks and enable the business

Tactical and operational levelSecurity monitoring and breach responseOrchestrate intelligent security operations

Technical levelDesign, size, implement and run technical security solutions

Strategy,Leadership &

Governance (SLG)

Risk & Compliance Management (RCM)

Security Resilient Architecture (SRA)

Resilient Workforce (RW)

Cyber Defense (CD)

Security Orchestration (SO)

Converged Security (CS)

Physical Security (PS)

Identity & Access

Management (IAM)

Infrastructure & Endpoint

Security (IES)Applications Security (AS)

Data Protection & Privacy (DPP)

Define a strategy aligned to business objectivesSLG

Manage risk and ensure complianceRCM

Translate business strategies into security solutionsSRA

Security-conscious culture and knowledge managementRW

Management of identities and access controlsIAM

Enterprise threat detection and preventionIES

Secure development and maintenance of softwareAS

Data classification, modeling and protectionDPP

IT and OT security integrationCS

Protect assets from physical threatsPS

Security monitoring, incident management and responseCD

Processes, including management and measurementSO

Figure 3. The three levels in the CRA framework

Figure 4. The framework’s 12 domains and their related functions

6


Each domain supports a set of objectives and is decomposed into subdomains and capabilities, as shown in Figure 5, while Figure 6 outlines domain topology.


Governance (SLG)

• Know what matters (business view)• Evaluation

• Set direction• Leadership

• Governance • Know what matters (IT view)• Execution management• Measurement and report• Manage risks• Compliance• Audit

• Product• Productivity• Simplification• Provide visibility• Execute response• Recover

• Cultural change• Skill and knowledge• Empower workforce

• Operate and run• Integrate• Automate

• Set architecture referential• Meet business requirements• Define and design solution

• Visibility• Security incident

• Identification• Intelligence lead

• Response




Cyber Defense (CD)




Identity & Access

Management (IAM)




Domain

SubdomainCapability

Capability

SubdomainCapability

Capability

Cyber defense

MonitoringLog correlation

Use cases

AnalyticsAnomaly detect

User behavior

Figure 5. Objectives supported by the domains

Figure 6. Domain topology, at left, and a partial example of a cyber defense domain

7


The conceptual view is then used in a storyboard to build the work packages required to implement the capabilities or the subdomains mapped to the layers. Each work package is a discrete statement of work but relies on the work packages identified before it in the storyboard, as shown in Figure 7 and Figure 8.

Figure 7. CRA cyber defense blueprint conceptual view example

Correlated events


Governance (SLG)




Cyber Defense (CD)




Identity & Access

Management (IAM)




Threat intelligence and profiling

Digital investigation and forensics

Security analytics

Security monitoring

Asset management

Security incident response and remediation management

Context and behavior layer

Vunerability management

Vulnerability layer

Operations layer

Strategic layer

Forensic analysis and response

Controls layer

CD layers Related CRA layers

Intelligence layer

Actionable security and threat intelligence

Containment, cleanup, eradication, disruption, remediation IT events Physical eventsOT events

Capabilities support the execution of the security strategy. A capability represents a security requirement plus an ability or capacity that an organization may possess to achieve a specific security purpose or outcome.

By not specifying below the capability level, the CRA remains agnostic to compliance/controls frameworks — such as Payment Card Industry Data Security Standard (PCI DSS), ISO/ISE 27002, National Institute of Standards and Technology (NIST), Cloud Security Alliance (CSA) and Cloud Controls Matrix (CCM) — but is easily mapped against any of these frameworks.

CRA blueprints

CRA blueprints are a set of reference architectures defined against the CRA framework. The blueprints start with a conceptual view, mapping layers and key functional areas to the applicable domains and subdomains in the CRA framework (see Figure 7).

8


Correlated events

Containment, cleanup, eradication, disruption, remediation



Security analytics

Security monitoring

Asset management

Assess/define SOC processes (CD.2.a)

Monitor and analyze security events 24×7×365

Centralized storage of normalized data. Detect security incidents quickly based on use cases.

Comprehensive breadth and depth of collection of events across the infrastructure

Infrastructure security monitoring (CD.1.a)




Vulnerability layer

Operations layer

Strategic layer

SOC foundation key work packages


Controls layer

Intelligence layer

IT events Physical eventsOT events


Correlated events




Security analytics

Security monitoring

Asset management


Security Incident Management process (CD.2.b

Crisis Management Process update (CD.2.c)

Establish a Digital Investigation & Forensics Service (CD.4.a)


Manage security incidents quickly

Ensure security and privacy requirements are covered in the crisis management process




Infrastructure Security Monitoring (CD.1.a)




Vulnerability Layer

Operations layer

Strategic layer



Controls layer

Intelligence Layer



Figure 8. CRA cyber defense blueprint storyboard example



Figure 9. CRA cyber defense blueprint work package example

Commented [CM10]: CS DESIGNER: 1. Close: “24x7x365” (in 2 places) 2. L/c “use cases” (in 2 places) 3. l/c “crisis” 4. Close “Cleanup” 5. On left side, close up spaces after the slash around “Assess / define” (in 2 places)

Commented [CM11]: CS DESIGNER 1. Add a hyphen to “High-Level” in the phrase “Purpose and High-Level Description” 2. In the right bottom phrase starting with “Business Challenges,” change “Foregoing” to “Forgoing” [THIS IS IMPORTANT; THE MEANING IS DIFFERENT.]

Work Package – CD.4.a

Establish a Digital Investigation & Forensics Service

Purpose and High-Level Description

Key Activities

Business Challenges and Problems Forgoing Commitment

Workload Estimation

Staffing Requirements

Business impact/disruption

Cost

Duration

Business Benefits & Outcomes

Deliverables

9


How DXC uses the CRA

There is no single way to use the CRA, and it’s not mandatory to apply all the components. How an organization deploys them depends on its business objectives, risk appetite, current state of maturity and budget. As shown in Figure 10, the CRA structure simply provides a unified, comprehensive approach to enterprise security, helping an organization:

• Understand what matters and define security objectives

• Define the security requirements needed to achieve the objectives by identifying from the CRA framework what security capabilities have to be deployed

• Describe how to deploy the targeted capabilities

Improve cyber maturity

To attain and maintain cyber resilience and embrace digital transformation, an enterprise must understand its overall cyber maturity, recognize its areas of weakness, continuously improve its overall maturity and make sure that its cyber risk is being treated appropriately and proportionately.




Cyber Defense (CD)




Identity & Access

Management (IAM)





Governance (SLG)

Domain

Business objectives

Critical business processes and assets

Key business risks

SubdomainCapability

Capability

SubdomainCapability

Capability

Correlated events




Security analytics

Security monitoring

Asset management


Security Incident Management process (CD.2.b

Crisis Management Process update (CD.2.c)

Establish a Digital Investigation & Forensics Service (CD.4.a)


Manage security incidents quickly

Ensure security and privacy requirements are covered in the crisis management process




Infrastructure Security Monitoring (CD.1.a)




Vulnerability layer

Operations layer

Strategic layer



Controls layer

Intelligence layer



#$%&'()*+,%$+&-(.-&/+0+1(2$/$3&%&/+ 4,56(7$86$3&(.9'(.)2:;:<7*5=,>&($/-(?03@(A&B&C(9&>850=+0,/'! "#$%&#'()*+,-%*.*%/#'0,)-1#203'2#454'67'".*.8.0#9:;0*#<3'*,=.->0'?-,/%>%&5'.'1,&0,@%>.*#>'%>#&*%*;'<.&.5#<#&*'0;0*#<! AB*-.1*'.&>'.&.@;C#'8)0%&#00'.&>'*#1+&%1.@'-#D)%-#<#&*0',$'E>#&*%*;'F.&.5#<#&*! :)??,-*'%>#&*%*;'-#D)%-#<#&*0'>#$%&#>'8;'*+#'G)0%&#00'8;'?-,/%>%&5'?-,1#00#0H'?-,1#>)-#0'.&>'*#1+&,@,5%#0! AB.<%&#'.&>')?>.*#'%&$-.0*-)1*)-#'*,?,@,5;'*,'.>,?*'=%*+'-#D)%-#<#&*0',$'*#1+&%1.@'%<?@#<#&*.*%,&! AB.<%&#'.&>')?>.*#'8)0%&#00'?,@%1%#0'.&>'?-,1#>)-#0'*,'<##*'*+#'-#D)%-#<#&*0',$'.)*,<.*#>'E>#&*%*;'F.&.5#<#&*I'J,%&#-0H'<,/#-0'.&>'@#./#-0 2KFL3

?-,1#00! E<?@#<#&*'.&>'1,&$%5)-#'.&'.)*,<.*%1',-'2?.-*@;3'<.&).@'$##>'$-,<'()*+,-%*.*%/#'0,)-1#'*,'*+#'E>#&*%*;'F.&.5#<#&*':;0*#<! "#$%&#'*+#'.**-%8)*#'<.??%&5',$'%&$,-<.*%,&'$-,<'*+#'>.*.'$##>'*,'*+#'$%#@>'%&'*+#'E>#&*%*;'F.&.5#<#&*':;0*#<! "#$%&#'-)@#0'.&>'?,@%1%#0'$,-'+.&>@%&5',$'?-,1#00%&5'*+#'%&$,-<.*%,&'$-,<'*+#'$##>! "#$%&#'.11,)&*'1,--#@.*%,&'-)@#0'$,-'-#1,&1%@%&5'.&>'/.@%>.*%&5'*+#',=&#-0+%?',$'.11,)&*0

D+$EE0/3(F&G*05&%&/+>'! "MN'7,@#0I

! O'B':#1)-%*;'P-%&1%?.@'2Q'>.;03! O'B':#1)-%*;'N,&0)@*.&*'.&>'E(F':FA'2QR'>.;03! O'B'P-,J#1*'F.&.5#-'2OQ'>.;03! O'B'E"F':;0*#<'A&5%&##-'2OR'>.;03! O'B'S#*=,-T%&5'A&5%&##-'2Q'>.;03

! N)0*,<#-'7,@#0I! O'B'6#.>',$':#1)-%*;'2U'>.;03! O'B'67'(??@%1.*%,&':FA'2OR'>.;03! O'B'E(F':FA'2OQ'>.;03! O'B'P-%/.1;',$$%1#-'2'V'>.;03

H&1()8+0B0+0&>'! (&.@;C#'#B%0*%&5'%>#&*%*;'L%$#WN;1@#'.&>',?*%<%C#'$##>',$'%>#&*%*%#0'%&*,'*+#'E>#&*%*;'F.&.5#<#&*':;0*#<! "#$%&#'.&>',?*%<%C#'?-,1#00%&5'?,@%1%#0'8.0#>',&'>.*.',$'$##>! 7%0T'.&.@;0%0',&'$##>'.**-%8)*#')?>.*#! E<?@#<#&*'>#0%5&#>'0,@)*%,&

9&C0B&5$<C&>'! ()*+,-%*.*%/#':;0*#<'E&*#-$.1#'0?#1%$%1.*%,&! 7#?,-*',$'*+#'$##>')?>.*#'0*.*)0! E>#&*%*;'(**-%8)*#0'<.??%&5'*.8@#! ()*,<.*#>'X0#-'F.&.5#<#&*H'X0#'N.0#0'$,-'K,%&#-H'F,/#-H'L#./#-

4,56C,$-(&>+0%$+0,/'! A0*%<.*#>'?-,J#1*'>)-.*%,&'Y'UWV'<,&*+0'2>#?#&>%&5',&'*+#'1)--#&*'<.*)-%*;3! A0*%<.*#>'&)<8#-',$'<.&'>.;0'#$$,-*'$,-'"MN'Y'ZR'<.&'>.;0! A0*%<.*#>'&)<8#-',$'<.&'>.;0'#$$,-*'$,-'N)0*,<#-'Y'VR'<.&'>.;0! 6.->=.-#'.&>':,$*=.-#'1,0*0'&,*'%&1@)>#>

I*>0/&>>(I&/&E0+>($/-(J*+8,%&>'! E<?-,/#'#$$%1%#&1;'.&>'@,=#-%&5',?#-.*%&5'1,0*0'8;'@%<%*%&5'*+#'2<.&).@3'%&*#-.1*%,&0',$'%&*#-&.@9V->

?.-*;'.><%&%0*-.*,-0! O':,)-1#',$'*-)*+'8;'+./%&5'.'0%&5@#'()*+,-%*.*%/#':;0*#<! ()*+,-%*.*%/#'0,)-1#'>-%/#0'*+#'@%$#1;1@#'#/#&*0I'#454'L#./#-'%&'67'0;0*#<'-#0)@*0'%&'.)*,<.*%1'>#W

?-,/%0%,&%&5',$'E>#&*%*;'.&>'.11,)&*0! :?#1%$%1'.**-%8)*#0'$-,<'()*+,-%*.*%/#'0,)-1#203'1.&'$.1%@%*.*#'7,@#'G.0#>'(11#00'N,&*-,@'2#454

>#?.-*<#&*'.&>'$)&1*%,&'-,@#03

I*>0/&>>(K@$CC&/3&>($/-(75,<C&%>(L,5&3,0/3(K,%%0+%&/+'! AB*#-&.@'?#-0,&&#@'.-#'&,*')0).@@;'%&1@)>#>'%&'*+#'67'>.*.8.0#! ()*,<.*%,&',$'.)*+,-%*.*%/#'0,)-1#'<%5+*'&,*'8#'>%-#1*@;'@%&T#>'*,'E>#&*%*;'F.&.5#<#&*':;0*#<! P#,?@#'=%*+'<)@*%?@#'-,@#0',-'-#0?,&0%8%@%*%#0! (@%5&<#&*',$'<)@*%?@#'>.*.H'?-,1#00'.&>'0;0*#<',=&#-0! P-%/.1;'1,&$@%1*0')0%&5'67'>.*.'.0'.)*+,-%*.*%/#'0,)-1#! N,&/#-0%,&',$'67'>.*.'$,-<.*'0,<#*%<#0'-#D)%-#0'.>>%*%,&.@'<.&).@'#$$,-*! L.1T',$'?-,1#00#0'.&>'?-,1#>)-#0'$,-'<.&.5#<#&*',$')0#-0'.&>'.11#00'-%5+*0'%&',-5.&%C.*%,&0

")-.*%,&

G)0%&#00'%<?.1*9'>%0-)?*%,&

N,0*

E(F4O4OK$=$<0C0+0&>($--5&>>&-

?

2

2

#$%&'()*+,%$+&-(.-&/+0+1(2$/$3&%&/+ 4,56(7$86$3&(.9'(.)2:;:<7*5=,>&($/-(?03@(A&B&C(9&>850=+0,/'! "#$%&#'()*+,-%*.*%/#'0,)-1#203'2#454'67'".*.8.0#9:;0*#<3'*,=.->0'?-,/%>%&5'.'1,&0,@%>.*#>'%>#&*%*;'<.&.5#<#&*'0;0*#<! AB*-.1*'.&>'.&.@;C#'8)0%&#00'.&>'*#1+&%1.@'-#D)%-#<#&*0',$'E>#&*%*;'F.&.5#<#&*! :)??,-*'%>#&*%*;'-#D)%-#<#&*0'>#$%&#>'8;'*+#'G)0%&#00'8;'?-,/%>%&5'?-,1#00#0H'?-,1#>)-#0'.&>'*#1+&,@,5%#0! AB.<%&#'.&>')?>.*#'%&$-.0*-)1*)-#'*,?,@,5;'*,'.>,?*'=%*+'-#D)%-#<#&*0',$'*#1+&%1.@'%<?@#<#&*.*%,&! AB.<%&#'.&>')?>.*#'8)0%&#00'?,@%1%#0'.&>'?-,1#>)-#0'*,'<##*'*+#'-#D)%-#<#&*0',$'.)*,<.*#>'E>#&*%*;'F.&.5#<#&*I'J,%&#-0H'<,/#-0'.&>'@#./#-0 2KFL3

?-,1#00! E<?@#<#&*'.&>'1,&$%5)-#'.&'.)*,<.*%1',-'2?.-*@;3'<.&).@'$##>'$-,<'()*+,-%*.*%/#'0,)-1#'*,'*+#'E>#&*%*;'F.&.5#<#&*':;0*#<! "#$%&#'*+#'.**-%8)*#'<.??%&5',$'%&$,-<.*%,&'$-,<'*+#'>.*.'$##>'*,'*+#'$%#@>'%&'*+#'E>#&*%*;'F.&.5#<#&*':;0*#<! "#$%&#'-)@#0'.&>'?,@%1%#0'$,-'+.&>@%&5',$'?-,1#00%&5'*+#'%&$,-<.*%,&'$-,<'*+#'$##>! "#$%&#'.11,)&*'1,--#@.*%,&'-)@#0'$,-'-#1,&1%@%&5'.&>'/.@%>.*%&5'*+#',=&#-0+%?',$'.11,)&*0

D+$EE0/3(F&G*05&%&/+>'! "MN'7,@#0I

! O'B':#1)-%*;'P-%&1%?.@'2Q'>.;03! O'B':#1)-%*;'N,&0)@*.&*'.&>'E(F':FA'2QR'>.;03! O'B'P-,J#1*'F.&.5#-'2OQ'>.;03! O'B'E"F':;0*#<'A&5%&##-'2OR'>.;03! O'B'S#*=,-T%&5'A&5%&##-'2Q'>.;03

! N)0*,<#-'7,@#0I! O'B'6#.>',$':#1)-%*;'2U'>.;03! O'B'67'(??@%1.*%,&':FA'2OR'>.;03! O'B'E(F':FA'2OQ'>.;03! O'B'P-%/.1;',$$%1#-'2'V'>.;03

H&1()8+0B0+0&>'! (&.@;C#'#B%0*%&5'%>#&*%*;'L%$#WN;1@#'.&>',?*%<%C#'$##>',$'%>#&*%*%#0'%&*,'*+#'E>#&*%*;'F.&.5#<#&*':;0*#<! "#$%&#'.&>',?*%<%C#'?-,1#00%&5'?,@%1%#0'8.0#>',&'>.*.',$'$##>! 7%0T'.&.@;0%0',&'$##>'.**-%8)*#')?>.*#! E<?@#<#&*'>#0%5&#>'0,@)*%,&

9&C0B&5$<C&>'! ()*+,-%*.*%/#':;0*#<'E&*#-$.1#'0?#1%$%1.*%,&! 7#?,-*',$'*+#'$##>')?>.*#'0*.*)0! E>#&*%*;'(**-%8)*#0'<.??%&5'*.8@#! ()*,<.*#>'X0#-'F.&.5#<#&*H'X0#'N.0#0'$,-'K,%&#-H'F,/#-H'L#./#-

4,56C,$-(&>+0%$+0,/'! A0*%<.*#>'?-,J#1*'>)-.*%,&'Y'UWV'<,&*+0'2>#?#&>%&5',&'*+#'1)--#&*'<.*)-%*;3! A0*%<.*#>'&)<8#-',$'<.&'>.;0'#$$,-*'$,-'"MN'Y'ZR'<.&'>.;0! A0*%<.*#>'&)<8#-',$'<.&'>.;0'#$$,-*'$,-'N)0*,<#-'Y'VR'<.&'>.;0! 6.->=.-#'.&>':,$*=.-#'1,0*0'&,*'%&1@)>#>

I*>0/&>>(I&/&E0+>($/-(J*+8,%&>'! E<?-,/#'#$$%1%#&1;'.&>'@,=#-%&5',?#-.*%&5'1,0*0'8;'@%<%*%&5'*+#'2<.&).@3'%&*#-.1*%,&0',$'%&*#-&.@9V->

?.-*;'.><%&%0*-.*,-0! O':,)-1#',$'*-)*+'8;'+./%&5'.'0%&5@#'()*+,-%*.*%/#':;0*#<! ()*+,-%*.*%/#'0,)-1#'>-%/#0'*+#'@%$#1;1@#'#/#&*0I'#454'L#./#-'%&'67'0;0*#<'-#0)@*0'%&'.)*,<.*%1'>#W

?-,/%0%,&%&5',$'E>#&*%*;'.&>'.11,)&*0! :?#1%$%1'.**-%8)*#0'$-,<'()*+,-%*.*%/#'0,)-1#203'1.&'$.1%@%*.*#'7,@#'G.0#>'(11#00'N,&*-,@'2#454

>#?.-*<#&*'.&>'$)&1*%,&'-,@#03

I*>0/&>>(K@$CC&/3&>($/-(75,<C&%>(L,5&3,0/3(K,%%0+%&/+'! AB*#-&.@'?#-0,&&#@'.-#'&,*')0).@@;'%&1@)>#>'%&'*+#'67'>.*.8.0#! ()*,<.*%,&',$'.)*+,-%*.*%/#'0,)-1#'<%5+*'&,*'8#'>%-#1*@;'@%&T#>'*,'E>#&*%*;'F.&.5#<#&*':;0*#<! P#,?@#'=%*+'<)@*%?@#'-,@#0',-'-#0?,&0%8%@%*%#0! (@%5&<#&*',$'<)@*%?@#'>.*.H'?-,1#00'.&>'0;0*#<',=&#-0! P-%/.1;'1,&$@%1*0')0%&5'67'>.*.'.0'.)*+,-%*.*%/#'0,)-1#! N,&/#-0%,&',$'67'>.*.'$,-<.*'0,<#*%<#0'-#D)%-#0'.>>%*%,&.@'<.&).@'#$$,-*! L.1T',$'?-,1#00#0'.&>'?-,1#>)-#0'$,-'<.&.5#<#&*',$')0#-0'.&>'.11#00'-%5+*0'%&',-5.&%C.*%,&0

")-.*%,&

G)0%&#00'%<?.1*9'>%0-)?*%,&

N,0*

E(F4O4OK$=$<0C0+0&>($--5&>>&-

?

2

2

Work packages

Drivers

Understand what matters Define requirements Define and plan the journey

Why What HowCRA Framework CRA Blueprints

Objectives

• Support and enable business

• Protect critical business processes

• Manage key business risks

What needs to be done

• Identify from the CRA framework (catalog of capabilities) what security capabilities (security requirements) have to be deployed in the organization to achieve objectives

How to deploy targeted capabilities

• Understand the maturity of existing capabilities and use relevant blueprints; select and adapt work packages explaining how to deploy targeted capabilities


10


DXC CRA helps organizations in all industries improve and maintain their cyber maturity, so they can:

• Develop a business-aligned security strategy — the “to be” state describing the business need, vision, objectives and accountabilities

• Define an adaptive security transformation roadmap — a series of tactical and strategic initiatives and activities to be performed over a set time period to enable the execution of the security strategy

• Develop a resilient and agile security architecture providing a risk-based approach to support the business strategy

• Enable budgetary planning and justification

Accelerate security improvements

The CRA is at the core of DXC’s Cyber Maturity Accelerator methodology, which is designed to help companies rapidly get on the road to security improvement (see Figure 11)

DXC’s Cyber Maturity Review diagnostics evaluate a client’s cybersecurity against the CRA, identifying areas of weakness. DXC consultants use the CRA, and specifically the blueprints, to rapidly develop a security improvement roadmap of costed and prioritized security improvement initiatives. From this roadmap, they develop and shape a security improvement program to align cyber maturity with the client’s business priorities and objectives.

Once the organization attains an acceptable level of cyber maturity, the CRA continues to provide the basis for an ongoing security improvement program throughout the digital transformation.

• Cyber Attack Simulation

• Ransomware Diagnostic

• CMR Deep Dive: GDPR Readiness

• Advanced Compromise Assessment

• CMR Deep Dive: Security Operations

• Privileged Account Security Diagnostic

Six optional diagnostics

• Core diagnostic – 500 questions

• Baseline and quantify security posture

• Benchmark cyber maturity against peers

• Identify maturity gaps and prioritize investment

Cyber Maturity Review

+ =

As-is

As-is

• Blueprints to accelerate to-be definition

• Recommendations, cost/benefit analysis

• Customized solutions with DXC’s experts

• Time estimations on project duration

• Reference architecture

• Prioritized roadmap

DXC Cyber Reference Architecture

To-be

• Security improvement program• Addresses lack of maturity• Improves security posture• Reduces risk

Cyber Maturity Accelerator

1

23

Figure 11. DXC’s Cyber Maturity Accelerator methodology

11


The fast track to cyber resilience and transformation

DXC CRA provides an unmatched foundation for understanding, transforming and managing best-in-class cybersecurity solutions. It gives companies the strategic framework to elevate cybersecurity to the boardroom, as well as supplying the tactical tools and methodology to create and execute a clear technology roadmap to cyber maturity.

When security goals are aligned with an organization’s goals, the result is cyber resilience that supports and accelerates digital transformation and business success.

Here are two examples of the CRA in action:

Multinational manufacturer

A leading global manufacturer needed to review its corporate security strategy and associated security improvement program and establish a security operations center to align with business objectives and optimize its investments. DXC worked with the firms to define a CRA to support the execution of the strategy.

Optional diagnostics


+ =As-is

As-isDXC Cyber Reference Architecture

To-be


1

23

As-is

As-isTo-be

Multinational manufacturer Approximately 50,000 employees in 130 countries Security strategy, security roadmap, definition and execution

• Advanced Compromise Assessment• CMR Deep Dive: Security operations

• Exercise due care and have visibility of maturity gaps, especially around security operations

• Digital investigation, threat actors profiling

“DXC Security Services thought leadership in defining our multiyear security improvement program has been extremely valuable by defining an overall security architecture, setting the right priorities and the right sequence of deliverables in the program.” — Group CIO

• Review and definition of corporate security strategy and the Cyber Security Reference Architecture to support the execution of the strategy

• Define a detailed, holistic and comprehensive 3-year roadmap to accelerate security strategy deployment and optimize investment

• Lead and execute transformation program, including SOC capabilities

• Business-aligned strategy and consistent security architecture aligned with business objectives

• Develop capabilities to identify, manage and respond to advanced targeted threats

3 years

12


Global financial services group

A large global banking group with offices in 30 countries had been breached, with sensitive bank and customer data being made available publicly over the internet. DXC worked closely with the chief risk officer and the information security team to identify and close the technical and governance gaps within its headquarters. DXC also assessed the cyber maturity and conducted penetration tests of five other banks in Switzerland, Turkey, Indonesia, Egypt, Ghana and the United Arab Emirates.

The first step toward a more secure future

It’s time for people at all levels of the organization to get involved in securing the enterprise while pursuing new digital initiatives. The DXC Cyber Reference Architecture helps organizations develop business-aligned security strategies and accelerate their digital transformation. The first step begins with a cyber maturity assessment and a commitment to improve the organization’s security posture.

Optional diagnostics


+ =As-is

As-isDXC Cyber Reference Architecture

To-be


1

23

As-is

As-isTo-be

Global financial services group Approximately 28,000 employees in 31 countries Security strategy, security roadmap, forensics and penetration testing

• Advanced Compromise Assessment• Penetration testing & configuration

reviews

• Provided an independent assessment of governance and technical security gaps, especially around governance, threat and vulnerability management and SIEM/SOC capabilities

• Definition of new governance and security team organizational structure

• Improvement of SOC, threat and vunerability management approach

• Definition of a detailed, holistic and comprehensive roadmap to accelerate security strategy deployment and optimize investment

• Client requested DXC Technology to perform CMR assessment and external penetration testing across all international subsidiaries and affiliates

• Request for proposals to implement information Security Information Management System and Security Operations Center projects from multiple subsidiaries

Several months

1 “Advancing Cyber Resilience: Principles and Tools for Boards,” World Economic Forum, in collaboration with The Boston Consulting Group and Hewlett Packard Enterprise, January 2017, p. 4. http://www3.weforum.org/docs/IP/2017/Adv_Cyber_Resilience_Principles-Tools.pdf

2 The Future of Cybercrime & Security: Enterprise Threats & Mitigation 2017-2022,” Juniper Research, May 30, 2017, https://www.juniperresearch.com/press/press-releases/cybercrime-to-cost-global-business-over-$8-trn

http://www3.weforum.org/docs/IP/2017/Adv_Cyber_Resilience_Principles-Tools.pdf

http://www3.weforum.org/docs/IP/2017/Adv_Cyber_Resilience_Principles-Tools.pdf

https://www.juniperresearch.com/press/press-releases/cybercrime-to-cost-global-business-over-$8-trn




Learn more at www.dxc.technology/cra

www.dxc.technology

About the authors

Christophe Menant is the global strategy lead for security risk management at DXC Technology. He is the principal author of and global lead for the DXC Cyber Reference Architecture. With 26 years of experience in IT and security, he has helped clients develop security and transformation strategies, manage major breaches and remediation programs, and develop reference security architectures and offerings. Prior to DXC, he worked for IBM and previously specialized in security architecture and compliance, cloud security, and SAP and Oracle SaaS solutions.

Mark Evans is the chief security architect, Security Consulting, Integration and Compliance, for the UK, Ireland, India, Middle East and Africa (UKIIMEA) region at DXC Technology. He has a background in enterprise security architecture and cloud security. Previously, Mark was the chief security architect for HP/HPE’s UK Government Cloud Program (formerly known as Helion-G and now known as DXC UK Restricted Secure Cloud Delivery), designing and delivering secure cloud services for the UK government.

About DXC Technology

As the world’s leading independent, end-to-end IT services company, DXC Technology (NYSE: DXC) leads digital transformations for clients by modernizing and integrating their mainstream IT, and by deploying digital solutions at scale to produce better business outcomes. The company’s technology independence, global talent, and extensive partner network enable 6,000 private and public-sector clients in 70 countries to thrive on change. DXC is a recognized leader in corporate responsibility. For more information, visit www.dxc.technology and explore thrive.dxc.technology, DXC’s digital destination for changemakers and innovators.

© 2019 DXC Technology Company. All rights reserved. MD_9467a-19. March 2019

http://www.dxc.technology/cra

https://www.dxc.technology

http://thrive.dxc.technology

dxc cyber reference architecture€¦ · actionable security and threat intelligence containment,...

Documents