Security (or Safety) in numbers is the hypothesis that, by being part of a large physical group or mass, an individual is less likely to be the victim of a mishap, accident, attack, or other bad event. Wisdom of the crowd is a related notion, that using the collective opinion of a group of individuals leads to better results than relying on a single expert.
Cyber security is a natural fit for both ideas. Everyone is a potential target of a cyber-attack, so it makes sense to share information and approaches. The community has a large body of openly available resources: security and privacy control catalogs and frameworks (e.g. NIST SP 800-53 Rev. 5, the NIST Cybersecurity Framework, the CIS Controls), industry- and country-specific security and privacy standards (e.g. PCI DSS, SS-019) and summaries of real attacks and incidents (e.g. the Verizon Data Breach Investigations Report (DBIR) and MITRE ATT&CK®). Taken together they provide a wealth of data on how to establish, maintain and measure good cyber hygiene; the full list is far too long to reproduce here.
At Orchestra we use the term left-of-bang protection for our approach to good cyber hygiene. The idea is that an ounce of protection is worth a pound of cure. No matter how good your left-of-bang defenses are, you still need strong response and recovery capabilities, but if you do not get the Identify and Protect functions right, your response capabilities will be overwhelmed. Left-of-bang protection rests on the observation that most attacks reuse existing tools and techniques or exploit familiar human psychology rather than esoteric zero-day exploits. That is why an outcome-oriented left-of-bang approach can mitigate between 62% and 83% of all Enterprise ATT&CK techniques, and probably more.
Integrating and automating these community resources creates a “security in numbers” or “wisdom of the crowd” approach to proactive cybersecurity, one whose results can be quantitatively measured. The problem is not that these resources have inconsistent goals; viewed from an outcome perspective there is a lot of overlap between them. The problem is that they define their requirements in very different ways.
Orchestra’s models tie these different resources together into a single, precise security, compliance and privacy (SCP) model. This lets an organization link its desired security outcomes and risk appetite to rigorously defined requirements. Orchestra’s executable policy approach then uses the model to translate qualitative security objectives into quantitative metrics, automated control verification and continuous assessment of how your controls are deployed.
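The two paragraphs above describe the idea in the abstract: express a security outcome once, link it to the identifier each framework uses for it, and then derive a number from what is actually deployed. The following is an added illustration of that mechanism, written for this page; it is not Orchestra's code or model. The framework identifiers (NIST SP 800-53 Rev. 5 controls, CIS Controls v8 safeguards, ATT&CK mitigation and technique IDs) are real, but the crosswalk rows and the technique-to-mitigation pairs are a small constructed sample and should be checked against the current releases before being relied on.

```python
"""Outcome-to-control crosswalk and ATT&CK coverage metric (added example).

Not Orchestra's code. The IDs are real framework identifiers, but every row
below is a CONSTRUCTED sample for illustration; verify against the current
NIST SP 800-53, CIS Controls and ATT&CK releases before relying on it.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Outcome:
    """One security outcome and the identifier each framework uses for it."""
    name: str
    nist_800_53: Tuple[str, ...]         # NIST SP 800-53 Rev. 5 controls/enhancements
    cis_v8: Tuple[str, ...]              # CIS Controls v8 safeguards
    attack_mitigations: Tuple[str, ...]  # ATT&CK mitigation IDs


# Constructed crosswalk: each outcome stated once, in three vocabularies.
OUTCOMES = (
    Outcome("MFA for all remote and privileged access",
            ("IA-2(1)", "IA-2(2)"), ("6.3", "6.5"), ("M1032",)),
    Outcome("Least-privilege administrative accounts",
            ("AC-6", "AC-6(5)"), ("5.4",), ("M1026", "M1018")),
    Outcome("Application allow-listing on endpoints",
            ("CM-7(5)",), ("2.5",), ("M1038",)),
    Outcome("Security awareness training",
            ("AT-2",), ("14.1",), ("M1017",)),
)

# Constructed sample of ATT&CK technique -> mitigations that address it.
TECHNIQUE_MITIGATIONS: Dict[str, Set[str]] = {
    "T1078 Valid Accounts":              {"M1032", "M1027", "M1026", "M1018", "M1017"},
    "T1110 Brute Force":                 {"M1032", "M1027", "M1018", "M1036"},
    "T1566 Phishing":                    {"M1049", "M1031", "M1021", "M1017"},
    "T1059 Command and Scripting Interp": {"M1049", "M1045", "M1038", "M1042", "M1040", "M1026"},
    "T1003 OS Credential Dumping":       {"M1028", "M1027", "M1026", "M1025", "M1043"},
    "T1190 Exploit Public-Facing App":   {"M1051", "M1050", "M1048", "M1030", "M1026", "M1016"},
    "T1486 Data Encrypted for Impact":   {"M1053", "M1040"},
}


def crosswalk(control_id: str) -> Optional[Dict[str, Tuple[str, ...]]]:
    """Given an identifier from any of the three frameworks, return the outcome
    it serves and the equivalent identifiers elsewhere (the 'overlap' view)."""
    for o in OUTCOMES:
        if control_id in o.nist_800_53 + o.cis_v8 + o.attack_mitigations:
            return {"outcome": (o.name,), "nist_800_53": o.nist_800_53,
                    "cis_v8": o.cis_v8, "attack_mitigations": o.attack_mitigations}
    return None


def deployed_mitigations(deployed_outcomes: Set[str]) -> Set[str]:
    """ATT&CK mitigations implied by the named outcomes being in place."""
    mits: Set[str] = set()
    for o in OUTCOMES:
        if o.name in deployed_outcomes:
            mits.update(o.attack_mitigations)
    return mits


def coverage(deployed_outcomes: Set[str]) -> dict:
    """Turn the outcomes in place into a quantitative technique-coverage view.

    A technique counts as 'addressed' when at least one of its listed
    mitigations is deployed. 'depth' is the fraction of its listed mitigations
    in place, a stricter signal, because a single matching control reduces a
    technique's likelihood but rarely eliminates it.
    """
    mits = deployed_mitigations(deployed_outcomes)
    depth = {t: len(m & mits) / len(m) for t, m in TECHNIQUE_MITIGATIONS.items()}
    addressed = sorted(t for t, d in depth.items() if d > 0)
    return {
        "mitigations": sorted(mits),
        "addressed": addressed,
        "unaddressed": sorted(set(TECHNIQUE_MITIGATIONS) - set(addressed)),
        "addressed_pct": round(100 * len(addressed) / len(TECHNIQUE_MITIGATIONS), 1),
        "depth": depth,
    }


if __name__ == "__main__":
    # Which CIS safeguards and ATT&CK mitigation does NIST IA-2(1) correspond to?
    print(crosswalk("IA-2(1)"))
    # Coverage with only two outcomes deployed, then with all four.
    two = {"MFA for all remote and privileged access",
           "Least-privilege administrative accounts"}
    print(coverage(two)["addressed_pct"], coverage(two)["unaddressed"])
    everything = {o.name for o in OUTCOMES}
    print(coverage(everything)["addressed_pct"], coverage(everything)["unaddressed"])
```

The point of the sample is the shape, not the numbers: with only two outcomes in place the sample already shows five of seven techniques as "addressed", which is how headline coverage figures arise, while the `depth` values make it obvious that most of those techniques still have several listed mitigations missing. A real model would use the full ATT&CK relationship data and weight techniques by the threat profile rather than counting them equally.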