As the need for security incident management has grown, responsibility for it has moved from IT managers or sysadmins who handled it part-time to its most evolved form, the SOC (Security Operations Center): a dedicated department, often outsourced, that handles all the related activities. In this situation, it has become necessary to organize the way the environment is handled. This is true for traditional cybersecurity management systems, but industrial environments such as those envisioned in the ODIN project require a more structured approach that helps define how cybersecurity should be treated.
This is where a security management framework comes in, as a way of organizing security operations. One of these frameworks is the MaGMa Use Case Framework, created collaboratively by several Dutch financial institutions.
The main element of security management is the use case, which MaGMa defines as “a security monitoring scenario that is aimed at the detection of manifestations of a cyber threat”. The emphasis on the monitoring scenario indicates that the focus is on the Detect phase of the NIST Cybersecurity Framework. Use cases are subdivided into three layers: the top Business layer, describing how the use case is connected to organizational needs; the Threat layer, describing how the use case can be threatened; and the low-level Implementation layer, where the technical and operational aspects of the architecture are described. The threats are also divided into three levels of detail: the higher L1 and L2 levels (both part of the Threat/tactical layer) and the L3 level, which covers the actual monitoring rules, based on the MITRE ATT&CK Matrix for Enterprise. This structure is the way of linking a top-level business view to a low-level technical asset or operation.
The key at this point is to identify and create the correct use cases, so that industry can operate with an adequate cybersecurity monitoring strategy.
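The layered structure described above can be checked mechanically. The following sketch is an added example, not code from MaGMa or the ODIN project: it links each L3 monitoring rule up to its business driver and reports where the chain is broken or where an L2 use case has no rule at all. The `UseCase` fields, identifiers and catalogue entries are constructed assumptions; only the ATT&CK technique IDs are real.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class UseCase:
    uid: str          # constructed identifier
    level: str        # "BUSINESS", "L1", "L2" or "L3"
    name: str
    parent: str = ""  # uid one level up; empty for a business driver
    attack: str = ""  # MITRE ATT&CK technique ID, L3 rules only

CATALOGUE = [  # constructed sample data, not taken from MaGMa or ODIN
    UseCase("B1", "BUSINESS", "Keep the production line available"),
    UseCase("L1-1", "L1", "Unauthorised access", "B1"),
    UseCase("L1-2", "L1", "Malware", "B1"),
    UseCase("L2-1", "L2", "Credential guessing", "L1-1"),
    UseCase("L2-2", "L2", "Misuse of valid accounts", "L1-1"),
    UseCase("L2-3", "L2", "Ransomware", "L1-2"),
    UseCase("L3-1", "L3", "Many failed logons from one source", "L2-1", "T1110"),
    UseCase("L3-2", "L3", "Mass file encryption on a share", "L2-3", "T1486"),
    UseCase("L3-9", "L3", "Rule left behind after a reorganisation", "L2-404", "T1078"),
]

def trace(catalogue, uid):
    """Walk from a use case up to its business driver; return the uids passed."""
    by_id = {uc.uid: uc for uc in catalogue}
    chain = []
    while uid:
        if uid not in by_id or uid in chain:
            raise ValueError(f"broken or cyclic link at {uid}")
        chain.append(uid)
        uid = by_id[uid].parent
    return chain

def rules_by_l2(catalogue):
    """Map every L2 use case to the ATT&CK IDs of its L3 rules; list orphan rules."""
    rules = {uc.uid: [] for uc in catalogue if uc.level == "L2"}
    l3 = [uc for uc in catalogue if uc.level == "L3"]
    for uc in l3:
        if uc.parent in rules:
            rules[uc.parent].append(uc.attack)
    return rules, [uc.uid for uc in l3 if uc.parent not in rules]

def l1_coverage(catalogue):
    """Per L1 use case: fraction of its L2 children that have at least one rule."""
    rules, _ = rules_by_l2(catalogue)
    flags = {}
    for uc in (u for u in catalogue if u.level == "L2"):
        flags.setdefault(uc.parent, []).append(bool(rules[uc.uid]))
    return {l1: sum(f) / len(f) for l1, f in flags.items()}
```

In this sample the rule `L3-9` points at an L2 use case that no longer exists, so "Misuse of valid accounts" looks monitored on paper while contributing nothing to the coverage of "Unauthorised access".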
To reflect the real life of an environment, the framework implementation has to go through a lifecycle process of four phases:
All the processes should be measured by the appropriate metrics at different levels.
The MaGMa framework was created on the initiative of a group of experienced organizations. To achieve success in management, they identified some best practices that should be considered: