-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
M3TID final v1.0 changes, as of 13 Feb 2024.
- Loading branch information
1 parent
65509f6
commit 7787137
Showing
1 changed file
with
5 additions
and
24 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,35 +1,16 @@ | ||
| Moving Forward | ||
| =============== | ||
|
|
||
| Once an organization has scored themselves with this model, they can identify key gaps to fill. The Center recommends an organization to start with any component that is | ||
| currently scored as a zero because there is significant differentiated value in moving from zero to one in this model. Several of these components and dimensions are | ||
| multiplicative with each other, so zeros can have a big impact on overall score and, more importantly, overall efficacy of Threat-Informed Defense. For example, if an | ||
| organization is collecting broad and deep threat information, but not incorporating it at all in their defensive measures, then they are not gaining the benefit of that | ||
| information. Once an organization scores at least a one in each component (including the scores of service providers, if various portions of the Security program are | ||
| out-sourced), the Center recommends that organizations work to improve the CTI and Defensive Measures scores in parallel as a priority. Testing and evaluating those components | ||
| is valuable, but they must first exist to test and evaluate. Because of this, the overall score puts less weight on the Test and Evaluation dimension. | ||
| Once an organization has scored themselves with this model, they can identify key gaps to fill. The Center recommends an organization to start with any component that is currently scored as a zero because there is significant differentiated value in moving from zero to one in this model. Several of these components and dimensions are multiplicative with each other, so zeros can have a big impact on overall score and, more importantly, overall efficacy of Threat-Informed Defense. For example, if an organization is collecting broad and deep threat information, but not incorporating it at all in their defensive measures, then they are not gaining the benefit of that information. Once an organization scores at least a one in each component (including the scores of service providers, if various portions of the Security program are out-sourced), the Center recommends that organizations work to improve the CTI and Defensive Measures scores in parallel as a priority. Testing and evaluating those components is valuable, but they must first exist to test and evaluate. Because of this, the overall score puts less weight on the Test and Evaluation dimension. | ||
|
|
||
| The M3TID maturity model is meant to be a straightforward, easy to use tool for organizations to measure their current state, assess progress, and continuously refine and | ||
| optimize their security posture by prioritizing based on threat-informed principles. By understanding their current maturity level and identifying areas for improvement, | ||
| organizations can make targeted investments and strategic decisions to strengthen their defenses against the ever-evolving threat landscape. In the long run, this maturity | ||
| model will help organizations optimize their resources, enhance their cybersecurity capabilities, and better protect their digital assets and infrastructure from potential | ||
| attacks. | ||
| The M3TID maturity model is meant to be a straightforward, easy to use tool for organizations to measure their current state, assess progress, and continuously refine and optimize their security posture by prioritizing based on threat-informed principles. The Center continues to provide a number of resources that reinforce or enable continuous improvement in all three of the Threat-Informed Defense Dimensions. By leveraging M3TID to understand their current maturity level and identifying areas for improvement, organizations can make targeted investments and strategic decisions to strengthen their defenses against the ever-evolving threat landscape. In the long run, this maturity model will help organizations optimize their resources, enhance their cybersecurity capabilities, and better protect their digital assets and infrastructure from potential attacks. | ||
|
|
||
|
|
||
| M3TID Future Work | ||
| ------------------ | ||
|
|
||
| This model is intended to be a starting point which can be extended and expanded in several ways. The Center started with a breadth-first approach to framing up this space, | ||
| identifying the three primary dimensions of Threat-Informed Defense and the first five components of each dimension. At this stage, a score would be the result of a | ||
| qualitative self-assessment by knowledgeable practitioners in an organization, guided by the definitions of dimensions, components, and levels in Appendix A. This framework is | ||
| meant to be applicable to organizations of all sizes, and as such scoring should take into account organic “in house” capabilities as well as any capabilities delivered by 3rd | ||
| party service providers like an MSP. | ||
| This model is intended to be a starting point which can be extended and expanded in several ways. The Center started with a breadth-first approach to framing up this space, identifying the three primary dimensions of Threat-Informed Defense and the first five components of each dimension. At this stage, a score would be the result of a qualitative self-assessment by knowledgeable practitioners in an organization, guided by the definitions of dimensions, components, and levels in Appendix A. This framework is meant to be applicable to organizations of all sizes, and as such scoring should take into account organic “in house” capabilities as well as any capabilities delivered by 3rd party service providers like an MSP. | ||
|
|
||
| In the future, this model could be extended to incorporate fine-grained sub-components with associated levels, more objective criteria for levels that tied to specific data | ||
| sources and assessed by a 3rd party or automation, and additional components within the dimensions. The model could also be modified to improve on the quantification of levels | ||
| and the scoring algorithm to better align with evidence on the relative importance of each component to bottom-line security efficacy. In the absence of such evidence, the | ||
| Center needs to start by collecting data on the dimensions and components that the Center has hypothesized will prove most important based on existing research and experience. | ||
| In the future, this model could be extended to incorporate fine-grained sub-components with associated levels, more objective criteria for levels that tied to specific data sources and assessed by a 3rd party or automation, and additional components within the dimensions. The model could also be modified to improve on the quantification of levels and the scoring algorithm to better align with evidence on the relative importance of each component to bottom-line security efficacy. In the absence of such evidence, the Center needs to start by collecting data on the dimensions and components that the Center has hypothesized will prove most important based on existing research and experience. | ||
|
|
||
| In this initial release of M3TID, we provide a proof-of-concept spreadsheet that enables an organization to assess themselves and see the resulting scores. This may be updated | ||
| to a more interactive web application in a future release of M3TID, and potentially enable more automated measurement if the M3TID framework is extended to objective, specific | ||
| data sources. | ||
| In this initial release of M3TID, we provide a proof-of-concept spreadsheet that enables an organization to assess themselves and see the resulting scores. This may be updated to a more interactive web application in a future release of M3TID, and potentially enable more automated measurement if the M3TID framework is extended to objective, specific data sources. |