Security Engineering (SE) Workbench



Security Analysis Tasks

Security Analysis is one of the seven key functions described in the Workforce Framework for Cybersecurity published by the Cybersecurity & Infrastructure Security Agency of the US Department of Homeland Security.

The SE-workbench project looks at Security Analysis from the Security Engineer's point of view. In the SE-workbench project, the role of Security Engineer is taken as a composite of several of the 52 work roles defined in the Workforce Framework for Cybersecurity, to include: Security Architect, Systems Security Analyst, Threat Warning Analyst, Vulnerability Assessment Analyst, and others.

Security Analysis (for Security Engineers)

Security Analysis is the engineering process used to evaluate the security and privacy considerations for complex Information Technology systems. Security Analysis examines the structure and function of an Information System in its operational environment against factors that can affect the trustworthiness of the system. Security Analysis leads to conclusions, recommendations and actions to eliminate risk, reduce risk, or manage risk within defined risk tolerance parameters.

There are several Security Analysis activities and tasks performed throughout the lifecycle of Information Systems:

  • Design, i.e., Security Requirements, Control and Threat Baselines and Architecture artifacts used throughout the Information System Lifecycle
  • Assess, i.e., Risk Assessment, Threat Assessment, and Vulnerability Assessment
  • Test, i.e., Security Test Plan design, execution and evaluation
  • Operate, i.e., Security Monitoring, Security Intelligence, Threat detection, Threat Response and Incident Management
  • Investigate, i.e., Security Audit, Post-incident Investigation and Forensics

Security Engineers who perform Security Analysis require specialized skill and expertise in analyzing problems with conflicting requirements and constraints. Each problem has a unique set of elements that represent the knowns, unknowns, variables and constraints. For Security Analysis these elements are: assets, systems, actors, risks, threats, attacks, vulnerabilities, weaknesses, scenarios, use cases, abuse cases, policies, rules, controls, countermeasures, technical mechanisms, guards, and more. Security Engineers who perform Security Analysis also need specialized knowledge. The knowledge can be gained through experience and timely access to authoritative information sources.

Design

Security Design is the general term for the activities and tasks in the development process that lead to security features and functions. This Security Engineering activity maps to the Securely Provision category of the Workforce Framework for Cybersecurity described above. Security Design includes tasks associated with requirements gathering and analysis, evaluation of a proposed system design specification against criteria indicative of risk or vulnerability, and proposing specifications to be implemented and tested by the development team.

Security Engineering activities for Design & Develop include:

  • Controls Baseline: Given information about the organization's governance, document a set of security controls and capabilities that satisfy the organization's governance and Risk Management criteria. Controls Baselines provide the standard used in Risk Assessments and Security Audits. Controls Baselines need to be reviewed and revised over time.
  • Threat Baseline: Given a proposal, plan or design for an Information System and Information Assets, document the potential and relevant threats to the system and its assets. The purpose of a Threat Baseline, also called the Threat Model, is to provide requirements for trustworthiness that can be translated into design specifications for security functions. Threat Baselines and Threat Models are typically paper exercises in the early stages of a project. Threat Models are highly subjective. They need to be reviewed and revised over time.
  • Security Architecture Baseline: Given a proposal, plan or design for an Information Technology system, along with a Controls Baseline and a Threat Baseline, provide specifications for Security Services and Countermeasures to meet the requirements for trustworthiness of the system. The Security Architecture Baseline documents the intended security functions of the system. It is an integrated part of the Information Technology system's design, not a separate document. The Security Architecture Baseline is used to guide implementation and operation of security related features and functions. It provides the standard used in Risk Assessments and Security Audits. Security Architecture needs to be reviewed and revised over time.

Assess

Security Assessments are used to evaluate the features and functions of a system in comparison to criteria established in the related baseline. Security Assessments may be used to evaluate and improve the effectiveness of the System Security Controls against the Controls Baseline; the completeness of the Threat Baseline against the current threat environment; or the trustworthiness of the system considering the implemented security services, mechanisms and countermeasures. This Security Engineering activity maps to the Analysis and Protect and Defend categories of the Workforce Framework for Cybersecurity described above. The purpose of a security assessment is to produce a finding that can be used as either a quantitative or qualitative measure of system trustworthiness. There are two types of assessment: initial or baseline assessments evaluate what is known about a system against typical risks, threats or vulnerabilities; operational or differential assessments evaluate an operational system against its established baseline, or against an enumerated set of risks, threats or vulnerabilities.

Security Engineering Assessment activities include:

  • Control Assessment: Given an environment with Information Technology Systems and Assets, along with a Security Control Baseline, (1) evaluate the effectiveness of the implemented Security Controls against the Security Control Baseline and (2) document the gaps and (3) estimate the risk and impact of uncontrolled threats on the integrity of the assets. Control Assessments are qualitative. Risk estimates may be based on either a commonly held or typical view of impact, or a view of impact for a specific owner and environment.
  • Threat Assessment: Given an environment and a set of assets, along with the Threat Baseline and Security Control Baseline, enumerate and rank the potential threats to the assets based on the likelihood of the threat and the severity of the impact on the asset and/or to the owner. Threat Assessments are qualitative. Threat Assessments may be based on either a commonly held or typical view of threats, or a set of verifiable threats for a specific owner and environment.
  • Vulnerability Assessment: Given an environment and a set of assets, along with the Threat Baseline and Security Control Baseline, (1) enumerate and rank the weaknesses and vulnerabilities in the environment and assets based on the likelihood of the threat and the severity of the impact on the asset and/or to the owner, (2) identify the controls and countermeasures to mitigate the weaknesses and vulnerabilities, and (3) evaluate the residual risk with mitigations in place. Vulnerability Assessments may be based on either a commonly held or typical view of vulnerabilities, or a set of verifiable vulnerabilities for a specific owner and environment.
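The three assessment steps above (rank by likelihood and severity, map controls to weaknesses, evaluate residual risk) as a small worked register. This is an added example, not part of the SE-Workbench project; the 1..5 scales, the control reduction values and the sample assets and threats are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Weakness:
    asset: str
    threat: str
    likelihood: int      # 1 (rare) .. 5 (almost certain), constructed scale
    severity: int        # 1 (negligible) .. 5 (catastrophic), constructed scale
    controls: list = field(default_factory=list)

@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # scale points the control removes from likelihood
    severity_reduction: int = 0     # scale points the control removes from severity
    implemented: bool = True        # planned controls do not reduce residual risk

def risk(w, with_controls):
    """Return (likelihood, severity, score); mitigations never push a value below 1."""
    lik, sev = w.likelihood, w.severity
    if with_controls:
        for c in w.controls:
            if c.implemented:
                lik -= c.likelihood_reduction
                sev -= c.severity_reduction
    lik, sev = max(lik, 1), max(sev, 1)
    return lik, sev, lik * sev

def rank(weaknesses, with_controls=False):
    """Rank weaknesses by score, highest first; ties broken by severity."""
    scored = [(w, *risk(w, with_controls)) for w in weaknesses]
    return sorted(scored, key=lambda t: (t[3], t[2]), reverse=True)

# Constructed sample register for a small web application (hypothetical assets).
mfa = Control("MFA on admin portal", likelihood_reduction=3)
backups = Control("Offline backups tested quarterly", severity_reduction=2)
waf = Control("WAF rule set", likelihood_reduction=1, implemented=False)  # planned only
REGISTER = [
    Weakness("Customer DB", "Credential stuffing on admin login", 5, 5, [mfa]),
    Weakness("Customer DB", "Ransomware on DB host", 3, 5, [backups]),
    Weakness("Web tier", "Injection via search parameter", 4, 4, [waf]),
]

if __name__ == "__main__":
    for label, flag in (("Inherent", False), ("Residual", True)):
        print(label)
        for w, lik, sev, score in rank(REGISTER, flag):
            print(f"  {score:2d} L{lik} S{sev}  {w.asset}: {w.threat}")
```

The residual ranking differs from the inherent one because the planned but unimplemented WAF control leaves the injection weakness at its full score.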

Test

Security Testing is the general term for engineering activities across the information system lifecycle that apply testing methods and technologies to systems for the purpose of validating their security and trustworthiness. This Security Engineering activity maps to the Securely Provision category of the Workforce Framework for Cybersecurity described above. These tests can involve the use of automated tools to scan code, emulate code execution, probe systems and software interfaces using scripts, etc., or the use of manual methods to review code structure and content, mimic user behaviors or threat actor behaviors, etc. Each tool and technique may find a subset of known security issues. No tool or set of tools provides complete coverage for all known security issues. Security Engineering activities for Testing include:

  • Source Code Scanning: Given code scanning software and a set of software source code, generate a map of logic flows and exceptions that indicate program function and faults.
  • Operational Code Interface Scanning: Given code scanning software and an operational system, generate a map of logic flows and exceptions that indicate program function and faults.
  • Penetration Testing: Given Penetration Testing software, scripts and an operational system, generate a map of logic flows and exceptions that indicate program function and faults.

Operate

Security Operations is the general term for activities and tasks for monitoring, detecting and responding to security related events and conditions. This Security Engineering activity maps to the Collect and Operate, Operate and Maintain, and Protect and Defend categories of the Workforce Framework for Cybersecurity described above. Security Engineering activities for Operations include:

  • Security Monitoring and Response: Given: an Operational System, Security Monitoring tools and Services, plus a body of knowledge about known attacks and attack indicators, instrument the system to capture, display and analyze security relevant events and conditions. Initiate defensive actions to mitigate the attacks and recover from incidents.
  • Security Intelligence: Given: an Operational System, Security Monitoring tools and Services, a body of knowledge about known attacks, attack indicators and attacker behaviors, plus a collection of operational data that includes security relevant events and conditions, correlate and analyze the knowledge and data in an effort to detect new forms and methods of attack.

Investigate

Security Investigation is the general term for activities and tasks related to analyzing artifacts to determine the root causes of a Security Incident. This Security Engineering activity maps to the Investigate category of the Workforce Framework for Cybersecurity described above. Security Engineering activities for Forensics include:

  • Security Audit: Given: an Operational System, gather and evaluate artifacts from the system in order to verify that the operation and management of the system complies with policies and standards of practice.
  • Gathering Evidence: Given: an Operational System, plus a set of tools, retrieve and protect artifacts from the system(s) needed to construct a view of the events and activities that led to the Security Incident.
  • Forensic Analysis: Given: a set of artifacts for Operational System(s), plus a body of knowledge about known attacks, attack indicators and attacker behaviors, correlate and analyze the knowledge and data to construct a timeline of events leading to the Security Incident.


Copyright © 2021, 2022 Jim Whitmore.

LAST UPDATE: 13 March 2022