Defendable Architecture: Security Intelligence Driven Framework
In the fast-paced world of technology, where cyber threats are constantly evolving, businesses and organizations must prioritize the security and resilience of their systems. Defendable architecture has emerged as a critical concept in the realm of cybersecurity and system design. It offers a proactive approach to safeguarding digital assets and ensuring business continuity. In this blog, we will explore the key principles and benefits of defendable architecture and why it should be at the forefront of any organization’s technology strategy.
Defendable Architecture was first introduced by Lockheed Martin, and the whitepaper is publicly available for download.

Conventional security approaches primarily focus on fortifying systems against cyberattacks, with the expectation that once deployed, systems should be impervious to all threats. However, this static approach fails to adapt to evolving attacker tactics and doesn’t account for the fact that breaches can occur. Advanced adversaries, including Advanced Persistent Threats (APTs), demand a more dynamic and proactive defense strategy.
Defendable Architectures introduce a paradigm shift in security by emphasizing an intelligence-based model. This approach involves gathering insights from various intelligence sources, including real-time interactions with the system itself, to comprehend attackers better. By actively adapting to and predicting changes in adversaries’ tactics, systems become more resilient.
Defendable Architectures advocate the intentional design, implementation, and maintenance of systems to support Intelligence-Driven Defense® practices. This results in a virtuous cycle of heightened system visibility, rapid translation of intelligence into defensive measures, and effective deployment of these measures within the security controls. Furthermore, threat intelligence is integrated into the system’s design to ensure it aligns with current and emerging threats.
This concept extends beyond individual systems and encompasses the entire enterprise, offering guidance on how organizations can plan and deploy their systems and infrastructure within the Intelligence-Driven Defense framework. By applying this approach, organizations can construct systems that withstand cyberattacks, survive compromises, and adapt to evolving attacker strategies. Defendable Architectures provide a roadmap for creating systems that can be actively defended, remain resilient even after compromise, and flexibly adapt to changes in adversary behavior.
Key Principles of Defendable Architecture
In their work, Lockheed Martin’s experts underscored the pivotal role of intelligence in the defense of computer networks. They highlighted how Intelligence-Driven Defense processes, which involve activities like analyzing cyberattacks based on the Cyber Kill Chain® model, using new intelligence to investigate historical data, and adapting security controls in response to evolving threats, heavily rely on human expertise and tradecraft for success.
Recognizing the active involvement of human intelligence in defending systems and enterprises leads to more effective security practices. Systems built on the foundation of Defendable Architectures not only harness the intelligence of security defenders but also tap into the collective knowledge of designers, developers, testers, and administrators who are involved throughout the system’s lifecycle.
The various phases in this lifecycle—design, build, run, and defend—each present unique opportunities to infuse intelligence and knowledge into the system itself.
- During the design phase, engineers shape the system’s concept, requirements, and overall design, making critical security decisions. Unlike traditional security architectures that focus solely on hardening systems, Defendable Architectures use threat intelligence and system threat analysis to guide design choices, ensuring alignment with Intelligence-Driven Defense principles.
- Engineers, during the build phase, translate the design into functioning code and configure security controls. Testers rigorously evaluate the system’s inherent security features and the effectiveness of the selected security controls, employing various testing methods to identify vulnerabilities and assess risk.
- In the run phase, administrators take charge of system management, ensuring its ongoing operation and addressing operational needs like patching and system maintenance. They also facilitate diagnostic processes for developers and defenders, implementing changes to security controls based on intelligence provided by defenders.
- The defend phase is where intelligence analysts generate insights by monitoring adversary activity and respond to attacks. This involves safeguarding all aspects of the system, including production, test, development environments, and source code. Defenders translate indicators into protective and detection rules, actively defending systems and keeping stakeholders informed of evolving attack vectors.
Throughout these phases, there is a continuous flow of information and intelligence exchange, ensuring that the knowledge gained at each step is incorporated into the system’s defenses and architecture. This collaborative approach, as depicted in the figure provided, reinforces the notion that intelligence-driven practices and Defendable Architectures are instrumental in building resilient systems that can adapt and defend against cyber threats effectively.
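The defend-phase loop described above can be made concrete with a small sketch, added here as an illustration and not taken from the whitepaper or from Lockheed Martin: new indicators tagged with a Cyber Kill Chain phase are first run against historical logs, then translated into rules for administrators to deploy. The log format, the indicator values, and the control names (`dns-resolver`, `egress-firewall`) are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

KILL_CHAIN = ("reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command-and-control", "actions-on-objectives")
# kind is "ip" or "domain"; phase is the Cyber Kill Chain phase it was observed in
Indicator = namedtuple("Indicator", "kind value phase")

# Constructed proxy log lines: timestamp, internal host, destination domain, destination IP
HISTORICAL_LOGS = [
    "2024-03-01T09:12:44Z ws-017 updates.example.net 198.51.100.23",
    "2024-03-01T09:13:02Z ws-017 cdn.example.org 203.0.113.80",
    "2024-03-02T14:40:10Z srv-db2 files.example.com 192.0.2.10",
    "2024-03-03T08:01:55Z ws-044 img.cdn.example.org 203.0.113.81",
]
# Constructed intelligence, as defenders might record it after analysing an intrusion
NEW_INTEL = [
    Indicator("domain", "cdn.example.org", "command-and-control"),
    Indicator("ip", "192.0.2.10", "delivery"),
    Indicator("ip", "198.51.100.99", "delivery"),
]

def matches(ind, domain, ip):
    """True if a logged destination matches the indicator."""
    if ind.kind == "ip":
        return ipaddress.ip_address(ip) == ipaddress.ip_address(ind.value)
    d, v = domain.lower().rstrip("."), ind.value.lower()
    return d == v or d.endswith("." + v)  # the domain itself or any subdomain

def retro_hunt(indicators, logs):
    """Apply new intelligence to historical data: hosts that already touched each indicator."""
    hits = {ind: set() for ind in indicators}
    for line in logs:
        _ts, host, domain, ip = line.split()
        for ind in (i for i in indicators if matches(i, domain, ip)):
            hits[ind].add(host)
    return hits

def to_rules(indicators, hits):
    """Translate indicators into block/detect rules for administrators to deploy."""
    rules = []
    for ind in indicators:
        if ind.phase not in KILL_CHAIN:
            raise ValueError(f"unknown kill chain phase: {ind.phase}")
        control = "dns-resolver" if ind.kind == "domain" else "egress-firewall"  # hypothetical names
        rules.append({"control": control, "action": "block-and-alert",
                      "match": ind.value, "phase": ind.phase,
                      "triage_hosts": sorted(hits.get(ind, ()))})  # hit before the rule existed
    return rules
```

Hosts listed under `triage_hosts` contacted the indicator before any rule existed, so they are candidates for investigation rather than only future blocking.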
Benefits of Defendable Architecture
- Enhanced Security: Defendable Architecture prioritizes security, resulting in systems that are better equipped to defend against a wide range of cyber threats. By focusing on intelligence-driven defense and adaptability, it strengthens an organization’s overall security posture.
- Resilience: Systems built on Defendable Architecture are designed to be resilient in the face of attacks. They can better withstand security breaches and continue to operate effectively, reducing downtime and minimizing the impact of security incidents.
- Adaptability: Defendable Architecture is flexible and adaptable, allowing systems to evolve and respond to changing threat landscapes. This adaptability enables organizations to stay ahead of emerging threats and adjust their defenses accordingly.
- Effective Threat Intelligence Integration: The architecture facilitates the integration of threat intelligence into the design and operation of systems. This ensures that security measures are aligned with current and evolving threat patterns, enhancing the system’s ability to detect and mitigate threats.
- Visibility: Systems built on Defendable Architecture typically offer greater visibility into their operation and potential security threats. This increased visibility helps organizations identify and respond to security incidents more effectively.
- Manageability: Defendable Architectures are designed with manageability in mind. This makes it easier for organizations to monitor and maintain their systems, apply updates and patches, and respond to security incidents promptly.
- Support for Intelligence-Driven Defense: The architecture aligns with Intelligence-Driven Defense practices, allowing organizations to leverage the knowledge and expertise of various stakeholders, including designers, developers, administrators, and defenders. This collaborative approach strengthens an organization’s ability to defend against threats.
- Efficient Response to Adversaries: Organizations implementing Defendable Architectures can respond more efficiently to adversary actions. They can translate threat intelligence into updated security measures and quickly adapt to new attack techniques.
- Informed Decision-Making: The architecture enables organizations to make informed decisions about the deployment of security infrastructure based on enterprise-level threat intelligence and threat analysis. This helps organizations allocate resources effectively and prioritize security investments.
- Cyber Resilience: By focusing on both surviving attacks and adapting to changes in attackers’ techniques and objectives, Defendable Architectures contribute to building cyber resilience. This is critical for organizations seeking to withstand and recover from cyber incidents.
Summary
Classical security engineering has traditionally focused on building hardened systems, but this approach has limitations. Instead, the emphasis should be on creating defendable systems that can adapt and actively defend against evolving threats. The security of a system isn’t solely determined by its requirements, design, or test results; it’s a combination of how the system is designed, constructed, operated, and defended over time.
Defendable Architectures promote systems designed for Intelligence-Driven Defense practices, leveraging the expertise of various stakeholders throughout the system’s lifecycle. This collaborative approach enables organizations to make informed decisions about implementing security controls in their systems. Defendable systems exhibit key characteristics: visibility, manageability, and survivability.
These principles extend to creating Defendable Enterprises, where organizations use threat analysis and threat intelligence to design, deploy, and operate security infrastructure aligned with their defensive needs. Such enterprises efficiently translate new threat intelligence into updated security measures, infrastructure changes, and system design patterns, enabling effective responses to adversaries. They also make informed decisions about deploying new security infrastructure based on enterprise-level threat intelligence and analysis.
In striving for cyber resilience, organizations must aim not only to survive attacks but also to have architectures that can adapt to changes in attackers’ techniques and objectives. By incorporating threat intelligence and designing for visibility, manageability, and survivability, organizations and their systems can actively defend against emerging threats and adapt to new types of attacks.


