Thursday, November 25, 2010

Why everyone in infosec should do SABSA training

Last week I did my SABSA training and certification. I don't know how I went but I wanted to share the results of what I learned.

This post is long and I make no apologies for it. I wish someone had a post like this before I started on the training. I didn't have anyone I could turn to or who could really tell me what it was about until I had done it (which was frustrating). I mean I asked around but I didn't get an answer that really satisfied me. So I wanted to give the best writeup that I could to help explain to any other likeminded folk in the field or least give my thoughts on what I walked away with. So here it is.

For the uninitiated, SABSA stands for 'Sherwood Applied Business Security Architecture' and it is a method for applying an understanding of the business you are securing. By understanding the business, you are able to build in security that is appropriate to the context of that organisation.

My career journey has taken some very bizarre turns. When I took up my last role, I wanted to move into focused pentesting (from a role where I did some pentesting) and instead wound up doing a combination of stuff - security management, security consultant and solution design and architecture. I got to oversee a bunch of pentesters, hire pentesters and be fairly involved but it became a gradual divorce away from the hands on (which I still miss sometimes but other times I don't). But more to the point, I enjoyed what I was doing, although I think it took me a time to really appreciate it because it wasn't what I signed up for.

Anyway as I came from more of a sysadmin/pentester background, I would look at project designs and how to break them (typical 'break' vs 'build' mentality). Reviewing security controls because a question of trying to be as thorough as I could, and an exercise in mentally threat modelling various ways to break the solution design.

I would look at different methodologies for security testing, I would think of solutions in terms of the OSI model and what security services were required (authentication, authorisation, auditing, etc). I looked at OWASP to ensure a stringent design process was followed. We used contractual arrangements to enforce our needs where we could.  I'd spend time talking to the business and trying to spend more time listening than talking. I wanted to find out what their problem was and if I could address it. I also tried to keep up with all the tech (which is impossible once you get to this point doing this work as something has to give).

But the whole thing seemed and felt really adhoc. It was a case of finding what I could think of, springboarding ideas with my team mates and consistently asking myself "is this enough?".

I couldn't put a label on what I did exactly - but whatever it was - I was never aware of a methodology to help people like me doing the work I was doing. I became aware of architecture as a discipline owing to some good solution architects who heavily influenced my thinking and became aware of Enterprise Architecture as a discipline and how good solution design can help drive strategy. However that seemed great as an IT Architecture, or a Business Architecture, but nothing to help me in my discipline. I learned relatively quickly that pentesting was simply a way of measuring security effectiveness but in and by itself, didn't offer me anything beyond some assurance. It was around then I started to drift away a bit from pentesting.

I became aware of SABSA in 2008 through a co-worker. We'd both found the SABSA book by David Lynas, John Sherwood and Andy Clarke but neither of us really did anything with it. I think at a glance we had the same impression as everyone else. It looked great as a method but seriously, how practical was this light and fluffy stuff. We both came from similar backgrounds and I think had very similar thoughts on applying architecture - this all looked really high level theory and not very practical.We were still interested in the book and how it applied but we never got around to reading the book or doing the course.

Well, I finally started on that book earlier this year and got through most of it (3/4 I think). The course is an equally tough slog too. I consider myself pretty passionate on this topic btw, but after day 4 even the most passionate person will be tested I reckon!

As I went through the training I had an epiphany of sorts (actually I spent a good chunk of the weekend at Ruxcon ruminating about it too). Having read the book and seen some videos on architecture, I had some idea of how Architecture, as an IT discipline worked. But this course really highlighted for me why SABSA is THE single most important training I have had in my field to date. I wanted to share what I learned and highlight why I think other infosec professionals - regardless of their role, should do it.

What I learned:
I learned that the often disparate array of compliance standards, ISO standards, architecture frameworks and so on need not be. They can all integrate together. Once you understand the business you can begin to build that picture. The architecture frameworks (TOGAF, SABSA, Zachman, etc) are simply a "method of organised thinking". SABSA is the concrete which enables me to put together all the other building blocks together.

Every thing I know, have learned and will learn (not just security related) I can apply using this framework to build a security model for my clients based on re-usable architecture. The "architecture" however, is never complete. It is a living breathing organism. Each project or each pass is an attempt to iteratively build up your understanding of the business. Each project is an opportunity to build upon those building blocks - re-use what you can or tailor to suit where appropriate. You never have a perfect "target". It just keeps moving. We've often known that security is a journey, not a destination - but seeing this through the eyes of an architecture framework is a very different thing. I think its like trying to describe being a parent to someone who doesn't have kids. There's the difference between knowing the path and walking the path, as Morpheus would say. :)

From a technical viewpoint, I learned how to structure controls so that controls at the various OSI layers are not done in isolation from each other. That you can build concrete controls. You can even forgo certain controls but it is not without an understanding of the potential consequences or the risk.  I also learned to truly build re-usable, extensible security services. Moreover, how they link back to business goals and objectives which enables demonstrable return on investment and develop a realistic form of risk assessment (pretty much the best system for risk assessment I have seen to date).

Incase people reading this think this is all high level fluff, the guys who developed this were the architects for Swiftnet (the system banks use to transfer funds internationally). Anyone who has heard of this or worked with banks will understand the importance of the system and the risks involved. As you go through the training, David Lynas (who is the main instructor globally - if not the only one I am aware of) will make clear his points through illustrated examples throughout his career and using examples from other people's careers. As someone who had done this sort of work before, I found these some of the most educational points of the training as I could relate it back to various situations of my own and either pat myself on the back for getting something right or mentally kick myself for thinking how I should have handled something differently.

I realise this is going on and on - but I really want to stress why I think this is worthwhile. I try to provide some context here based on a person's title/role or aspirantions here:

Security Managers/CISOs/CSOs
The SABSA framework integrates with just about every relevant standard or framework you can think of (ITIL, COBIT, ISO27000 series, etc) and a way for running security programs. It provides a method for delivering business driven security services with mesaurable results and a PRACTICAL form of risk assessment (the most practical I have seen). The risk management framework and how to measure security, will be worth the price of entry alone for you. 

Security Designers/Architects
I think you'll  come away with a similar view to myself and see how this all ties everything in together. Management, penetration testing, security standards, compliance, risk, technical controls and how to integrate them all - in a practical method. You will enjoy the focus of building and creating at a truly enterprise level and your game will be taken to another level.

Penetration Testers/Security Analysts
Pentesters are a funny lot with their training budgets.  Either they want to do Offensive Security course or for the more advanced ones, a top notch Immunity course by Dave Aitel - or they are usually happy to spend their own time with a few books and play around with stuff on their own. Now if you fall into the later category, you should definitely put it towards SABSA.

I mean lets face it - you're not going to put the budget towards anything else, why not learn how to review solution designs using a comprehensive strategy which will enable you to cover all the components? Why not learn how to link it back up to core business objectives? Truth is that will not take away from your technical skills - why not learn how to engage with the business at a higher level.

The short answer is if you haven't done the SABSA training, just get out there and do it. It will not takeaway from anything you have done to date. I can assure you it will only complement anything you do, regardless of what it is. And finally, I think it will really open your eyes in ways you hadn't considered previously. It won't solve world hunger and the "security problem" for good, but I will say that it is a damned good start. If more people had done this training in our field, I can honestly say that the world would be a safer place.

I hope this is useful.


- J.


Matthew Hackling said...

Thanks for this Jarrod. From what I have seen of SABSA provides a methodology for structured thinking. It's pretty much formalises how most of us approach security architecture, we collate requirements from stakeholders (legislation, regulation, contractual), integrate and normalise the requirements and translate them into security requirements/controls, use risk assessment to figure out where best to place the security controls as no project has an unlimited security budget and to what extent they need to be monitored. Security architecture needs to start at requirements and work it's way down conceptually to logical network diagrams and then to physical network diagrams. A Visio diagram with a firewall plonked on it is not a security architecture, it's a tiny bit of a network security detailed design document. A security architecture document should have

Jarrod said...

Hi Matt,

I know you have a similar interest in security architecture - I strongly encourage you to do the training as I know for a fact you would get an equal buzz out of it as I did. :)


- J.

davidawest said...

Hey Jarrod,
I've had a similar history with SABSA as you - the book has been sitting on my shelf for 12 months, it looks great and sounds great, but feels a little "light and fluffy" - I'm always left wondering, how can it really help me..

Thanks for the review. I've been thinking about the training for a little while and you've inspired me to take a closer look. Quick question for you..

What are your thoughts on how applicable applying the SABSA approach would be in an organisation that does not fully embrace enterprise architecture in a way that Zachman would be proud of? Ie, is SABSA useful more as a way of thinking rather than fully blown methodology you need a lot of buy in and support for?


David Sneddon said...

Jarrod, Nice blog. You may recall me, I was the audit guy on your course. I really enjoyed the course and from my perspective I was very impressed with the risk assessment and metrics available by using SABSA (eg. Business Attributes) and the real life examples given where this had been performed. I got to say this has been one of the best courses I've done in 20 years, and certainly one of the most enjoyable.

I think to respond on what Dave Wests asks, SABSA speaks specifically about the issues faced where further support or buy in is required and hence believe it will be of value to you.

Aladdin said...

Dear Jarrod
Thank you for this post. SABSA is very good framework. I have bought the book and read the whitepaper.
I have tried to get a training course for SABSA, but unfortunately, we don't have such kind of training in our region, rather than getting its expensive costs.
Can you kindly share us your training materials so that we can understand SABSA deeper? I will be glad to share me that on my email
Thank you for your cooperation

Imi said...

Seruously thank you for taking the time to write this! I do have the book also, and have been struggling with similra doubts like ypu. Can it be that the solution to by doubts is sitting in front of my eyes?
I have been looking at balanced scorecard, metrics, it governance stuff, etc. for strategising, but architecture seems to be a verry useful tool, the actual "concrete" you mention!

So thanks again,

Chintan Dave said...

Hi Jarrod,

Thanks for writing this post.I was looking for more details from security professionals and by this post is exactly what I needed - a pen testers view :)


TB said...

Matt, I took the class in August 2013 and I came out saying the same thing; the best class I have even taken in my 15 years in the security field.


TB said...

Sorry I meant Jarrod
Matt, I took the class in August 2013 and I came out saying the same thing; the best class I have even taken in my 15 years in the security field.

Thanks Jarrod

Anand said...

Appreciate you taking time to write this post, it helps. Did you went through achieving SABSA Certification, if yes. What all does it take to achieve it?

Rey said...

OMG! Jarod I think we’re living in parallel worlds; my career has just shifted in the path of your journey. My focus was also down the road of a more seasonal pentester and fell in a role of security consulting and solution design and architecture, exactly where you were in terms of shifting further away from the hands on activities.

I came across SABSA when researching the practice of Enterprise Security Architecture. I hit the book on my searches and already placed an order, then searched for SABSA reviews for training and came across your blog site.

Thanks for sharing your thoughts to the community about your experience and SABSA. Your write-up helped me to understand where I am in my career and how I can focus my development on where I want to go as Security Architect. I plan on attending next year’s schedule and look forward to training.

Thanks again for the write-up

meena said...

Thanks a for good blog
BA Online Course

The ITIL Imp said...

Hi Jarrod,
Thank you for your post regarding the real value of SABSA training; it's been on my wish list for a long time and I finally have funding to attend the foundation course. I was already looking forward to it, but reading your blog (and comments) increases my interest and confidence that it will be really worthwhile and most importantly, actionable.
Thanks again.

loveme said...

COBIT 5 online training delivery is a specialty of Consultants Factory. We’re among the best to offer it. We’ve trained 5000+ candidates across India, UAE & Saudi Arabia.
COBIT 5 online training

Chris W said...

I know this blog is 8 years old but just saw some crazy stuff in here:

> From what I have seen of SABSA provides a methodology for structured
> thinking. It's pretty much formalises how most of us approach security
> architecture

Ummm no. If it was so easy, everyone would be doing it. But yet we have organizations (who think the following is good design) having a connection from the HVAC to PoS systems, for example, and that my friends is what is known as architecture.

> the book has been sitting on my shelf for 12 months, it looks great
> and sounds great, but feels a little "light and fluffy"

I hear this a lot. It kinda makes me think of pointer logic in software development, either one has an aptitude for it or not -- you can only teach it so much. By way of comparison, SABSA isn't the CISSP where anyone off the street can study the book and take the test (yes, I have SCF and CISSP in my collection of alphabet soup -- I'm proud of the SCF. I have the CISSP for one reason and one reason only... 8570).

I've even had people ask me, "can you do a SABSA appraisal for me"? It doesn't work that way. SABSA is a framework for one's design and processes. It's light and fluffy because it's not going to tell you what to do (like a CVE would have remediation steps for example). SABSA is light and fluffy on the surface because it's a way to bring together multiple standards into a single framework.

But SABSA doesn't do the work for people... the people have to define their business... their requirements... and they also do that by role (which changes from perspective to perspective). Each role if different, responds to different stimuli, and each role has different inputs and outputs. SABSA forces people to *think*!