Attacks/Breaches

5/13/2015
10:30 AM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

Taking A Security Program From Zero To Hero

Breaking the enigma of InfoSec into smaller bites is a proven method for building up an organization's security capabilities. Here are six steps to get you started.

After many years as a niche profession, security has recently emerged as a mainstream one. Awareness is at an all-time high, and security is now a board-level discussion. With all this attention comes a very real problem for many organizations. The organization needs a mature security program, and they need it yesterday. But building and maturing a security program is a complex undertaking. How can organizations go from zero to hero in a minimal amount of time?

Source: Pixabay
Source: Pixabay

The problem is particularly challenging for smaller organizations that don’t already have an established security program in place. To start, you’ll need an understanding of a few pragmatic concepts and a bit of guidance to help to make the security journey a bit smoother. While not an exhaustive list, I have put together a few pointers that approach security as a business function. In my experience, it can be helpful to frame the topic in this manner, just as we would any other business function.

Step 1: Awareness
The first step toward a successful security program is the understanding that you need one. There is no shame in this – progress has to begin somewhere. Once the organization has resolved to stop treating security as an unapproachable enigma and to begin treating security pragmatically, the journey begins. For sure there are many pitfalls along the way, but the resolve to focus on security is the first step and an important step in the right direction.

Step 2: Vision
Any organizational journey needs to be driven in the right direction by a clear and concise vision. This security vision should not only be about what the organization seeks to accomplish, but also about how the organization will go about accomplishing that. The way to create that vision is to inform it methodically and scientifically. Begin with the risks and threats that the organization seeks to mitigate. Break those down further into goals and priorities to address on the road to mitigation. From those building blocks, a clear and concise vision can be assembled that encapsulates a strategic approach to security.

Step 3: People, process, and technology
People, process, and technology are the three pillars of a successful security program. These three pillars also form the means by which a security program is implemented. It’s important to consider all three in tandem, as they are highly inter-dependent and inter-related.

People are an essential part of any security program. Recruiting and retention are strategic aspects of a security program that are not always initially obvious. The right people are essential, as they implement the vision and carry out day-to-day operations. In the security world especially, people are a scarce resource, and as such, it is important to use them wisely. How wisely we use our people depends heavily on the process and technology we have in place.

Process guides people in how to use technology to address the goals and priorities that the organization has set. Additionally, process demonstrates to our stakeholders that we are serious about security by providing a formally documented approach. A process also invites us to study it, thereby allowing us to assess where we have bottlenecks and otherwise inefficient uses of resources.

Technology enables and empowers people to execute the process. Technology should be acquired strategically so as to maximize the goals and priorities it helps to address, while minimizing the cost and complexity required to do so. Acquiring technology in a non-strategic manner, or acquiring technology via a checklist approach can lead to unnecessary complexity and a data picture that isn’t particularly well-organized. Security is already a challenging enough discipline – no additional noise needs to be added.

Needless to say, the people, process, and technology required for a great security program can be difficult to implement, particularly for organizations with a limited time window. Consider working with a trusted partner to provide different pieces of the required people, process, and technology as best fits the organization’s strategy.

Step 4: Workflow
Once the security program is off the ground, focus shifts to workflow. The threat landscape is always changing, so it’s important that a security program never stop growing. Continue to adjust people, process, and technology as required to keep pace with changing risks. Make the best of the resources you have. Keep alert volumes to a reasonable level, and review every alert. Keep the signal-to-noise ratio high by populating the work queue with high-fidelity alerting specifically designed to address the organization’s goals and priorities while minimizing noise. Study the workflow continually to understand where improvements can be made and efficiencies can be introduced.

Step 5: Communication
Communication serves as a means by which metrics and other important information can be regularly communicated to leadership. But communication serves another important purpose as well. Relationships with upstream providers, peer organizations, professional associations, partners, customers, legal, privacy, and other stakeholders are incredibly important. Having those relationships in place ahead of time can help ensure that when crunch time comes, the appropriate channels exist to disseminate, receive, and act upon information in a timely manner.

Step 6: Community
The knowledge of 100 organizations will always be greater than the knowledge of just one. Techniques, methodologies, and indicators of compromise (IOCs) are all great information that can be shared between organizations. Those who give the most generally receive the most, and building street cred for your organization is important. Sometimes, being remembered can mean the difference between getting timely intelligence and not getting that intelligence. True, community is a less tangible aspect of a security program, but it is what separates good security programs from great ones.

Though initially overwhelming, when approached strategically, security is something that every organization can incorporate into its business operations. Breaking the enigma of security down into smaller, solvable problems and challenges is a proven method for organizations needing to build up their security capabilities. No organization has to go it alone, as many in the information security community are here to help.

 

Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
No SOPA
50%
50%
No SOPA,
User Rank: Ninja
5/14/2015 | 2:17:03 AM
Step 7: Hackers, Crackers and Phreaks
Let's not forget Step 7 which could take your security group from zero to hero quicker than steps 1-6 (and no, this isn't part of Step 3 - this isn't about "people" in the organizational sense).

Depending on your data and how dire your need is to make sure your security is the tightest it can be, and remains that way, pulling in some underground talent to pick your organization apart can be invaluable.  Nothing helps define the security of a site better than someone dissecting it and handing you the pieces.

I love hearing the old "We have a new security initiative underway.  You may hear from some people looking for your input."  Great.  If I ever actually hear from them, I'll tell them to hire my friend "John Doe" who will do in two hours (identify at least 50 key vulnerabilities and propose fixes) what some "initiatives" take years to do.

Don't get me wrong, I'm old now and Common Criteria and it's EALs and TOEs looks pretty good to me these days.  But Step 7 has to be the go-to sometimes, even if it winds up being off the books.
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
5/13/2015 | 1:38:39 PM
The Profit
Step 3 makes me feel like I'm on an episode of The Profit with people, process, and profit.

These are very good guidelines for trying to initiate a security program and even building upon a currently structured security program. You can look at these steps as a high-level process that can help to align an overall structure or a guideline towards implementing individual security protocols. For example you can use these, from an organizational perspective, to implement DLP, etc.
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Australian Teen Hacked Apple Network
Dark Reading Staff 8/17/2018
Data Privacy Careers Are Helping to Close the IT Gender Gap
Dana Simberkoff, Chief Risk, Privacy, and Information Security Officer, AvePoint, Inc.,  8/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-17305
PUBLISHED: 2018-08-21
Some Huawei Firewall products USG2205BSR V300R001C10SPC600; USG2220BSR V300R001C00; USG5120BSR V300R001C00; USG5150BSR V300R001C00 have a Bleichenbacher Oracle vulnerability in the IPSEC IKEv1 implementations. Remote attackers can decrypt IPSEC tunnel ciphertext data by leveraging a Bleichenbacher R...
CVE-2017-17311
PUBLISHED: 2018-08-21
Some Huawei Firewall products USG2205BSR V300R001C10SPC600; USG2220BSR V300R001C00; USG5120BSR V300R001C00; USG5150BSR V300R001C00 have a DoS vulnerability in the IPSEC IKEv1 implementations of Huawei Firewall products. Due to improper handling of the malformed messages, an attacker may sent crafted...
CVE-2017-17312
PUBLISHED: 2018-08-21
Some Huawei Firewall products USG2205BSR V300R001C10SPC600; USG2220BSR V300R001C00; USG5120BSR V300R001C00; USG5150BSR V300R001C00 have a DoS vulnerability in the IPSEC IKEv1 implementations of Huawei Firewall products. Due to improper handling of the malformed messages, an attacker may sent crafted...
CVE-2018-12115
PUBLISHED: 2018-08-21
In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names `'ucs2'`, `'ucs-2'`, `'utf16le'` and `'utf-16le'`), `Buffer#write()` can be abused to write outside of the bounds of a single `Buffer`. Writes that start from the second...
CVE-2018-7166
PUBLISHED: 2018-08-21
In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause `Buffer.alloc()` to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying `encoding` can be passed as a number, this is misint...