5/13/2015
10:30 AM
Joshua Goldfarb
Commentary

Taking A Security Program From Zero To Hero

Breaking the enigma of InfoSec into smaller bites is a proven method for building up an organization's security capabilities. Here are six steps to get you started.

After many years as a niche profession, security has recently emerged as a mainstream one. Awareness is at an all-time high, and security is now a board-level discussion. With all this attention comes a very real problem for many organizations. The organization needs a mature security program, and they need it yesterday. But building and maturing a security program is a complex undertaking. How can organizations go from zero to hero in a minimal amount of time?

Source: Pixabay

The problem is particularly challenging for smaller organizations that don’t already have an established security program in place. To start, you’ll need an understanding of a few pragmatic concepts and a bit of guidance to help make the security journey a little smoother. While not an exhaustive list, I have put together a few pointers that approach security as a business function. In my experience, it can be helpful to frame the topic in this manner, just as we would any other business function.

Step 1: Awareness
The first step toward a successful security program is the understanding that you need one. There is no shame in this – progress has to begin somewhere. Once the organization has resolved to stop treating security as an unapproachable enigma and to begin treating it pragmatically, the journey begins. There are certainly many pitfalls along the way, but the resolve to focus on security is the first step, and an important one, in the right direction.

Step 2: Vision
Any organizational journey needs to be driven in the right direction by a clear and concise vision. This security vision should not only be about what the organization seeks to accomplish, but also about how the organization will go about accomplishing that. The way to create that vision is to inform it methodically and scientifically. Begin with the risks and threats that the organization seeks to mitigate. Break those down further into goals and priorities to address on the road to mitigation. From those building blocks, a clear and concise vision can be assembled that encapsulates a strategic approach to security.

Step 3: People, process, and technology
People, process, and technology are the three pillars of a successful security program. These three pillars also form the means by which a security program is implemented. It’s important to consider all three in tandem, as they are highly interdependent and interrelated.

People are an essential part of any security program. Recruiting and retention are strategic aspects of a security program that are not always initially obvious. The right people are essential, as they implement the vision and carry out day-to-day operations. In the security world especially, people are a scarce resource, and as such, it is important to use them wisely. How wisely we use our people depends heavily on the process and technology we have in place.

Process guides people in how to use technology to address the goals and priorities that the organization has set. Additionally, process demonstrates to our stakeholders that we are serious about security by providing a formally documented approach. A process also invites us to study it, thereby allowing us to assess where we have bottlenecks and otherwise inefficient uses of resources.

Technology enables and empowers people to execute the process. Technology should be acquired strategically so as to maximize the goals and priorities it helps to address, while minimizing the cost and complexity required to do so. Acquiring technology in a non-strategic manner, or acquiring technology via a checklist approach can lead to unnecessary complexity and a data picture that isn’t particularly well-organized. Security is already a challenging enough discipline – no additional noise needs to be added.

Needless to say, the people, process, and technology required for a great security program can be difficult to implement, particularly for organizations with a limited time window. Consider working with a trusted partner to provide different pieces of the required people, process, and technology as best fits the organization’s strategy.

Step 4: Workflow
Once the security program is off the ground, focus shifts to workflow. The threat landscape is always changing, so it’s important that a security program never stop growing. Continue to adjust people, process, and technology as required to keep pace with changing risks. Make the best of the resources you have. Keep alert volumes to a reasonable level, and review every alert. Keep the signal-to-noise ratio high by populating the work queue with high-fidelity alerting specifically designed to address the organization’s goals and priorities while minimizing noise. Study the workflow continually to understand where improvements can be made and efficiencies can be introduced.

Step 5: Communication
Communication is the means by which metrics and other important information are regularly reported to leadership. But communication serves another important purpose as well. Relationships with upstream providers, peer organizations, professional associations, partners, customers, legal, privacy, and other stakeholders are incredibly important. Having those relationships in place ahead of time helps ensure that when crunch time comes, the appropriate channels exist to disseminate, receive, and act upon information in a timely manner.

Step 6: Community
The knowledge of 100 organizations will always be greater than the knowledge of just one. Techniques, methodologies, and indicators of compromise (IOCs) are all great information that can be shared between organizations. Those who give the most generally receive the most, and building street cred for your organization is important. Sometimes, being remembered can mean the difference between getting timely intelligence and not getting that intelligence. True, community is a less tangible aspect of a security program, but it is what separates good security programs from great ones.

Though initially overwhelming, when approached strategically, security is something that every organization can incorporate into its business operations. Breaking the enigma of security down into smaller, solvable problems and challenges is a proven method for organizations needing to build up their security capabilities. No organization has to go it alone, as many in the information security community are here to help.


Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to ...

Comments
No SOPA, User Rank: Ninja, 5/14/2015 | 2:17:03 AM
Step 7: Hackers, Crackers and Phreaks
Let's not forget Step 7 which could take your security group from zero to hero quicker than steps 1-6 (and no, this isn't part of Step 3 - this isn't about "people" in the organizational sense).

Depending on your data and how dire your need is to make sure your security is the tightest it can be, and remains that way, pulling in some underground talent to pick your organization apart can be invaluable. Nothing helps define the security of a site better than someone dissecting it and handing you the pieces.

I love hearing the old "We have a new security initiative underway. You may hear from some people looking for your input." Great. If I ever actually hear from them, I'll tell them to hire my friend "John Doe" who will do in two hours (identify at least 50 key vulnerabilities and propose fixes) what some "initiatives" take years to do.

Don't get me wrong, I'm old now and Common Criteria and its EALs and TOEs look pretty good to me these days. But Step 7 has to be the go-to sometimes, even if it winds up being off the books.

RyanSepe, User Rank: Ninja, 5/13/2015 | 1:38:39 PM
The Profit
Step 3 makes me feel like I'm on an episode of The Profit with people, process, and profit.

These are very good guidelines for trying to initiate a security program and even for building upon a currently structured security program. You can look at these steps as a high-level process that can help to align an overall structure or as a guideline towards implementing individual security protocols. For example, you can use these, from an organizational perspective, to implement DLP, etc.