10/1/2018 10:30 AM
Joshua Goldfarb
Commentary
The Right Diagnosis: A Cybersecurity Perspective

A healthy body and a healthy security organization have a lot more in common than most people think.

As someone who is battling a chronic medical condition, I understand the importance of the right diagnosis. The right diagnosis along with modern medicine and the right attitude have helped me successfully battle multiple sclerosis for nearly a decade. Most people who meet me in person have no idea that I have MS, and I intend to keep it that way for a very long time.

So, why am I telling you this? And further, what do diagnosing and battling MS have to do with information security? I'd argue that we can learn an important lesson from my experiences: that just as the right diagnosis and the right treatment can go a long way toward treating medical issues, they also go a long way toward treating security problems.

No security program is perfect, but some need more attention than others. What are the checkpoints that will help organizations understand where their security programs are ailing, how to make the right diagnosis, and begin the proper treatment? Let me share a few of my thoughts.

Check brain function: Just as the brain controls how the body functions, the leadership of a security organization controls how that organization functions. When looking to evaluate and understand where a security program stands, one of the first diagnostics should be focused on leadership. Do security leaders have a clear vision? Do they have a solid strategy? Are they focused on the right goals and priorities? Do they have the right plan to make their strategy a reality? Do they have the ear of the executives, the board, and other stakeholders? Are they building the right team? These and other questions can help a security organization check its brain function and diagnose where it may be ailing.

Check the heartbeat: Security operations could be considered the central function of a security program, analogous to its heartbeat. Just as a healthy, regular heartbeat is critical to the health of the body, a healthy security operations program is critical to the health of a security organization. Is the security operations team properly trained? Do team members' tools support their mission? Do team members populate their work queue with reliable, high-fidelity, practical alerts? Do they detect and respond to incidents in a timely and efficient manner? Do they have the right processes and procedures in place?

Check blood flow: Security needs to make its way throughout the organization just as blood needs to make its way throughout the body. This requires the right message, practical guidance, and the proper relationships. When any of these are lacking, the security organization will have a difficult time working with the business to improve its security posture.

Check breathing function: Just as breathing brings oxygen to the body, fresh ideas and innovation bring oxygen to the security organization. When a security program stagnates and becomes stale, it begins to lose effectiveness. Risks and threats change with time. Attackers become more creative and sophisticated. Technologies change. Detection methods become outdated. All of this leaves the security organization increasingly unaware of what it needs to be concerned about, and the relevance of the information on which it relies becomes diluted. Without innovation to breathe new life into the security program, returns diminish and less and less risk gets mitigated.

Check muscle function: Just as the muscles move different parts of the body and implement the will of the brain, the incident response function implements the will of the security team. When an event or incident occurs, incident response is the muscle that brings the organization back to an acceptable level of risk. A healthy incident response function is therefore a direct indicator of a security program that is able to mitigate risk. Does the incident response team have the visibility required to properly monitor the enterprise? Does it have the people, process, and technology to ensure success? Do team members have the required relationships within the organization to properly mitigate and remediate incidents that occur?

Check the extremities: Healthy extremities are an important part of a healthy body. In security, customers, vendors, partners, and other stakeholders are the extremities. It's easy to get caught up in the nearly endless list of internal security tasks awaiting the average security team. But considering the security of customers, vendors, partners, and other stakeholders is also an important part of a mature security program. Without considering the health of its extremities, the security organization will miss a number of ways in which risk can be introduced into the enterprise.

Get a second opinion: Sometimes even the most skilled medical professionals make the wrong diagnosis. Similarly, in security, sometimes even the most skilled security professionals make the wrong diagnosis. To ensure the right one, it can be helpful to work with a trusted colleague, a group of colleagues, or a partner. Don't just trust one diagnosis, particularly if it's your own. Take the time to get a second opinion.

Be patient: The right treatment based upon the right diagnosis may take time to have an effect. It's important to give a new or modified approach time before giving up on it. Designing meaningful metrics allows a security organization to continually assess its progress against its goals and priorities. This gives the security organization much needed data points for evaluating whether or not a given approach is on track to produce the desired results.
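The "heartbeat" checks above (are the queue's alerts high-fidelity, are incidents handled in a timely way) and the metrics this paragraph calls for can be made concrete. The following is an added example, not code from the article or its author: it computes alert fidelity, median time to triage, and median time to contain from a constructed set of alert records for a period before and after a tuning effort, then reports per metric whether the program is improving and whether it has reached its goal. The record format, the metric names, and the target values are assumptions chosen for illustration; a real program would feed it an export from its ticketing system and its own targets.

```python
"""Security-operations heartbeat metrics (added example, not the article's code).

Alert records, metric names and targets below are constructed assumptions; in
practice the inputs would come from the SOC's own ticketing or SIEM export.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Alert:
    alert_id: str
    raised: datetime                      # when the alert entered the work queue
    triaged: datetime                     # when an analyst first acted on it
    true_positive: bool                   # analyst verdict after investigation
    contained: Optional[datetime] = None  # set only for confirmed incidents


def _alert(alert_id, raised, triaged, true_positive, contained=None):
    """Build an Alert from ISO-8601 strings (helper for the sample data)."""
    return Alert(alert_id, datetime.fromisoformat(raised),
                 datetime.fromisoformat(triaged), true_positive,
                 datetime.fromisoformat(contained) if contained else None)


# Constructed sample data: a period before a detection-tuning effort, and after.
BEFORE: List[Alert] = [
    _alert("A1", "2018-09-03T09:00", "2018-09-03T09:45", False),
    _alert("A2", "2018-09-03T10:00", "2018-09-03T11:30", True, "2018-09-03T15:00"),
    _alert("A3", "2018-09-04T08:00", "2018-09-04T08:20", False),
    _alert("A4", "2018-09-04T14:00", "2018-09-04T15:00", False),
    _alert("A5", "2018-09-05T09:00", "2018-09-05T11:00", True, "2018-09-05T17:00"),
    _alert("A6", "2018-09-06T13:00", "2018-09-06T13:30", False),
]
AFTER: List[Alert] = [
    _alert("B1", "2018-10-08T09:00", "2018-10-08T09:10", True, "2018-10-08T10:30"),
    _alert("B2", "2018-10-08T11:00", "2018-10-08T11:25", False),
    _alert("B3", "2018-10-09T08:00", "2018-10-09T08:15", True, "2018-10-09T09:45"),
    _alert("B4", "2018-10-10T14:00", "2018-10-10T14:40", True, "2018-10-10T18:00"),
    _alert("B5", "2018-10-11T09:00", "2018-10-11T09:20", False),
]


def _minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60.0


def alert_fidelity(alerts: List[Alert]) -> Optional[float]:
    """Share of alerts that were real: a proxy for the quality of the queue."""
    if not alerts:
        return None
    return sum(1 for a in alerts if a.true_positive) / len(alerts)


def median_minutes_to_triage(alerts: List[Alert]) -> Optional[float]:
    """Median wait between an alert firing and an analyst acting on it."""
    if not alerts:
        return None
    return median(_minutes(a.raised, a.triaged) for a in alerts)


def median_minutes_to_contain(alerts: List[Alert]) -> Optional[float]:
    """Median alert-to-containment time over confirmed incidents only.
    None (not 0) when the period had no contained incidents, so 'no data'
    is never mistaken for 'instant containment'."""
    durations = [_minutes(a.raised, a.contained)
                 for a in alerts if a.true_positive and a.contained is not None]
    return median(durations) if durations else None


def heartbeat_report(alerts: List[Alert]) -> Dict[str, Optional[float]]:
    return {"fidelity": alert_fidelity(alerts),
            "triage_minutes": median_minutes_to_triage(alerts),
            "contain_minutes": median_minutes_to_contain(alerts)}


# Direction each metric should move, and assumed goals for this program.
HIGHER_IS_BETTER = {"fidelity": True, "triage_minutes": False, "contain_minutes": False}
TARGETS = {"fidelity": 0.5, "triage_minutes": 30.0, "contain_minutes": 60.0}


def assess_progress(before: List[Alert], after: List[Alert],
                    targets: Dict[str, float] = TARGETS) -> Dict[str, Dict[str, Optional[bool]]]:
    """Per metric: did the new period improve on the old one, and does it
    already meet the target? None means insufficient data to judge."""
    old, new = heartbeat_report(before), heartbeat_report(after)
    result = {}
    for name, higher_better in HIGHER_IS_BETTER.items():
        o, n = old[name], new[name]
        if o is None or n is None:
            result[name] = {"improved": None, "meets_target": None}
            continue
        improved = n > o if higher_better else n < o
        meets = n >= targets[name] if higher_better else n <= targets[name]
        result[name] = {"improved": improved, "meets_target": meets}
    return result


if __name__ == "__main__":
    for metric, verdict in assess_progress(BEFORE, AFTER).items():
        print(f"{metric:16s} improved={verdict['improved']} meets_target={verdict['meets_target']}")
```

On the sample data every metric moves in the right direction, but containment time has not yet reached its target: that is the "improving, give it time" signal the paragraph describes, and the report distinguishes it from a period with no confirmed incidents, where the containment metric is reported as unknown rather than as zero.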

Check the diagnosis: Risks and threats develop and evolve over time. The environment within the enterprise changes continually. Technology changes constantly. These and other changes mean that a diagnosis that was right some time ago may no longer be the right diagnosis. It's important for a security organization to continually evaluate the circumstances and conditions it finds itself in and verify that a given diagnosis is still the correct one.


Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-1848
PUBLISHED: 2018-12-14
IBM Business Automation Workflow 18.0.0.0 and 18.0.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force...
CVE-2018-1977
PUBLISHED: 2018-12-14
IBM DB2 for Linux, UNIX and Windows 11.1 (includes DB2 Connect Server) contains a denial of service vulnerability. A remote, authenticated DB2 user could exploit this vulnerability by issuing a specially-crafted SELECT statement with TRUNCATE function. IBM X-Force ID: 154032.
CVE-2018-18006
PUBLISHED: 2018-12-14
Hardcoded credentials in the Ricoh myPrint application 2.9.2.4 for Windows and 2.2.7 for Android give access to any externally disclosed myPrint WSDL API, as demonstrated by discovering API secrets of related Google cloud printers, encrypted passwords of mail servers, and names of printed files.
CVE-2018-18984
PUBLISHED: 2018-12-14
Medtronic CareLink 2090 Programmer CareLink 9790 Programmer 29901 Encore Programmer, all versions, The affected products do not encrypt or do not sufficiently encrypt the following sensitive information while at rest PII and PHI.
CVE-2018-19003
PUBLISHED: 2018-12-14
GE Mark VIe, EX2100e, EX2100e_Reg, and LS2100e Versions 03.03.28C to 05.02.04C, EX2100e All versions prior to v04.09.00C, EX2100e_Reg All versions prior to v04.09.00C, and LS2100e All versions prior to v04.09.00C The affected versions of the application have a path traversal vulnerability that fails...