1/31/2019
Andy Singer
Commentary

For a Super Security Playbook, Take a Page from Football

Four key questions to consider as you plan out your next winning security strategy.

The Big Game is just days away. Whether it’s the Patriots or Rams who win the Super Bowl, we know for sure that the end of the season brings with it a period of turnover and uncertainty - feelings familiar to many of us in cybersecurity.

After trophies and parades, bloggers and talk radio turn to a favorite staple: forecasting which teams' assistants will earn head coaching jobs based on the perceived power of their playbooks. This parallels playbook buzz in security, in which a host of community voices are touting playbook-style approaches to security challenges, from expediting repetitive tasks to identifying malware to simulating attackers. Playbooks appeal to the emotional needs of anyone facing high-stakes, must-win scenarios, whether in a stadium or a security operations center (SOC). It is only natural to seek an edge by studying someone's winning formula.

Yet history is full of coaches taking a winning scheme to a new city, where their vaunted playbooks fall short because of different talent, timelines, and owner idiosyncrasies. The same applies to security leaders. So how can you avoid that outcome? Here are four key questions to ask as you study your playbook options.

1. What Does Your Organization Look Like?
Playbooks are supposed to create mismatches - but not in locker rooms and team meetings. Many a coaching guru finds it hard to align trainers, scouts, general managers, and players around a strategy.

However, there are no "rebuilding years" in cybersecurity. Every new tool or formula you introduce has to make a positive difference from Day One. Make sure any playbook approach you are signing up for pairs well with your team, as well as with your executive sponsors' culture and timetable. What are the stakes? If you just received the resources to pick up MITRE ATT&CK and tinker with a few offensive exercises, the blowback risk is very different from swapping out part of your production security stack. Make sure you are on the same frequency as the "owners" so that everyone can be upfront about purpose, needs, and benefits.

2. Is It Your Playbooks - or the Play-Calling?
The entire premise of a playbook's value is the idea that a valid body of experience and community - coaches, athletes, or security experts - found that "in situation [X], action [Y] is usually the most productive option." On the gridiron, it could be a designated quarterback run out of a four-receiver set to fool the defense. On a network, it could be rapidly initiating processes to find and contain files meeting a range of attributes before a payload detonates. But how do you know which play to call and when?

Coaches rely on sideline or press box views to compare what their eyes see with options on a clipboard. In the SOC, the field of action is defined by the complex plumbing of layered security products’ consoles, threat intelligence feeds, SIEM dashboards, and other monitors. Hiccups and misalignment in this plumbing prevent security coaches from knowing the true "down and distance," offsetting any playbook's value. Before replacing your plays, make sure you are calling the game with clear eyes and ears.

3. What Do Position Coaches and Players Think?
The best coaches adapt systems to fit their players' unique mix of skills and experience. The same is true in cybersecurity. When you go all-in on a new playbook, you are bound to introduce new roles and assignments. Staff will have to shift how they spend their time, get trained on new tools, or become comfortable handing some of their work over to software. Seek out the players and coaches on your team who will tackle these changes head-on.

In football, certain plays are routine, such as a running play meant to gain a few yards. Many plays in security are routine, too, like updating rulesets and filters; the outcome of the game does not hang on them. Conversely, just as a blocked punt or a kickoff return for a touchdown can change the whole complexion of a game, as the cliché goes, SOC teams need to make sure new wrinkles like automation and playbook twists do not trip up the most important things to execute when they matter most.

4. What Do the Numbers Say?
In the metrics-driven sports world, scoreboards are all that matter. If a newly installed offense coincides with a spectacular season, fans thank the playbook before wondering whether fewer injuries or rival teams' down years made the difference.

Unfortunately, there are no universal closing whistles or scoreboards in the art and science of cyber risk. Wins and losses are subjective labels handed out according to organizations' different risk tolerances, assets, and industries. Security leaders have to crunch the numbers necessary to give boardroom and C-suite decision-makers both skybox and sideline views of the game. Before you swap out playbook code or approaches, consider how they affect the data you must or want to collect and compare.

Vital numbers can take many forms. Consider immediate hard figures, like the rate of incidents detected and investigated and the time to remediation, but press for a sense of incident responders' time and stress levels as well. The two need to correlate. If a playbook seems to be crushing the numbers but the team still feels overwhelmed, or is unsure whether the new actions are getting to the root cause of issues, you may not have the metrics needed to back up your coaching decisions, and you will still need to press the playbook developers for improvements.
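To make the "hard figures versus team reality" comparison concrete, here is an added example (not code from the article or from the author's company) that scores incidents handled under an old and a new playbook side by side. The incident record fields, the one-hour triage SLA, and the eight sample incidents are all constructed for this illustration; in practice they would come from your ticketing or SOAR platform. It computes mean time to triage and to remediate and the SLA hit rate, then flags the mismatch the text warns about: headline numbers improving while responder hours go up or root cause is reached less often.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


# Hypothetical incident record. Field names are assumptions for this example,
# not a schema from the article or from any product.
@dataclass(frozen=True)
class Incident:
    playbook: str          # which playbook handled it: "legacy" or "new"
    opened: datetime       # first alert fired
    triaged: datetime      # an analyst started investigating
    closed: datetime       # remediation confirmed
    analyst_hours: float   # hands-on responder time logged on the ticket
    root_cause_found: bool # did the investigation reach root cause?


def _hours(start, end):
    """Elapsed time between two timestamps, in hours."""
    return (end - start).total_seconds() / 3600.0


def scoreboard(incidents, triage_sla_hours=1.0):
    """Hard figures for one playbook (time to triage, time to remediate, SLA hit
    rate) plus the softer signals the text asks for: responder hours and root-cause rate."""
    if not incidents:
        raise ValueError("no incidents to score")
    tta = [_hours(i.opened, i.triaged) for i in incidents]
    ttr = [_hours(i.opened, i.closed) for i in incidents]
    return {
        "count": len(incidents),
        "mean_time_to_triage_h": mean(tta),
        "mean_time_to_remediate_h": mean(ttr),
        "triaged_within_sla": sum(t <= triage_sla_hours for t in tta) / len(incidents),
        "mean_analyst_hours": mean(i.analyst_hours for i in incidents),
        "root_cause_rate": sum(i.root_cause_found for i in incidents) / len(incidents),
    }


def compare_playbooks(incidents, before="legacy", after="new"):
    """Score both playbooks and flag the cases where the numbers look good
    but the team's load or root-cause work is getting worse."""
    b = scoreboard([i for i in incidents if i.playbook == before])
    a = scoreboard([i for i in incidents if i.playbook == after])
    warnings = []
    faster = a["mean_time_to_remediate_h"] < b["mean_time_to_remediate_h"]
    if faster and a["mean_analyst_hours"] > b["mean_analyst_hours"]:
        warnings.append("remediation is faster, but responders log more hours per incident")
    if a["root_cause_rate"] < b["root_cause_rate"]:
        warnings.append("root cause is reached less often; actions may be treating symptoms")
    return {"before": b, "after": a, "warnings": warnings}


def _inc(playbook, opened_h, triaged_h, closed_h, analyst_hours, root_cause):
    """Build a constructed incident from hour offsets off a fixed base time."""
    base = datetime(2019, 1, 31)
    return Incident(playbook, base + timedelta(hours=opened_h),
                    base + timedelta(hours=triaged_h), base + timedelta(hours=closed_h),
                    analyst_hours, root_cause)


# Constructed sample data: the new playbook triages and closes faster, but the
# team spends more hands-on time per incident and finds root cause less often.
SAMPLE_INCIDENTS = [
    _inc("legacy", 0, 2, 10, 6.0, True),
    _inc("legacy", 24, 28, 40, 8.0, True),
    _inc("legacy", 48, 49, 54, 3.0, False),
    _inc("legacy", 72, 75, 84, 5.0, True),
    _inc("new", 0, 0.5, 4, 5.0, True),
    _inc("new", 24, 24.5, 30, 7.0, False),
    _inc("new", 48, 49, 52, 6.0, False),
    _inc("new", 72, 72.5, 78, 6.0, True),
]


if __name__ == "__main__":
    result = compare_playbooks(SAMPLE_INCIDENTS)
    for label in ("before", "after"):
        print(label, {k: round(v, 3) for k, v in result[label].items()})
    for w in result["warnings"]:
        print("WARNING:", w)
```

On the sample data, mean time to remediate drops from 11 hours to 5 and every new-playbook incident is triaged within the SLA, yet both warnings fire: analyst hours per incident rise from 5.5 to 6.0 and the root-cause rate falls from 75% to 50%. That is exactly the situation in which the scoreboard alone would mislead the boardroom.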

Winning Strategy
In sports and cybersecurity, change management is the true test of champions. Players get hurt, free agency steals veterans, and opponents get stronger. In every organization, shifts in the business, IT fabrics, and third-party risks constantly send us back to the whiteboard. Accept that no playbook can replace leadership, bypass all constraints, or anticipate the fundamentally unthinkable.

I am optimistic about playbooks these days. Many of us in security were drawing our own plays up in the dirt years ago, comparatively speaking, so the advent of engaged collaboration and communities distilling new security workflows is a good thing. But we need to keep any playbook in perspective. Focus on what improves your day-to-day outcomes, but be careful of falling into a near-sighted obsession with tactics in a game where alignment and organization are the variables between you and success.

Andy Singer is a security industry veteran, with more than 20 years of experience igniting growth, bringing products to market, and entering new markets while also developing strong customer relationships. Prior to joining enSilo, Andy held global marketing leadership roles ...

Comments
Bou283,
User Rank: Apprentice
1/31/2019 | 11:14:36 PM
Reasonable parallel
I agree.

Attackers are very innovative indeed in several aspects.

We need to reconsider the situation on a daily basis and be more innovative too.

Great article, Thanks