1/12/2017
10:30 AM
Joshua Goldfarb
Commentary
Crowdsourcing 20 Answers To Security Ops & IR Questions

"Those who know do not speak. Those who speak do not know." Why it pays to take a hard look at our own incident response functions and operations.

Recently, I was invited to present to a group of people interested in learning more about security operations and incident response - or so I thought. I’m sure you can imagine my surprise when I encountered a group of people who continuously interrupted and even spoke among themselves while I was presenting. Now, I am quite used to, and in fact, encourage questions mid-talk. But this was different. These were not respectful interruptions to ask questions or make clarifying points. Rather, this group seemed intent on continuously telling me that they already knew everything.

Of course, there are many approaches to security operations and incident response that differ from the approach I encourage. But what became apparent to me in this particular room over the course of the hour was that nearly ALL of the people from various organizations in the room had absolutely NO approach to security operations and incident response whatsoever. I was able to assess this by asking a number of different questions throughout the talk. And, as is my style, I tried to take a lesson from this experience.

Image Credit: By DuMont Television/Rosen Studios, New York (photographer). Uploaded by We hope at en.wikipedia (eBay item, photo front, photo back) [Public domain], via Wikimedia Commons.

Although most of the organizations I work with don’t come anywhere near this extreme view of totally unjustified overconfidence, the experience inspired me to write today’s column: 20 questions we, as security professionals, should ask ourselves about our respective security operations and incident response functions. Let’s get started:

1.  What is our vision?  Do we understand the big picture of where we are trying to bring our security program?

2.  Have we taken a formal approach to risk assessment?  Security is, after all, about managing, minimizing, and mitigating risk.  If we do not approach this task formally and strategically, it is difficult to see how we will be able to complete it properly.

3.  What inputs have we collected for our risk assessment?  Have we spoken with the board, executives, customers, partners, and other stakeholders?

4.  Are we knowledgeable regarding the threat landscape we face?  Each organization faces unique risks and threats. Reliable, high quality intelligence can help us better understand the landscape we face.

5.  Have we properly prioritized the risks and threats we face?  No organization has infinite budget, time, and resources. Thus, tackling challenges in priority order becomes critical to successfully maturing.

6.  Have we taken the time to develop precise, targeted, and incisive logic to identify activity and behavior that may indicate exposure to one or more of the risks we’ve prioritized previously?

7.  Are we keeping our signal-to-noise ratio in check?  Have we made sure to keep the signal (true positives) high and the noise (false positives) low in order to generate a reasonable alert volume that the organization can work with on a daily basis?

8.  Have we concentrated all of our eventing and alerting into a single work queue?  It is extremely difficult to manage an organization working out of multiple different work queues.

9.  Do we have mature processes and procedures in place?  Each alert can be looked upon as a jumping off point into an investigative workflow.  The end result of this workflow is a decision point: whether or not incident response is required.  As such, it is imperative that the investigative workflow for each alert type is well documented and understood.

10.  Have we adequately trained our team?  No matter how good an organization’s processes and technology are, its people need to understand what they need to be doing and why they need to be doing it.

11.  Do we have integrated case management?  I once worked for someone who would often remark, “If it isn’t written down, it didn’t happen.”  This is so true, particularly in the security realm where we are constantly expected to show what results we have produced with the budget we have been allocated.

12.  Have we reduced or eliminated blind spots? Lack of visibility is the enemy of security operations. Ensuring visibility across network, endpoint (including mobile), applications (whether on-premises or hosted), and cloud infrastructure is critical to providing the data needed to make educated security decisions.

13.  Are we set up for investigative success?  Any alerting needs to be enriched with important contextual data and supporting evidence before any educated decision can be made as to its true nature.  If people, process, and technology aren’t in place to facilitate the investigative process, it impedes the entire decision making process.

14.  Have we leveraged orchestration and automation where appropriate?  Can we save valuable human cycles by automating some or all parts of specific processes and procedures?

15.  Do we have a three-layered approach to detection?  Signature-based detection isn’t enough by itself, and neither is detonation-based (sandbox-based) detection.  We also need the analytics-based layer of detection that I’ve discussed in depth previously in this series.

16.  Have we remembered to allow for hunting?  No matter how good rules and logic are, they will only get us so far.  If we’ve optimized resources correctly, we can focus some analyst cycles on hunting for those bizarre behaviors and cryptic activities that will fly by even the most advanced detection mechanisms.

17.  Have we leveraged intelligence properly?  Proper context is critical to timely and informed decision making.  Some of that context comes from supporting evidence and telemetry data.  But some of it also comes from a broader understanding of who may be after me, what they may be after, and why they may be after me.

18.  Have we presented the narrative? Humans make decisions best when presented with a complete story, a painted picture, an assembled puzzle. Analysts perform best when presented with a narrative, rather than a lengthy queue of context-less alerting.

19.  Are we prepared?  What will happen when we need to perform a serious incident response?  Do we have all the necessary puzzle pieces put together in the right place?

20.  Are we continually learning? No matter how mature our security program is, there is always room for improvement. Take lessons learned each and every day and feed them back into the security operations and incident response function to strengthen it.

As the famous Chinese philosopher once said, “Those who know do not speak. Those who speak do not know.”  Of course, not all organizations represent the extreme that I encountered a few weeks ago.  Nonetheless, there is a lesson here that we can all benefit from.  It pays to take an earnest look at our own security operations and incident response functions.

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ...
Comments
garrytroomen, User Rank: Apprentice, 3/6/2017 | 6:00:23 AM
192.168.l.l
long sought clarification on this topic
Row3n, User Rank: Strategist, 1/16/2017 | 12:22:59 AM
Hi
I personally think that it's the newer generation who acts like this - so many of the strawberry generation have forgotten what it's like to have respect for someone in the know. It's better in the finance business where people are expected to be polite and respectful as a way of life, but in other cases... I don't have a good impression of the kids at all.