
Attacks/Breaches

5/13/2015 10:30 AM
Joshua Goldfarb
Commentary

Taking A Security Program From Zero To Hero

Breaking the enigma of InfoSec into smaller bites is a proven method for building up an organization's security capabilities. Here are six steps to get you started.

After many years as a niche profession, security has recently emerged as a mainstream one. Awareness is at an all-time high, and security is now a board-level discussion. With all this attention comes a very real problem for many organizations. The organization needs a mature security program, and they need it yesterday. But building and maturing a security program is a complex undertaking. How can organizations go from zero to hero in a minimal amount of time?

The problem is particularly challenging for smaller organizations that don't already have an established security program in place. To start, you'll need an understanding of a few pragmatic concepts and a bit of guidance to help make the security journey smoother. While not an exhaustive list, I have put together a few pointers that approach security as a business function. In my experience, it can be helpful to frame the topic in this manner, just as we would any other business function.

Step 1: Awareness
The first step toward a successful security program is the understanding that you need one. There is no shame in this – progress has to begin somewhere. Once the organization has resolved to stop treating security as an unapproachable enigma and to begin treating it pragmatically, the journey begins. Certainly there are many pitfalls along the way, but the resolve to focus on security is the first, and an important, step in the right direction.

Step 2: Vision
Any organizational journey needs to be driven in the right direction by a clear and concise vision. This security vision should not only be about what the organization seeks to accomplish, but also about how the organization will go about accomplishing that. The way to create that vision is to inform it methodically and scientifically. Begin with the risks and threats that the organization seeks to mitigate. Break those down further into goals and priorities to address on the road to mitigation. From those building blocks, a clear and concise vision can be assembled that encapsulates a strategic approach to security.

Step 3: People, process, and technology
People, process, and technology are the three pillars of a successful security program. These three pillars also form the means by which a security program is implemented. It's important to consider all three in tandem, as they are highly interdependent and interrelated.

People are an essential part of any security program. Recruiting and retention are strategic aspects of a security program that are not always initially obvious. The right people are essential, as they implement the vision and carry out day-to-day operations. In the security world especially, people are a scarce resource, and as such, it is important to use them wisely. How wisely we use our people depends heavily on the process and technology we have in place.

Process guides people in how to use technology to address the goals and priorities that the organization has set. Additionally, process demonstrates to our stakeholders that we are serious about security by providing a formally documented approach. A process also invites us to study it, thereby allowing us to assess where we have bottlenecks and otherwise inefficient uses of resources.

Technology enables and empowers people to execute the process. Technology should be acquired strategically so as to maximize the goals and priorities it helps to address, while minimizing the cost and complexity required to do so. Acquiring technology in a non-strategic manner, or via a checklist approach, can lead to unnecessary complexity and a data picture that isn't particularly well organized. Security is already a challenging enough discipline – no additional noise needs to be added.

Needless to say, the people, process, and technology required for a great security program can be difficult to implement, particularly for organizations with a limited time window. Consider working with a trusted partner to provide different pieces of the required people, process, and technology as best fits the organization’s strategy.

Step 4: Workflow
Once the security program is off the ground, focus shifts to workflow. The threat landscape is always changing, so it’s important that a security program never stop growing. Continue to adjust people, process, and technology as required to keep pace with changing risks. Make the best of the resources you have. Keep alert volumes to a reasonable level, and review every alert. Keep the signal-to-noise ratio high by populating the work queue with high-fidelity alerting specifically designed to address the organization’s goals and priorities while minimizing noise. Study the workflow continually to understand where improvements can be made and efficiencies can be introduced.

Step 5: Communication
Communication is the means by which metrics and other important information reach leadership on a regular basis. But communication serves another important purpose as well. Relationships with upstream providers, peer organizations, professional associations, partners, customers, legal, privacy, and other stakeholders are incredibly important. Having those relationships in place ahead of time helps ensure that when crunch time comes, the appropriate channels exist to disseminate, receive, and act upon information in a timely manner.

Step 6: Community
The knowledge of 100 organizations will always be greater than the knowledge of just one. Techniques, methodologies, and indicators of compromise (IOCs) are all great information that can be shared between organizations. Those who give the most generally receive the most, and building street cred for your organization is important. Sometimes, being remembered can mean the difference between getting timely intelligence and not getting that intelligence. True, community is a less tangible aspect of a security program, but it is what separates good security programs from great ones.

Though initially overwhelming, when approached strategically, security is something that every organization can incorporate into its business operations. Breaking the enigma of security down into smaller, solvable problems and challenges is a proven method for organizations needing to build up their security capabilities. No organization has to go it alone, as many in the information security community are here to help.

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ...

Comments
RetiredUser (User Rank: Ninja), 5/14/2015 | 2:17:03 AM
Step 7: Hackers, Crackers and Phreaks
Let's not forget Step 7 which could take your security group from zero to hero quicker than steps 1-6 (and no, this isn't part of Step 3 - this isn't about "people" in the organizational sense).

Depending on your data and how dire your need is to make sure your security is the tightest it can be, and remains that way, pulling in some underground talent to pick your organization apart can be invaluable. Nothing helps define the security of a site better than someone dissecting it and handing you the pieces.

I love hearing the old "We have a new security initiative underway. You may hear from some people looking for your input." Great. If I ever actually hear from them, I'll tell them to hire my friend "John Doe" who will do in two hours (identify at least 50 key vulnerabilities and propose fixes) what some "initiatives" take years to do.

Don't get me wrong, I'm old now and Common Criteria and its EALs and TOEs look pretty good to me these days. But Step 7 has to be the go-to sometimes, even if it winds up being off the books.
RyanSepe (User Rank: Ninja), 5/13/2015 | 1:38:39 PM
The Profit
Step 3 makes me feel like I'm on an episode of The Profit with people, process, and profit.

These are very good guidelines for trying to initiate a security program and even building upon a currently structured security program. You can look at these steps as a high-level process that can help to align an overall structure or a guideline towards implementing individual security protocols. For example, you can use these, from an organizational perspective, to implement DLP, etc.