
Operations

10/1/2018 10:30 AM
Joshua Goldfarb
Commentary

The Right Diagnosis: A Cybersecurity Perspective

A healthy body and a healthy security organization have a lot more in common than most people think.

As someone who is battling a chronic medical condition, I understand the importance of the right diagnosis. The right diagnosis along with modern medicine and the right attitude have helped me successfully battle multiple sclerosis for nearly a decade. Most people who meet me in person have no idea that I have MS, and I intend to keep it that way for a very long time.

So, why am I telling you this? And further, what do diagnosing and battling MS have to do with information security? I'd argue that we can learn an important lesson from my experiences: that just as the right diagnosis and the right treatment can go a long way toward treating medical issues, they also go a long way toward treating security problems.

No security program is perfect, but some need more attention than others. What are the checkpoints that will help organizations understand where their security programs are ailing, how to make the right diagnosis, and begin the proper treatment? Let me share a few of my thoughts.

Check brain function: Just as the brain controls how the body functions, the leadership of a security organization controls how that organization functions. When looking to evaluate and understand where a security program stands, one of the first diagnostics should be focused on leadership. Do security leaders have a clear vision? Do they have a solid strategy? Are they focused on the right goals and priorities? Do they have the right plan to make their strategy a reality? Do they have the ear of the executives, the board, and other stakeholders? Are they building the right team? These and other questions can help a security organization check its brain function and diagnose where it may be ailing.

Check the heartbeat: Security operations could be considered the central function of a security program, analogous to its heartbeat. Just as a healthy, regular heartbeat is critical to the health of the body, a healthy security operations program is critical to the health of a security organization. Is the security operations team properly trained? Do team members' tools support their mission? Do team members populate their work queue with reliable, high-fidelity, practical alerts? Do they detect and respond to incidents in a timely and efficient manner? Do they have the right processes and procedures in place?

Check blood flow: Security needs to make its way throughout the organization just as blood needs to make its way throughout the body. This requires the right message, practical guidance, and the proper relationships. When any of these are lacking, the security organization will have a difficult time working with the business to improve its security posture.

Check breathing function: Just as breathing brings oxygen to the body, fresh ideas and innovation bring oxygen to the security organization. When a security program stagnates and becomes stale, it begins to lose effectiveness. Risks and threats change with time. Attackers become more creative and sophisticated. Technologies change. Detection methods become outdated. All of this leaves the security organization increasingly unaware of what it needs to be concerned about, and the relevance of the information on which it relies becomes diluted. Without innovation to breathe new life into the security program, returns diminish and less and less risk is actually mitigated.

Check muscle function: Just as the muscles move different parts of the body and implement the will of the brain, the incident response function implements the will of the security team. When an event or incident occurs, incident response is the muscle that brings the organization back to an acceptable place from a risk perspective. The health of the incident response function is directly correlated with the health of the security program and its ability to mitigate risk. Does the incident response team have the visibility required to properly monitor the enterprise? Does it have the people, process, and technology to ensure success? Do team members have the required relationships within the organization to properly mitigate and remediate incidents that occur?

Check the extremities: Healthy extremities are an important part of a healthy body. In security, customers, vendors, partners, and other stakeholders are the extremities. It's easy to get caught up in the nearly endless list of internal security tasks awaiting the average security team. But considering the security of customers, vendors, partners, and other stakeholders is also an important part of a mature security program. Without considering the health of its extremities, the security organization will miss a number of ways in which risk can be introduced into the enterprise.

Get a second opinion: Sometimes even the most skilled medical professionals make the wrong diagnosis. Similarly, in security, sometimes even the most skilled security professionals make the wrong diagnosis. To ensure the right one, it can be helpful to work with a trusted colleague, a group of colleagues, or a partner. Don't just trust one diagnosis, particularly if it's your own. Take the time to get a second opinion.

Be patient: The right treatment based upon the right diagnosis may take time to have an effect. It's important to give a new or modified approach time before giving up on it. Designing meaningful metrics allows a security organization to continually assess its progress against its goals and priorities. This gives the security organization much needed data points for evaluating whether or not a given approach is on track to produce the desired results.

Check the diagnosis: Risks and threats develop and evolve over time. The environment within the enterprise changes continually. Technology changes constantly. These and other changes mean that a diagnosis that was right some time ago may no longer be the right diagnosis. It's important for a security organization to continually evaluate the circumstances and conditions it finds itself in and verify that a given diagnosis is still the correct one.


Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ...