The Right Diagnosis: A Cybersecurity PerspectiveA healthy body and a healthy security organization have a lot more in common than most people think.
As someone who is battling a chronic medical condition, I understand the importance of the right diagnosis. The right diagnosis along with modern medicine and the right attitude have helped me successfully battle multiple sclerosis for nearly a decade. Most people who meet me in person have no idea that I have MS, and I intend to keep it that way for a very long time.
So, why am I telling you this? And further, what do diagnosing and battling MS have to do with information security? I'd argue that we can learn an important lesson from my experiences: that just as the right diagnosis and the right treatment can go a long way toward treating medical issues, they also go a long way toward treating security problems.
No security program is perfect, but some need more attention than others. What are the checkpoints that will help organizations understand where their security programs are ailing, how to make the right diagnosis, and begin the proper treatment? Let me share a few of my thoughts.
Check brain function: Just as the brain controls how the body functions, the leadership of a security organization controls how that organization functions. When looking to evaluate and understand where a security program stands, one of the first diagnostics should be focused on leadership. Do security leaders have a clear vision? Do they have a solid strategy? Are they focused on the right goals and priorities? Do they have the right plan to make their strategy a reality? Do they have the ear of the executives, the board, and other stakeholders? Are they building the right team? These and other questions can help a security organization check its brain function and diagnose where it may be ailing.
Check the heartbeat: Security operations could be considered the central function of a security program, analogous to its heartbeat. Just as a healthy, regular heartbeat is critical to the health of the body, a healthy security operations program is critical to the health of a security organization. Is the security operations team properly trained? Do team members' tools support their mission? Do team members populate their work queue with reliable, high-fidelity, practical alerts? Do they detect and respond to incidents in a timely and efficient manner? Do they have the right processes and procedures in place?
Check blood flow: Security needs to make its way throughout the organization just as blood needs to make its way throughout the body. This requires the right message, practical guidance, and the proper relationships. When any of these are lacking, the security organization will have a difficult time working with the business to improve its security posture.
Check breathing function: Just as breathing brings oxygen to the body, fresh ideas and innovation bring oxygen to the security organization. When a security program stagnates and becomes stale, it begins to lose effectiveness. Risks and threats change with time. Attackers become more creative and sophisticated. Technologies change. Detection methods become outdated. All of this results in the security organization becoming increasingly unaware of what it needs to be concerned about. The relevance of the information on which it relies becomes diluted. Without innovation to breathe new life into the security program, returns will diminish. Increasingly less risk will be mitigated.
Check muscle function: Just as the muscles move different parts of the body and implement the will of the brain, the incident response function implements the will of the security team. In the event of an event or incident, incident response is the muscle that brings the organization back to an acceptable place from a risk perspective. Ensuring that the incident response function is healthy is directly correlated with ensuring that the security program is healthy and properly able to mitigate risk. Does the incident response team have the visibility required to properly monitor the enterprise? Does it have the people, process, and technology to ensure success? Do team members have the required relationships within the organization to properly mitigate and remediate incidents that occur?
Check the extremities: Healthy extremities are an important part of a healthy body. In security, customers, vendors, partners, and other stakeholders are the extremities. It's easy to get caught up in the nearly endless list of internal security tasks awaiting the average security team. But considering the security of customers, vendors, partners, and other stakeholders is also an important part of a mature security program. Without considering the health of its extremities, the security organization will miss a number of ways in which risk can be introduced into the enterprise.
Get a second opinion: Sometimes even the most skilled medical professionals make the wrong diagnosis. Similarly, in security, sometimes even the most skilled security professionals make the wrong diagnosis. To ensure the right one, it can be helpful to work with a trusted colleague, a group of colleagues, or a partner. Don't just trust one diagnosis, particularly if it's your own. Take the time to get a second opinion.
Be patient: The right treatment based upon the right diagnosis may take time to have an effect. It's important to give a new or modified approach time before giving up on it. Designing meaningful metrics allows a security organization to continually assess its progress against its goals and priorities. This gives the security organization much needed data points for evaluating whether or not a given approach is on track to produce the desired results.
Check the diagnosis: Risks and threats develop and evolve over time. The environment within the enterprise changes continually. Technology changes constantly. These and other changes mean that a diagnosis that was right some time ago may no longer be the right diagnosis. It's important for a security organization to continually evaluate the circumstances and conditions it finds itself in and verify that a given diagnosis is still the correct one.
Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.
Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to ... View Full Bio