4 STEPS TO MATURING SECURITY OPERATIONS: PART 2
Note: This is the second of a two-part blog series
In my last post, I described how today, not having enough security measures and not maturing them to meet the latest threat landscape is not a choice anymore. It is no longer a case of “if” a breach could happen. It’s now about how can I make it difficult for the hacker, and “when” it happens, how ready am I to detect & respond.
I then went on to outline the first two steps:
- implementing preventive security controls
- and implementing monitoring controls
With those as our foundation, we’ve already built a more robust security environment and we’re now ready to move on to the next steps:
Step 3: Implement Incident Response Plans
So now that you have adequate preventive security controls & you are monitoring your environment, it’s time to move further. As mentioned at the start of this write-up, no matter how many security measures are in place, it may never be enough to stop an extremely motivated hacker. Hence, it’s important that we have incident response plans which can be invoked during a breach, thereby limiting the time of exposure due to the breach.
To emphasize on my point, I would like to use below mentioned data from Trustwave Global Security Report 2016. The image below compares the number of days taken from intrusion to its containment. Although we can see a downward trend, but we still have 60+ days taken to contain the incident, which means, organizations are exposed for this period.
Source: Trustwave Global Security Report 2016
Some incident response plans may merely be created on a word document and expected to be followed during breaches. It’s a good start, however, I recommend using security incident response tools which can be used by an SOC analyst guiding them through the entire process of incident handling. This will ensure all aspects of security incident handling are covered.
To further enhance incident response capability, organizations should look at orchestration of actions required to contain or mitigate the impact of security breaches.
Step 4: Implement Predictive Controls
Once the organization has successfully implemented & maintained all the previous stages, the next step is to start predicting breaches before they actually occur. As you would guess, it’s never easy to predict something which has not happened yet, however, assuming if previous stages have been well implemented, you can utilize them for this stage.
Predicting attacks will require multiple aspects:
Baseline- Ensure you have baseline data for your environment. You may call it peace time learning and any changes to the baseline could possibly act as an early warning for a possible breach. Some SIEM solution, help you create this baseline data.
Threat Hunting- Partially related to the previous point, you, or your MSSP, could have threat hunting as one of the capabilities where analyst hunt for threats in your environment. In some case, this could be post breach while in others, you could pick it up during the early stages.
Intelligence from Dark Web- In order to explain this point, I will draw an analogy to the intelligence that countries uses to predict any planned terrorist activities that might occur against them. They have informers, and so too, companies can subscribe to services from companies who have presence and / or harvest the dark web. This information could include planned attacks / campaigns on specific industry, region or company. This information can be utilized to know if you / your sector is being targeting and will thus enable you to be ready for it in advance!
As I mentioned earlier. Each of these stages requires regular review to ensure they are fit for purpose and that the most relevant level of controls exist!
Majid Khan, MSS Architect at Help AG