We have a problem in the security community – or maybe within the modern information age of humanity in general. That problem is we see security as a technology, policy, privacy or people issue, instead of an integrated combination thereof. However, despite standards, laws, best practices, lessons learned and new technology we continue to practice defense-in-depth wrong.
We still treat security as an IT problem. We still treat risk and compliance as a paperwork exercise. We lack lack the implementation of a true security culture throughout all members of an organization. We continue to believe IDS, SIEM and anti-virus is enough. And we still think the audit, compliance and operational center tiered help desk approaches are all true defense-in-depth, especially while operating each in the same old silo culture apparatus.
If we truly want to improve security today, we need to take some steps to improve how people see, define and handle these security issues.
This is not an exhaustive list but in my experiences, here are some items we can change immediately to improve our layered defense strategy:
1. Create the Role of the CSRO
The Chief Security and Risk Officer (CSRO) should be created and answer directly to the CEO, Board of Directors, and political appointees etc., as the organization’s Chief independent voice for all security and risk issues.
This would include emergency, life safety and physical security issues, privacy issues, and cybersecurity issues. The traditional CISO, CSO, deputy CIO or security director is not working for the current landscape. This role should not be subordinate to CFO, COO, CIO and CTO but should replace CISO, CSO, CRO, etc.
2. Establish the CSRO Team
We should create an authoritative cross-functional team led by the CSRO and/or his/her deputy that is the sole authoritative body on all security and risk issue decisions, response coordination, accountability, leadership and policy enforcement for the organization.
This team should meet at least weekly. It should also have a well-defined charter with each member having voting power on the team and be given its authority in writing from the highest ranking official within the organization itself. This team must and should consist of the following type of membership of subject matter experts (SME) at a minimum:
- Senior IT security SMEs.
- Senior Legal counsel rep.
- Senior Privacy Officer.
- Senior HR rep.
- Senior audit and financial rep from the CFO/COO part of the organization.
- Senior Physical Security and Life safety manager/SME.
- Senior Program/Project Manager and Operations Management rep.
- Senior Technical Engineers.
- Applicable business area/data/information/system owners as needed.
- Key external partners, suppliers and customer stakeholders as needed.
3. Take On An Active Defense Strategy
The overall strategy must include an offensive element in the form of active defense. This does not mean that the organization needs to outright attack those they believe targeted them. However, it does mean that Honeypots, non-malicious droppers and other methods to study attackers, obtain creditable attribution and increased deterrence or derailment of adversarial efforts is possible and should be used. Moreover, outright attacking should be left up to those with the existing jurisdiction to do so in the kinetic or physical world today such as military, intelligence and law enforcement.
4. Practice Defense-in-Depth
All layers of the OSI model, as well as the human layer, must be covered in the defense-in-depth approach of the organization.
For example, Network IDS and IPS, web content filtering, Web application firewalls, malware analyzer tools, vulnerability analyzer tools, host level IPS with DLP, eDiscovery & forensics tools, decryption and encryption at rest, as well as in transit tools, Lojack tools, SIEM and machine data mining tools etcetera must all be stacked and layered from the Application Layer all the way down to the physical layer of protection. Mobile application and data security, Cloud security with sound SLAs and Wireless protection should also be included.
5. Account for Adjustment
Evolving baseline with daily, weekly and monthly adjustments will be needed. Study the LDAP, SNMP, DNS, HTTP and other traffic occurring within your networks on a regularly used basis. Watch Admin account behavior and know your access control practices, not just the policy on paper. Additionally, establish a request process and change control for business units requiring or requesting various types of software.
Ensure security testing, evaluation and analysis, as well as testing and locking down the host images deployed on assets across the organization to prevent users from installing software that they are unauthorized to install. It is far easier to target behavior that is not usual for your specific organization than it is to take an ITIL trouble ticket approach to every single IDS/IPS and SIEM alert that pops up on the dashboard.
In fact, it is a far better approach to security than wasting your resources chasing alerts and generating trouble ticket metrics rather than putting all of your resources into learning the dynamic behavior of the organization itself.
6. Leverage Whitelisting and Blacklisting
This goes along with baselining but also requires active global malware analysis. It requires studying indicators of compromise, threat intelligence and incident after action reports from many organizations, not just your own. Then you must apply them to your organization’s evolving daily, weekly, biweekly and monthly baseline.
7. Build a Vulnerability Management and Patch Management Program
Break out all segments of the network – all hardware and software and user groups – into a daily, weekly, biweekly and/or monthly schedule, so that at least every 90 days all segments will have been patched and scanned for the latest vulnerabilities at least once.
Build a point of contact list for each segment to hold accountable for mitigating discovered vulnerabilities and out-of-date patches. This will at least create a collaborative culture of testing and developing mitigations as the norm, instead of just for compliance exercises or audits etcetera.
8. Create a Collaborative Working Environment
Leverage online and virtual penetration testing, malware analysis and forensic tools, websites, labs etc. in the office as the norm, not the exception. Create weekly ways for your teams to cross-train in different areas.
Create an organizational team that participates in global competitions, as well as internal organizational competitions of attack and defend. Create internal wikis and training sessions that allow peers to tutor each other on a weekly- and monthly-basis.
This enables your existing workforce to continue training even when the budget is not supportive of flying off to conferences and formal training. The best teams are collaborative with each other and continuously cross-trained as a culture. This is especially important in large organizations with dispersed teams and various duties split across various sections of the organization. Keep the culture collaborative as the norm, not just for an audit or an incident.
9. Allow Opportunities for Growth and Success
Leadership experiences, training and position rotations of primary and secondary duties are often great for the individual, and will pay off dividends for the organization long-term. This applies the same as number eight above, but in this case, do the same for the non-technical cross training culture needs. This will further allow your technical and non-technical folks to cross-train in other primary and secondary duty areas to acquire new skill sets. It further creates a collaborative culture of respect, cross pollination and regular communication.
10. Develop a Culture of Vigilance
Lastly, even if you think all is well, engage an outsider to assess, penetrate and audit your organization both kinetically and via cyber at least twice a year, so that your organization will continue to develop a prepared and proactive culture, from the janitor up to the heads of the organization and their staff.
About the Author: Isiah Jones is a cybersecurity consultant, researcher and life learner that has been interested in and learning IT since 2004 and Cybersecurity since 2010. Also a former Federal/Navy Civil Service Cyber/IA and IT specialist with a variety of experiences such as Systems Analyst, Enterprise Resource Planning (ERP) SAP analyst, DON Lean Six Sigma Greenbelt analyst, Cybersecurity/Information Assurance Host Based Security System (HBSS) Analyst and an Information Assurance Officer (IAO)/Information Systems Security Officer (ISSO).
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. If you are interesting in contributing to The State of Security, contact us here.