Security Intelligence for the Enterprise - Part 3

Sunday, January 12, 2014

Rafal Los


As promised, this is the 3rd installment of my Security Intelligence for the Enterprise post where I’ll drop some of the things that I find useful for clients looking to adopt a less “on your heels” security stance in the cyber realm.

 

I’ve already explained my position on what Security Intelligence is and why it’s different from Threat Intelligence, so I won’t revisit that … you can read part 1 and part 2 respectively if you want more background.

 

Planning

 

Before you dive into this campaign (and it is just that, a campaign), you’ll need to spend some time understanding what it is you want to accomplish. I suggest defining and setting your own goals, since other people’s goals are not likely to align with your business strategy, budget, or resource constraints.

 

If you’re going to mobilize for a new function, or maybe you’re restarting a not-so-successful program from another time, you have to set goals and understand direction. Security Intelligence is a holistic thing, so you have to approach it as such. First ask yourself “What is lacking in our business-aligned security program?” If your security program is yet to be business-aligned, start there and come back to Security Intelligence only after you’ve got appropriately tight business alignment.

 

Remember, ultimately you’re hoping that your Security Intelligence program helps you answer security-related questions faster and with greater certainty. It’s a way to learn from the past, analyze in the present and be more risk-averse in the future.

 

Capacity is a big issue

 

One of the first things I advise my clients to do is take a look at their existing security program and assess whether they have the human resources and capital to take on such an endeavor. If your staffers are pulling 50-plus-hour weeks and are overworked already, you’re not going to have the ability to start a Security Intelligence program. Unless, that is, you drop one of your existing program elements or consolidate/repurpose. That’s actually quite common. And since I know you’re going to ask which program element most commonly disappears as a standalone function, I may as well tell you that it’s the TVM (Threat and Vulnerability Management) piece. TVM nicely matures into Security Intelligence, if done properly. I will attempt to cover the metamorphosis from TVM to SecIntel in a future post; hopefully it won’t take as long to publish as this one did.

 

Once you’ve lined up your goals and done due diligence on resource checking, you’re ready to begin the actual planning. Although it’s not the stylish thing to do these days, the Security Intelligence programs I build for clients start from the inside and work outward. This means you’re not going to be reverse-engineering malware and signing up for a pricey threat intel feed just yet. Security Intelligence inside-out means you’re temporarily converting at least a few of your vulnerability analysts (depending on company size) into business analysts. Look internally into your organization and start by going over some of your old Root Cause Analyses (RCAs) from incidents you’ve experienced. Find the trouble spots, from both a technical and business perspective, and focus on those. If you’ve never had an incident, or don’t have anything major to work with, look at the various aspects of how security interacts with the operation of the business and ask yourself what things are causing the most friction.

 

Now you’re on the right track to better protecting the business by having the correct information, at the right time, with the level of certainty you need. Certainty is crucial here: you can’t make decisions (such as preventing a project from going live) with partial data, or with information you don’t have a high degree of confidence in.

 

At this stage you’ve also planned in the externalities that will be implemented later as part of the holistic approach. Hacker group profiles, TTPs, external feeds of raw data, and timely research are all part of your master plan, each with specific value and specific payback for your program.

 

Basically, ask yourself the question: “How does this widget/thing help me meet the operational goals of security for this enterprise?” Be ready to justify these items to yourself, your team, and your management.

 

Execute the plan

 

Now that your plan is looking good and has been signed off appropriately, it’s time to execute. I recommend that organizations seeking to adopt a more holistic approach using security intelligence start slow, with their existing TVM program. Modify your current TVM program as much as you can to suit the purpose of decision making … now with added business context.

 

Track the changes you’re making, the issues you’ve encountered and the gains you feel you’ve made along the way. This will help you to claim success at some point, without any uncertainty. I advocate that CISOs hire on (at least temporarily) a project manager to assist with keeping things on an even keel. Security programs, including Security Intelligence, are prone to scope and project creep more than other things, I fear. I’m not sure why that is.

 

Don’t be afraid to test and fail. For example, one of my clients got ambitious and added web app server logs in full debug mode to their Security Intelligence platform, and quickly realized that while they were getting some amazing data, the systems they had in place for analysis and storage were being overwhelmed. They failed, but it only took a week, and they were able to work with their Operations organization to pare down the data volume while still receiving useful information they could process in a reasonable amount of time to make business-saving decisions. That’s pretty cool.

 

Measure it

 

By now, you’re aware of my addiction to measuring your gains/losses. Security Intelligence is no different, honestly. You’re investing, potentially quite heavily, in a new function to help your business be more agile in its security decision-making. If you can’t tell me how much more efficient or intelligent your organization has become as a result of implementing your key items, you haven’t accomplished anything in my book.

In fact, I spend so much time on definition, collection and analysis of data for provability of effectiveness that I make it a centerpiece of the program.

 

My SecIntel strategy has a placeholder for developing KPIs based on the decisions you’re hoping to make faster or more effectively in relation to some business item. Maybe you can make decisions on “attack or not attack” 50 percent faster than before the program rolled out. If you don’t have the metrics to back that up, you’re in trouble when it rolls up into a KPI dashboard. People won’t take your word for it; the days of FUD ruling the enterprise are (hopefully) long over.

 

There you go, folks. A few tidbits that will hopefully help you kick off your Security Intelligence program right. If you’ve got questions, you can always hit me up; I’m here to help in any way I can.

 

Cross Posted from Following the Wh1t3 Rabbit
