Monday, November 27, 2023

Tips to Upping your Security Maturity

Cybersecurity has far outgrown what the technology industry expected of it even a decade ago. Because of that growth it is far too common for organizations to be left under-protected, and the number of major cyber attacks continues to climb with no end in sight. This post covers four tips that can make a significant change in your organization's security posture: (1) build a well-rounded security team, (2) implement threat modeling and map it to other frameworks, (3) gather metrics, and (4) optimize through automation. None of these approaches is revolutionary on its own, but together they can make a real impact.

Let's start with the first tip, assembling a high-performing security team. You want a healthy mix of specialties and skill levels. For example, when building a Security Operations Center (SOC) you always need incident responders and triage analysts, but where possible I have found it helpful to add security engineers who can audit the environment and recommend changes, and a red team engineer who enables you to run comprehensive purple team exercises (the red teamer emulates an adversary technique while the analysts confirm, or build, the detection for it). This creates a team whose capability and skill level grow through cross-team collaboration. It also shows a willingness to invest in your people, which should lead to higher team satisfaction and a better retention rate.

Now let's expand on the second tip, implementing threat modeling. Compliance frameworks such as PCI DSS, NIST (SP 800-53 or the CSF) and SOC 2 tell you which controls are expected, while threat modeling methodologies such as PASTA, STRIDE and VAST, among others, tell you how an attacker would actually get at your assets; most organizations end up using the two together. The key is to find the methodology, or a hybrid of several, that fits your environment. Doing this lets you organize and prioritize your risks, so you can assign risk scores, create a risk register, and map each entry to other frameworks such as MITRE ATT&CK.

Mapping to MITRE ATT&CK lets you see, for each identified risk, the tactics and techniques involved, the data sources and detection guidance for those techniques, the mitigations ATT&CK lists for them, and references that help you understand the full scope of the risk in your environment. You can also work in the other direction and search by mitigation: for example, multi-factor authentication (ATT&CK mitigation M1032) is listed as a mitigation for well over a dozen techniques, which is a strong argument for prioritizing it. All of this feeds directly into building detections for your security team. Most security tools now label their detections with ATT&CK technique IDs, so the mapping gives you one vocabulary for your risks, your controls and your tooling and removes a lot of ambiguity. One caveat: a tool claiming "coverage" of a technique rarely means every procedure under it is detected, so validate coverage with purple team exercises rather than trusting the label.
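The following is an added example (not code from the original post) of what the risk register plus ATT&CK mapping described above looks like as data, with the two queries the post mentions: rank risks by score, and rank mitigations by how much scored risk they touch. The technique and mitigation IDs are real ATT&CK identifiers, but the register entries, likelihood/impact values and the subset of technique-to-mitigation links are constructed for illustration; in practice the links should be pulled from the ATT&CK STIX data rather than hand-typed.

```python
"""Risk register mapped to MITRE ATT&CK techniques and mitigations.

Added example, not from the original post. IDs are real ATT&CK
identifiers; the register entries and the subset of technique ->
mitigation links are constructed for illustration only.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Risk:
    rid: str
    title: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    techniques: list[str] = field(default_factory=list)  # ATT&CK technique IDs

    @property
    def score(self) -> int:
        # Simple likelihood x impact; swap in your own scoring scheme.
        return self.likelihood * self.impact


# Constructed register entries (not real findings).
RISKS = [
    Risk("R-1", "Credential phishing against staff", 4, 4, ["T1566", "T1078"]),
    Risk("R-2", "Password spraying against the VPN", 4, 3, ["T1110", "T1133"]),
    Risk("R-3", "Lateral movement over RDP with stolen credentials", 3, 5, ["T1021", "T1078"]),
    Risk("R-4", "Malicious macro in office documents", 3, 3, ["T1566", "T1204"]),
]

# Technique -> mitigations. Illustrative subset of ATT&CK's mapping.
MITIGATIONS = {
    "T1078": {"M1032", "M1027", "M1018"},  # MFA, password policies, user account mgmt
    "T1110": {"M1032", "M1027", "M1036"},  # MFA, password policies, account use policies
    "T1133": {"M1032", "M1030"},           # MFA, network segmentation
    "T1021": {"M1032", "M1030"},           # MFA, network segmentation
    "T1566": {"M1017", "M1049", "M1021"},  # user training, antivirus, restrict web content
    "T1204": {"M1017", "M1038"},           # user training, execution prevention
}

MITIGATION_NAMES = {
    "M1017": "User Training",
    "M1018": "User Account Management",
    "M1021": "Restrict Web-Based Content",
    "M1027": "Password Policies",
    "M1030": "Network Segmentation",
    "M1032": "Multi-factor Authentication",
    "M1036": "Account Use Policies",
    "M1038": "Execution Prevention",
    "M1049": "Antivirus/Antimalware",
}


def ranked_risks(risks: list[Risk] = RISKS) -> list[Risk]:
    """Highest risk score first; this is the prioritized register."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def techniques_for_mitigation(mid: str) -> set[str]:
    """Reverse lookup: which mapped techniques does one mitigation address?"""
    return {tid for tid, mids in MITIGATIONS.items() if mid in mids}


def risk_reduced_by_mitigation(mid: str, risks: list[Risk] = RISKS) -> int:
    """Sum of scores of every risk that has at least one technique this mitigation covers."""
    covered = techniques_for_mitigation(mid)
    return sum(r.score for r in risks if covered.intersection(r.techniques))


def best_mitigations(risks: list[Risk] = RISKS) -> list[tuple[str, int, int]]:
    """(mitigation, risk score touched, techniques covered), best first.

    Risk score is the primary key; number of techniques breaks ties.
    """
    all_mids = set().union(*MITIGATIONS.values())
    rows = [(m, risk_reduced_by_mitigation(m, risks), len(techniques_for_mitigation(m)))
            for m in all_mids]
    return sorted(rows, key=lambda row: (row[1], row[2]), reverse=True)


if __name__ == "__main__":
    for r in ranked_risks():
        print(f"{r.rid} score={r.score:2d} {r.title} {r.techniques}")
    for mid, reduced, n in best_mitigations()[:3]:
        print(f"{mid} {MITIGATION_NAMES[mid]}: touches risk score {reduced} across {n} techniques")
```

Even on this tiny register the reverse lookup makes the post's point: MFA (M1032) touches more scored risk than any other single mitigation, which is the kind of statement that lands with stakeholders.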

Moving on to the third tip: you need to learn how to tell your cybersecurity story, because what good are detections without buy-in from your stakeholders? Without that buy-in you will not get the funding or support your team needs, or the technologies needed to support it. The best way to get your narrative across is with metrics. The core metrics I recommend are Time to Detect (TTD, from when the activity occurred to when you first alerted on it), Time to Triage (TTT, from alert to an analyst making a decision), Time to Mitigate (TTM, from alert to containment, such as isolating a host) and Time to Remediate (TTR, from alert to the root cause being removed and service restored). Strive to capture these for all security events, investigations and incidents, and record the timestamps consistently, since a metric computed from inconsistent start and end points is worse than none. Once these metrics are baselined you can write Objectives and Key Results (OKRs) for improving them. You can also use them to measure the efficacy of your tools and detection content. Paired with your threat models and risk register, the metrics deliver a powerful narrative and help justify additional resources.
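As an added example (not from the original post), here is the calculation behind those four metrics run over a handful of constructed incident records. Timestamps are ISO 8601 UTC, durations come out in minutes, and the stage definitions are the ones assumed in the paragraph above (detection-relative for TTT, TTM and TTR; occurrence-relative for TTD). Incidents that have not yet reached a stage are skipped for that metric rather than counted as zero, which is the mistake that makes a dashboard look better than reality.

```python
"""Baseline TTD / TTT / TTM / TTR from incident records.

Added example, not from the original post. Records are constructed.
Stage definitions assumed here:
  TTD = detected   - occurred
  TTT = triaged    - detected
  TTM = mitigated  - detected
  TTR = remediated - detected
"""
from __future__ import annotations

import math
from datetime import datetime, timezone
from statistics import median

# Constructed sample records; None means that stage has not happened yet.
INCIDENTS = [
    {"id": "INC-101", "severity": "high", "occurred": "2023-11-01T02:10:00Z",
     "detected": "2023-11-01T08:40:00Z", "triaged": "2023-11-01T09:05:00Z",
     "mitigated": "2023-11-01T11:30:00Z", "remediated": "2023-11-03T16:00:00Z"},
    {"id": "INC-102", "severity": "medium", "occurred": "2023-11-04T10:00:00Z",
     "detected": "2023-11-04T10:30:00Z", "triaged": "2023-11-04T12:30:00Z",
     "mitigated": "2023-11-04T14:30:00Z", "remediated": None},
    {"id": "INC-103", "severity": "high", "occurred": "2023-11-06T22:00:00Z",
     "detected": "2023-11-07T00:00:00Z", "triaged": "2023-11-07T00:15:00Z",
     "mitigated": "2023-11-07T01:00:00Z", "remediated": "2023-11-07T09:00:00Z"},
    {"id": "INC-104", "severity": "low", "occurred": "2023-11-10T09:00:00Z",
     "detected": "2023-11-10T09:00:00Z", "triaged": "2023-11-10T17:00:00Z",
     "mitigated": None, "remediated": None},
]

# metric -> (end stage, start stage)
STAGES = {
    "TTD": ("detected", "occurred"),
    "TTT": ("triaged", "detected"),
    "TTM": ("mitigated", "detected"),
    "TTR": ("remediated", "detected"),
}


def parse_ts(value: str | None) -> datetime | None:
    if value is None:
        return None
    # Accept the trailing 'Z' that many SIEMs emit.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def stage_minutes(incident: dict) -> dict[str, float | None]:
    """Per-metric duration in minutes, or None if the stage is not reached yet."""
    out: dict[str, float | None] = {}
    for metric, (end, start) in STAGES.items():
        t_end, t_start = parse_ts(incident[end]), parse_ts(incident[start])
        if t_end is None or t_start is None:
            out[metric] = None
        else:
            minutes = (t_end - t_start).total_seconds() / 60
            if minutes < 0:
                raise ValueError(f"{incident['id']}: {end} precedes {start}")
            out[metric] = minutes
    return out


def percentile(values: list[float], pct: float) -> float:
    """Nearest-rank percentile (pct in 0..100); fine for small SOC sample sizes."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def baseline(metric: str, incidents: list[dict] = INCIDENTS,
             severity: str | None = None) -> dict[str, float | int]:
    """Count, median and p90 for one metric, optionally filtered by severity."""
    vals = [stage_minutes(i)[metric] for i in incidents
            if severity is None or i["severity"] == severity]
    vals = [v for v in vals if v is not None]  # open stages are excluded, not zeroed
    if not vals:
        return {"n": 0, "median": 0.0, "p90": 0.0}
    return {"n": len(vals), "median": float(median(vals)), "p90": percentile(vals, 90)}


def okr_target(metric: str, improvement: float, severity: str | None = None) -> float:
    """Key result: cut the current median by `improvement` (e.g. 0.5 = halve it)."""
    return baseline(metric, severity=severity)["median"] * (1 - improvement)


if __name__ == "__main__":
    for m in STAGES:
        print(m, baseline(m), "high-severity:", baseline(m, severity="high"))
    print("OKR: high-severity TTD median target", okr_target("TTD", 0.5, "high"), "min")
```

The severity filter matters for the narrative: a healthy overall TTD median can hide a poor one for high-severity incidents, which is the number leadership actually cares about.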

The final tip is to automate wherever possible. This can be done with a Security Orchestration, Automation and Response (SOAR) tool, with various open-source tools, or by writing scripts. Good candidates are capturing and calculating metrics automatically, taking a potential indicator of compromise (IOC) and gathering operational intelligence on it, and automating mitigation tasks such as quarantining a system or putting in a firewall block. Automated mitigation needs guardrails: never auto-block internal address space, require a human approval step for business-critical assets, and start every playbook in a dry-run mode that only proposes actions until you trust it, because a playbook that isolates the wrong server is an incident of its own. Scripts and open-source tools are a way to protect your bottom line, since SOAR products, while useful, can be expensive. Regardless, strive to get the most out of the tools you already have and use open-source tools where possible.

To recap, the four major tips are (1) diversify the roles on your security team, (2) implement threat modeling and prioritize your risks, (3) gather metrics to tell your security narrative, and (4) optimize your team and processes through automation.

Implementing some, if not all, of these tips will raise your security maturity level while ensuring you spend your funds appropriately, and will ultimately make your organization more secure.
