Security Operations Fundamentals

Last year I last wrote:

Marcus [Ranum] noted that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 security industry is just like cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 diet industry. People who want to lose weight know cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y should eat less, eat good food, and exercise regularly. Instead, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y constantly seek cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 latest dieting fad, pill, plan, or program -- and wonder why cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y don't get cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 results cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y want!

You might be wondering about cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 digital security equivalent to eating less, eating good food, and exercising regularly. Addressing that subject adequately would take more than this blog post, but I want to share cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 steps I use as a consultant when encountering a new client's enterprise.

You'll notice that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se steps fit nicely within Mike Rothman's Pragmatic CSO construct. These are a little more specific and focused because I am not acting as a Chief Security Officer when I work as a consultant.

1. Instrument sample ingress/egress points. What, monitor first? That's exactly right. Start collecting NSM data immediately (at least session, preferably alert, full content, session, and statistical). It's going to take time to progress through cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 rest of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 steps that follow. While working on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 next steps your network forensics appliance can be capturing data to be analyzed later.


2. Understand business operations. Replace business with whatever term makes you more comfortable if you are a .gov, .mil, .edu, etc. You've got to know cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 purpose of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 organization before you can understand cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 data it needs to do its job. This requires interviewing people who know this, preferably business owners and managers.


3. Identify and prioritize business data. Once you understand cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 purpose of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 organization, you should determine cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 data it needs to function. Not all data is equal, so perform a relative ranking to determine cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 most important down to least important. This work must be done with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 cooperation of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 businesses; it cannot be security- or consultant-driven.


4. Identify and prioritize systems processing business data. By systems I mean an entire assemblage for processing data, not individual computers. Systems include payroll processing, engineering and development, finance projections, etc. Prioritize cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se systems as you did cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 data cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y carry. Hopefully cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se two sets of rankings will match, but perhaps not.


5. Identify and prioritize resources comprising systems. Here we start dealing with individual servers, clients, and infrastructure. For example, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 database containing payroll data is probably more important than cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Web server offering access to clients. Here tech people are more important than managers because tech people build and maintain cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se devices.


6. Define policy, profile resources, and identify violations. Steps 2-5 have gotten you to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 point where you should have a good understanding of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 business and its components. If you have a policy, review it to ensure it makes sense given cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 process thus far. If you haven't yet defined a policy for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 use of your information resources, do so now.
   
   Next, profile how those resources behave to determine if cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y are supporting business operations or if cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y are acting suspiciously or maliciously. I recommend taking a passive, traffic-centric approach. This method has near-zero business impact, and, if executed properly, can be done without alerting anyone insider or outside cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 company acting maliciously. Here you use cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 data you started collecting in step 1.


7. Implement short term incident containment, investigation, and remediation. I have yet to encounter an enterprise that doesn't immediately find a hot-button item in step 6. Put out those fires and score some early wins before moving on.


8. Plan and execute instrumentation improvements. Based on step 7, you'll realize you want visibility across cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 entire enterprise. Increase cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 number of sensors to cover all of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 areas you want. This step encompasses improved host-centric logging and ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r visibility intitiatives.


9. Plan and execute infrastructure improvements. You'll probably decide to implement components of my Defensible Network Architecture to take a more proactive stance towards defending cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 network. You may be able to reconfigure existing processes, products, and people to act in a more secure manner. You may need to design, buy, or train those elements.


10. Plan and execute server improvements. Here you decide what, if any, changes should be made to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 resources offering business data to users, customers, partners, and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 like. Maybe you want to encrypt data at rest as well as in motion. Maybe you decide to abandon an old Web framework for a new one... and so on.


11. Plan and execute user platform improvements. This step changes cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 gear users rely upon, so it's cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 last step. Users are most likely to resist that which cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y can immediately see, so tread carefully. Improvements here involve OS upgrades or changes, moves to thin clients, removal or upgrades of software, and similar issues.


12. Measure results and return to step 1. I recommend using metrics like those I described here. Measure Days since last compromise of type X, System-days compromised, Time for a pen testing team of [low/high] skill with [internal/external] access to obtain unauthorized [unstealthy/stealthy] access to a specified asset using [public/custom] tools and [complete/zero] target knowledge, and so on.

You may notice steps 8-11 reflect my TaoSecurity Pyramid of Trust. That is no accident.

It is also important to realize that steps 8-11 are based on data collected in step 1 and analyzed in step 6. Enterprise security improvements should not be driven by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 newest products or concept. Improvements should be driven by understanding cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 enterprise and specifically cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 network. Ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rwise, you are playing soccer goal security by making assumptions and not judgements.

Only when you understand what is happening in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 enterprise should you consider changing it. Only when you realize existing processes, products, and/or people are deficient should you consider changes or additions. Think in terms of what problem am I trying to solve, not what new process, product, or person is now available.