
BlueVoyant: How to Build a World-Class Cyber Security Practice

In this eBook, security experts from BlueVoyant explore the challenges facing today’s security operations. They discuss in detail what it takes to build a world-class security practice capable of managing the growing volume and complexity of cyberthreats. It’s not an easy task. Doing security right requires hiring and retaining excellent people, building and maintaining a solid technology stack, and continually refining processes and workflows.

How To Build a World-Class Cyber Security Practice
Sponsored by BlueVoyant
Introduction: Building a World-Class Cybersecurity Practice

Mighty Guides make you stronger. These authoritative and diverse guides provide a full view of a topic. They help you explore, compare, and contrast a variety of viewpoints so that you can determine what will work best for you. Reading a Mighty Guide is kind of like having your own team of experts. Each heartfelt and sincere piece of advice in this guide sits right next to the contributor’s name, biography, and links so that you can learn more about their work. This background information gives you the proper context for each expert’s independent perspective. Credible advice from top experts helps you make strong decisions. Strong decisions make you mighty.

It’s true: Cybersecurity is risky business. It’s all about mitigating risk, but it’s also about keeping up with the latest threats—threats that are emerging almost too fast to count. It’s about keeping up with a continuous growth in attack surface and a growing flood of alerts. It’s about keeping up with the latest security technologies. And, if you miss something, just once, you could have a really, really bad day. Industry research shows that most companies believe that their cybersecurity operation isn’t good enough—that they’re losing ground. Is there a way past the challenges security practices must contend with every day?

In this eBook, security experts from BlueVoyant explore the challenges facing today’s security operations. They discuss in detail what it takes to build a world-class security practice capable of managing the growing volume and complexity of cyberthreats. It’s not an easy task. Doing security right requires hiring and retaining excellent people, building and maintaining a solid technology stack, and continually refining processes and workflows. Speaking from experience, because the company has successfully built its own high-performance, global security operation, the BlueVoyant experts offer valuable advice. They also tell you how to put it all together into a tightly integrated security operation. If you’re concerned about your organization’s security posture—and you should be—I believe you’ll appreciate these articles from the experts at BlueVoyant.

All the best,
David Rogelberg
Editor

© 2020 Mighty Guides, Inc. | 9920 Moorings Drive | Jacksonville, Florida 32257 | 516-360-2622 | www.mightyguides.com
Foreword: Resource-Constrained Security Teams Can Achieve the Capabilities of the Most Well-Defended Organizations

BlueVoyant is an analytic-driven cybersecurity company whose mission is to protect organizations of all sizes against agile and well-financed cyber attackers. Founded and led by experts in the cybersecurity and government security sectors, BlueVoyant’s offerings are built with real-world insight and applicability. Through our Advanced Threat Intelligence, Managed Security Services, and Incident Response Services, we excel in intelligence gathering, cybersecurity defense, detection of attacks, and response coupled with remediation. Our 24/7 SOCs, offices around the world, and our security analytics platform position us to best help our customers defend against emerging cyber threats. For more information, visit bluevoyant.com.

Most world-class security technologies are available only to the “security 1%”: banks, national governments, and the largest enterprises. These organizations have sizeable budgets to hire and retain significant expertise and to purchase or develop premier security solutions. These large enterprises drive innovation, but their solutions don’t map well to small-to-mid-sized organizations, the other 99%. Smaller enterprises are typically constrained by budget and resources and are forced to compromise when it comes to security.

BlueVoyant provides a new approach for resource-constrained teams. We democratize cybersecurity by protecting organizations of all sizes against agile and well-financed cyber attackers through highly scalable service offerings tailored to meet the needs of our clients. We partner with our clients to achieve a level of security that they couldn’t reach on their own. We provide technology and integration they couldn’t otherwise afford. We offer threat intelligence that they wouldn’t have access to. We staff our Security Operations Centers with experts they would have difficulty hiring and retaining. As a result, we trim high costs and help IT teams achieve a level of security previously available only to the largest and most well-defended organizations.

Founded and led by experts in the cybersecurity and government security sectors, BlueVoyant makes superior technology, proprietary threat intelligence, 24x7 Security Operations Centers (SOCs), and deep cybersecurity expertise available to enterprises of all sizes. We provide mutually reinforcing solutions that allow clients to right-size services to meet their unique needs. The first step in determining the proper security for your organization is to arm yourself with the right questions. The experts who have contributed to this Mighty Guide will help prepare you to move forward on your quest for improved cybersecurity. Enjoy the book.

Regards,
Thom VanHorn
Head of Marketing
BlueVoyant
Table of Contents

Chapter 1. Introduction: Addressing Today’s Dynamic and Evolving Cyber Risks
Chapter 2. People Are the Foundation of a World-Class Security Operation
Chapter 3. The Best People Need the Best Tools
Chapter 4. People and Technology Need the Focus That Process Provides
Chapter 5. Putting It All Together: 9 Tips for Building a World-Class Cybersecurity Operation
Meet Our Experts

Joe Gigliotti, Manager, Client Experience Team, BlueVoyant
Joe Gigliotti is the manager of BlueVoyant’s Client Experience Team. He has 17 years of IT experience, 8 of which have focused on cybersecurity and incident response. Before joining BlueVoyant, Joe was an analyst on Secureworks’ Security Response team. Joe holds a bachelor’s degree in network engineering from Johnson & Wales University and several certifications, including Sourcefire SFCP, SANS GIAC Certified Intrusion Analyst, and GIAC Information Security Professional.

Travis Mercier, Head of Global Security Operations, BlueVoyant
Travis Mercier is head of Global Security Operations for BlueVoyant, responsible for Global Security Operations Centers (SOCs) and the Threat Fusion Cell. He has 13 years of experience in cybersecurity, incident response, and digital forensics. Before joining BlueVoyant, Travis led Rackspace Managed Security’s Customer SOC and Managed Security Threat Intelligence Cell. He holds bachelor’s degrees in information systems and cybersecurity/infrastructure assurance from the University of Texas at San Antonio.

Michael Scutt, Director of Hunt Operations, BlueVoyant
Michael Scutt leads threat hunting services at BlueVoyant, helping clients uncover advanced adversaries, cutting-edge malware, and attacker infrastructure. His focus areas include host-based forensics, malware analysis, and threat research. Michael has spent a decade in information security and played many roles, from enterprise infrastructure hardening and threat mitigation to managing incident response engagements for Fortune 50 companies. Prior to joining BlueVoyant, Mike was the director of Security Research at CrowdStrike.

Reagan Short, SOC Technical Advisor, BlueVoyant
Reagan Short, CISSP, is a technical advisor for BlueVoyant’s SOC, responsible for technical strategies related to detection mechanisms and process improvement. He has 15 years of experience in host, network, and data security analysis. Before joining BlueVoyant, he was a senior security analyst at LEO Cybersecurity, responsible for threat hunting and signature creation. Reagan holds a master’s degree in cybersecurity from the University of Texas at San Antonio.

Christopher Wildes, SOC Technical Advisor, BlueVoyant
Christopher Wildes, GCIH, GWAPT, is a SOC technical lead for BlueVoyant, responsible for workflow automation and process improvement. He has 10 years of experience in cybersecurity operations, enterprise vulnerability management, and host- and network-based analysis. Before joining BlueVoyant, Christopher was a security analyst for Rackspace Managed Security and an analyst for the US Air Force Computer Emergency Response Team. He holds a master’s degree in cybersecurity from Pennsylvania State University.
CHAPTER 1
Introduction: Addressing Today’s Dynamic and Evolving Cyber Risks
Travis Mercier, Head of Global Security Operations at BlueVoyant
Cybersecurity has never been easy, and even under the best of circumstances, it is never perfect. A good practice can and must keep the risk of loss from cyberattacks at an acceptably low level for the business. Every business has its own risk profile based on the criticality of its digital assets, the vulnerability of its systems and operations, and its potential value as a target. A cybersecurity practice must accurately assess these factors and work with business management to determine what’s needed to deliver the necessary level of protection. Building a strong security practice capable of achieving that goal is a continuous challenge because the game keeps changing, for three main reasons:

• Exponential growth in attack surfaces. The days of placing all your high-value assets in one place secured by access controls and firewalls are long gone. Today, we live in a world of distributed networks and distributed computing. It is a world in which data are stored, moved, and processed in the cloud and at the network edge. The data environment is cluttered with a growing number of Internet of Things devices that are potential network access points. Some of these devices are fixed equipment such as appliances, industrial controls, and machinery. Others are mobile devices, cell phones, vehicles, and specialized devices such as wireless medical equipment. They all contribute to an attack surface that is continuously growing and changing. Even people have become a big part of the growing attack surface. People spend more time connected to more data through more devices than ever before, making them prime targets for attacks specifically engineered to fool them into opening a door for attackers.

• Exponential growth of attacks. Cybersecurity experts know that attacks are growing in intensity. Recent business surveys show a 350 percent growth in ransomware attacks between 2017 and 2018. Over the same period, email spoofing increased by 250 percent. Increased opportunity provided by a growth in attack surface is one reason for this sharp increase, but there’s much more to it than that. For one thing, attack technology has become widely available in kit form, making it accessible to anyone with modest technical skills. Also, attackers are adopting the most sophisticated technologies, using automated, multivector strategies driven by machine learning in an effort to bypass even the best defenses. Beyond the technical factors, however, are the hard economic realities. Cybercrime pays. Stolen computer capacity, stolen personal data, stolen intellectual property, and stolen state secrets—it’s a growing market. Thieves can even make money without actually stealing anything. Ransomware is growing so quickly because many organizations pay handsomely to save their data. Cybercrime isn’t only big business in itself; it has become central to the strategic competition between businesses and nations.
• Increased cost and complexity of defensive technologies. To combat these growing threats, solution providers are introducing more sophisticated tools and approaches to cybersecurity. The promise is that these tools speed threat detection and response as well as increase the productivity of a security practice. Under ideal circumstances, these providers are able to do these things, but these technologies are expensive, and effective implementation requires specialized skills. The challenges for many practices are, first, finding the resources to invest in the technologies they need, and then finding skilled people to implement and maintain them. The world of cybersecurity suffers from a skills shortage that has grown more critical in recent years. Finding people with the skills needed to implement advanced defensive technologies is a serious challenge for many security practices.

These are the realities that cybersecurity practices face every day. They face a perfect storm of challenges that makes it difficult for any organization to keep up with the latest threats and the latest defensive technologies. Does this mean that building an effective cybersecurity practice is an impossible task? Sometimes, it may seem that way, but the answer is no. You can build a strong practice, but it takes a lot of work.
Operating in today’s cyber environment often feels like swimming in shark-infested waters. To swim it safely, you need a world-class cybersecurity practice that can quickly and reliably detect, respond to, and mitigate both known and previously unseen threats. Building a practice with those capabilities requires turning to the fundamentals of people, processes, and technology. With the right people, processes, and technology, a security practice can shape itself to effectively address the cyber risks faced by the organization it must protect.

A significant challenge to developing a security practice is attracting and retaining people who have the skills the practice requires. Competition for good security people is stiff, but no matter how desperate your organization is to fill a position, it pays to be highly selective. You need people who have experience and who live and breathe cybersecurity. You want people whose passion leads them to explore new technologies and learn new methods. You want to dig into their technical capabilities, test them, and work with them to be sure they’re a good cultural fit for your organization. Once you bring someone on board, you must train them on your technology and processes, and then keep them sharp. Cultivating a tight security team that has the right skills and motivation takes time. Maintaining that team requires setting expectations and providing paths for continued development.
In addition to cultivating the right people, a world-class security practice operates with fully documented processes that can be automated. You need extensive playbooks that cover every kind of security event, and you must update those playbooks based on programmatic reviews of real cases in your environment. The process is continuous, and you enforce it through a cultural assumption that nothing is real if it isn’t documented. A good security practice doesn’t rely on tribal knowledge. The ultimate goal is to streamline detection and response so that it’s fast, accurate, and reliable.

Finally, a world-class security practice must invest in a technology stack that supports the business’s defensive requirements. This investment includes monitoring, detection, analysis, threat intelligence, and security orchestration. Building this technology stack is more than just acquiring the right technology. It also involves developing the skills to implement and maintain those tools. Poorly implemented technology is at best a waste of money and at worst creates a dangerously false sense of security.

It’s not easy to build a truly effective security practice, but it is necessary for any organization to thrive in today’s dynamic threat environment. I know from personal experience here at BlueVoyant that it can be done because we have done it successfully. In the articles of this eBook, we share strategies that have helped us find the right people, formalize our processes, build our technology stack, and put it all together into a world-class security practice.
CHAPTER 2
People Are the Foundation of a World-Class Security Operation
Michael Scutt, Director of Hunt Operations, BlueVoyant
Defending data has unquestionably become a battle of attackers’ tools and cleverness pitted against the technology and ingenuity of defenders. In this endless contest, the rapid evolution of both offensive and defensive capabilities has dominated much of the discussion about security trends and strategies. Defenders are employing artificial intelligence, machine learning, and automation techniques to improve the speed and accuracy of their defenses. They are also continuously adapting to changing IT environments that, while offering new levels of operational flexibility, come with plenty of new attack vectors. Amidst all this focus on the technology of cybersecurity, one critical element of security operations remains necessary and unchanged: the need for good security people—the analysts and operators who interpret what the technology is saying and who make the important decisions. People continue to be foundational to a world-class cybersecurity practice.
The Human Factor in a Modern Cybersecurity Practice

Why are people so important to the practice of cybersecurity? It comes down to what the tools can and cannot do by themselves. Modern cybersecurity tools, properly deployed, are good at identifying unusual and threatening activity happening in the network. The ability to identify these events is vital, but when they are discovered, the assumption must be that an adversary is already in the network. There has already been a compromise. The key questions immediately become: How far has the attack progressed? What other parts of the network are affected? Is the attacker continuing to move?

Security analysts are the ones who answer those questions. When security analysts receive alerts, they must be able to scope out where in the attack life cycle they are, identify the root cause, and isolate any additional activity that took place after that notification. The analyst must correlate that event with other activities, make decisions about contacting affected organizations, and provide those organizations with context and other information they will need to take quick, corrective action. The information coming out of the security organization must be accurate and actionable. To do their job well, analysts must:

• Have critical thinking skills;
• Be familiar with operating system fundamentals and attacker methodologies;
• Know the tools they’re using and the tools their adversaries are using; and
• Have knowledge of enterprise technologies.

Without the benefit of human analysts, the security tools will continue to faithfully deliver alerts to the affected organization. The tools may even successfully block an event. If the organization is dealing with a persistent adversary, however, that adversary will at some point successfully circumvent the block. For this reason, a consistently strong security practice is deeply dependent on the quality of the people who make up the security team.

Finding and Retaining Good Security People

Good security analysts have unique skills that don’t always arise from training and a background in cybersecurity. Cybersecurity professionals should possess three essential qualities:

• Critical thinking. They need to be able to look at a cyber event; recognize it as malicious activity; and, based on that activity, determine whether it represents a particular stage in an attack life cycle. Then, they must be able to decide on appropriate next steps.
• Passion. Good security professionals must have an unquenchable desire to find the bad guys and a passion for winning.
• Ability to self-learn. Cybersecurity is a fast-paced industry, and adversaries are innovating at an alarming rate. Good cybersecurity professionals are always doing their own research to find out about the latest threats, and they are always sharing information with their colleagues. It’s the only way to keep up with what’s happening in the field. This habit is important because attackers are doing exactly the same thing.

Finding people with preexisting cybersecurity knowledge is ideal, but it’s not an absolute criterion. The best candidates typically have worked in roles where they rely on the critical thinking skills so important to good security analysts. Interestingly, some of the best candidates we have encountered came from degree programs like nuclear physics and mathematics, which foster a strong, logical approach to problem solving.
It is no easy task to find and retain top-quality security people. Growing demand for security professionals who have the right knowledge and skills has created a situation where there are far more job openings than qualified people to fill them. Recently, more mature companies have begun to view cybersecurity as a special domain of expertise, not just a subset of IT. That view helps create a more cohesive security team within the organization—and a new career path for serious cybersecurity professionals, which is important for retention efforts. Yet most organizations still see cybersecurity as a budgetary item necessary to prevent loss. It’s not seen as something that actually adds value to the core business.

That’s where managed security service providers (MSSPs) have an advantage in hiring and developing top security talent. Security isn’t just a cost center inside the business. For an MSSP, security is the business. When the security professionals in that business perform well, they add value to the core business in a big way. It becomes an environment in which serious-minded security people can pursue a career; they can develop themselves through exposure to a much broader range of cybersecurity experiences than they are likely to receive on a mid-sized company’s security team.
As difficult as it is to find and retain good people, doing it well is critical to building a top-notch security practice. The skills and dedication of those people enable the team to perform. These people also help create the culture of security needed for the organization to work as an effective team.

Strategies for Building and Maintaining a Security Team

When assessing candidates for our team, we assume that they have some level of computing knowledge. Regardless of what their resume says or their cybersecurity credentials, we put them through a lengthy interview process that involves several people on our team. We want to see how candidates think about security challenges and assess the more intangible aspects of their personality, such as whether they have that passion to excel and self-learn. We’ll typically ask several questions to test candidates’ critical thinking skills and see if they are able to think like an attacker. For instance, we ask them how they would go about stealing their boss’s 82-inch wall-mounted television, including all the details of how they would plan and get away with that operation. We ask them to walk us through their thought process for the entire attack life cycle, from reconnaissance and exploitation to privilege escalation and lateral movement to staging for infiltration and exfiltration.
We also evaluate their technical knowledge and critical thinking skills in a technical context by dropping them into an attack scenario. For example, we may describe a cyber event, and then ask them what they would do next, assuming that they had every tool imaginable and anything else they needed. We try not to provide them with too many guard rails around these questions. The goal is to better understand their logic and how they think about computing, networks, adversaries—their entire view of the security challenge.

In addition, we want to understand candidates’ personal interest in cybersecurity—their interest beyond the job. Good security analysts often have a deep curiosity about cybersecurity. These are the folks who tend to have lab networks and sandboxes in their own homes, where they’re doing their own testing and red teaming, blue teaming, and purple teaming to identify how things interact. This process not only tells us about their interests but also plays into the culture of the exceptional security team we maintain. In the world of cybersecurity, no one person knows everything. The team is our collective consciousness.
Another important aspect of good cybersecurity professionals is their desire to learn more, to identify what’s going on in the environment, and to win. This is important for us because if something happens in a client environment, these are the types of people who are going to go the extra mile to determine what happened, find the root cause, and make sure such an attack can’t happen again. That attitude offers the best level of protection for our clients.

Building a strong team is key to having a high-performance security practice. So is maintaining that team. Retaining people depends on providing an environment in which people have opportunities for personal and professional development. Financial rewards aren’t the only things that motivate dedicated security pros. It’s equally important to create an environment that continually feeds their need to grow and gain knowledge. The team of analysts also needs to know that they are foundational to what the organization as a whole does. They need to have a strong sense of mission. In our case, I always tell folks we only have one job to do, and that’s to save the world.

Without a solid staff of security professionals, the tools and procedures used in the security practice become less effective. Building and maintaining an exceptional security team is a continuous task. In many ways, a dedicated MSSP has advantages that mid-sized and even large businesses don’t have. The MSSP is a business whose core mission is security. Everything the team does is central to the success of the business. It is also a setting where security people have a lot of opportunity to learn and develop through exposure to the widest range of security threats, IT environments, and security technologies. That’s what makes them the strongest possible practitioners of their chosen profession.
CHAPTER 3
The Best People Need the Best Tools
Christopher Wildes, SOC Technical Advisor, BlueVoyant
Reagan Short, SOC Technical Advisor, BlueVoyant
A top-performing cybersecurity team depends on the skills of its people; thoroughly documented processes; and technology for monitoring, detection, analysis, and security orchestration. Technology is not just the tool set that detects and alerts analysts to malicious and suspicious activity; it’s the glue that ties everything together. Technology alone cannot protect an organization, but a robust technology stack is necessary for building and maintaining an effective security practice in today’s threat landscape.

The cyber battlefield has become an accelerating arms race between defenders and attackers, each deploying ever-more-sophisticated tools to accomplish their goals. The shift from mostly preventive defense strategies—those that relied heavily on firewalls and signature-based endpoint protection—to primarily detection and response strategies has accelerated over the past few years. It is a fundamental shift that affects not only the technology in the security stack but also the workflow and required skill set of security practitioners.
Much of this change is driven by new kinds of attacks designed to evade older security tools, such as fileless malware that uses legitimate applications and social-engineering campaigns that deliver fast-moving and highly automated malware. Another factor is that attacker tools have become commoditized. With malware and ransomware widely available on the dark net, it becomes much easier for bad actors to change their means of gaining access and focus on their ultimate goals. Furthermore, not every adversary needs to dedicate resources to developing exploits for vulnerabilities or establishing a command-and-control infrastructure. Exploit developers can monetize their efforts by selling their wares in forums and move on to the next exploit. This ability to segment the constituent elements of successful campaigns exponentially increases everyone’s exposure.

These changes in tactics have necessitated new tools for monitoring, detection, and security automation as well as more extensive threat intelligence. They have also led to a change in how technology and information must be used and integrated to be effective. These advanced detection and response tools are not “set-it-and-forget-it” solutions. An effective security operation must monitor what the tools are saying and continuously adjust the tools to meet the latest threats.
What’s Required in a World-Class, Modern Security Stack?

A top-performing security operations center needs to have the following essential capabilities:

• Network- and device-level data. Early detection and response depend on having visibility that goes beyond atomic indicators like IP addresses, domains, email addresses, and file hashes. Analysts must look into endpoint telemetry and see what’s happening on the devices themselves; they must monitor trends and patterns in network telemetry. Firewalls and endpoint protection are useful for stopping known threats, but they can also provide contextual data useful for threat hunting, which thrives on endpoint and network data that go beyond the signatures built into endpoint agents and network appliances. Security specialists must be able to undertake deep packet inspection and traffic anomaly analysis as well as correlate information with logs and machine data from any asset that can generate data relevant in a security context. Such assets include virtual private networks and cloud service providers that reside outside the walls of the organization.
• Threat intelligence. Threat intelligence is a critical piece of the puzzle because it provides additional context for particular behaviors detected. Good threat intelligence provides advance notice of threatening activity before it happens in the network. When analysts detect those behavior patterns, they can much more quickly correlate those activities with a larger security context. Actionable threat intelligence enables rapid investigational pivots to help find additional activities that have gone undetected.

• Security information and event management (SIEM). A SIEM is essential for effective and efficient detection and response. With it, analysts can correlate event and data sources and enhance situational awareness by employing statistical aggregations that put different lenses on network and machine data to determine whether something suspicious is happening. A well-engineered SIEM is an important tool for threat hunting because it puts everything in one place so that security teams can visualize and analyze that data with one workflow. Consolidating security data into dashboards and visualizations built to cover everything that’s important in the company’s environment enhances the overall security workflow, but it’s not just for the security team. It’s also a valuable tool for senior decision makers who need to know the organization’s risk profile.
Using a SIEM is an efficient way to gather all that information and make it available to key decision makers. Teams can manage the security of a small operation without a SIEM, but doing so diminishes visibility and makes event correlation more cumbersome, time consuming, and error prone.

• Security orchestration, automation, and response (SOAR). SOAR is the primary platform for security automation. It enables security organizations to automate the tasks analysts perform frequently and manually so that they can focus on tasks that require deeper analytical skills. SOAR makes several things possible. First, it enables a team to triage more alerts, which is important because the volume of alerts increases as organizations grow and as the number of adversaries on the internet increases. Second, not all detection tools and signatures are easily tunable; SOAR empowers security teams to automatically handle high-fire false positives. Finally, automating certain aspects of event analysis and remediation speeds event response. Today’s attacks move fast, and if response depends on manually working through a playbook, the attacker could very well accomplish his or her goals before the security team is able to respond and remediate. With SOAR, it’s possible to make decisions quickly and automatically push policies forward that will mitigate threats in the future.
Building and Maintaining a Security Stack

The security stack consists of the technologies needed to stay ahead of today’s threats. Building this kind of security stack is not a simple matter. It requires investigating and choosing the right tools; integrating them with the current environment and existing technologies; and configuring them with the rules, visualizations, and automations that are important to the business.

The technology must also be maintained. From our experience, this is a never-ending task that requires skilled people knowledgeable in the technologies, the environments they are protecting, and advanced threats that are continuously evolving. In fact, a large part of a security manager’s job is to be aware of technology changes and threats that require modifications to the security stack. If a tool adds capabilities through its application programming interfaces, we need to revisit playbooks that interact with that tool and any automations associated with it. When our threat intelligence informs us of new adversary behaviors and tactics, we have to update our SIEM with additional correlations, aggregations, and visualizations. As attackers use new exploits and find new paths to their target, we need to adjust our playbooks or create new ones. It is an environment of continuous change, whether that change comes internally from organizational shifts or externally from attackers constantly adapting their tactics to become stealthier and faster.
For any business, maintaining that level of technical capability becomes an issue of cost, time, and priorities. That’s why many companies turn to a managed security services provider whose primary business is the continuous improvement required to sustain responsiveness and a strong defensive posture.

Maintaining the security stack is essential because the tools empower the security team to perform at their highest level. In a true positive feedback loop, this improvement goes both ways. The people with expertise and knowledge of how adversaries work are the ones who continuously tune the tools for maximum operational effectiveness. The right technology and the right people are both necessary, and neither is sufficient on its own. Armies don’t gain battlefield dominance by putting an ace pilot in a crop duster or a layman in an F-22 Raptor. In a world-class security practice, people and technology need each other, but both depend on process for operational direction. The next article explores the importance of process and how to enforce it.
CHAPTER 4

People and Technology Need the Focus That Process Provides

JOE GIGLIOTTI, Manager, Client Experience Team, BlueVoyant
REAGAN SHORT, SOC Technical Advisor, BlueVoyant
CHRISTOPHER WILDES, SOC Technical Advisor, BlueVoyant
Within the security operations center (SOC), the security team works with technologies to perform the following essential security functions:

• Detect, classify, and determine the best way to mitigate threats.
• Take the necessary threat response and mitigation actions.
• Acquire threat intelligence and engage in threat hunting.

To successfully perform these core activities, the SOC requires interaction among the people, technology, and client organizations it’s charged with protecting. Without well-documented processes that span all these functions, security staff won’t be able to perform their mission or use the technology tools available to them efficiently.
In the world of cybersecurity, process is the methodology a security team follows to achieve its security objectives. Those processes are documented at a more granular level in scenario-specific playbooks. Playbooks provide step-by-step action plans that tell analysts exactly how they should respond to an incident. Each playbook is specific to a type of incident. For instance, ransomware would have its own playbook; there may even be playbooks for different types of ransomware. A good security practice has playbooks that cover every kind of security event that poses a significant risk.

Playbooks are structured to ensure that analysts can make a determination about an event and pass on recommendations with as much contextual information as possible so that the client organization can take corrective actions. Some playbooks, or portions of playbooks, are also encoded in security orchestration, automation, and response (SOAR) platforms as automated functions. But where do processes and playbooks come from?
Creating Processes and Playbooks

Processes, playbooks, and workflows begin at a high level with the broad mission and goals of the security practice. The cultural integrity within the team forms the basis for how it approaches its mission. Specific processes are the methods this team devises to achieve its goals, and playbooks become granular action plans that contain detailed workflows.

For many organizations, playbook creation begins with a generic playbook related to a specific type of incident. This playbook may come from an industry-accepted security framework such as Integrated Adaptive Cyber Defense, sponsored by the US Department of Homeland Security. Quickly, however, these generic playbooks must be customized for the unique approach the security practice uses. Building customized playbooks requires a two-prong strategy rooted in the experience of the security team:
• Proactive playbook development. This aspect of playbook development relies heavily on threat intelligence, understanding your threat landscape, and building playbook scenarios to address recognizable threats. If you discover a newly emerging threat, create a playbook for responding to it. Playbook creation requires dedicated work by threat intelligence specialists who continuously monitor the latest attacks. It requires subscribing to threat intelligence services, downloading and testing attack code, and creating a response workflow that you believe will provide a sufficient response if and when that type of attack is detected. A world-class security practice must proactively develop playbooks continuously to minimize the chance of being caught by a new kind of attack.

• Reactive playbook development. This is a process of continuous evaluation of actual incident response workflows. Every time a critical incident occurs, the entire team needs to review how it handled the event, what worked well and what didn’t, and the lessons it learned from how it managed the event. These takeaways become the basis for either modifying an existing playbook or creating new playbooks.
Another aspect of playbook creation is making decisions about which parts of the playbook can be offloaded to the SOAR platform for automation and which parts to put into a physical document that analysts can follow. This continuous balancing act optimizes how the security technology and analysts work together.

A lot goes into determining what belongs in playbooks and which portions of the playbooks are offloaded to the SOAR platform. Those decisions come back to the central role of security operations: being at the forefront of risk mitigation. Every possible security event has a risk impact based on the probability of its occurrence and its severity to the business should it occur. Risk impact is a primary factor in deciding what goes into highly specific playbooks and which parts of those playbooks should be automated.

The difficulty of task performance is also a key consideration. When you’re building a playbook, you want to make sure that the humans in the SOC are getting it right, especially when there is some level of difficulty or a large chain of actions that must take place to enrich, normalize, and provide additional value to system data. Playbooks ensure that nothing is missed. Automating portions of the playbook, especially high volumes of heavily repeated tasks, frees analysts to work through more complex operations that require human analytical skills. When responding to fast-moving events, getting the workflow right is critical because the stakes are often high.
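The SOAR decisions described in the stack section and the automation decisions described here (muting known high-fire false positives, sending high-risk-impact alerts to an analyst, handing heavily repeated low-risk alerts to an automated playbook) as an added Python example; this is not BlueVoyant’s code, and the alert fields, thresholds, severity scale and suppression entries are constructed assumptions.

```python
"""Toy SOAR-style alert router (added example, not BlueVoyant's code).

Implements the three decisions the text describes:
  1. suppress known high-fire false positives the source tool cannot tune out,
  2. route high-risk-impact alerts (probability x severity) to an analyst,
  3. hand high-volume repeated low-risk alerts to an automated playbook.
All alert fields, thresholds and suppression entries are constructed assumptions.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Severity of the event to the business, should it occur (constructed scale).
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Risk impact at or above this goes straight to an analyst (constructed).
ANALYST_THRESHOLD = 2.0
# A rule firing this many times in one batch is a candidate for automation.
REPEAT_THRESHOLD = 3

# (rule, host) pairs known to be benign, e.g. the authorised vulnerability scanner.
# Keyed on host as well as rule so the same rule from an unexpected host is NOT muted.
SUPPRESSION_RULES = {("portscan_detected", "scanner01")}


@dataclass(frozen=True)
class Alert:
    alert_id: str
    rule: str          # detection rule or signature that fired
    host: str          # asset the alert concerns
    severity: str      # low / medium / high / critical
    likelihood: float  # 0.0..1.0, confidence that the event is real


def risk_impact(alert: Alert) -> float:
    """Probability the event is real, times its severity to the business."""
    return alert.likelihood * SEVERITY[alert.severity]


def is_suppressed(alert: Alert) -> bool:
    return (alert.rule, alert.host) in SUPPRESSION_RULES


def route(alerts: list[Alert]) -> dict[str, str]:
    """Map alert_id -> queue: suppressed, analyst, auto_playbook or analyst_low."""
    # Repetition is counted only over live alerts, so muted scanner noise cannot
    # push a genuine port scan from another host into the automated path.
    repeats = Counter(a.rule for a in alerts if not is_suppressed(a))
    decisions: dict[str, str] = {}
    for a in alerts:
        if is_suppressed(a):
            decisions[a.alert_id] = "suppressed"     # recorded, never dropped silently
        elif risk_impact(a) >= ANALYST_THRESHOLD:
            decisions[a.alert_id] = "analyst"        # needs human analytical skills
        elif repeats[a.rule] >= REPEAT_THRESHOLD:
            decisions[a.alert_id] = "auto_playbook"  # heavily repeated, low risk
        else:
            decisions[a.alert_id] = "analyst_low"    # low volume, low risk
    return decisions


def queue_summary(decisions: dict[str, str]) -> dict[str, int]:
    """Counts per queue; input for the post-event review of what automation handled."""
    return dict(Counter(decisions.values()))


# Constructed sample batch.
SAMPLE_ALERTS = [
    Alert("A1", "portscan_detected", "scanner01", "medium", 0.1),
    Alert("A2", "portscan_detected", "scanner01", "medium", 0.1),
    Alert("A3", "phishing_link_click", "ws-042", "medium", 0.6),
    Alert("A4", "phishing_link_click", "ws-017", "medium", 0.6),
    Alert("A5", "phishing_link_click", "ws-108", "medium", 0.6),
    Alert("A6", "mass_file_encryption", "fs-01", "critical", 0.8),
    Alert("A7", "new_domain_admin", "dc-01", "high", 0.5),
    Alert("A8", "portscan_detected", "ws-099", "low", 0.4),
]

if __name__ == "__main__":
    result = route(SAMPLE_ALERTS)
    for alert_id, queue in result.items():
        print(alert_id, queue)
    print(queue_summary(result))
```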
Playbook workflows enrich and are enriched by the data available to the security operations team. Interpreting events and deciding on the best mitigations requires correlating data points that are coming from the network and from endpoints in the environment you’re protecting. The more and better data that are available, the more effective playbook workflows will be in correlating the most relevant contextual data, which will result in more explicit, accurate, and timely responses. Having that visibility and supporting data makes those playbooks more meaningful as it drives the process of detection and response.

Creating good playbooks isn’t easy, especially if you are totally unaware of the threat that could become your next big event. If you’re trying to build a playbook for something you haven’t seen before, it’s like shooting in the dark. That is one advantage a managed security services provider (MSSP) has over most businesses. By handling security for a large number of clients, a good MSSP deals with a much larger attack surface than most businesses will ever have to manage. They see a higher percentage of campaigns that are active in the wild, far more than individual organizations are likely to see. All this puts the MSSP in a better position to build and maintain strong, up-to-date playbooks.
Maintaining Process and Balance in the Practice

Maintaining processes in a security practice largely involves maintaining playbooks. That requires continuous threat research and performance evaluation. The more exposure a security practice has to actual security events and the more threat hunting resources it can deploy, the more opportunity it will have to keep playbooks and workflows current based on the latest attacks and the best response strategies. Continuous playbook development and evaluation are central to striking the best balance between manual and automated tasks for maximum performance of security operations.

Playbooks mediate the relationship between people and technology in a security practice. The best outcome for the practice is when the right person with the right skills, the right expertise, and the right instinct has access to the best technology to maximize output. That’s what keeps a security practice ahead of the enemy.

The hard work of process and workflow refinement never ends because in the world of cybersecurity, everything changes. The IT environments you’re protecting change, attackers change their strategies and tools, and defensive capabilities change. One key to building a world-class cybersecurity practice is recognizing these changes and understanding where the opportunities lie to either use or respond to that change. Building and maintaining playbooks is a critical, unifying activity that defines a world-class security practice.
CHAPTER 5

Putting It All Together: 9 Tips for Building a World-Class Cybersecurity Operation

TRAVIS MERCIER, Head of Global Security Operations at BlueVoyant
A high-performance security practice depends on a dedicated, well-equipped team of skilled security experts working from established processes that are currently relevant to the threat landscape they face and the environment they’re protecting. It’s not enough to simply set up good detection and response tools and let them do their thing. Successfully protecting digital assets requires tight integration among people, process, and technology. Achieving that cohesion in a security practice demands focused effort to find good people, sharpen their skills, research the latest defensive technologies, and adapt processes to current threats and operational capabilities.

Maintaining a world-class security operation is work that never ends because attackers never rest. For example, Kaspersky reports that the number of ransomware variants it detects grew 153 percent in one year, from Q3 2018 to Q3 2019. Cyberthieves work hard to create new variants because ransomware is a highly lucrative business for them. That’s bad news for potential ransomware victims, which is pretty much all of us.
Without a strong, dedicated cybersecurity program, it’s difficult to defend against the growing number, variety, and complexity of cyberattacks. This eBook drills into the foundations of a world-class security operation: its people, processes, and technology. The key to strong security is how these pieces come together to work as a tightly integrated security machine. To that end, here are nine tips for building an exceptional security practice:

• Treat security as a specialized discipline, not a branch of IT. In many security practices, especially those in small and midsized businesses (SMBs), security is a function within the IT organization. IT people are assigned security tasks like installing and configuring tools, investigating and responding to alerts, and patching vulnerabilities. As long as security is considered a subset of IT, it will never have the cohesion required of an exceptional security practice. Making security a specialized organization within the business, with its own budget and mission, gives it focus. It becomes a destination for security-minded professionals who will share knowledge as they work together toward a common goal. It provides a career path for serious cybersecurity professionals. It creates continuity in the security operation. These are the characteristics of a security practice that will attract and retain skilled security professionals.
• Hire the best people. The best people aren’t necessarily those with the most security experience. They are people who have good analytical skills, are passionate about cybersecurity, can think like attackers, and are energetic self-learners. They should also be people who will work with others on the team. Cultural fit is important. That’s why hiring security people is itself a team activity.

• Build the technology stack in your security operations center (SOC) using best-in-class tools from proven vendors. Avoid building or buying into proprietary tools. This approach creates a security “black box” that becomes difficult to develop and maintain—one that the rest of the organization may not understand. It’s better to pick best-of-breed technology and ingest data from those tools so that the team can focus its energies on analyzing the output rather than configuring the tools.

• Maximize data inputs from your environment. Your security practice is only as good as the data it has to work with. You need to capture as much data as possible from traffic flow in the network, from firewalls and other network appliances, and from endpoints and their abstraction layers, applications, and hosting environments. With more contextual data, your processes and playbooks become more effective for helping analysts quickly detect and respond to incidents.
• Build and maintain detailed playbooks. Create playbooks that detail what to do for every kind of security event you experience. Also, create playbooks that cover serious potential threats you may not have experienced yet. To create such a forward-looking playbook, you’ll need to conduct threat research, test malicious code to see how it behaves, and use that research to develop detailed playbook workflows. Finally, you must update these playbooks continuously through regular review and as part of incident post-mortem analyses.

• Be aggressively proactive in your practice. Subscribe to threat intelligence, and actively engage in threat hunting. Be highly proactive in playbook development by creating playbooks that cover threats you haven’t experienced yet so that you will be able to detect and mitigate them as soon as they appear in your environment. Share information, and learn continuously about new defensive capabilities and threats.

• Use security automation. Deploy a security orchestration, automation, and response (SOAR) platform, and use it to automate portions of your playbooks. In this way, you can offload repetitive tasks from skilled security analysts, freeing them to focus on more complex tasks, such as analysis and workflow. Automation also significantly increases the speed of incident detection and response. Security automation makes it possible to more efficiently examine a higher percentage of alerts.
• Continuously evaluate and update technology, processes, and playbooks. Everything security touches is constantly changing, whether it’s the IT environment, the tools used to defend it, or the threats it faces. Team members must be passionate and self-learning because cybersecurity is a continuous learning endeavor. It’s critical that the culture and workflow of the security practice include regular playbook assessment, post-event assessment, threat research, and investigation into the latest tools and strategies. These activities should be as normal as breathing.

• Cultivate the habit of working as a team. When it comes to cybersecurity, no one person can know everything. A high-performance security practice is a highly collaborative one. When there’s a problem to be solved, a post-mortem assessment of an incident, or a need to rethink a process, it pays to have as many people involved as possible.
What if you lack the resources to build your own world-class security operation?

Not every company is in a position to build its own security practice with all the capabilities it needs to adequately defend the business. SMBs are particularly vulnerable for several reasons. For example, SMBs often don’t have the time or money to build the level of security they really need to sufficiently lower their risk exposure. Furthermore, they often fail to recognize how vulnerable they are. It’s easy to assume that if you’ve set up pretty good endpoint protection, you have firewalls, and you keep up with patches, you’re in decent shape. Besides, you’re just an SMB. The bad guys are really going after much more value than you have to offer, right? Well, not really. Industry research shows that nearly 60 percent of companies suffering data breaches are SMBs. These same businesses are also ripe targets for ransomware because the disruption such attacks cause is more costly to SMBs than to enterprises.

However, these companies can still have world-class security protection. Increasingly, they are working with managed security services providers (MSSPs) to strengthen their security posture. The best MSSPs are totally focused on security, which gives them all the advantages of a dedicated operation—the ability to hire and retain the best people, build and maintain the best technology, and have the resources to be proactive in developing and maintaining processes that keep up with the latest threats. Also, through their client relationships, MSSPs typically see and can mitigate a substantial array of threats. If you’re considering working with an MSSP, pay particular attention to these points:
• How does the MSSP acquire and develop staff expertise?
• Which technologies does the MSSP use, and how? Do its tools include endpoint detection and response, security information and event management, SOAR, and other essential tools? Does it use best-in-class solutions from proven vendors rather than proprietary, black-box solutions?
• Does the MSSP take a proactive approach to threat hunting?
• Does the MSSP maintain a global footprint? Even if your business is a local or regional one, cyber threats have no boundaries.

Building a world-class security operation requires adherence to best practices for people, processes, and technology. However, for companies that don’t have the knowledge or resources to build a SOC internally, a best-in-class MSSP can provide the security coverage they need.
