Recently, Rapid7 completed a UX exercise with security professionals from 18 different companies. Based on that work, we derived 97 outcomes (aka “things to do”) that these organizations were trying to achieve within their Detection and Response programs and for their businesses.
Today, I wanted to provide some commentary on the top three. As a career responder, I’ve helped build several Managed Detection and Response offerings, consulted in developing Detection and Response programs for large enterprises, and focused much of my current research on security programs: I have opinions!
First, you might be asking what we mean by outcome. In short, it’s something that someone is trying to achieve in a certain period of time as measured by some value. More specifically, each outcome is structured like this:
Without further delay, here are the top three outcomes from the exercise:
- Minimize the likelihood that there are threats your security tools can’t detect.
- Maximize your ability to know which vulnerabilities are on your network.
- Increase employee awareness of security best practices to prevent issues from happening in the first place.
1. “Minimize the likelihood that there are threats your security tools can’t detect.”
I am not at all surprised to see this as No. 1. This is the thing that keeps responders and business leaders awake at night. But it doesn’t have to be that way. Sure, you will always have that nag in the back of your head, but you’ll be more confident when your security program and its associated goals are maximized to protect what your business cares about the most. Remember, it’s not about preventing a breach, it’s about stopping a breach before it can cause material damage to your organization.
So, what does a security program that helps you sleep better at night look like? That is exactly the focus of my current research project in developing a Security Program Framework that uses best practices, metrics, a measurement of maturity, and a prescribed target maturity based on industry, data you want to protect, and value of the organization’s brand.
At its core, any security program must invest in the following key areas:
- Preparation: If it’s not written down, the players can’t come together to collaborate and build. Further, if it doesn’t make sense on paper, there’s no way it’s going to work in practice.
- Threat Prevention: Deploy technology to block known threats from disrupting normal business operations. More mature programs will add people for the care, feeding, and improvements to this technology layer.
- Breach Detection: Deploy specialized technology and skilled teams to detect threats that bypass preventative defenses.
- Incident Response: Deploy process, specialized technology, and specialized teams to drive all incident response activities, including those associated with a cyber-breach and those that are not.
- Continuous Improvements and Enterprise Security Consulting: Continuous improvements involve taking the output from any given phase above and applying lessons learned to the previous phase, thus making the whole process more efficient. Enterprise Security Consulting represents all of the activities performed by the security team aimed at improving enterprise security. Some examples might be adding a security help desk to respond to employee questions, assessing the security of a potential M&A target, providing risk guidance in executive decision making, etc.
When and where to invest in these areas becomes the next challenge. While the framework we’re building looks to address this gap, we’re just not there yet. However, one resource I recommend specific to Detection and Response capabilities is the MITRE ATT&CK Framework. Build your detection strategy around ATT&CK and you will sleep better at night.
2. “Maximize your ability to know what vulnerabilities are on your network.”
I typically bucket all attack surface management activities within the prevention layer of your security program. An effective vulnerability management and remediation program is a key pillar in reducing the opportunity for threats to materialize.
With InsightVM, Rapid7’s vulnerability risk management solution, as the technology component, identifying, validating, and automating assignment of remediation projects and tasks has never been easier. By integrating an automation platform like InsightConnect into the technology stack, security teams can integrate directly with IT team processes through Jira, SCCM, and other DevOps tools. SOAR tools like InsightConnect are used across your security program to automate repetitive manual tasks and increase the efficiency of the specialists on your security teams.
Typically, the complications and failures experienced in vulnerability management programs aren’t in identifying and managing vulnerabilities, but rather in the coordination of mitigation and remediation activities. Unfortunately, this is an area where technology can only assist in facilitating an efficient and agreed-upon process. This highlights the importance of a balanced investment in your security program. When organizations understand the security program investment strategy, focus on the outcomes the program is trying to achieve, and are held accountable by metrics that all executives understand, process issues bubble up very quickly for action.
To relate the vulnerabilities that need remediating to the outcomes the program is trying to achieve, security teams need to prioritize the work they’re asking their counterparts in IT to perform. As such, security teams need to understand the potential technical impact of vulnerabilities, how the exploit is being used in the wild, and where in the enterprise the vulnerability exists in relation to the crown jewels we’re charged with protecting. That last sentence was a mouthful, so let me clarify: in order to effectively prioritize vulnerability remediation asks for IT, the security team must:
- Have a technical understanding of how the vulnerability and associated exploits work
- Understand how threats and attackers are using the vulnerability and exploits in the wild
- Know where (on which assets) the vulnerability exists in relation to where the organization keeps the data they want to protect
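One way to turn these three inputs into a ranked remediation list is sketched below. This is an added example, not Rapid7 or InsightVM code; the asset names, finding IDs, reachability graph, and weights are all constructed assumptions chosen only to illustrate the idea.

```python
from collections import deque

# Constructed sample data: directed "can reach" edges between assets.
REACHES = {
    "web-01": ["app-01"],
    "app-01": ["db-01"],
    "kiosk-07": ["print-01"],
    "print-01": [],
    "db-01": [],
}
CROWN_JEWELS = {"db-01"}  # assets holding the data the business wants protected

# Constructed findings; IDs are placeholders, impact is a 0-10 severity score.
FINDINGS = [
    {"id": "VULN-A", "asset": "kiosk-07", "impact": 9.8, "exploited_in_wild": True},
    {"id": "VULN-B", "asset": "web-01", "impact": 7.5, "exploited_in_wild": True},
    {"id": "VULN-C", "asset": "db-01", "impact": 6.5, "exploited_in_wild": False},
    {"id": "VULN-D", "asset": "app-01", "impact": 8.1, "exploited_in_wild": False},
]

def hops_to_crown_jewels(asset):
    """Breadth-first search: fewest hops to any crown jewel, None if unreachable."""
    seen, queue = {asset}, deque([(asset, 0)])
    while queue:
        node, dist = queue.popleft()
        if node in CROWN_JEWELS:
            return dist
        for nxt in REACHES.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None

def priority(finding):
    """Combine the three inputs; the weights are illustrative assumptions."""
    hops = hops_to_crown_jewels(finding["asset"])
    # Closer to protected data weighs more; unreachable assets keep a small floor.
    proximity = 0.1 if hops is None else 1.0 / (1 + hops)
    exploited = 2.0 if finding["exploited_in_wild"] else 1.0
    return round(finding["impact"] * exploited * proximity, 2)

def rank(findings):
    """Highest remediation priority first."""
    return sorted(findings, key=priority, reverse=True)

if __name__ == "__main__":
    for f in rank(FINDINGS):
        print(f["id"], f["asset"], priority(f))
```

With this sample data, the highest-severity, actively exploited finding lands last because its asset has no path to the protected data, while a moderate finding on the database itself lands first.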
This is an area where Rapid7 has been investing a lot lately. My team, Rapid7 Labs, participates in a multi-discipline team initiative aimed at responding to emergent threat events as they occur. We tackle vulnerabilities, threat reports, rumblings from where the attackers hang out, and anything identified by our various research projects like Heisenberg (our honeynet network) and Sonar (we know the internet). Over the past few months, the team has produced new vulnerability checks for InsightVM, new detections for InsightIDR (our SIEM solution), new exploits for Metasploit, and community posts on this very blog. Additionally, we maintain the content that drives the Threat Landscape view in InsightVM.
Making vulnerability information available to the other components of your security program becomes the next challenge. Your detection and response teams need to know which vulnerabilities exist within the technology ecosystem to assist in their threat triage and validation activities. Once again, Rapid7 makes this easy if you also use InsightIDR for threat detection and response. With the integration between InsightIDR and InsightVM, threat analysts get a real-time view into vulnerabilities identified during vulnerability scans.
Through all this, we haven’t covered application security programs as part of addressing this outcome. While I’d love to dive in, guidance on establishing an effective AppSec program will need another post!
3. “Increase employee awareness of security best practices to prevent issues from happening in the first place”
I really love seeing this one at No. 3. I firmly believe that a lack of understanding of how threats and attacks materialize in organizations leads to lopsided investments in security programs, resulting in a false sense of security. This certainly starts with the end user, but also extends throughout the organization, including in IT and security teams.
Unfortunately, as an industry, we have failed our organizations when it comes to coherent education. While I have a huge appreciation for documents like the NIST 800 series, the CIS Top 20 controls, and other best practices/standards, you’re likely to see your kids grow up and go to college before you’ve made measurable progress.
Now, there are some glimmers of hope out there. Organizations like OWASP and MITRE provide high-quality, free resources to build up appsec programs and detection and response programs (respectively). There are also great training organizations like SANS, but as much as I applaud what they’ve achieved, cost quickly becomes a factor.
So, we need more initiatives that offer free guidance and resources that not only help address specific components of security programs, but also convey the importance of a holistic program. This is the goal of the Security Program Framework research I’m conducting.
In addition to what you’re (hopefully) already doing with phishing education/testing, social engineering, basic infosec best practices, and who to contact for questions/reports, your program will need to target different audiences for different reasons:
- All Employees: Frequent updates/reminders on what the company is trying to protect. Frequent updates on techniques attackers are using.
- Management/Leadership: Frequent updates on security policies and guidance. Executive briefing on the security program. Frequent updates on key metrics from the security program. Frequent updates on cross-functional interactions.
- IT Technologists: Frequent “lunch-n-learn” style training where both teams present on technology and processes they’re using. Specific security training for the technologies they use. Secure coding training for engineers. Frequent reviews of vulnerabilities and red team findings.
- Security Technologists: All technologists should have an individual development and training plan that allows them to gain skills to better the infosec program.
Some surprises in there, right? You think of some of the things you do as “status updates,” but in reality, they are training opportunities that are going unfulfilled.
Regarding the last bullet for security technologists, I often advise security team leaders and managers to maintain a skills matrix of skills they know they need to deliver on outcomes. I encourage managers to work with technologists to establish learning paths based on those skill needs.
So there you have it. Now, I’m just scratching the surface here. The reality is that achieving these outcomes takes a lot of investment and time. However, my 25 years of experience in security programs have taught me one thing: The only way to build security programs is to simultaneously manage the attack surface, monitor for and respond to breaches, and drive remediation activities. We’re in this for the long run, folks, so buckle in and let’s go catch some bad guys.