If you have read this entire blog carefully, it should be very clear that the old approach to security cannot keep up with today's challenges and threats. For this reason, it is important to ensure that your security posture is prepared to deal with these challenges. To accomplish this, you must solidify your current protection system across all devices, regardless of form factor. It is also important to enable IT and security operations to identify an attack quickly by enhancing the detection system. Last, but certainly not least, it is necessary to reduce the time between infection and containment by responding to an attack rapidly, which means improving the effectiveness of the response process.
Based on this, we can safely say that the security posture is composed of three foundational pillars, as shown in the following diagram:
These pillars must be solidified, and while in the past the majority of the budget was put into protection, it is now even more imperative to spread that investment and level of effort across the other pillars. These investments are not exclusively in technical security controls; they must also be made in the other spheres of the business, which includes administrative controls. It is recommended to perform a self-assessment to identify the gaps within each pillar from the tool perspective. Many companies evolved over time and never really updated their security tools to accommodate the new threat landscape and the way attackers now exploit vulnerabilities.
A company with an enhanced security posture shouldn't be part of the statistics previously mentioned (229 days between infiltration and detection). This gap should be drastically reduced, and the response should be immediate. To accomplish this, a better incident response process must be in place, with modern tools that can help security engineers investigate security-related issues. Incident Response Process will cover incident response in more detail, and Investigating an Incident will cover some case studies related to actual security investigations.
Assume breach:
Due to the emerging threats and cyber security challenges, it was necessary to change the methodology from prevent breach to assume breach. The traditional prevent breach approach by itself does not promote ongoing testing, and to deal with modern threats you must always be refining your protection. For this reason, adopting this model in the cyber security field was a natural move. When retired Gen. Michael Hayden, former director of the CIA and the National Security Agency, said the following in a 2012 interview:
many people didn't quite understand what he really meant, but this sentence is the core of the assume breach approach.
Assume breach validates protection, detection, and response to ensure they are implemented correctly. To operationalize this, it becomes vital that you leverage Red Team/Blue Team exercises to simulate attacks against your own infrastructure and test the company's security controls, sensors, and incident-response process. In the following diagram, you have an example of the interaction between phases in the Red Team/Blue Team exercise:
It is during the post-breach phase that the Red and Blue Teams work together to produce the final report. It is important to emphasize that this should not be a one-off exercise; instead, it must be a continuous process that is refined and improved with best practices over time.