Cybersecurity is on the precipice of change.
Sharing knowledge of successful security operations and lessons learned from the front lines has never been more important. And as organizations start to experiment with this concept, it’s becoming clearer that we are better as a united front.
After all, we’re all fighting a similar adversary. As products, vendors, and companies, we are all connected. We’re all in this together, whether we accept that truth or not.
But sharing isn’t just about bad IP addresses or indicators of compromise. We also need to share the workflows that help us move faster and get through more alerts on a day-to-day basis.
The quicker we catch threats, the more likely we are to shut them down before real damage is done.
What Do You Mean by Shared Security Workflows?
By sharing security workflows, I mean documenting the procedures that security practitioners use to detect and respond to attacks, and making that process repeatable. Sharing them also lets organizations evaluate which workflows are actually effective, so that no one is ever starting from scratch.
Here is a simple real-world example:
Let’s say your security team was notified about potential threat actor activity on your company's network. The indicator given in this case was an IP address. Here’s what might happen from there:
- A ticket is created and assigned to an analyst to investigate the intel indicator
- A security analyst examines network flow logs for connections from the indicator IP
- If hits from the indicator are found, the analyst investigates session and content data
- Analyst finds a user account on the company's network that the attacker is logged into
- Analyst searches the network for login times from that user across the enterprise
- Analyst finds other login attempts from different but related IP addresses
- The offending IP addresses are blocked from the network
- The legitimate user is notified and the account is suspended until remediation
- A remediation ticket is created and assigned to the appropriate team
- The initial investigation is now closed
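One way to make the workflow above repeatable is to encode its decision steps as code. This is an added example, not code from the post or from Komand; it runs the steps over constructed flow and authentication records, and it assumes that "related" IP addresses means addresses in the same /24 as the indicator, an assumption an analyst would tune per case.

```python
from ipaddress import ip_address, ip_network

# Constructed sample telemetry (not real data). Flow records: source IP, destination
# host, bytes transferred. Auth records: account, source IP, whether the login succeeded.
NETFLOW = [
    {"src": "203.0.113.10", "dst": "vpn.corp.example", "bytes": 48213},
    {"src": "198.51.100.7", "dst": "mail.corp.example", "bytes": 2210},
    {"src": "203.0.113.10", "dst": "files.corp.example", "bytes": 9921000},
]
AUTH = [
    {"user": "jdoe", "src": "203.0.113.10", "ok": True},    # attacker using jdoe's account
    {"user": "jdoe", "src": "203.0.113.44", "ok": True},    # same /24: related attacker IP
    {"user": "jdoe", "src": "203.0.113.45", "ok": False},   # failed attempt, still related
    {"user": "jdoe", "src": "192.0.2.5", "ok": True},       # the legitimate user's own IP
    {"user": "asmith", "src": "198.51.100.7", "ok": True},  # unrelated account
]

def related(candidate, indicator, prefix=24):
    """Assumption: an IP is 'related' when it falls in the indicator's /24."""
    return ip_address(candidate) in ip_network(f"{indicator}/{prefix}", strict=False)

def investigate(indicator, netflow, auth):
    """Run the workflow steps over the telemetry and return the outcome of the ticket."""
    # Step 2: look for connections from the indicator IP in the flow logs.
    hits = [f for f in netflow if f["src"] == indicator]
    if not hits:
        return {"status": "closed", "reason": "no flow hits for indicator"}
    # Step 4: find accounts the attacker successfully logged into from that IP.
    accounts = sorted({a["user"] for a in auth if a["src"] == indicator and a["ok"]})
    # Steps 5-6: pivot on those accounts and collect every other source IP they used,
    # including failed attempts. Related IPs are blocked; the rest (likely the real
    # user's own addresses) are left for the analyst to review rather than blocked.
    others = {a["src"] for a in auth if a["user"] in accounts and a["src"] != indicator}
    block = sorted(ip for ip in others | {indicator} if related(ip, indicator))
    review = sorted(ip for ip in others if not related(ip, indicator))
    # Steps 7-10: block, suspend, hand off remediation, close the investigation.
    return {
        "status": "closed",
        "block": block,
        "suspend": accounts,
        "review": review,
        "remediation_ticket": {"accounts": accounts, "evidence_flows": len(hits)},
    }

if __name__ == "__main__":
    print(investigate("203.0.113.10", NETFLOW, AUTH))
```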
The steps in this process are part of a security workflow. Of course, not everyone’s workflows are exactly the same. And oftentimes, workflows are unique to the organization’s needs. But that’s exactly why sharing is so valuable. As a community, we can share these use cases to determine the best course of action when potential attacks do occur.
Similar to the way GitHub enables developers to share solutions to common programming challenges, sharing security workflows can help everyone avoid reinventing the wheel and improve their security processes by looking at how others have solved the same problems.
And over time, members of the community will contribute to make these workflows faster, more efficient, and overall better.
How To Enable Security Workflow Sharing
In the same way that many organizations share security tools, development processes, and other open source projects, we as security professionals need to start sharing workflows for the greater good.
Here are some examples of types of security workflows that we should be sharing:
- Incident Response
- Alert validation
- Identity and access management
Of course, opponents of sharing workflows cite the potential negatives: enabling attackers to circumvent workflows and forcing organizations to be less secretive than they might want to be.
However, the way I see it, attackers are already many steps ahead of defenders. We’re simply playing catch-up at this point. And in many scenarios, attackers already have the knowledge they need to compromise systems, so making the response process public becomes a non-issue.
The positives also outweigh the negatives by a long shot. Efficient security teams, better overall security posture, and a community working together? I’ll take these any day over the alternative.
Making this Vision a Reality
As I mentioned above, we’re not far off from this cultural shift. But to get started, we need to start thinking about a standard of how and where we share. This will allow us to express processes in a sensible and repeatable fashion. What will this standard look like? Only time will tell, but Komand hopes to help facilitate the open distribution of security workflows and more in the future.
We have a vision. And that’s to help streamline security operations to be more efficient and thus effective. The community, and the sharing of workflows, is a huge part of this vision.