In a perfect world, security teams have everything they need to defend against the complex cybersecurity threat landscape: an enviable team of security pros, sophisticated detection and prevention processes, and intelligent alerting and reporting tools.
But in reality, most teams and security operations centers find themselves struggling to keep pace. And whether it’s from an imbalance in people, process, and technology, or a data utilization problem, security teams end up in a reactive state: too many unanswered alerts, people unable to respond fast enough, and breaches falling through the cracks.
A reactive state is not a sustainable pace for anyone, let alone an entire team. You will quickly burn out (if they haven’t already), and the situation will become worse. Which is why we came up with a few ways to tackle the reactive problem.
While it may take time to do an about-face on a reactive security culture, addressing and installing proactive measures into several key areas can change the tide and make for some quick wins.
1. Have the Right Strategy for Your Organization’s Most Common Threats
In the world of information security, it’s a common viewpoint that your organization has already been compromised. So instead of focusing your security team’s energy on passive detection and prevention-only measures, it’s wise to balance between prevention and active searches for compromises.
To understand your organization’s most common threats, you must first understand your environment and the threats you’re likely to face. Here are a few questions to help determine these threats:
- What assets are you trying to protect?
- What are the most common attacks on these assets?
- What attacks have occurred in the past?
- What were previous attack vectors like, and what systems did they compromise?
- What were previous vulnerabilities in your systems?
These questions pinpoint what attackers could target or have actively targeted in the past, giving you an idea of where you need coverage. The kind of coverage you may need includes people with certain skills, distinct processes, and tools that are optimized for specific threats.
Just starting out, and don’t have attack history? Here are some common attacks your org could face:
- Brute Force Attacks
- Denial of Service (DOS)
- Malware (viruses, worms, trojan horses, etc)
- Social Engineering
- SQL Injections
On the topic of tools and products: just because a tool can supply coverage doesn’t mean it’s the best tool for your environment. Which leads me to my next point.
2. Don’t Just Check a Box on Tools, Put the Right Ones in Place
With the plethora of security products out there today, it seems easy enough to buy a commercial product that checks a box for a specific challenge or compliance need in your security operations. But that doesn’t mean this tool is the right one for the job, let alone for your unique environment.
If it doesn’t fit, the tool will either be left sitting on the shelf collecting dust, or it will make your team’s job much harder by including it in their current workflows, adding complexity and inefficiency to processes (and possibly a higher margin of error).
I wrote a previous post on how to select and implement security technology, but ultimately selecting the right tool for the job comes down to a few questions:
- Do you have the right people in place to use and fine-tune the tool?
- Is the tool being added with strategic context?
- Does it fit your goals and measures of ROI?
- Does it connect with existing tools and systems?
- Is it cost effective?
It’s also crucial to conduct a proof of concept (POC) for any candidate product to see how well it actually performs in your environment. You may find after a POC that a tool doesn’t work as well as expected, or that it fits perfectly and streamlines existing workflows.
3. Train Your People on Proper Policies, Procedures, and Processes
Security isn’t just the responsibility of the security team alone. We wrote about ways to cultivate a culture of security ownership across your organization not too long ago, and among the ways to do so are:
- Align security with business value
- Empower everyone to be security advocates
- Train teams and give them the right tools to succeed
- Gamify initiatives and measure the results
- Create an open feedback loop and implement constant improvements
On top of training ALL of the people in your organization on security awareness, policies, and procedures to keep information within the company, it’s also important to properly onboard security staff. This includes well documented and easily accessible security processes (think incident response, event escalation, vulnerability management, etc.) on top of other internal knowledge of teams, tools, and system architecture.
Finally, assigning mentors to new security team members will ensure they learn the ins and outs, as well as succeed in the organization and their career growth.
4. Set Clear Roles, Responsibilities, and Expectations
Defining specific roles and responsibilities amongst your security team is crucial for efficient and effective incident response and security operations.
When expectations are set, people know where they fit into the process, and when it’s their time to jump in during an incident, process, or project. Setting clear roles breeds alignment amongst the team and the greater organization. It also ensures that no events fall through the cracks, and every potential incident is handled in a decisive manner.
You can read more about defining roles and responsibilities of security teams here.
5. Think Like an Attacker
Achieving proactive security measures requires a specific mindset. In our Defender Spotlight interview with Will Lefevers, one of the best pieces of advice he gave was, “Study the enemy. Skip the CEH, ignore the CISSP, go straight for the OSCP. Think like an attacker.”
Thinking like an attacker allows you to approach the process in a different manner. Instead of thinking about how your defenses are intended to work, think about how your defenses actually work in this moment. Know the strengths and weaknesses, and be prepared for how attackers will expose your systems, then plan to diverge from the attack path.
6. Invest in Vulnerability Assessments, Pen Testing, and Risk Analysis
While each of these concepts require a varying level of difficulty, it’s important to understand the weaknesses in your systems, as well as the probability of attack and the impact it could have.
At a bare minimum, performing regular vulnerability assessments can help patch up low hanging fruit, and can oftentimes be easy to automate.
Penetration testing can build upon vulnerability assessments, but can be difficult to do correctly. So have experienced practitioners perform this type of testing with specific frameworks and goals in place.
Risk analysis, while difficult and possibly costly, will help evaluate the vulnerabilities and threats to your organization, and determine the cost/benefit analysis of fixing them.
7. Test Your Incident Response Processes Often
Similar to penetration testing or red teaming, testing your incident response processes are no different. Whether you hire an outside agency to conduct tests, or you internally simulate a targeted attack on your systems, testing your incident detection and response processes will help you discover gaps in coverage and areas of slowness.
Testing these processes will prepare your security team for real-world scenarios, which provides them experience and helps speed up the process and produces faster response times. Testing also allows you to reevaluate your security processes to identify gaps.
Remember, it’s a good idea to test and re-evaluate processes when new personnel join the team and/or new technologies are introduced to be sure they still works as intended.
8. Always Have Data Backups (and Make Sure They Work)
For remediation purposes, you may need to restore from backup more times than you’d like. So having your information backed up and in a safe spot allows your team to act fast without fear of data loss.
9. Connect Your Tools and Systems, and Automate as Much as Possible
A big problem in our industry is unconnected tools and systems. This forces security practitioners (analysts and incident responders alike) to jump from system-to-system, manually fetching data as well as performing other time-intensive security tasks.
Not only does this slow incident response times and reduce efficiency, but it also leads to a higher margin of error. If a process is repetitive and well defined, it can and should be automated. (Here are the top 5 processes that should be automated).
Having a connected environment with automated workflows will free up much of your teams’ time to do more proactive security defense. You can still leave analysis to humans, but simple tasks like fetching threat intel or posting escalation messages to Slack can easily be automated.
10. Lay the Groundwork for Threat Hunting
While not a new concept, threat hunting is catching on with security professionals, and rightfully so. Threat hunting is a truly proactive process of actively seeking dormant threats within your systems. But in order to even begin applying these concepts to your security operations, you have to become truly proactive in your security efforts.
The goal for threat hunting is to allow teams to have a constant, proactive, and iterative process involving specific methodologies, people, and tools to seek out these advanced threats hiding in your network and systems.
Sqrrl laid out a threat hunting maturity scale, which helps determine where you’re currently at and more advanced stages in the model. These include:
- HM0 Initial: Automated alerting is in place, and teams focus attention on alert resolution
- HM1 Minimal: Routine collection of IT data (of a few types), and tracking of threat reports from open and closed sources
- HM2 Procedural: Collection of large amounts of data across the organization, and teams learning and applying threat hunting procedures from external sources
- HM3 Innovative: A team of hunters on staff, and the creation and publishing of procedures and techniques
- HM4 Leading: The same as HM3, but adding automation to the process
Of course, you can’t even begin applying threat hunting concepts if you don’t accept you’ve already been compromised, which brings us full circle to our first point: the right mindset for proactive security measures.
Achieving Proactive Security Measures
While this list is by no means a finite number of ways to be proactive, it’s a start to help get you going in the right direction. Switching from reactive to proactive will also take time, dedication, and budget. So just because it may not be a night and day switch does not mean you should give up on proactive measures.