On the Rapid7 Labs team, we’re constantly looking for ways to give defenders a boost in the work they need to accomplish. Most of the time, this manifests in research projects focused on detection and response, IoT, and attack surface management, but sometimes, it results in best practices-style research.
In this blog post, we will present one such project: the security program framework. Our intent in this research project is to propose a framework by which most organizations can understand, evaluate, roadmap, and execute on their security programs. While many aspects of this project are still being figured out, one thing is certain: we want to use our knowledge and experience to create a resource for business leaders, security program leaders, and technologists to guide them through achieving business outcomes in their infosec programs.
To kick it off, we believe the first three questions we need to ask ourselves when justifying the existence of an infosec program are:
- What do we need to protect?
- Where is it?
- Who do we need to protect it from?
Without complete and mutually agreed-upon answers to these questions, we cannot properly plan, execute, or manage our security programs.
What do we need to protect?
Knowing attackers’ motivations can help us determine what we have that is of value to attackers. Cyber-attacks are typically motivated by the following six reasons:
- Monetary theft: Where there is money to be stolen, attackers will come.
- Financial gain: While not directly stealing money, attackers are stealing data that can be resold for profit.
- For-hire: An attack group is hired to perform a given task. We see lots of for-hire activity in industrial espionage.
- Ransom: Attackers will disrupt normal operations of a business by holding data, systems, or networks hostage for ransom.
- Opportunistic: When everyone always forgets to lock their car doors, you’re going to have teenagers rummaging through your change cup.
- Disruptive: Some attacks just aim to disrupt operations for personal motivations. Those motivations may be vindictive in causing harm to the brand, or political/nationalistic in nature.
Most organizations will look to protect the following:
- Brand: Companies want to protect their brand from bad press and keep control of the official voice of the brand.
- Operating finances and operating finance processes: Protecting the way that the business makes and spends money ensures the security program is defending against financial theft.
- Employee/customer/partner PII: Many laws and regulations put the liability of data protection on the business that stores and processes it.
- Technology infrastructure: Many businesses cannot operate at all without technology.
Specialized organizations may also include:
- Customer financial information
- Customer health information
- Intellectual property
- Classified data
- Control systems
By understanding what is going on in the cyber-threat landscape, we can better understand what attackers are targeting and prioritize our defenses. Creating and prioritizing this list with business owners (executive team, board members, etc.) ensures that our security program investments are prioritized based on what matters most to the business.
Where is it?
A complete answer to this question will plague every business IT and security owner until the end of time. It’s relatively easy to come to a common understanding of what is valuable and needs protection, but figuring out where that thing is requires great patience, technology, and imagination.
Let’s start with the easy things, data and money:
- Can you find all instances of personally identifiable information (PII) within your systems? Attackers probably can.
- Do you know which systems have access to the PII? Attackers probably do.
- Do you know the process for getting invoices paid? Social engineers do.
- Does your company hold any patents? Your competitors know.
- Who does M&A, and how do they do it? Your competitors know this, too.
So, even the easy things become difficult when trying to answer this question. However, there are no shortcuts here, and this step cannot be skipped. Organizations that do skip this step tend to wind up in the news.
We’ve determined that even the easy part of answering this question is hard, so what about the hard part?
- How do you find out where the company reputation lives?
- How do you know if your business is likely to be targeted for ideological reasons and where those ideologies are kept?
- How do you know where a business process lives?
Infosec isn’t just about technology—it’s about protecting people using technology. The end goal of attackers isn’t always data at rest. It might be data traversing an application. It might be trust and access your organization has. It might be getting a fake invoice paid through social engineering.
The end goal with answering this question is to understand where you have to apply your scarce resource for the best possible return on investment. When you only have so much you can do, applying what you have to protect to what matters most to the business is imperative.
Who do we need to protect it from?
If you’ve made it this far in answering these questions, we commend you. Few make it past “I’ll just try to apply random best practices to my security program and hope for the best.”
Now is where the fun begins. You know what you have to protect, you know where it is, and you know how the business uses it. Once you understand who and what you are protecting your crown jewels from, you can find out how attackers are going to go about conducting their attacks.
Answering this question can be as broad or as specific as your program dictates. Getting very specific will result in narrow solutions that address a narrow segment of threats, while staying broad will result in adaptive solutions that address a broad segment of threats.
- Too specific: You've determined that you have widget designs stored on a file server that will probably be targeted by APT1098, so you block the malware most often used by that group.
- Just right: You've determined that you have widget designs stored on a file server that will probably be targeted by hackers for hire, so you segregate the file server to a restricted network zone, apply restricted access controls, create custom alerting for unusual user behavior accessing the file, and roll out a rule in your DLP to terminate transmission of the data.
- Too broad: You've determined that your technology must remain operational and that you'll probably be targeted by ransomware, so you do not allow users to browse the internet or use email.
- Just right: You've determined that your technology must remain operational and that you'll probably be targeted by ransomware, so you roll out thin-client desktops that connect to a virtual desktop infrastructure that employs endpoint next-gen AV, sandboxing for browsing and email activity, and is constantly backed up.
The goal of asking this question is to understand which protections you must roll out to prioritize defending against the techniques used by the threats most likely to affect your organization. You can also use this question to drive the development of a threat-based approach to security program development where you can use a framework such as the MITRE ATT&CK Enterprise matrix to plan, build, and measure the effectiveness of your security program.
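One way to make the "too specific" versus "just right" comparison above measurable, as an added example that is not part of the original post: given a prioritized threat list and a set of candidate controls (both constructed sample data here; the ATT&CK Enterprise technique IDs are real, but the attributions and control coverage are illustrative), it reports which of those threats' techniques remain uncovered and ranks controls by how many attack-chain phases they disrupt.

```python
"""Threat-driven control coverage check. Added example, not Rapid7's tooling.
The threat-to-technique and control-to-technique mappings are constructed
sample data; a real program would take them from MITRE ATT&CK group profiles
and its own control inventory. Technique IDs are real ATT&CK Enterprise IDs,
but which threat uses which, and what each control covers, is illustrative."""

# Constructed: techniques, grouped by tactic, attributed to the two threats
# this business decided it most needs to protect its crown jewels from.
THREATS = {
    "ransomware": {
        "initial-access": {"T1566"},   # Phishing
        "execution": {"T1204"},        # User Execution
        "impact": {"T1486", "T1490"},  # Data Encrypted for Impact, Inhibit System Recovery
    },
    "hackers-for-hire": {
        "initial-access": {"T1078"},   # Valid Accounts
        "collection": {"T1005"},       # Data from Local System
        "exfiltration": {"T1048"},     # Exfiltration Over Alternative Protocol
    },
}

# Constructed: candidate controls and the techniques each mitigates or detects.
CONTROLS = {
    "block-one-groups-malware": {"T1204"},                       # the "too specific" option
    "sandboxed-mail-and-browsing": {"T1566", "T1204"},
    "segmented-file-server-with-dlp": {"T1078", "T1005", "T1048"},
    "continuous-immutable-backups": {"T1486", "T1490"},
}

def uncovered_techniques(threats, controls):
    """Techniques of each prioritized threat that no deployed control addresses."""
    covered = set().union(*controls.values()) if controls else set()
    return {name: {t for techs in phases.values() for t in techs} - covered
            for name, phases in threats.items()}

def phases_disrupted(threats, controls):
    """Map each control to the (threat, tactic) pairs it interrupts; more pairs
    means the control breaks more phases of the attack chain."""
    return {cname: {(name, tactic)
                    for name, phases in threats.items()
                    for tactic, techs in phases.items() if ctechs & techs}
            for cname, ctechs in controls.items()}

def rank_controls(threats, controls):
    """Controls ordered by how many attack-chain phases they disrupt (ties by name)."""
    hits = phases_disrupted(threats, controls)
    return sorted(hits, key=lambda c: (-len(hits[c]), c))

if __name__ == "__main__":
    for control in rank_controls(THREATS, CONTROLS):
        print(control, sorted(phases_disrupted(THREATS, CONTROLS)[control]))
```

Deploying only the single-group malware block leaves every other ransomware and hackers-for-hire technique uncovered, which is exactly the gap the "just right" bullets close.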
We know that answering these questions can seem impossible—and even if it doesn’t seem impossible, you’ll likely spend several months, if not years, in meetings trying to figure this out. However, the time investment you make here will pay off in spades when you can demonstrate that your security program addresses the most pressing threats to your business and that you’ve rolled out controls that have the ability to disrupt multiple phases of the attack chain.