Welcome! To recap. We’ll be working through this book together to learn and grow our Blue team skill. Cuz the best offence can be a proactive defence. This book is a fantastic resource, especially for those who are starting out, or need a good overall reference. Based on my real-world experience,I believe it should be a desk reference, and part of any security curriculum. I am going to go on Amazon and say that infact!
Now. Chapter 1: Creating a Security Program. That does not just magically happen. And yet, we really wish it could because everyone needs a good security program in place. If you’ve ever tried to clean your kid’s room, you’ll understand how daunting this can be. Where do you begin? Well, as our insightful authors Amanda and Lee point out, we don’t need to reinvent the wheel. They’re right. They refer to the NIST framework, which I can tell you I get to use on an almost daily basis when doing security audits (let’s not go there, ok?) You want to work from best practices, existing and proven standards that are used to hold organizations accountable ie compliance standards. Good news! Amanda and Lee will take us through all that fun in Chapter 8.
So Point 1: Have the right team in place. You need the right people in the right role to make the right decision. The book recommends establishing 4 main teams: Executive, Risk, Security and Audit. I will tell you from experience that if you don’t have Exec buy in from the get go, you will find yourself spinning your wheels. How do you get that? Speak to the suits in their love language – Risk. And you need Audit to bring the flowers &b chocolates to their door. And yes – this is from my daily reality. Plus, audit lets you put everything down, and organize it, which makes it easier to track things, and reorganize things. Because you cannot secure what you don’t know.
Point 2: Set a Baseline. I love talking about threat intel (holding back – self-control) and how to make it relevant. This is how you make it relevant. What’s your normal? That’s your baseline. Because how else will you know something went bump in the night? The attackers are wery wery quiet. And believe me, they are in your network like those darn carpenter ants are in the woodwork. So this will be a fact gathering mission, and you want to do it well, Plus set it up with automation, and updates. SInce Asset mgmt is the next chapter, so we’ll leave that alone for now.
Point 3: Threat/Risk Assessment. This is challenging, and a learning process for those starting out. The concept of risk and being able to articulate it to business is way hard, I’ll be honest, and I am very good with words. What we in security think is a threat has to be explained in terms relevant to the organization we serve. That’s the crux right there. It’s not what we think so much as what they understand. And true – unless it negatively impacts the organization’s bottom line or existence then even if we think it is a risk, it isn’t. So, you need a parlay with the suits to know how the organization is defined in terms of threat and risk. Then, when Patch Tuesday comes, you can look at what is critical and determine if that is critical to your organization and why as you justify the need to make adjustments to your regular patching cycle (real world). 4 steps process: Assess, Mitigate, Monitor, Prioritize.
Point 4: Practice and Prepare. Are you as ready as you think? So, I like to talk about why everyone, everyone needs a good Disaster Recovery/Business Continuity plan in place. And that means one that has been tested, so that people know how it works, and how they work with it. Let your inner kid come out for this because you need to play “What If” to do this right. There are things called Table Top Drills that are so good especially for addressing ransomware and DDoS scenarios. Or Sharknado. Lol! As stated in the book “testing of tabletop exercises and drills can serve as a proof of concept”. Amanda and Lee are right on the money by stipulating your need participants from across the org like HR, Legal, Marketing, Finance etc. Infact, they provide such a good explanation you should be able to go do one.
Now, I love that the book has used a great tool, the Intrusion Kill Chain, to explain how to think through an event scenario. I happen to be a HUGE fan of the Cyber kill chain (Lockheed Martin), the extended cyber kill chain, and ATT&CK matrix by MITRE.
Point 5: Learn and Grow. The chapter finishes by encouraging us to expand our knowledge and skills through home labs and projects, CTFs, conferences and mentoring. I have done all of these and YES! It’s not hard to do and so rewarding you’ll want to make time. Because my friends, learning never stops in InfoSec. To paraphrase the wise and wonderful Leslie Carhart aka @hacksforpancakes (on the July 11 Down the Security Rabbithole podcast) “It never stops. This job never stops. And if you want to be good at it, if you really want to be good at it, you can’t stop.”
Because it’s not just what we do, it’s so much about who we are. Til next time!