The Four Building Blocks for Any Security Team
July 15, 2021 • The Recorded Future Team
The COVID-19 pandemic has increased the attack surface as many organizations shifted to remote work and introduced new access points that threat actors could potentially use. For security teams—already faced with growing challenges, large workloads, and questions on how to prioritize their efforts—this shift forced a look inward at their own processes and strategies. What are the true threats facing the organization? What tactics are threat actors using? Which methods are best suited to defend against an attack?
During a Recorded Future webinar called “Control What You Can in Today’s Uncertain World with Intelligence-Driven Security Workflows,” an interesting question came up that led the panel into a conversation about the basic building blocks any security team should be considering, and yielded some actionable steps toward answering the questions laid out above.
Dave Sauer, Global Director of Technical Alliances, asked the panel what “back-to-basics” means to them in terms of orienting a security team for operational efficiency. Essentially, the question was: how do you define the basics of security operations?
Lou Fiorello, VP and GM of Security Products at ServiceNow, instantly hit upon the four characteristics that he believed any security team should be thinking about.
“Do you know where you are from an attack surface standpoint,” asked Lou as he introduced the first building block, visibility. The ability to actually understand what attacks you are facing and where your organization is vulnerable is crucial for building a defense strategy. There are millions of threats, vulnerabilities, and exploits in the wild, but if you don’t have visibility into how your organization fits into that larger ecosystem, you will simply be guessing in the dark.
As mentioned above, there are too many threats in the wild for any one organization to be able to track everything. This means that the best strategy is to choose your battles and defend against the things that can cause the most harm. As Lou put it, security teams need to ask themselves the question, “Am I working on what’s most important?” If the answer is no, then your organization is at risk.
For more information on how to properly allocate resources, read our whitepaper on prioritizing what matters most.
Once you’ve properly identified the attack and recognized its priority, how does your security team respond? What processes are in place to handle the various types of threats you are sure to encounter?
“When I’ve identified something I need to work on, do I have the right process in place? Am I tracking the process?” Fiorello asked as he put himself in the shoes of a security professional. Without the right process in place, response times will suffer and leave an organization open to attacks.
No man is an island, as the saying goes. An individual cannot properly protect an entire organization against all attacks even with the right processes in place. Security operations is a collaborative effort.
“A lot of security processes are just within the security organization but they stretch across to IT, GRC, and development. Are the teams enabled to collaborate in the right ways? Are they all reading off the same sheet music,” asked Lou. When you’re considering your organization’s security posture, think about the other teams it will impact and how you can prepare for efficient collaboration.
Supporting the Foundation
As he spoke about those viewpoints, Lou touched on an aspect that every security team needs in order to inform the basics: intelligence. “Intelligence really comes into play in a few areas, but I think in particular in prioritization—am I working on the right things?” He continued the thought, “I think it’s also an element in visibility too. You want to view your risk through the context you have, maybe it’s business service context, maybe it’s an attack actor context. I think [intelligence] plays on multiple levels.”
Another panelist, Stu Solomon, Chief Operating Officer at Recorded Future, added some additional thoughts on the building blocks for security teams. “I would add one additional element to it, and maybe it’s really a sub-element to prioritization, which is context,” he said. “That notion of, to do the things you need to do you need to understand a little more of what you’re seeing and be able to connect the dots.”
The third panelist, Tom Sweeney, VP of Sales at Iceberg Networks, also had an idea for an additional foundational aspect. “The other one I would add is awareness. With organizations trying to remain as resilient as possible through the pandemic … a really in-depth robust awareness program across organizations is something that I think is a key element for back-to-basics teams that sometimes gets missed,” he said.
External vs. Internal Threats
During the discussion, a question came in from the audience: what about insider threats? The conversation had mostly related to external threats, but the question prompted the panel to consider how the building blocks they had discussed would apply to an insider threat.
“I think insider threat scenarios would be equally critical,” said Stu. “The way I define an insider threat is somebody that has either malicious or non-malicious intent but creates an outcome that’s not favorable to the desired use based on otherwise privileged access. In those kinds of scenarios I think they equally apply to this discussion as we talked about digital transformation and extended boundaries, it lends even more opportunity to misconfiguration for privileged access breakdowns.”
Stu finished his thoughts on insider threats by agreeing they should be considered in the context of the building blocks that had been touched upon. “Whether an individual is knowingly taking the action or is perhaps socially engineered, or otherwise manipulated to take action using their otherwise privileged access, you could get the same outcome. I would absolutely add that to the process.”
Tom agreed with the assessment, especially in the context of collaboration. “When you think of insider threats there’s really that need for coordination across the platform. I think those use cases all come together from this enterprise case management perspective. Obviously, that need for cross-team coordination really drives this workflow conversation and this need for intelligence we’re talking about today.”
To wrap up the discussion, Stu talked about the need for baselines: having an understanding of normal activity makes it easier to determine when something is askew. “One other element in going back-to-basics is: I need to understand my baseline of what normal looks like and I need to be able to identify when there’s a deviation from the expected norm, regardless of whether it’s coming from the inside or the outside,” he said.
“You have to have that baseline of knowledge, understanding, and basic visibility before you can really even worry about some of the advanced threats.”