Cyber-Security, the Continuous Life-Cycle (Part I)

This is a two-part article on the continuous life-cycle of operational cyber-security. I hope you find it of value.

I was once at a dinner for a local non-profit here in San Diego when I was asked by my boss, the Mayor, the dreaded question all CISOs hate to hear: “Just how secure are our networks?” I at first thought to myself – well, my resume is up to date <grin>, just kidding, but really that’s a loaded question to answer as a CISO. So I looked back at him and told him, “It’s a work in progress.” Of course he really wasn’t sure how to take that answer, so I proceeded to tell him that networks are like living entities: they need to be managed and cared for, and cyber-security is part of this ecosystem. I then explained to him that cyber-security is a continuous life-cycle and that my team and I, with our partners and departmental stakeholders, work on it daily and this continuous process never ends. He felt better after this discussion; however, I got to thinking about how I could describe this life-cycle and share this knowledge with our community.

So with that in mind, the two-part article to follow is how I have come to view cyber-security as a continuous life-cycle. As cyber-security professionals we are required to assess the deployed applications and technologies in our enterprise environments and identify the risks associated with them to protect our organizations. In doing this continuous assessment, we never come to a stopping point where we say, “All done, nothing else is required, we are totally secure”. I personally think that would be awesome and a reason to celebrate with cold beverages, but in reality the threats we face are dynamic and constantly changing, hence why I believe cyber-security is a continuous life-cycle. Now this doesn’t mean this is the only cyber-security life-cycle, I have seen several that revolve around security by design, threat management, enterprise risk assessment, APT, incident response etc. - this article is about cyber-security as an operations based continuous life-cycle. It is presented from the viewpoint of a CISO or security team leader who must lead their teams in the daily operations of cyber-security.

So now that I have made that distinction, let’s discuss the five steps of this life-cycle. To begin with, it should be noted that these five steps will require knowledge and skill-sets normally beyond one person’s knowledge and, as I have stated before, “Cyber is a team sport”. What this means for you: to do this life-cycle correctly you will need all of your team members, stakeholders, partners, etc.; it will take everyone together to effectively manage this life-cycle. So let’s get down to these steps. As I name them you will see there are several used by CISOs to evaluate their security programs (articles I have previously written – interesting how they are linked) and several more that form feedback loops to regulate remediation tasks until the resultant risk under scrutiny has been reduced to an acceptable level. The five steps that make up cyber-security’s continuous life-cycle are:

Step #1 – Inventory

Step #2 – Continuous Assessment

Step #3 – Continuous Scanning

Step #4 – Remediation

Step #5 – Continuous Monitoring

Step #1 - “Inventory”: In the first step of the Cyber-Security Life-Cycle, it’s about visibility for you as a CISO/security team leader and your team. There are five components that make up this step, these components are:

  • Human Network
  • Reports
  • Architecture
  • Budgets
  • Work processes/policies

1. Human Network – this first component consists of your team and their skill sets and experiences. It also consists of any 3rd party contractors/partners that fall under your purview and the services they provide (review contracts & SLA metrics). The last part of this component and one of the most important is your network of peers. You have the peers you interact with within your organization, they are your stakeholders, and you have the peers you associate with professionally outside your organization. I mention the human network as the first component because it is like a living organism that is crucial for you and your team. This human network is what you will use as a cyber-security professional to move projects forward, to assess risk across departmental business units and to get advice from peers on issues you have never seen before. You should always look to manage this network on a continuous basis, which includes you providing information and assistance to those who ask. You will need this network so don’t neglect it. Let’s move on.

2. Reports – this component consists of reviewing the collection of reports and contracts you have with your 3rd-party stakeholders and any previous audit/compliance assessment reports. When reviewing any managed service contracts that fall under the scope of your position, I would recommend you periodically review the contract and any SLA reports/deliverables to keep fresh what you should receive from your vendors/partners. This review of contracts and reports will keep you familiarized with agreed upon SLA measurements and will give you a baseline to verify services are being delivered at an acceptable level. I also would recommend you review other service level objectives with your vendors/partners: response times, deliverables, service demarcation, roles & responsibilities, support metrics, incident handling guidelines, etc. are all important elements of a good vendor/partner management review. Doing this as part of Inventory will keep you current with the relationship you have with your vendors/partners, and whether they are meeting contracted services or there are issues you will need to address.

The next part of this component is to periodically review previous audit and compliance assessments. The findings from these reports will help you prioritize projects, remediation efforts and other risk reduction activities. Remember, these reports provide a “moment in time” view of how your organization’s enterprise IT portfolio measures against compliance and regulatory frameworks. You will want to periodically review these reports and update them if you are tracking remediation efforts recommended in their executive summaries. All of the recommendations should be followed up in a separate review by yourself and your team to verify if they are still applicable. If you have outstanding remediation work, this should be listed and assigned a priority based on risk to the business. Remember, the business will make the decision as to which ones pose the highest risk to the organization and need to be remediated first.

3. Architecture – for this component to properly protect your organization, you must have an updated current picture of your enterprise IT environment. To do this, you will need to continually educate yourself on how your networks are configured, how enterprise data is stored, processed and transmitted through your enterprise infrastructure as well as what software applications are in your organization’s software portfolio. Equally important, and frequently overlooked, are 3rd-party applications that tend to be procured outside of the standard IT budget process. Vendor management has significant security implications that should never be underestimated as you update and manage your inventory.

So with that said one of the crucial steps under architecture is to collect, update and manage copies of all available network drawings. Hopefully, your organization has a mature network management team and these documents are stored in a centralized document repository. If this is not the case, then this will be a warning to you that the data you need to properly do “Architecture” may be held by multiple stakeholders, across multiple departments, and you will need to use that human network of yours to collect these documents. Once collected, this information should be thoroughly vetted for accuracy and completeness by your team and stakeholders.

Some important information that you should note when reviewing architecture documentation is as follows:

  • Corporate networks connections
  • Connections (internal, external, remote)
  • VLANs, subnets, IP addressing schemes, segmentation
  • Deployment of security suite assets
  • Gaps in security coverage, single points of failure in architecture
  • Location of enterprise architecture segments
  • Location of network assets (Buildings, Cities, Countries)
  • Points of egress/ingress into network nodes.

As you review and update this information, write down questions for subsequent discussions with your team and stakeholders. Try to visualize your network environment, lay network drawings side-by-side and view them with the frame of mind of one of your stakeholders. Picture yourself as a member of Human Resources or Financial Management and, with that viewpoint, think about how data moves within your key systems and applications. This insight helps document potential application-layer risks and helps with information classification. I have found doing this visualization will often lead me to have questions about how data flows in a datacenter or in a cloud solution that is used by a business unit. Numerous times these questions will be the result of new technologies that were installed but never documented. Watch out for this “shadow IT” and/or “shadow cloud”; it can be a brutal hit to plans for reducing risk exposure.

As you finish with updating your network documentation, one last recommendation: don’t forget to verify and review your hardware & software inventory, effectively “asset management.” Here I would ensure your organization has some type of IT Asset Management (ITAM) program and it is being updated. Information found in the ITAM program is critical for assessing the status of your network and security suite hardware and software. Some of the information that will need to be periodically verified and kept current is as follows:

  • Hardware model, serial number, type & quantity
  • Age of hardware asset
  • Warranty information
  • Location of asset
  • Contract data for asset
  • Financial data (costs associated with its life cycle)

As you do when verifying the hardware assets, you should also review the software assets in the ITAM system to continually educate yourself on your organization’s changing software portfolio and ensure it is current. Some of the software information that needs to be managed includes:

  • Software titles, types & versions
  • Software license counts
  • Software location (Department or Business Unit specific)
  • Custom Code, Cloud Solution, COTS Solution
  • Contract data for asset

Having visibility into the types of installed hardware and software assets will assist you and your cyber-security team as you do the remaining steps in the cyber-security life-cycle. Having the “correct” data under “Architecture” is critical, you can’t protect it and remediate risk to your organization if you don’t know it exists. You may also recommend incorrect security controls if that data is incorrect so make sure you keep this information current.

4. Budgets – You will want to periodically review your current budget and previous budgets, (I typically look at my current budget at least monthly). Within your budgets, you will have annotated fixed and discretionary costs that are allocated to your team and I have found over time I like to analyze these budgets for trends. I want to look at them to understand what fixed software and hardware maintenance costs are my team’s responsibility and any discretionary costs that may have been allocated to my team’s budget over time. I also look at these budgets to verify specific issues such as – have the funding levels ever changed? Have there been previous budgets that if the business case is made, projects were funded with little or no issues (yes I know this is a fantasy)? This type of insight into your team’s budget is critical for planning the remediation work you will periodically have to manage to reduce any risk exposure to your organization. This honestly happens more often than you think. If you upgrade or install new technologies, the security controls you may need to put in place for this technology to be effective could be an unplanned cost that you may be forced to absorb.

After you have reviewed your budget and have made note of any issues or changes that you think will be important, you should also review your department’s and/or your organization’s budgets. One critical point I want to reiterate, “Your security team doesn’t exist in a vacuum, it, however, will excel in a Community.” Part of your team providing superior value to your organization is you understanding the financial health of your organization. It doesn’t help to find out after you assess your security program that the organization has very little budget to correct any security gaps you discover. I look at this as understanding my business environment so if the budget is presently lean, I may need to look at open source options to correct problems or look for grant funding to solve issues. Knowing your organization’s financial reality gives you visibility into the environment around you and will force you to work with your stakeholders as a team to prioritize which issues to remediate first.

5. Processes/Policies – In the final component of “inventory” you will manage and review your team’s policies, written processes, and workflow documents. I also would suggest you review your team’s posted digital content located on any of your team’s web pages such as an internal collaboration portal and/or external website to verify the data is not stale and is still viable. Other critical documents that I would highly recommend that you periodically review and keep updated are any and all documentation for State and Federal Laws, Compliance and Industry regulations that your organization must follow. This information is extremely important because some of these documents may refer to regulatory frameworks that dictate specific security controls or operational procedures that must be in place for your organization to stay in business.

I typically start collecting these documents on my first day as CISO while I am scheduling meetings with my peers and stakeholders. I then periodically review them at least quarterly to ensure I stay up to date with any new requirements. I would also recommend that one document you should periodically review is your organization’s current Information Security Policy. Since this is your organization’s overall security strategy, you and your team will want to review it periodically; I also recommend you review it semi-annually with your executive security committee to ensure it is current with how your organization wants to employ cyber-security. If your organization’s Information Security Policy is very general and out-of-date, you know cyber security has probably been very low on the list of priorities for your organization – remember it doesn’t have to stay that way. The key point here is don’t get discouraged, somewhere they realize they need you to help correct these issues and to me I look at challenges like this as a chance to educate the organization. Remember, “You don’t want to do cyber security the easy way, you want to do it the correct way.”

Note: All mind-map diagrams are available for download at https://app.box.com/Cyber-LifeCycle

Step #2 - “Continuous Assessment”: In the previous step it is all about visibility, in this step it is about continually assessing the health of your cyber-security suite and measuring the maturity and effectiveness of your program. Here you will review and assess the health of the Cyber Security suite to include such components as installed firewalls, AV solutions, IDS/IPS sensors etc., and security procedures that are in place (patch management and incident response to name a few). Here you will also measure the maturity and effectiveness of your present cyber-security program, is it delivering as advertised or are there areas for improvement. There are two main components for this step:

  • Health of the Cyber-Suite
  • Measure Security

Remember the assessment step is continuous, it will periodically produce a list of security gaps. This list will become future projects that should be prioritized based on risk exposure to your organization or they will be quick remediation projects to maintain the health of your suite.

1. Verify the Health of the Security Suite – in this component you periodically review and maintain the data you collected from the previous “Inventory” step; most of this data is in document repositories or databases such as a Configuration Management Database (CMDB) or an IT Asset Management (ITAM) database. You can also use tool-sets like SolarWinds to scan and return reports on the installed IOS builds on your security suite hardware. The main point I want to bring across to you is that whether you use a software solution or review a data repository, you need to continuously review the security suite assets, ensuring the equipment (hardware/software) has been updated with the latest software patches. I also would recommend that in verifying the health of your security suite you review the maintenance contracts that exist on equipment, whether you own it or it’s leased. You need to verify it’s current in case you require 3rd party vendor assistance in the middle of the night to resolve a network outage or you need assistance troubleshooting a recurring configuration issue – trust me it’s good to have the policy in your back pocket. One last note, as you are reviewing the equipment within your cyber suite make sure to annotate any that are getting close to “End of Life” (EoL). I like to keep a running spreadsheet on equipment or software solutions and their estimated EoL dates so I can start planning via my budget when they will need to be upgraded or replaced. It is critically important to track EoL equipment because it no longer receives security patches; this results in unintended doorways into your network that you will need to come up with an effective plan to remediate without impacting your organization. Remember the organization will set priorities for you based on budget, business processes, etc., so keep this information current and plan ahead, verbalize the risks associated with required upgrades or replacements and partner with stakeholders and vendors to keep your suite as current as possible.

2. Measure Security – In the second component of Continuous Assessment, you will continually monitor and assess your security suite. You will review its audit findings, technical requirements and reported metrics to verify your security controls’ effectiveness. You will then review and update your findings from the framework you have selected, annotating the new framework maturity score that is your security program’s measured baseline.

So at the beginning of this stage, I would recommend you periodically meet with your team, security architects, and network engineers. You want to verify with them that the security suite your organization has in place, from a technical viewpoint, is meeting the requirements for your organization’s cyber-security strategy. Part of these periodic meetings should be initiating reports, reviewing SIEM logs, and verifying your security suite is operating as efficiently as it should. Do not be afraid to ask your team if there are additions or modifications that can be made to reduce risk to the organization. I have found over the years that my teams will have innovative ideas about how the security suite can be tuned for better performance to protect the corporate environment. It is during these discussions that I would recommend a review of any standing security/performance metrics used to measure your program’s effectiveness. Some metrics I have used in the past:

  • Patch Latency – how long from the time updates are issued to installation
  • Baseline Scan coverage – Percentage of organization’s assets covered by antivirus, firewall and malware/APT solutions (94%-98%) is good
  • Ratio of compromised machines to user base – I like to keep mine below 1%, (If I have 10,000 users I want to have less than 100 machines per month infection rate)
  • Incident response time – time measured from report of incident to remediation
  • Percentage of incidents detected by equipment type measured against overall number of incidents
  • Mean-Time between security incidents & time to recovery
  • Percentage of systems/assets without vulnerability issues after scan, allows you to see if your systems are configured and patched correctly and is very interesting to watch this shift over time
  • Information Security budget as a percentage of overall IT budget, hopefully this is increasing over time
  • Mean-Time between infection to detection, with many of the new attack vectors the quicker you are able to isolate and remediate the asset the better.

Finally, you need to review the findings from the security/risk framework you have selected to assess your cyber-security program’s maturity. I have used multiple frameworks in the past and to me they provide a key component required by a CISO or security team leader to measure the progress, or lack thereof, of their security program. Frameworks will provide you with a reference to measure and baseline the growth of your current program and provide a foundation to build upon. What framework you select will be based on the business environment your organization operates in and the types of data (data categories are very important) it processes, stores, and transmits to 3rd-parties.

So in this life-cycle process you will typically have a spreadsheet listing controls that are “fully implemented”, “partially implemented” and “not implemented”. You will be reviewing and managing this list, focusing on remediating the incomplete controls that are usually prioritized by their inherent risk to your organization. As this process is a life-cycle, you will continually review and update these findings. Once you have reviewed your security framework’s findings you will also need to review and manage any industry/compliance framework findings that apply to your organization. Remember, compliance frameworks (PCI, HIPAA, GLBA, SOX etc.) are very similar to your security frameworks such as NIST or ISO, however compliance frameworks have teeth such as substantial penalties and fines. You will typically have some type of data repository/portal to track your compliance documentation and as part of this step you need to review those controls that are outstanding, manage the remediation of any control gaps and track them to resolution. For some types of compliance such as PCI this can be a quarterly review and remediation effort; document your processes and stay on top of this.

Step #3 - “Continuous Scanning”: In this third step of Cyber-Security’s continuous life-cycle we are looking at our enterprise network environment and all of its assets from disparate viewpoints. In this step we continually view the enterprise from multiple perspectives such as a hacker/cyber-adversary, an IT operations manager/system analyst, a network architect and last but not least from a user’s access/data management perspective. This step also operates with a continuous remediation feedback loop; this loop processes and tracks findings until they are remediated and their risk is reduced to a residual risk level acceptable to the organization. This step, “Continuous Scanning”, consists of five components which are as follows:

  • Vulnerability Scanning
  • Penetration Testing
  • Technology Management
  • Process/Procedures
  • Architecture Modifications

1. Vulnerability Scanning – in this first component, as the name states, we are scanning for vulnerabilities in our networks. After you have initiated a scan, the vulnerabilities typically will be returned in reports or displayed on your SIEM’s dashboard. I have used these types of scanners to look for assets on my network that are missing software updates or to search for deployed security controls that are misconfigured or redundant. To use this step effectively you will want to schedule periodic vulnerability scans. I would usually scan after patches were installed and then remediate any assets that were returned in my scanner’s vulnerability report. After I had remediated the identified assets I would then rescan to verify the identified risks had been removed or at least minimized. As a CISO or security team leader, you will want to make this process a part of your team’s standard workflow – it should become one of the core competencies that your team provides to your organization.

Now scanning for malformed security controls or missing software updates are just a couple of examples of how these scanners can be employed by your security team. I have also used these scanners to review the access logs of my organization’s restricted data archives. I would use the findings from these logs to train my system administrators on why permissions should be periodically audited because you will always find people with more access than their positions require. One last type of vulnerability scan I want to touch on is the applications scan to identify and review installed enterprise applications. After you have run application vulnerability scans, you should take the reports and compare them to your organization’s known application portfolio to look for drift – word of advice, there is always application drift so don’t panic, at least it’s visible <grin>. This application drift is evidence that your users have been installing solutions like popular cloud storage apps or social media apps. This resultant application report is also useful to find old legacy apps that are “orphaned” – no one remembers why they are installed (yes that happens more than you would want to believe) or identify organizational custom applications that are now inducing risk into your enterprise and need to be re-written to a more up-to-date development platform.

The main thing I want you to remember is vulnerability scans should be part of your team’s normal workflow and you must ensure your people are comfortable with using them. They will be one of your first tools to troubleshoot and look for problems with your environment and if your team doesn’t have experience with your selected vulnerability scanning tool-set – you are in trouble. Remember “If you can’t see it, if you can’t find it, you can’t remove it – you’re screwed”! Make sure you know how to use this essential tool and how to interpret its results to efficiently manage the basic cyber-hygiene of your enterprise environment (on premise & cloud).

2. Penetration Testing – this type of testing under “Continuous Scanning” is looking at your enterprise assets from the perspective of an adversary. There are multiple types of penetration tests; they can be deployed against your environments either internally, inside your organization, or externally from outside your organization’s perimeter. Penetration tests are used to stress test your enterprise environment and its assets such as networks, people, security policies/controls and applications to name a few.

I have used application-based penetration tests to verify new applications created for my organization meet OWASP framework standards. This enabled us to document and verify our developers were testing their code in Development and QA before deployment into Production environments. I have also seen application penetration testing used against web sites/portals (internal and external) to look for security holes in the coding of the site. Any security gaps that are discovered would then be assessed as to whether they could be exploited to provide an adversary unauthorized access.

Another good practice I have seen penetration testing used for is after an organization’s personnel have completed cyber awareness training. When I did these types of tests we would use different social engineering scenarios to assess our personnel’s understanding of what phishing emails looked like to test their click-rate factor. To properly do these types of penetration tests it is best to test your target group before they have completed cyber-awareness training, then test them afterwards. I have done this numerous times at different organizations and have found training pays off with a decreased click-rate score. Please understand, the reason social engineering penetration tests are important is that it’s human nature to be curious. This curiosity causes even the most seasoned security engineer to click on phishing emails sometimes <grin>. So train your users, test them and train them some more because this basic cyber-hygiene test pays off in protecting your organization.

So to wrap up this component, what is important for you to understand here is penetration testing is not part of your team’s normal workflow or maintenance schedule – it is used to keep you honest. You will want to schedule penetration testing periodically to verify the remediation of discovered risks or if the implementation of new security controls is working effectively. So be familiar with how to use this type of test for verifying your security and make sure you periodically have a 3rd party conduct one to give you an honest assessment.

3. Technology Scanning – the third component of continuous scanning is, in a nutshell, scanning for unauthorized hardware, network modifications, software installations etc. I call this one “herding the cats”. There are multiple tool-sets you can use to assist you with this process. I have used SolarWinds for documenting network and hardware issues/changes and have used solutions like Hyena or Netwrix to audit Active Directory and track down unauthorized changes or issues with group policy.

One of the key points to remember with this component is it is really about asset management from a hardware, software, data, and user perspective. When I work in this component I typically automate as much of the reports as possible. I then have my team periodically review them for critical issues and outliers, I always look for those patterns of activity that are outside the norm. In technology scanning, the more you understand your network, its traffic flows, user behavior, bandwidth rates at specific times of day – you will see outliers that aren’t normal and could have been missed by your suite. With all of the hardware and software in your suite a properly trained carbon-based unit in this component is critical.

4. Processes & Procedures - In the fourth component of “Continuous Scanning” it is all about how your personnel and partners access the enterprise network and its data. As with the previous step, you will use different solutions to continually monitor and review your organization’s user accounts/profiles. You will periodically scan for accounts demonstrating an escalation of privileges, or accounts being denied access (multiple times) as they try to access specific shared folders/data stores. To assist you with this monitoring, I would suggest you configure your tool-set to observe any critical data stores and log their access, then through automation have a report generated for your team’s review – the more critical the data store, the more often it should be scanned and reviewed. I have even had reports generated to monitor not just personnel access to data but the location of data being accessed and how much data is being downloaded. Once you have done enough of these types of reports you will learn what size your average data download is for a day. This is important because when you see small, minuscule downloads at odd hours of the day – every day (sometimes in sequence), or large downloads all at once – it’s time to dig into what is happening and verify: is this legitimate traffic? Do I have a breach? Maybe it’s time to fire up a different life-cycle like Incident Response <grin>.
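The download review described above can be automated along the following lines. This is an added example, not code from the original article: the log format, the account and data-store names, the 64 KiB "small" cut-off, the 10x-median "large" cut-off and the 07:00-19:00 business hours are all assumptions, and the log records are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample access log for one critical data store (not real data).
# Columns: timestamp, account, data store, bytes downloaded.
SAMPLE_LOG = """\
2024-03-04T09:15:00,asmith,hr-archive,2400000
2024-03-04T14:02:00,bjones,hr-archive,1800000
2024-03-05T02:13:00,svc-report,hr-archive,12000
2024-03-05T10:40:00,asmith,hr-archive,2100000
2024-03-06T02:14:00,svc-report,hr-archive,11500
2024-03-06T11:05:00,bjones,hr-archive,2600000
2024-03-07T02:13:00,svc-report,hr-archive,12200
2024-03-07T15:30:00,asmith,hr-archive,1900000
2024-03-08T02:15:00,svc-report,hr-archive,11900
2024-03-08T16:45:00,cdoe,hr-archive,48000000
"""


def parse_log(text):
    """Turn the CSV export into a list of event dictionaries."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # tolerate blank lines in the export
        ts, account, store, size = row
        events.append({"when": datetime.fromisoformat(ts), "account": account,
                       "store": store, "bytes": int(size)})
    return events


def large_downloads(events, factor=10):
    """Flag single downloads far above the typical size for that data store.

    The median is used as the baseline so one huge transfer cannot drag the
    baseline up and hide itself.
    """
    sizes = defaultdict(list)
    for e in events:
        sizes[e["store"]].append(e["bytes"])
    typical = {store: median(vals) for store, vals in sizes.items()}
    return [e for e in events if e["bytes"] > factor * typical[e["store"]]]


def off_hours_trickle(events, small_bytes=64 * 1024, min_days=3,
                      work_hours=(7, 19)):
    """Flag accounts pulling small amounts outside business hours on
    min_days or more consecutive days ("small downloads at odd hours,
    every day"). Returns (account, store, first_day, last_day, days)."""
    days = defaultdict(set)
    for e in events:
        off_hours = not (work_hours[0] <= e["when"].hour < work_hours[1])
        if off_hours and e["bytes"] <= small_bytes:
            days[(e["account"], e["store"])].add(e["when"].date())

    findings = []
    for (account, store), dates in days.items():
        ordered = sorted(dates)
        start = prev = ordered[0]
        # The trailing None closes the final run of consecutive days.
        for day in ordered[1:] + [None]:
            if day is not None and day - prev == timedelta(days=1):
                prev = day
                continue
            run = (prev - start).days + 1
            if run >= min_days:
                findings.append((account, store, start.isoformat(),
                                 prev.isoformat(), run))
            start = prev = day
    return findings


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for e in large_downloads(log):
        print("LARGE  ", e["when"], e["account"], e["store"], e["bytes"])
    for finding in off_hours_trickle(log):
        print("TRICKLE", *finding)
```

Both findings are leads for review, not verdicts: a scheduled reporting job and a legitimate bulk export look the same as a breach until someone checks them against the account's role.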

One last piece to cover under this component is the review of your team’s and stakeholders’ workflows. I would try to automate this as much as possible with a GRC tool-set; if you can’t and you have to do it manually, make sure to set time aside to review and monitor how your team conducts its work. As a CISO, I have assigned this duty to specific team leaders to see how they view their respective teams’ work processes and to test them on their view of the enterprise environment. The main reason you will want to periodically scan and verify that your work processes are being followed correctly by your team, and that the processes still apply to your environment, is that technology changes. As your stakeholders implement new software/hardware solutions your enterprise networks will change. This will affect your security program, and you have to continually scan and monitor it so you are not operating with unknown security gaps.

5. Architecture Modifications - This last component under “Continuous Scanning” is probably one of the most tedious but one of the most important. This component consists of scanning for changes to your enterprise architecture; obviously these are changes that have not been through change control and for which there is no documentation. These changes can be something like the deletion or creation of subnets. This can be critical because you now have data flows being created or removed that you were unaware of, and this could be the indication of a privilege escalation from a breach. In this component you can also have VLANs that were created, modified or removed with no documentation on how these changes were authorized. Both of these issues I consider critical because in essence the landscape of your enterprise network is being changed, which makes it hard to protect if you are unaware of the modifications.

One last point I want to touch on under architecture modifications is changes to protocols or network topologies. Changes in protocols are very important to me. I periodically scan the protocols that are active on my enterprise networks at random time intervals and look for unusual protocols associated with applications, processes or cloud solutions I know my organization doesn’t have in its application portfolio. Obviously, to do this step you need to have a current CMDB and a current application portfolio so you have a baseline of what ports, protocols, applications and processes should be active in the normal everyday work on your organization’s network. With that list, set up automated periodic scans and review them for outliers. If you keep scans in archive for a specific time period, compare a current scan to one that was done two weeks ago, one month ago, two months ago and look for the “delta”. Once you find it, what caused that change?
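The scan comparison described above can be automated along these lines. This Python sketch is an added example, not from the original article: it diffs the current scan against the archived scans closest to two weeks, one month and two months old, and reports when each service missing from the baseline first appeared so the date can be checked against change-control records. The hosts, ports, dates and record layout are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed data. BASELINE stands in for the ports/protocols the CMDB and
# application portfolio say should be active; ARCHIVE holds periodic scan results.
RDP = ("10.0.2.20", 3389, "tcp", "rdp")
IRC = ("10.0.3.30", 6667, "tcp", "irc")
SNMP = ("10.0.2.21", 161, "udp", "snmp")
BASELINE = frozenset({("10.0.1.10", 443, "tcp", "https"),
                      ("10.0.2.20", 1433, "tcp", "mssql"), SNMP})
ARCHIVE = {
    date(2024, 1, 12): BASELINE,
    date(2024, 2, 12): BASELINE | {RDP},
    date(2024, 3, 1): BASELINE | {RDP},
    date(2024, 3, 15): (BASELINE - {SNMP}) | {RDP, IRC},
}


def scan_as_of(archive, day):
    """Return (date, scan) for the most recent archived scan on or before `day`."""
    eligible = [d for d in archive if d <= day]
    if not eligible:
        return None, None
    chosen = max(eligible)
    return chosen, archive[chosen]


def history_deltas(archive, current_day, lookbacks=(14, 30, 60)):
    """Diff the current scan against the scans ~2 weeks, 1 month and 2 months old."""
    current = archive[current_day]
    report = {}
    for days in lookbacks:
        old_day, old = scan_as_of(archive, current_day - timedelta(days=days))
        if old is None:
            continue  # the archive does not reach back that far
        report[days] = {"compared_to": old_day,
                        "added": sorted(current - old),
                        "removed": sorted(old - current)}
    return report


def unapproved_first_seen(archive, current_day, baseline):
    """Map each service absent from the baseline to the first scan that showed it."""
    result = {}
    for entry in sorted(archive[current_day] - baseline):
        result[entry] = min(d for d, scan in archive.items() if entry in scan)
    return result
```

Removed entries matter as much as added ones: a baseline service that disappears from the current scan is also a delta to explain.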

**Note: - All mind-map diagrams are available for download at https://app.box.com/Cyber-LifeCycle

So as we bring Part I to a close, you are now ready to start remediating issues that you find and monitor for anomalous activity. The next article will cover the last two steps in this life-cycle "Remediation" and "Continuous Monitoring". Remember this is a continuous process, use your team and stakeholders as you move into the remediation phase and don’t be afraid to ask for assistance. Good luck!

Ganesh Balaraman , CISSP

Vice President & Head- Enterprise Security, AI ,Cloud

7 years ago

Excellent Gary.

Great Sir it's really impressive and helpful thank you

Jesus Lugo

CISSP, I27001LA Independent Security Consultant

9 years ago

Very good, thanks.
