Implementing Security in Organizations: Foundation Building

Hi All,

So I am wondering what kind of resources and opinions are out there for developing a Security Strategy, Vision for an organization that is now realizing the importance of security, and trying to mature its Posture.

I have been in Security now going on almost 8 months.. but my experience is not typical. We are asked to wear many different hats, analyst, engineer, administrator, auditor, threat intelligence, compliance.

So here is my Hypothetical scenario-question-thingy that I would appreciate some kind of opinion on:

Do to the fact we have limited team resources, we are often tasked and forced to implement something(a tool) and have issues maturing it to a fully developed level, as we either have to respond to a fire, respond to an alert, analyze & escalate, or actually start working on a new project for implementing yet another tool designed to bring additional visibility or defense in-depth. However my question is when does the item below come into question:

Risk Management and Risk Analysis (How can any organization truly claim to be performing security without having an accurate evaluation of assets, threat modeling, vulnerabilities, and calculating the risk via Quantitative and Qualitative Analysis?

I guess with the first question I have is, don't you shoot yourself in the foot not knowing exactly what is and what isn't worth securing? And what I mean by securing is choosing how you will respond to a risk, Accept, Mitigate, Avoid, or Transfer. Tactically if we are implementing safeguards and countermeasures that cost let's say 300,000$ but the assets value is 150,0000(and obviously those numbers would come after Quantitative Analysis) then aren't you wasting? And that leads me to due-care and due-delligence.

I guess I am wondering, how important are things like DRP, BCP, Risk Analysis, adopting proper controls and using frameworks and policies to guide your implementations, processes and procedures. I am finding it difficult to understand when it is acceptable to put those things off: If you are implementing tools, responding to alerts, and performing remediation malware... those things are very important too.

I guess what I am asking is, when does anyone get a chance to do those other things? Is that and I guess so a manager level function. How typical is it that a Security posture contains all of those things? (And I know there are ton more I did not mention)

End of Hypothetical Question advice seeking thingy:

Find more posts tagged with

Comments

soccarplayer29

I think that prioritization has to come from the top down of the organization. As you likely know business/generating revenue trumps IT priorities most of the time. It's up to the organization (with some heavy persuasion from IT management/CIO/CISO/etc) to dictate their priorities.

You're correct in that if the cost of the countermeasure ($300,000 tool) vs. cost of exploitation ($150,000) then it wouldn't make sense to implement that countermeasure.

There's a million places to start, but I'd reiterate that it has to be an organization-wide goal or it will just be half-way implemented and quickly deteriorate as you're likely starting to experience. I'd say a good place to start is the SANS top 20 critical controls and work from there.

Not sure of your organization but if there are regulatory standards you can use for justification or a beneficial internal audit department/report maybe those can help drive additional visibility to management.

TheFORCE

Chitownjedi wrote: »

Tactically if we are implementing safeguards and countermeasures that cost let's say 300,000$ but the assets value is 150,0000(and obviously those numbers would come after Quantitative Analysis) then aren't you wasting?

One thing that a lot of people miss during the evaluation is that they only do quantitative analysis. You need to do qualitative analysis also and attempt to give a risk as well. Taking your example, how much would it cost the company if a breach were to happen and reputation was at stake? Would that worth another 200k? How about fines from regulator? Would that be another 30k? As you can see those things quickly add up more than 300k.
Another thing to consider is that when you buy a 300k tool, you are not only securing a 150k asset with it, you are probably using it across different asset types and different types of information. A firewall that costs 300k will not be used to only secure your Windows assets but most likely everything in your environment.

As mentioned already, it has to come up from the top, if you are not at a decision level position it will be tough to get buy-ins. The best thing to do is start there and start creating documentation and policies then make people comply with the policies. Not by using the tools, but by having the policies first.

Chitownjedi

Thanks for the replies. Well, we are definitely driven by tools to the detriment of foundational policies, procedures and controls. It seems that those things only matter when an audit is needed, or for compliance, but outside of those pressing times, we are pretty much ask to respond to alarms and no one is prioritizing which assets or alarms should be investigated first based on a risk assessment and the known vulnerabilities, and asset value

Myself and the other senior are constantly trying to get a roadmap and a strategy for what our department is trying to accomplish, but we are basically ignored because we have the kind of leadership that says "If I didn't come up with it, then it's not worth listening too."

We have no Road Map, visibility gaps, process gaps, and more, however it seems like the only things that matter is not getting in the papers for a breach, and tossing 200,000-350,000 counter measures at everything without taking care of the basics...

Its weird because everyone that is in our leadership has all these Masters, and CISSP's, and CISM's, but within the first 20 pages of starting my CISSP studies I realized we weren't doing 10% of the stuff listed. They toss their credentials around like they mean something every opportunity, but we are not seeing the strategy that goes behind these things, and it had us questioning if legitimately securing the organization was the goal...., versus just saying you were, having fancy tools to print reports, and getting big checks until you are discovered.

I think we know our answer now.

jcundiff

Having come from the GRC side of the house, I have to agree with TheForce... the most logical place to start is with policy/policy development if you dont already have them matured and in place with C-Level buy-in. Policy ( and procedures) will prevent a lot of the fire fighting scenarios, but only when you have day to day tasks well defined "Routine things Routinely" is what my old CSO called it. Risk Management will depend alot on the risk appetite of your company.

By identifying and prioritizing the company's risks via a holistic risk analysis, you should come away with a by product (hopefully) with a better understanding of business units and systems are mission critical (if you dont have this mapped already) and thus should have a higher BC/DR rating.

To answer your question as to how common, it really is going to depend on how mature a company is... I have seen very mature companies that have these all defined, and I have seen companies such as what you describe your current situation, and companies who have no security posture whatsoever. A lot of the "where you are on security posture" is also going to be industry driven... Financial sector for example is typically going to have more maturity than a construction company

jcundiff

From reading what you were typing as I was typing... It doesnt sound like your C suite/board is invested in having the security framework in place and are truly committed to securing the enterprise. Without that buy-in your hands are always going to be tied and you are always going to be in firefighting mode.

Unfortunately, other than a change in leadership, the main driver of changing this type of scenario is a breach

A very large FS company allocated an additional half a billion dollars to security AFTER they were breached. Had they spent a third of that amount before they were breached, they may not have been