Editor's note: This is part of a series on achieving cybersecurity readiness. For more on the previous installments... in this series, see the individual sections of this article.
How will an organization know if it's truly prepared for a cyberattack? The previous article in this series described a typical attack scenario where an organization's network monitor detects a suspicious amount of data being streamed from a customer database to an unrecognized IP address outside the country.
Applying the cybersecurity readiness objectives from the previous articles in this series to that incident scenario shows how this fictional organization's security posture could be significantly improved. Here's how:
A cybersecurity plan associates critical information assets, usually identified during a risk assessment, with the core business processes, goals and objectives that have cybersecurity requirements for their continued operation.
In the scenario, the organization would have identified its customer information database as a critical information asset required to support the operation of the organization. The cybersecurity plan would also have identified the security requirements and practices necessary to protect the customer information database and the critical business processes it supports.
Information security architecture
A basic concept of information security architecture is that if the traffic that flows into, out of and through an information network cannot be seen, it cannot be effectively monitored.
In the scenario, the organization did have sufficient network monitoring to detect the flow of customer data out of the network during the attack, rather than months or years after it occurred. As part of the after-action analysis, the performance of the company's information security architecture would be evaluated, and recommendations for potential changes would be made. Possible changes include using an application proxy service for email and other protocols, controlling data transfers, building a data loss protection system and improving overall network monitoring.
As part of a risk management plan, an organization must first identify critical information assets. A risk management program can then be extended to also identify critical people, business processes and technology.
Risk management also requires you to understand why the chosen critical assets are necessary to operations, mission accomplishments and continuity of operations. These factors are core elements of a cybersecurity plan.
In the scenario, the organization would have used these outputs of its risk management process to develop cybersecurity protection strategies in its cybersecurity plan. As a result of this incident, the organization would also identify phishing email attacks and remote access as significant risks.
Identity management is a core security management function that is intended to increase security and productivity, while reducing redundancy and decreasing cost.
In this scenario, the organization would review its identity and access management policies, processes and procedures to improve the role definitions it uses, so that ordinary user network credentials alone cannot grant access to critical information assets, such as the customer information database. The use of two-factor authentication would be considered a strong component for improving the organization's identity management program.
Authorization and accountability management
Once a user's identity is authenticated by the identity management system, the user is then granted access in accordance with access control models and policies by the authorization management system. Accountability management provides an additional ability to gain a complete picture of how network resources are being accessed and used.
In this scenario, the organization would review its authorization requirements and ensure that network access does not mean full administrator access. In addition, the organization would implement two-factor authentication, prevent remote users from obtaining administrative database access, and restrict such access to normal business days and hours.
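The authorization rules described above can be expressed as an explicit policy decision. The following is an added example written for this article, not code from the original or from any product it mentions; the role names ("customer_service", "dba"), the resource name "customer_db", the business-hours window and the request fields are all assumptions chosen for illustration. The point it demonstrates is that a successful network login grants nothing by itself: every resource/action pair is checked against a role, a second factor, the session's origin and the time of day.

```python
"""Authorization decision for a critical information asset.

Added example, not part of the original article. Role names, resource
names, the business-hours window and the request fields are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Tuple

BUSINESS_DAYS = range(0, 5)    # Monday..Friday, per datetime.weekday() (assumed)
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time (assumed)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset        # roles assigned by the identity management system
    mfa_verified: bool      # second factor completed for this session
    remote: bool            # session originates from VPN / outside the office network
    resource: str           # e.g. "customer_db"
    action: str             # "read" or "admin"
    when: datetime          # local time of the request


def authorize(req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request.

    A network login is never sufficient: the resource, the action, the role,
    the second factor, the session origin and the time are all checked.
    """
    if req.resource != "customer_db":
        return False, "no policy defined for resource"
    if not req.mfa_verified:
        return False, "second factor required"
    if req.action == "read":
        if req.roles & {"customer_service", "dba"}:
            return True, "role permits read"
        return False, "role does not permit read"
    if req.action == "admin":
        if "dba" not in req.roles:
            return False, "admin access requires dba role"
        if req.remote:
            return False, "admin access not permitted for remote sessions"
        if req.when.weekday() not in BUSINESS_DAYS or req.when.hour not in BUSINESS_HOURS:
            return False, "admin access outside business days/hours"
        return True, "dba on-site during business hours"
    return False, "unknown action"


# Constructed sample requests. The first mirrors the article's scenario:
# phished credentials used remotely, in the middle of the night, for admin access.
SAMPLE_REQUESTS = {
    "phished_remote_night": AccessRequest(
        "jdoe", frozenset({"dba"}), True, True, "customer_db", "admin",
        datetime(2024, 1, 10, 2, 0)),           # Wednesday 02:00
    "dba_onsite_night": AccessRequest(
        "jdoe", frozenset({"dba"}), True, False, "customer_db", "admin",
        datetime(2024, 1, 10, 2, 0)),
    "dba_onsite_business_hours": AccessRequest(
        "jdoe", frozenset({"dba"}), True, False, "customer_db", "admin",
        datetime(2024, 1, 10, 10, 0)),          # Wednesday 10:00
    "plain_user_read": AccessRequest(
        "asmith", frozenset(), True, True, "customer_db", "read",
        datetime(2024, 1, 10, 10, 0)),
    "no_second_factor": AccessRequest(
        "asmith", frozenset({"customer_service"}), False, False, "customer_db", "read",
        datetime(2024, 1, 10, 10, 0)),
}


def evaluate_samples():
    """Run every sample request through the policy; returns {name: (allowed, reason)}."""
    return {name: authorize(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in evaluate_samples().items():
        print(f"{name:28s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

Only the on-site DBA during business hours is allowed administrative access; the scenario's remote session is refused before the time-of-day rule is even reached, and a plain user with no role cannot read the database even with a second factor.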
Network monitoring and traffic analysis are examples of where network operators may be able to improve their situational awareness regarding cybersecurity.
Understanding how corporate networks really operate, consolidating traffic through known secure gateways and watching traffic closely with a variety of monitoring tools are areas where much improvement can still be made in cybersecurity.
In the scenario, the organization did detect the removal of customer information while it was occurring, but did not detect the original incident vector -- a phishing email. As part of an overall network monitoring review, the organization would improve IP address filtering, add an application proxy for email and consider a full data loss protection system.
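The detection the scenario relies on, a large volume of data leaving the customer database for an unrecognized external address, can be reduced to a simple rule over flow records. The following is an added example written for this article, not code from the original or from any monitoring product; the internal subnets, the database host address, the allow list of known external destinations, the byte threshold and the flow records themselves are all constructed for illustration. It aggregates outbound bytes per (source, destination) pair for the database host and raises an alert only when the destination is neither internal nor on the allow list and the volume exceeds the threshold, which is the IP address filtering the review above calls for.

```python
"""Flow-based detection of bulk data leaving a critical database host.

Added example, not part of the original article. Subnets, hosts, allow
list, threshold and flow records are constructed assumptions.
"""
from collections import defaultdict
import ipaddress

# Assumed internal address space and the customer database host.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
DB_HOSTS = {"10.0.5.20"}
# Assumed allow list of known, approved external destinations (e.g. a backup provider).
ALLOWED_EXTERNAL = [ipaddress.ip_network("203.0.113.0/24")]
# Assumed threshold: more than 50 MiB to one unrecognized destination in the window.
BYTES_THRESHOLD = 50 * 1024 * 1024

# Constructed flow records: (timestamp, src, dst, dst_port, bytes_out)
SAMPLE_FLOWS = [
    ("2024-01-10T02:01:00", "10.0.5.20", "10.0.7.40",     1433, 120_000),     # normal app-server query
    ("2024-01-10T02:02:00", "10.0.5.20", "203.0.113.10",   443, 30_000_000),  # approved backup target
    ("2024-01-10T02:03:00", "10.0.5.20", "198.51.100.77",  443, 40_000_000),  # unrecognized external host
    ("2024-01-10T02:04:00", "10.0.5.20", "198.51.100.77",  443, 35_000_000),  # same host, still streaming
    ("2024-01-10T02:05:00", "10.0.9.3",  "198.51.100.77",  443, 900_000),     # workstation, not a DB host
]


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def is_allowed_external(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in ALLOWED_EXTERNAL)


def detect_exfiltration(flows, db_hosts=DB_HOSTS, threshold=BYTES_THRESHOLD):
    """Return one alert per (src, dst) pair where a database host sent more than
    `threshold` bytes to a destination that is neither internal nor allow-listed.

    Flows are summed per pair so that a transfer split across many records is
    still caught; flows from hosts other than the database are ignored here.
    """
    totals = defaultdict(int)
    for _ts, src, dst, _port, nbytes in flows:
        if src not in db_hosts:
            continue
        dst_addr = ipaddress.ip_address(dst)
        if is_internal(dst_addr) or is_allowed_external(dst_addr):
            continue
        totals[(src, dst)] += nbytes
    return [
        {"src": src, "dst": dst, "bytes": total}
        for (src, dst), total in sorted(totals.items())
        if total > threshold
    ]


if __name__ == "__main__":
    for alert in detect_exfiltration(SAMPLE_FLOWS):
        print(f"ALERT: {alert['src']} -> {alert['dst']} {alert['bytes']:,} bytes to unrecognized destination")
```

Against the constructed records, the two flows to 198.51.100.77 sum to 75,000,000 bytes and produce a single alert; the internal query and the approved backup transfer are skipped, and the workstation flow is outside this rule's scope because its source is not a database host. In practice the allow list would be maintained alongside the data transfer controls described above, and the threshold tuned to the database's normal outbound baseline.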
The role of the SOC in incident response
When incident response teams were originally formed (the first computer security response team, now known as CERT, was created in 1988), incident response tended to be a stand-alone activity at large organizations and government agencies.
Today, the composition of incident response activities has changed dramatically.
In the early 2000s, the Office of Management and Budget directed all U.S. federal executive branch agencies to each operate their own security operations center (SOC) and to send all security alerts to the SOC for analysis. Indeed, the primary role for the SOC has become one of incident detection.
Eventually, the SOC became the point where all automated security alerts, user reports, vulnerability notices, advisories from CERT and other information were sent for analysis. As the SOC became the triage point for all security-related reports and alerts, it also became the front end for computer security incident response.
Computer security incident response is a reactive service that is activated only when cybersecurity incidents are detected, and it focuses on the technical aspects of cybersecurity incidents.
Security incident management, on the other hand, focuses on business planning designed to protect the continuity of core business functions and the information assets that support those business functions. Understanding business objectives, goals and processes, as well as their security requirements and the information assets necessary to operate the business, results in a better understanding of how to protect business continuity and enable more effective incident response when cybersecurity incidents do occur.
Integrating security incident management into the security operations center improves incident detection capability and the effectiveness of incident response, as well as helping organizations bring together all the necessary components of cybersecurity readiness.