Publication
Featured research published by Ira Winkler.
Advanced Persistent Security: A Cyberwarfare Approach to Implementing Adaptive Enterprise Protection, Detection, and Reaction Strategies | 2017
Ira Winkler; Araceli Treu Gomes
When an attack begins, eventually an alert fires and kicks off investigative and responsive activities. Then incident response (IR) moves through several different phases intended to act against an attack on an organization. The order of operations associated with IR, from identification of the problem to ongoing resolution, can be defined like many other 12-step programs designed to guide behaviors, control compulsions, and otherwise recover from destructive circumstances. The 12 steps are detailed in this chapter.
Advanced Persistent Security: A Cyberwarfare Approach to Implementing Adaptive Enterprise Protection, Detection, and Reaction Strategies | 2017
Ira Winkler; Araceli Treu Gomes
What we highlight in the book is not a revolutionary new technology, but a revolutionary process of implementing basic security technologies. Although there are many unique points that are covered throughout the book, what we need to do is look at security as a business process that provides a return on investment to the organization.
Advanced Persistent Security: A Cyberwarfare Approach to Implementing Adaptive Enterprise Protection, Detection, and Reaction Strategies | 2017
Ira Winkler; Araceli Treu Gomes
Vulnerabilities are the weaknesses that a threat may exploit to create loss. They can be broadly classified into four categories: operational, personnel, physical, and technical. For the purpose of this book, we have placed each vulnerability in the category that fits it best. We summarize the most prominent vulnerabilities so that security personnel can recognize and triage them appropriately. We do not intend to provide a comprehensive list of vulnerabilities; we provide the categorization to make the content as useful as possible. When you have a proper understanding of your organization's vulnerabilities, you can determine the most useful countermeasures to implement.
Advanced Persistent Security: A Cyberwarfare Approach to Implementing Adaptive Enterprise Protection, Detection, and Reaction Strategies | 2017
Ira Winkler; Araceli Treu Gomes
To determine the structure of your security program, you first need to identify the threats you are likely to face. By understanding your threats, you can determine the attack methods that might be used against you. Even when a threat is not malicious, you must acknowledge that vulnerabilities will still be exploited. From this you can determine which vulnerabilities should be prioritized for mitigation.
Advanced Persistent Security: A Cyberwarfare Approach to Implementing Adaptive Enterprise Protection, Detection, and Reaction Strategies | 2017
Ira Winkler; Araceli Treu Gomes
To create a security program, you need to begin by defining your governance strategy. You need to review your governance and see whether it is complete and followed. From there, you need to understand your security posture and see where it differs from the ideal. A review of past incidents also points you to areas that require improvement. You also need to define the information that requires protection. You might also want to perform threat hunting and penetration tests to find other vulnerabilities that an attacker could exploit.
Advanced Persistent Security: A Cyberwarfare Approach to Implementing Adaptive Enterprise Protection, Detection, and Reaction Strategies | 2017
Ira Winkler; Araceli Treu Gomes
To begin defining an organizational security program, you need to first truly understand your organization. You need to evaluate if there is a proper governance program in place. Then you need to understand the culture of the organization to include job functions, industry, and business drivers. This may include performing a comprehensive assessment of the organization. Ideally, you should collect information from similar organizations to see how you compare.
Advanced Persistent Security: A Cyberwarfare Approach to Implementing Adaptive Enterprise Protection, Detection, and Reaction Strategies | 2017
Ira Winkler; Araceli Treu Gomes
Threats are the who or what that can cause you harm if they are provided with vulnerabilities to exploit. Threats can be described as malicious or malignant. Non-malicious occurrences, such as a natural disaster or a human accident, are called malignant threats, and threats involving a party intentionally causing harm are called malicious threats. Although people focus on malicious threats, malignant threats cause the most aggregate damage. The bulk of this chapter addresses the different types of threats that organizations need to address with their risk management programs.
Advanced Persistent Security: A Cyberwarfare Approach to Implementing Adaptive Enterprise Protection, Detection, and Reaction Strategies | 2017
Ira Winkler; Araceli Treu Gomes
Threat intelligence in cyberspace refers to the technologies and operational disciplines that enable the collection, correlation, analysis, and meaningful use of data on threats and threat actors to inform and adapt security defenses. A threat intelligence program provides a neutral, unbiased lexicon and forum through which security teams can share threat information with one another, interoperate more effectively with peers and law enforcement, and draw on the expertise of others to improve and coordinate advanced countermeasures. There are a number of accepted classifications of intelligence, but to set the stage, we highlight those most commonly collected and consumed as part of an enterprise cybersecurity threat intelligence program.
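One concrete form of the collection-and-correlation step described above, as an added example that is not code from the book or its authors: a constructed indicator feed is matched against constructed log lines, each hit is weighted by the indicator's reported confidence and its age, and hits are grouped per internal asset so that two indicators attributed to the same actor on one host escalate together even when neither is strong on its own. The feed fields, confidence scale, decay schedule, verdict thresholds, sample indicators (RFC 5737 addresses, reserved example domains, a dummy hash) and log lines are all assumptions made for this illustration.

```python
"""Added example, not code from the book: match a small threat-intelligence
feed against log lines and triage the hits per internal asset.  Feed fields,
scores, age weights, thresholds and every log line are constructed."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Indicator:
    kind: str        # "ipv4", "domain" or "sha256"
    value: str
    confidence: int  # 0-100 as reported by the sharing partner (assumed scale)
    last_seen: date  # indicators go stale, so age lowers their weight
    actor: str       # attribution label supplied by the feed


# Constructed feed; in practice pulled from an ISAC, vendor or STIX source.
FEED = [
    Indicator("ipv4", "203.0.113.45", 90, date(2017, 3, 1), "example-actor-a"),
    Indicator("domain", "bad.example.net", 70, date(2016, 11, 5), "example-actor-a"),
    Indicator("sha256", "a" * 64, 40, date(2015, 1, 10), "unknown"),
]

# Constructed log lines: proxy, DNS and endpoint telemetry in key=value style.
LOGS = [
    "2017-03-03T10:01:12Z proxy src=10.0.0.7 dst=203.0.113.45 host=cdn.example.com action=allow",
    "2017-03-03T10:01:15Z dns client=10.0.0.7 query=bad.example.net rcode=NOERROR",
    "2017-03-03T10:02:40Z edr host=ws-0042 sha256=" + "a" * 64 + " path=C:\\Users\\x\\tmp.exe",
    "2017-03-03T10:05:00Z proxy src=10.0.0.9 dst=198.51.100.20 host=www.example.org action=allow",
]

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
_SHA256 = re.compile(r"\b[0-9a-f]{64}\b", re.I)
_ASSET = re.compile(r"\b(?:src|client|host)=(\S+)")  # first internal-asset field


@dataclass(frozen=True)
class Hit:
    line_no: int
    asset: str           # internal host the observable was seen on
    indicator: Indicator
    score: int           # confidence scaled down by indicator age


@dataclass(frozen=True)
class Triage:
    asset: str
    verdict: str         # "escalate", "review" or "log-only"
    max_score: int
    actors: tuple[str, ...]


def extract_observables(line: str) -> set[tuple[str, str]]:
    """Every (kind, value) pair in one log line, lower-cased for matching."""
    obs = {("ipv4", m) for m in _IPV4.findall(line)}
    obs |= {("domain", m.lower()) for m in _DOMAIN.findall(line)}
    obs |= {("sha256", m.lower()) for m in _SHA256.findall(line)}
    return obs


def age_weight(ind: Indicator, today: date) -> float:
    """Assumed decay: full weight for 30 days, half for a year, a quarter after."""
    days = (today - ind.last_seen).days
    return 1.0 if days <= 30 else 0.5 if days <= 365 else 0.25


def match_logs(logs: list[str], feed: list[Indicator], today: date) -> list[Hit]:
    """Correlate each line's observables with the feed (exact, case-insensitive)."""
    index = {(i.kind, i.value.lower()): i for i in feed}
    hits: list[Hit] = []
    for n, line in enumerate(logs):
        m = _ASSET.search(line)
        asset = m.group(1) if m else "unknown"
        for obs in extract_observables(line):
            ind = index.get(obs)
            if ind is not None:
                hits.append(Hit(n, asset, ind, round(ind.confidence * age_weight(ind, today))))
    return hits


def triage(hits: list[Hit], threshold: int = 50) -> dict[str, Triage]:
    """Per asset: one strong hit, or two hits tied to the same actor, escalates;
    a weak lone hit is kept as context only."""
    by_asset: dict[str, list[Hit]] = {}
    for h in hits:
        by_asset.setdefault(h.asset, []).append(h)
    out: dict[str, Triage] = {}
    for asset, hs in by_asset.items():
        max_score = max(h.score for h in hs)
        actors = Counter(h.indicator.actor for h in hs if h.indicator.actor != "unknown")
        clustered = any(n >= 2 for n in actors.values())
        verdict = "escalate" if max_score >= threshold or clustered else "review" if max_score >= 20 else "log-only"
        out[asset] = Triage(asset, verdict, max_score, tuple(sorted(actors)))
    return out


def run_example(today: date = date(2017, 3, 3)) -> dict[str, Triage]:
    return triage(match_logs(LOGS, FEED, today))


if __name__ == "__main__":
    for t in run_example().values():
        print(t)
```

With the constructed data, 10.0.0.7 escalates (a fresh high-confidence address plus a stale domain from the same actor), ws-0042 stays log-only because its only hit is a low-confidence hash last seen two years earlier, and 10.0.0.9 never appears because nothing it touched is in the feed. Exact matching is deliberate: fuzzy or substring matching on indicators is where false positives come from.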
Advanced Persistent Security: A Cyberwarfare Approach to Implementing Adaptive Enterprise Protection, Detection, and Reaction Strategies | 2017
Ira Winkler; Araceli Treu Gomes
There is no such thing as perfect security. You have to deal with incidents and, therefore, with response, because defense itself is innately reactive: to defend is to respond to external forces, both operationally and philosophically. The reality is that no matter how well our defenses are designed, instrumented, implemented, maintained, and operated, attacks are bound to make their way through them. Being adaptive is defined by reaction. We need to get more comfortable with the idea that more is to be learned about success from failure. Training ourselves, our constituency, and our leadership to embrace such a culture shift can pose a real challenge.
Advanced Persistent Security: A Cyberwarfare Approach to Implementing Adaptive Enterprise Protection, Detection, and Reaction Strategies | 2017
Ira Winkler; Araceli Treu Gomes
Security is unattainable. What security programs are trying to achieve is risk management; in other words, they are trying to cost-effectively control the potential loss. Risk is a combination of value, threat, vulnerability, and countermeasures. Traditionally, a security program strives to implement countermeasures that primarily mitigate the vulnerabilities that, if exploited, will create a loss of value. This chapter categorizes the factors that contribute to, and mitigate, risk. The goal is not to get rid of all risk, as that is not practical, but to optimize the risk, given the potential loss and available resources.
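To make the "optimize the risk" point concrete, here is an added example that is not the book's own formula or figures. It assumes the widely used annualized loss expectancy form, ALE = value × exposure factor × expected yearly frequency, with the exposure factor standing in for vulnerability and the frequency for threat; each countermeasure is modelled as a multiplier left on the risks it addresses plus an annual cost, and an exhaustive search picks the set that minimizes residual loss plus spend within a budget. All assets, controls and numbers are constructed. The do-nothing plan is always a candidate, so a control that costs more than it saves is rejected even when the budget would allow it.

```python
"""Added example, not the book's own model or figures: a small quantitative
risk model combining value, threat, vulnerability and countermeasures, and a
search for the countermeasure set that minimises total annual cost under a
budget.  Assumes ALE = value x exposure x yearly frequency; all figures are
constructed."""
from __future__ import annotations

from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Risk:
    name: str
    value: float          # what is at stake (asset value in currency units)
    vulnerability: float  # exposure factor 0..1: share of value lost per incident
    threat: float         # expected incidents per year

    def ale(self, residual: float = 1.0) -> float:
        """Annualised loss expectancy once countermeasures leave `residual` of it."""
        return self.value * self.vulnerability * self.threat * residual


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    # (risk name, multiplier left on that risk); 0.25 means 75% of the ALE removed
    effects: tuple[tuple[str, float], ...]


@dataclass(frozen=True)
class Plan:
    chosen: tuple[str, ...]
    spend: float
    residual_ale: float

    @property
    def total_cost(self) -> float:
        return self.spend + self.residual_ale


# Constructed figures for illustration only.
RISKS = [
    Risk("customer-db-breach", 2_000_000, 0.5, 0.2),  # ALE 200,000
    Risk("ransomware-outage", 500_000, 0.8, 0.5),     # ALE 200,000
    Risk("laptop-loss", 50_000, 1.0, 2.0),            # ALE 100,000
]
CONTROLS = [
    Countermeasure("mfa-everywhere", 40_000, (("customer-db-breach", 0.4), ("ransomware-outage", 0.7))),
    Countermeasure("offline-backups", 30_000, (("ransomware-outage", 0.25),)),
    Countermeasure("full-disk-encryption", 10_000, (("laptop-loss", 0.1),)),
    Countermeasure("dlp-suite", 150_000, (("customer-db-breach", 0.6), ("laptop-loss", 0.5))),
]


def residual_ale(risks, controls) -> float:
    """Total ALE after every chosen control's multiplier is applied (they compound)."""
    total = 0.0
    for r in risks:
        factor = 1.0
        for c in controls:
            for risk_name, mult in c.effects:
                if risk_name == r.name:
                    factor *= mult
        total += r.ale(factor)
    return total


def optimize(risks, controls, budget: float) -> Plan:
    """Exhaustive search (fine for a handful of controls): minimise residual
    loss plus spend without exceeding the budget.  Doing nothing is a valid
    answer, which is what rejects controls that cost more than they save."""
    best = Plan((), 0.0, residual_ale(risks, ()))
    for k in range(1, len(controls) + 1):
        for combo in combinations(controls, k):
            spend = sum(c.annual_cost for c in combo)
            if spend > budget:
                continue
            plan = Plan(tuple(c.name for c in combo), spend, residual_ale(risks, combo))
            if plan.total_cost < best.total_cost:
                best = plan
    return best


if __name__ == "__main__":
    for budget in (100_000, 1_000_000):
        p = optimize(RISKS, CONTROLS, budget)
        print(f"budget {budget:>9,}: {p.chosen} spend {p.spend:,.0f} residual {p.residual_ale:,.0f}")
```

With these figures the baseline exposure is 500,000 per year; the three cheap controls bring it to 125,000 for 80,000 of spend, and the expensive DLP suite is never selected, not even with an unlimited budget, because the 130,000 it would remove costs 150,000. That is the trade-off the chapter describes: residual risk is accepted wherever removing it costs more than it is worth.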