Channel: Depth of Defense » CEO

Making the grade? A new approach to security strategy


One of the things I love about my job is that I have the opportunity to talk to a huge variety of companies about their security plans, hopes and dreams. Over the course of my career, I’ve been able to sit down with literally hundreds of companies and get a better feel for how they address security and the philosophies they’ve adopted, learn some of their tips and tricks, and then share what I can about how others are addressing similar issues and challenges.

One consistent theme that runs throughout the vast majority of my conversations is that we (i.e., security professionals) are pretty big geeks. Of course, being a geek doesn’t preclude someone from being able to nimbly translate their passion for technology and the bits/bytes into how they are serving and/or enabling the business. That said, it does mean that generally we love our tools. I’ve worked with companies that have invested millions in security technology, but won’t pay for any professional training or certifications for the people they ask to operate the tools (just had this one recently at a Fortune 50 company). The obvious impact is that many companies have a strong suite of tools, but limited knowledge of how to apply the technological capabilities they have to provide protection against an ever-changing threat landscape.

I’ve been noodling on this for some time, and it is the premise of this post: what if security functions couldn’t buy advanced technology until they had mastered the fundamentals? It’s (obviously) not a practical discussion, but one that I think could be interesting.

What if companies had to require all systems to be patched before they could buy a web gateway filtering tool? Such a tool identifies infected endpoints that would otherwise have been protected if an appropriate configuration/patch management process had been in place.

What if companies couldn’t purchase a SIEM unless they had already staffed up a security operations team that could interpret the results and realize some value from the investment in technology?

The model my simple mind came up with is one that parallels our educational system in the US. You need to demonstrate basic capabilities at lower levels before you’re allowed to graduate up the chain. Without further ado, here’s how I’d structure the grades. Just like in school, you don’t need 100% to pass (higher maturity = A, lower maturity = C, etc.), and this is just a first cut off the top of my head, with simple vetting against sources like the SANS Top 20.

Elementary School:
- Passwords on all devices
- Firewalls in place, enforcing basic segmentation
- Anti-virus installed
- Basic policies and procedures (acceptable use and the like)
- Spam filtering
- Someone in the enterprise responsible for security (doesn’t need to be a CISO-type, more along the lines of a security administrator who wears a couple of hats)

Junior High:
- Default passwords changed for all applications
- Standards that include things like secure build procedures
- Proxy authentication
- Perimeter protection in the form of IDS/IPS, WAPs with encryption
- Application security tool to scan all applications for secure coding techniques
- Basic data protection mechanisms (e.g., DLP in passive mode)
- Formal security awareness program

High School:
- Endpoint protection (A/V, host-based IPS, etc.) installed on all managed devices
- Use of the application security tool dictated by policy before ‘go live’
- Data classification defined into basic buckets
- Limited use of local workstation admin and Domain Administrator-type privileges
- User lifecycle processes (e.g., IAM) automated via a workflow tool
- Multi-factor authentication required for remote users
- Collection and aggregation of basic log infrastructure
- Dedicated CIRT
- Inline data protection (e.g., DLP) extended to block mode

Undergraduate:
- Asset management system that (substantially) catalogs the applications and non-BYOD devices resident in your environment
- Ability to maintain the integrity of your network via NAC, MDM; ‘dirty’ network for untrusted hosts
- Vulnerability identification processes that proactively identify when systems veer away from approved configurations
- SOC with well-defined processes
- Advanced IAM processes to automate compliance requirements
- Commercial SIEM implementation

Graduate:
- Remote forensic capability
- Web content filtering, including sandbox capabilities
- Network segmentation driven by security, not latency requirements
- Security executive reports no more than two levels from the CEO (e.g., CIO, CRO)
- Internal Red/Blue team capabilities augmented by specialized skillsets

Post-Graduate:
- Use of whitelist-based advanced malware detection software
- Minimized Internet points of presence (POPs)
- Inline network forensic capabilities (i.e., full packet capture) to complement endpoint forensic capabilities
- ‘Crown jewels’ reside in the data center, accessible via virtual machine only
- Use of identity analytics
- Security executive reports to the CEO, regular participant at the Audit Committee
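To make the gating rule concrete, here is a small self-assessment scorer written for this post (added example, not part of the original): a tier only counts once every lower tier has passed, so a shop with a SIEM and sandboxing web filter but unchanged default passwords still grades out at Elementary School. The 70% pass mark, the A/B/C cut-offs and the abbreviated control keys are my assumptions.

```python
# Gated maturity scorer for the school-grade model above. A tier is credited
# only when its average control coverage reaches the pass mark AND every
# lower tier has already passed, so advanced tooling cannot "graduate" an
# organisation past weak fundamentals. Pass mark and cut-offs are assumptions.
from typing import Dict, List, Tuple

TIERS: List[Tuple[str, List[str]]] = [
    ("Elementary School", ["passwords", "firewalls", "antivirus", "policies", "spam_filter", "security_owner"]),
    ("Junior High", ["default_pw_changed", "secure_build_standard", "proxy_auth",
                     "ids_ips_wpa", "appsec_scanner", "dlp_passive", "awareness_program"]),
    ("High School", ["endpoint_protection", "appsec_gate", "data_classification",
                     "least_privilege_admin", "iam_workflow", "mfa_remote",
                     "log_collection", "cirt", "dlp_block"]),
    ("Undergraduate", ["asset_inventory", "nac_mdm", "config_drift_detection", "soc_processes", "iam_compliance", "siem"]),
    ("Graduate", ["remote_forensics", "web_filter_sandbox", "security_segmentation", "exec_two_levels_from_ceo", "red_blue_team"]),
    ("Post-Graduate", ["whitelist_malware_detection", "minimised_pops", "full_packet_capture",
                       "crown_jewels_vm_only", "identity_analytics", "exec_reports_to_ceo"]),
]
PASS_MARK = 0.70  # assumed: you don't need 100% to pass a grade

def letter(coverage: float) -> str:
    """Letter grade for a passed tier (assumed cut-offs: A>=90%, B>=80%, else C)."""
    return "A" if coverage >= 0.90 else "B" if coverage >= 0.80 else "C"

def tier_coverage(controls: List[str], status: Dict[str, float]) -> float:
    """Mean implementation fraction (0.0..1.0) over a tier's controls; missing = 0."""
    return sum(status.get(c, 0.0) for c in controls) / len(controls)

def grade(status: Dict[str, float]) -> Tuple[str, str, List[str]]:
    """Return (highest passed tier, its letter, up to 3 weakest controls in the
    first failed tier). Those gaps are the fundamentals that block 'buying up'."""
    passed, passed_letter = "None", "-"
    for name, controls in TIERS:
        cov = tier_coverage(controls, status)
        if cov < PASS_MARK:
            return passed, passed_letter, sorted(controls, key=lambda c: status.get(c, 0.0))[:3]
        passed, passed_letter = name, letter(cov)
    return passed, passed_letter, []

# Constructed self-assessment: a shop that owns a SIEM and a sandboxing web
# filter but has unchanged default passwords and no awareness programme.
SAMPLE_STATUS: Dict[str, float] = {
    "passwords": 1.0, "firewalls": 1.0, "antivirus": 1.0, "policies": 0.5,
    "spam_filter": 1.0, "security_owner": 1.0, "default_pw_changed": 0.2,
    "secure_build_standard": 0.0, "proxy_auth": 1.0, "ids_ips_wpa": 1.0,
    "appsec_scanner": 1.0, "dlp_passive": 1.0, "awareness_program": 0.0,
    "siem": 1.0, "web_filter_sandbox": 1.0,
}
```

Calling `grade(SAMPLE_STATUS)` reports Elementary School with an A and names the three Junior High gaps to close first; the SIEM and sandbox score nothing until those tiers pass.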

As always, I welcome your comments, questions and critiques.  Thanks for reading!
