Proactive Infosec

Ongoing security incidents: are we spending in the right places?

Are our investments in ‘information security’ aligned with today’s reality? It seems that every day there is a new security incident making headlines. Dictionary.com has nominated the word ‘exposure’ as its word of the year. The word has been popularised by events such as Ebola but, more relevant to those of us in the world of ‘infosec’, also by data breaches and other security incidents.

So with all this popularisation and awareness being generated, why are businesses still struggling to prevent, or even detect, a security incident until well after the fact? For me the answer is a complete misalignment in thinking as to how security is viewed. Avoiding a breach or any other security incident is certainly an admirable goal; the reality, however, is that it is an unrealistic one, as the frequency, diversity and apparent ease of the breaches now occurring show.

Where do we start?

There are many areas that we could focus on within the discipline of ‘infosec’, but the area that I would like to focus on is incident response (IR). Often I’m asked, ‘We haven’t had a security incident, so why do we need to invest more?’ In my opinion this is the wrong question. Why? Very few organisations are actually looking for indicators of compromise, or for evidence that an incident has even taken place, so of course many incidents occur without their knowledge.

An analogy would be the iceberg, with most of the danger lurking below the water, invisible to all but the most prudent individual.

Few adversaries want to draw attention to themselves, unless it directly assists their cause. An example of this would be hacktivists rendering a very public website unavailable via a DDoS attack, as this will draw more publicity to their cause. So it is unrealistic to expect out-of-the-box consoles of the security products you’ve purchased to light up telling you that some foreign state or cyber-criminal has just stolen your customer database or most sensitive trade secrets.

Supporting my argument is the huge uptick in focus and investment in threat intelligence and incident response technologies and services among organisations that wish to have this level of insight. I would add, though, that we need to push a little further and even change some of our language, so as to recalibrate our thinking and the way we view infosec in a rapidly evolving and hyper-connected world.

Incident Discovery and not response

Discovery, to me, implies a level of proactiveness: continually ‘hunting’ for indicators that a security incident has taken, or is about to take, place. Response, on the other hand, implies a passive stance, where organisations wait for an event that may or may not happen. The reality, though, is that events take place every day, and even if none of them is a 100Gbps DDoS attack, there are many events that, when connected together, certainly constitute an incident. Perhaps a minor incident, perhaps not; the point is that unless organisations are prepared to ‘hunt’ for these events, and understand where to look and what to look for, only the biggest security incidents will be detected, and often only when it’s too late.

‘Wisdom and hindsight are great bedfellows’ is one of my favourite sayings, and if we look at some of the biggest data breaches in history and what is known publicly about them, it is clear that there were a number of indicators and tell-tale signs that something wasn’t right.

So where do we start?

Data points that hint at indicators of compromise (IOCs) are everywhere, and not ‘just’ in the log files of your firewall, antivirus management platform and so on.

I recommend that customers adopt a five-step plan; those of you who are seasoned security professionals will notice that none of this is revolutionary, and that it is based on good risk management practice.

Step 1: Know how your business makes money, how it services its customers and constituents and delivers its services, and how your information systems support this.

Step 2: Where does the data reside, and who and what accesses it? Are there multiple feeds that, when integrated, create information of a higher degree of sensitivity and importance?

Step 3: What does good look like? This is easier said than done; however, it is necessary to know what ‘normal’ looks like for your organisation. This gives you a baseline from which you can operate. This is where some impressive analytical tools come in, and, dare I say it, even big data plays a significant part in all of this.

Step 4: Define the top 3-5 ‘use cases’ in which an adversary could seriously disrupt your business. An example could be obtaining trade secrets or customer records. The use case would first establish where the data resides, who has access to it and what technology is being used, then how an adversary could conceivably access this information and obtain it (exfiltration), and finally where you would look to know that this has occurred.

Step 5: Establish a workflow, aided by the necessary tools, that allows you to cycle quickly through the previously defined threat use cases to identify any anomalies (IOCs). Establishing these workflows and making them part of standard operating procedures (SOPs) will not only provide a deeper understanding of your business, its areas of importance and how technology supports it, but will also give you a baseline against which current and future security investments can be assessed.

These five steps serve as the foundation of proactive information security and embody many of the principles that good infosec practitioners have been advocating for years.
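As an added example that is not part of the article, the following Python script shows what Steps 3 to 5 look like when reduced to a single repeatable check for the article's own example use case, customer-record exfiltration: a baseline of ‘normal’ daily outbound volume for the host holding the data, a use-case record of where to look, and a workflow that cycles through every use case and flags anomalies. The host names, dates and byte counts are constructed, and a real workflow would draw the same figures from an egress proxy or flow collector rather than an inline list.

```python
# Added example (not the article's code): a minimal hunting workflow for the
# article's customer-record exfiltration use case. All data is constructed.
from collections import defaultdict
from statistics import median

# Constructed sample: daily outbound bytes per host (hypothetical host names).
SAMPLE_EGRESS = [
    ("2014-11-01", "crm-db-01", 5_200_000), ("2014-11-01", "web-01", 80_000_000),
    ("2014-11-02", "crm-db-01", 4_900_000), ("2014-11-02", "web-01", 79_000_000),
    ("2014-11-03", "crm-db-01", 5_100_000),
    ("2014-11-04", "crm-db-01", 5_000_000),
    ("2014-11-05", "crm-db-01", 5_300_000),
    ("2014-11-06", "crm-db-01", 4_800_000),
    ("2014-11-07", "crm-db-01", 5_100_000),
    ("2014-11-08", "crm-db-01", 5_000_000),
    ("2014-11-09", "crm-db-01", 880_000_000),  # the day a bulk pull leaves
    ("2014-11-10", "crm-db-01", 5_200_000),
]

# Step 4: each use case records where the data lives and where to look.
USE_CASES = [
    {"name": "customer records exfiltration", "host": "crm-db-01",
     "where_to_look": "egress proxy, bytes out per day"},
    {"name": "web content tampering", "host": "web-01",
     "where_to_look": "egress proxy, bytes out per day"},
]

def baseline(values):
    """Step 3: 'normal' as median and MAD, which one spike cannot drag around."""
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # avoid division by zero
    return med, mad

def hunt(records, host, learn_days=7, threshold=5.0):
    """Step 5: learn from the first learn_days, then flag later days more than
    threshold MADs above normal. Returns [(day, bytes, score)]."""
    per_day = defaultdict(int)
    for day, h, nbytes in records:
        if h == host:
            per_day[day] += nbytes
    days = sorted(per_day)
    if len(days) <= learn_days:
        return []  # not enough history to say what normal is
    med, mad = baseline([per_day[d] for d in days[:learn_days]])
    return [(d, per_day[d], round((per_day[d] - med) / mad, 1))
            for d in days[learn_days:] if (per_day[d] - med) / mad > threshold]

def run_workflow(use_cases, records):
    """Cycle through every defined use case, as the Step 5 SOP would."""
    return {uc["name"]: hunt(records, uc["host"]) for uc in use_cases}
```

Run as `run_workflow(USE_CASES, SAMPLE_EGRESS)`: the database host is flagged only on the day of the bulk transfer, and the web host, which has too little history to baseline, returns no finding rather than a false one.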

The litmus test

The questions often asked of executives to help them get a sense of where their infosec programme stands are:

1. Do you know what good looks like within your environment?

2. The bad guys are already stealing your information: how would you know this, where would you look and what would you look for?

3. How do you know that your security investments last year improved your security posture? You spent $2 million on security and you achieved what? The business is growing, new programs are happening, you want more money, but can you demonstrate that your investments are helping the business achieve its security objectives (think back to the use cases previously defined)?

Simplify, focus, control

Rapid innovation, explosive growth, and a world that is changing faster and faster every day make a tough job even tougher for today’s infosec professional. It’s not easy, and that’s why they call it work; however, with a battle plan that allows you to strip away the unnecessary clutter, you are freer to focus on what is important to you and the business, which in turn gives you a degree (perhaps only a sense) of control.

Stories by John Ellis