During the time that I’ve managed security teams and operation centres, it has always struck me that the understanding of security leadership in most organizations is either absent or vague. This in turn leads to difficulties in understanding the role of a security team in the organization, which can carry further cost, as this article by Brian Krebs points out.
The understanding of purpose and mission grow out of ‘security posture’, a term that is also often misunderstood or undefined but freely bandied around. In my experience, it matters a lot how we define these terms and thereby shape the mission, purpose, operations and procedures of the security team. The key to that understanding is a clear sense of security posture.
Therefore, in my opinion, it is time to come to a view on how we determine and characterize security posture, which can assist with sharpening our definitions of purpose and mission of security operations, and in turn, diagnose some common problems.
The size of the problem
Research by Mandiant (published yearly), indicates that security breaches have a ‘dwell time’ (the time the attacker spends in the network undetected), counted in months. That means intruders can be active in the environment for a long time before being noticed and evicted.
These long dwell times indicate technical as well as cultural deficiencies. It is likely that the technical tooling being used to monitor for compromises is either not in place (in which case it is a technical issue) or not being looked at (in which case there is something wrong in the culture of the security team).
The underlying reason for this lapse is that far too many organizations assume that intruders can be ‘kept out’ of the network indefinitely, something that seems confirmed by the many false positives that poorly configured tooling produces. As a result, security goes on autopilot. This security posture is implicit and has unconsidered operational consequences.
Security posture: a scale of approaches
Security posture is, in my view, an approach to security that is based largely on a number of presuppositions that in most places go unstated.
Poor security posture is specifically attributable to a lack of understanding of key operational business principles and a lack of understanding of their security context. Taking these two in combination, a workable definition of security posture is:
“… the translation of existing, adopted and explicated business operational principles to a cybersecurity context.”
While this may not be the entire story, it points at least to why security posture, as a term, is often so vague: most organizations only have implicit business operational principles, do not understand their security context, and use a hit and miss translation.
Most organizations lacking a defined security posture instead gravitate to a default posture, which is implicitly adopted. What I am suggesting here is that the lack of stated business principles, together with a faulty understanding of the security context, is likely to lead to a security posture based on fear: a hope and pray security approach coupled to a Hollywood version of a hacker.
In the table below I contrast this version of the posture of fear to one of a continuous breach, which was identified by PWC in 2011. Needless to say, for most organizations a continuous breach posture is more realistic, more evolved, and puts you in a far better position to deal with events as they occur.
But the continuous breach posture is not for everyone, or not for every environment. An Industrial Control System environment, for instance, is not really suitable for a continuous breach posture, but instead adopts an engineering approach to security.
|Fear-based posture||Continuous-breach posture||Industrial-control posture|
|Security approach||Reactive||Proactive||People safety / Continuity of operation|
|Incident approach||Panic||Controlled chaos||Safe shutdown|
|Security monitoring||Haphazard / vendor driven||Controls based on risk / vulnerability / exposure||Controls focused on people safety|
|Predictability||None / little||Events are anticipated||Events are anticipated|
|People impact||Burn-out||Busy||Personal safety|
|Security problem perception||IT problem (Hackers are nerds doing bad things!)||Business problem (Hackers are people too)||Engineering problem|
|Defence focus||Border / Fortress||Defence in depth / Immune system / Rapid detection / Low dwell time||Failsafes / Continuity /Restore of operation|
Table 1 — Fear based posture vs continuous breach posture vs industrial control posture.
Rather than focusing overly on the detail of what the different postures say, focus on the process. What is important is not the uncritical move from one default posture to another, but the fact that the security posture is considered and explicit.
The move from default posture to actual posture, therefore, primarily involves explication: making the implicit and unstated explicit and clear. Following the elements of the security posture given above, security posture can be defined using three specific questions:
- What are the operational principles that ensure the longevity of our business? This is primarily a strategic business question, and good security leaders either ask this question directly of business leadership or know where to look for it in the business strategy.
- What is the security context presented by the answers to question 1? This requires knowing what information is needed on specific attacks or threats — the ATT&CK model, or a threat modelling practice, may be a good place to start — and whether you can sort your our own incidents into a higher-level indication of the threats you’re facing.
- How do we translate cyber threat information into threats to operational business principles? This involves understanding what the consequences of an attack are and having plans in place that anticipate these consequences.
This picture is not static. It is important that these steps are iterative and regular: mistakes will be made but it is important to learn from them, and business principles also change over time.
Providing purpose and mission to security efforts
The two major benefits of having a clear security posture is it: (i) significantly helps target vendor spend; and (ii) provides purpose and mission to a security team. The latter is by far the most important.
Having a clear security posture frees your organization from vendor sales talk, which usually first ‘defines a problem’, puts on the scares, and then posits the solution (buy); the real sales thought process runs, of course, in reverse. Having a clear security posture helps in having a halting condition for such sales talk way before they get to your wallet (which is not to say you shouldn’t buy anything — you should buy stuff you have clearly identified a need for).
With a well-defined security posture in place, we can derive a tactical focus on what security teams need to achieve, and the components that make up security leadership for the business we’re in. Specifically, a security posture provides a mission and focus to security teams. After all, it is the purpose of security operations to maintain the security posture of the infrastructure they are responsible for in order for the business to function.
The mission and focus for security teams is a topic of its own, but for a mature security organization the commonalities will involve reducing dwell time, reducing lateral movement, and impeding attackers’ objectives. These are all important wins.
A robust security posture also turns an audit from a collection of boxes to be ticked into a comprehensive picture of risk and exposure. Such pictures can be communicated to business leadership and convey a sense that security knows what they’re doing, and also understands the business they’re in.
Adapted from the original post which appeared on LinkedIn
Hinne Hettema is the Tactical Cybersecurity Operations Leader at Ports of Auckland.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.