Agile security operations allow organizations to survive cybersecurity incidents, deliver key insights into the security posture of an organization, and operate security as an integral part of development and operations. It is, deep down, how security has always operated at its best.
Agile Security Operations will teach you how to implement and operate an agile security operations model in your organization. The book focuses on the culture, staffing, technology, strategy, and tactical aspects of security operations. You'll learn how to establish and build a team and transform your existing team into one that can execute agile security operations. As you progress through the chapters, you’ll be able to improve your understanding of some of the key concepts of security, align operations with the rest of the business, streamline your operations, learn how to report to senior levels in the organization, and acquire funding.
By the end of this Agile book, you'll be ready to start implementing agile security operations, using the book as a handy reference.
Page count: 344
Year of publication: 2022
Engineering for agility in cyber defense, detection, and response
Hinne Hettema
BIRMINGHAM—MUMBAI
Copyright © 2022 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Wilson Dsouza
Publishing Product Manager: Vijin Boricha
Senior Editor: Arun Nadar
Content Development Editor: Sulagna Mohanty
Technical Editor: Arjun Varma
Copy Editor: Safis Editing
Project Coordinator: Shagun Saini
Proofreader: Safis Editing
Indexer: Subalakshmi Govindhan
Production Designer: Jyoti Chauhan
First published: February 2022
Production reference: 1141221
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-80181-551-2
www.packt.com
To all my teachers on the path.
– Hinne Hettema
Hinne Hettema is a practitioner in cybersecurity operations, focusing especially on enabling security capabilities through detection engineering, security monitoring, threat intelligence, incident response, operational technology, and malware research. He works in New Zealand in security operations and the establishment of cybersecurity defensive capabilities in various organizations. He is an adjunct senior fellow at the University of Queensland, researching cybersecurity operations, the security of operational technology, and the philosophy of cybersecurity. He studied theoretical chemistry and philosophy.
Rene Thorup holds an MSc degree in forensic computing with distinction and a Dean's award from Coventry University and an academic profession degree in IT networks and electronics technology. He has over 20 years' experience within cybersecurity, from cybersecurity analyst to CISO, and he has even been a university lecturer and cybersecurity trainer for a leading incident response company. Rene has built, and led, several SOC and SecOps teams from scratch over the years, both for the military/governments and large enterprises. Recently, he was the technical lead for EMEA and APAC for a well-known cybersecurity firm, and conducted incident response and root cause analysis on several high-profile cyber-attacks.
I would like to thank the professional leaders that always believed in me and my abilities to succeed and supported my continuous development – especially "PT" and "MF" from the Danish Defense. Also, a big thanks to "Lex," who was a great inspiration for keeping up the hard study on my MSc, and made it fun to study.
Beshoy A. Iskander holds two MSc degrees in cybersecurity and technology management and holds other professional certifications in cyber security and incident response, with 15 years of experience in cyber security across multiple security vendors, such as RSA and other firms in the FinTech industry.
Currently, Beshoy is the director of cyber security operations for a multinational crypto-currency company.
I would like to thank God first, for his grace, which led me to this point in my life. I'd also like to thank my wife, Lidia; my first son, Jonathan; my second child to be; and my mother. I'd also love to dedicate my contribution to this book to the soul of my father.
This book focuses on how organizations can improve their security posture and build robust and predictable security operations. It is written from the viewpoint that the best way to do that is with something called agile security operations, focused on processes rather than organizational structure, and a strong focus on incident response as one of the key processes that we either prepare for, execute, or improve in well-executed security operations.
This book may turn some received wisdom about security operations on its head. Specifically, in this book I develop and apply a methodology for agile security operations that is primarily focused on the process, rather than the structure, of a security operational capability. I discuss how these processes interact with each other using a map of the incident response process. The word agile is used because security operations need agility – the capability to quickly predict and adapt to a rapidly changing set of circumstances.
Agile has, in some contexts in the software development world, evolved into a complex and prescriptive framework for how to develop software. That is not how I operate here. Agile security operations are most certainly not a security or operations variety of agile or scrum, which are primarily software development methods. In the context employed here, agile security operations really focus on the tactical aspects of how teams do security, and how they embed, as a team, into a wider organization.
This book does not specifically adhere to one method of agile that is used in software development, nor does it get overly prescriptive in the practices and methods, although there is enough information here to do so if you want. Security operations, and how they are best done, are specific to each business and need to be carefully tailored and designed to meet the needs of that business. It is important that you adopt a framework that incorporates the idiosyncrasies and context of your business and implement what works for you.
This book will not focus in detail on the latest technology, gadgetry, tools, or clever attack approaches that are common to cybersecurity. In fact, in this book, I care little about such things at all (although they are interesting). This book instead focuses on tactics: the ethos and the way of thinking you need to successfully thwart cyber adversaries in your organization, as well as the processes that drive a credible security capability.
I run my teams, and wrote this book, from the viewpoint that what matters most in security teams is their grasp of context, key concepts, systems, and operations, and the many ways in which they influence the business. To the extent that this book hands down tools, those are the ones that matter most. In security, as elsewhere now, technical tools and approaches are subject to constant and rapid change. The grasp of the technical intricacies of tools is a threshold variable: teams need enough proficiency with the tools to be effective, but beyond that point, it is what they do with them that matters in how much they can influence and improve the security posture of the business.
Despite decades of hawking strategy and best practice by consultants, security has not markedly improved in many businesses, and from the viewpoint of the executive, matters have probably gotten worse.
Companies the world over are now making significant investments in security. Yet the ongoing drumbeat of cyber-breaches suggests that these investments matter less than should be the case. This situation needs to change. It can, if we improve our processes, work on embedding security teams into the organization, and develop the right ethos in our security teams.
The intended audience for this book is security leadership, especially people managing security operation centers, security engineers, and security analysts. CISO, CDO, and CIO-level decision-makers will also benefit from this book. Some intermediate-level knowledge of incident response, cybersecurity, and threat intelligence is necessary to get started with the book.
Chapter 1, How Security Operations Are Changing, discusses how the landscape of security operations is changing and the pressures that are forcing that change. I focus on why security is hard and why the traditional measures in use in IT are failing when it comes to security.
Chapter 2, Incident Response – A Key Capability in Security Operations, focuses on the aim and purpose of incident response, and the reasons why incident response is the key security capability.
Chapter 3, Engineering for Incident Response, discusses the engineering aspects of incident response, from the viewpoint that incident response is a continuing operational activity that defines agile security operations. We will primarily build on the incident response loop to develop an agile framework for security operations and discuss some of the engineering aspects. This will be the final chapter that builds the framework for agile security operations, and the focus will be both on the agile security operations process and how tooling needs change as a result of that process.
Chapter 4, Key Concepts in Cyber Defense, discusses some key concepts of resilience that need to be understood for the rest of the book. This chapter will introduce the key concepts that make up the culture and ethos of agile security: chaos, constraints, defensibility, strategy, and tactics, and will focus on how to apply them correctly, as well as presenting further pointers to more detailed resources easily available on the internet. This chapter will use the earlier concept of the Cynefin framework to delve deeper into these concepts and how they shape thinking during incident response.
Chapter 5, Defensible Architecture, focuses on the development of defensible architecture. The main idea of defensible architecture is that it focuses on incident response in an environment during the design stage and tries to maximize the options available to defenders.
Chapter 6, Active Defense, takes the lessons from the previous chapter to heart and integrates them into a credible defense, taking us from response activities to tactics to strategy. This chapter focuses on the tactic of active defense and how it is implemented. Active defense is the practice of intelligence-driven breach detection, containment, and purposed engineering that is capable of dealing with persistent and advanced attackers.
Chapter 7, How Secure Are You? – Measuring Security Posture, tackles the difficult problem of measuring security posture and especially measuring and communicating the value that security operations bring to the organization. Traditionally, these discussions have focused on the reduction of risk, rather than driving business value. This chapter focuses on how practitioners should have these discussions in the context of business value and strategy.
Chapter 8, Red, Blue, and Purple Teaming, covers how active defense applies the principles of blue teaming. A purple team adds a certain amount of adversity to a blue team. Purple teaming aims to give a direct answer to the question, Are we vulnerable?, in ways that can be directly communicated to the business. This chapter outlines how organizations can get the most out of threat hunting and purple teaming.
Chapter 9, Running and Operating Security Services, explains how security operations done well revolve around six different security services. This chapter expands on security operations to the complete set of services that need to be run in the context of a security program with incident response at its core. Defining precise services in the context of a business environment is very important: it allows service strategies to be developed for these services, and allows monitoring and evaluation of these services, just like any other IT service. Many organizations struggle with cyber security precisely because they do not quite understand what the essential cyber security services are and the value they deliver to the business.
Chapter 10, Implementing Agile Threat Intelligence, covers the fact that threat intelligence requires a significant amount of organizational readiness. A credible threat intelligence program consists of a number of activities that are best performed in the context of agile security operations, such as curation, threat hunting and tasking, as well as adversary simulation.
This book focuses primarily on methods and concepts and does not require a technical setup.
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781801815512_ColorImages.pdf.
There are a number of text conventions used throughout this book.
Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "This chapter will draw together many of the strands from previous chapters and develop an approach to the core of security operations called active defense."
Tips or Important Notes
Appear like this.
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Once you've read Agile Security Operations, we'd love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.
Your review is important to us and the tech community and will help us make sure we're delivering excellent quality content.
Part 1 establishes incident response as the "why" of security. That incident response is the heart of security should be clear on a moment's reflection: without cybersecurity incidents, there would be no need to have a security team. Yet the model in which incident response sits at the core of security efforts is not widely used. This part of the book explores agile security from this viewpoint.
This part of the book comprises the following chapters:
Chapter 1, How Security Operations Are Changing
Chapter 2, Incident Response – A Key Capability in Security Operations
Chapter 3, Engineering for Incident Response

Cybersecurity is increasingly important for many organizations. It manifests itself as business risk. Security operations are a key security capability that organizations must implement to be effective in deterring and resolving the effects of cyber-attacks and minimizing cybersecurity risk to their business. However, the role and mechanics of security operations are often misunderstood. That is why you are reading this book.
This book is written from a viewpoint on cybersecurity that, for some, turns matters on its head. I take the view that cybersecurity operations, when done well, drive security leadership, auditing, reporting, and risk reduction. This is not the common view on how organizations implement cybersecurity operations. The usual approach, sketched very briefly, is that organizations need executive commitment, funding, a cybersecurity program (often driven by audit results), and a raft of security policies and risk heat maps to be effective. Their job is then to drive this down into the business. The measurement of this is then done with maturity models and metrics.
This book will overturn that view. The viewpoint that I will develop and work out in this book is the following:
Passing audits is the result of security operations done well. Audits do not drive improvement – making improvements in security operations drives improvement overall.
Security operations vitally develop and enrich cybersecurity conversations at executive level, mainly through the enhanced visibility they provide. Having a conversation about what happens on your network, as opposed to what one reads about in the newspaper, is inherently more powerful and convincing, especially if it can be backed up with evidence.
The visibility and context provided by well-executed cybersecurity operations inherently change the strategy and risk discussion, leading to better grounded risk and compliance programs.
Building the visibility and response components into applications and networks from the outset leads to better security architecture and changes the conversation from security being a blocker to security being an enabler of the business.
If security operations are the core of an organization's cyber risk management, then the activities undertaken to resolve security incidents are at the heart of security operations. The viewpoint that I will take in this book, and that in my view defines agile security operations, is that effective incident response is the key measure when it comes to risk reduction from threats. In turn, the need to perform incident response then drives the rest of the security operations.
The operations piece of cybersecurity also needs funding, commitment, policies, and risk management. Doing cybersecurity operations well is not an excuse to get rid of these things. The difference is a radically changed conversation about their impact and use.
Cybersecurity operations, done well, provide a vital context and enrichment to the executive and business conversation that will lead to a tight integration between cybersecurity and the business, reduce risk more effectively, and, in short, lead to an organization that is defensible from a tooling (technical), cultural (people), and management (process) perspective. The part between brackets is sometimes referred to as the people, process, and technology (PPT) framework.
The focus of this chapter is on the following:
Understanding the role of security operations in risk management
Defining security operations
Understanding why security operations need to be agile

The chapter is structured as follows:

Why security is hard
Security incidents
Security solutions in search of a problem
The scope of security operations
Where security operations turn agile

In many organizations, implementing security is hard work. At a technical level, security is often seen as a blocker; at a tactical level, security considerations may change how the business operates; and at a strategic and political level, security often raises problems that many organizations prefer to ignore. This section will place security operations at the core of a security program and introduce the five types of cyber defense.
This book takes the view that security operations are the heart of a security program. When organizations do their security operations well, they generate the necessary context to develop strategy, policies, and reporting, and gain the most benefit from audits.
The centrality of security operations is a somewhat unpopular view: much of what we see in security writing focuses heavily on technology – which is the implementation side of security – or on strategy, which focuses on the management and maturity of the program. By not considering security operations, the focus of too many organizations is still on prevention and controls. While prevention and controls are important, in this book I argue – based on experience – that they are the result of good security operations rather than the cause.
In a nutshell, security operations are an organization's capability to detect and respond to adversarial events on their systems and networks.
That is a mouthful, but we can unpack it a bit. Detection speaks to the capability of an organization to notice that something is wrong on its networks, preferably at an early stage of an attack; response speaks to its capability to deal with such an event. Adversarial indicates that the event is caused by humans and has a specific component of intent.
In this book, I'll focus specifically on security operations and the ethos needed to create and sustain a security team that excels in security operations.
Therefore, I'll stay away from talking too much about either technology or strategy and instead focus heavily on tactics. Tactics – the specialty of security operations – are the nitty-gritty of how organizations respond to actual attacks, threats, vulnerabilities, and adversarial activity on their systems and networks.
If you think of strategy as the why of security, and the technology as the what, then tactics is the how – how do we realistically implement a risk program, how do we use that technology that has just been bought, and how do we secure an enterprise? These are the questions I will aim to answer in this book, and it is a critical connecting layer between technology and strategy that has not received the attention it deserves.
Cybersecurity is traditionally approached from the viewpoint of business risk management. This creates a disconnect with security operations, and that fundamental disconnect makes security in many organizations harder than it needs to be.
To understand this better, we can look at how risk management usually approaches areas of risk. While the view of risk management I develop here is very simplified, it captures all the essentials. Risk management is typically based on a risk register, where risks are enumerated and given a priority of high, medium, or low (or a color-coded scale) based on both the exposure to the risk (the likelihood) and the impact (the consequence). In most cases, these assessments are subjective and dependent on the sector and context.
Risk management then relies on a matrix of controls to manage risk. Broadly speaking, risk treatment has four options: prevention, reduction, acceptance, or transfer. Prevention means that the organization puts in a device or measure that prevents the risk from materializing. Reduction means that some compensating control is developed that controls the risk, or at least makes it visible in time.
Acceptance of risk means just that – the risk is accepted by the organization and no further action is undertaken to address it; consequences will have to be dealt with as they occur. This can happen, for instance, when a risk is too costly or cumbersome to address, or when the costs and effort associated with addressing it make no sense from the viewpoint of the risk accepted.
A transfer of risk occurs when the risk is borne by a third party, for instance when an organization buys cyber insurance. We will have more to say on cyber insurance in Chapter 7, How Secure Are You? – Measuring Security Posture.
Once this table is complete, risks are then prioritized, mitigations costed and budgeted, and the budgets for the highest risks are approved. Then it's rinse and repeat.
Measuring cybersecurity risk
While you might think that risk management is a typical business way of dealing with the risks posed by cybersecurity and is therefore easily understood by senior leaders in an organization, you would be wrong. In How to Measure Anything in Cybersecurity Risk, Wiley, 2016, Douglas Hubbard and Richard Seiersen argue passionately and in depth that this method of dealing with risk is a failure and does not work. While cybersecurity is indeed a business risk, we need to come up with a better method to communicate and treat risk. In Chapter 7, How Secure Are You? – Measuring Security Posture, we will return to the topic of how to make security relevant in a business context based on the model of security operations.
Security operations do not work this way. Security operations focus primarily on dealing with issues as they occur – that is, they focus on the here and now. Beyond the here and now, they focus on threats in the context of the business, and devise methods of detecting those threats.
To better understand the depth of the chasm that opens in this way, it helps to have a clear understanding of how organizations deal with cyber risk. Dealing with cyber risk from the perspective of a risk management framework leads an organization to put in passive defenses: things such as firewalls, antivirus, network controls, and access lists to form a defense in depth architecture. At worst, a strong focus on traditional risk can cause misspending on silver bullets: expensive security solutions that generally do much less than they promise, sometimes because the environment is not mature enough to make the most of the investment. Except for the silver bullet, passive defenses are all necessary in credible cyber defense, but they overlook large areas that organizations should also address when considering cyber defense.
Figure 1.1 shows a risk treatment approach to threats that is often used in cybersecurity. Where a threat is identified, it is usually translated into risk, and then the risk treatment process defines whether a vulnerability exists and what the extent of it is (sometimes called the attack surface). Several controls look at how to reduce exposure, how to mitigate it (for example, by timely patching), and arrive at a residual risk that can be put on the heat map, or further reduced:
Figure 1.1 – Risk treatment of threats
This approach to threats focuses on passive defense. Thereby it misses out on important additional components of cybersecurity defense. Specifically, it misses out on what organizations may do (and, in my view, should do) in the areas of architecture, passive defense, active defense, intelligence, and perhaps even offense. These together make up the five types of cyber defense, which we discuss next.
As Rob Lee points out in The Sliding Scale of Cyber Security (2015) (https://www.sans.org/reading-room/whitepapers/ActiveDefense/sliding-scale-cyber-security-36240), passive defense is only one of the five available modes of defense that organizations should consider when designing a cyber risk program. The five options sit on a spectrum, ranging from architecture, through passive defense to active defense, intelligence, and offense.
This spectrum can be read as follows:
Architecture focuses on the design of systems so that they are as secure as possible. As part of architecture, we consider possible threats to the system and how the system can be made resilient against those threats. One of the most important aspects of architecture is threat modeling. We will discuss architecture in Chapter 5, Defensible Architecture.
Passive defense focuses on the defense in depth and control framework that implements several systems (such as firewalls). These systems are added as preventive capabilities to the architecture to ensure that the system is robust against common attacks without constant human intervention. Packet filters, for instance, allow traffic only on specified ports and/or protocols and drop any packet that does not conform to their rules without human intervention.
Active defense focuses specifically on threats and their contexts as they manifest themselves to us as defenders, and is one of the key activities of agile security operations. Active defenders pick up what passive defenses miss. Active defense builds and maintains context and focus on active threats, based on a superior understanding of the environment. We will return to active defense in Chapter 6, Active Defense.
Intelligence is the knowledge that an organization has about the tactics, techniques, and procedures of its adversaries. We will return to intelligence in Chapter 10, Implementing Agile Threat Intelligence.
Offense focuses on the legal actions that a defender can take to disrupt or degrade an attacker's infrastructure. This may, for instance, include takedown actions where an attacker's infrastructure is removed from the internet by an authorized body.

Figure 1.2 gives a representation of the five defense modes and the respective focus of risk-driven and operations-driven security programs.
Well-managed operationally driven programs will tend to expand to encompass the five modes of defense, whereas risk-driven programs will tend to focus on architecture and passive defense:
Figure 1.2 – A representation of the five defense modes and the respective focus of risk-driven and operations-driven security programs
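The passive-defense mode above is characterized by a control that decides without a human in the loop: a packet filter with a default-deny policy drops anything its rules do not explicitly allow. The following Python is an added example written for this page, not code from the book; the rule set, the packets, the documentation-range addresses (203.0.113.0/24, 198.51.100.0/24), the "admin network" 10.0.0.0/24 and all function names are assumptions constructed for illustration. It also shows a property the text does not spell out: under first-match semantics, rule order is part of the policy.

```python
"""Default-deny packet filter with first-match rules.

Added example for this page; it is not code from the book. The rule set, the
addresses (RFC 5737 documentation ranges) and the packets are constructed here
for illustration. It shows the passive-defense property described in the text:
anything the rules do not explicitly allow is dropped, with no human in the loop.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    dport: Optional[int]     # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # protocol name, or "any"
    src_net: str             # CIDR; "0.0.0.0/0" matches every IPv4 source
    dst_net: str
    dport: Optional[int]     # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        """True only if every field of the rule agrees with the packet."""
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


DEFAULT_POLICY = "deny"   # assumed default: nothing passes unless a rule allows it


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet matching no rule falls to the default policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return DEFAULT_POLICY


# Constructed rule set for a hypothetical web server at 203.0.113.10:
# HTTPS from anywhere, SSH only from the assumed admin network 10.0.0.0/24.
RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443),
    Rule("allow", "tcp", "10.0.0.0/24", "203.0.113.10/32", 22),
    Rule("deny", "tcp", "0.0.0.0/0", "203.0.113.10/32", 22),   # explicit, so SSH denials show up in logs
]

# Constructed traffic sample: one packet per case the rules should decide.
SAMPLE = [
    Packet("198.51.100.7", "203.0.113.10", "tcp", 443),    # public HTTPS
    Packet("198.51.100.7", "203.0.113.10", "tcp", 22),     # public SSH
    Packet("10.0.0.5", "203.0.113.10", "tcp", 22),         # admin SSH
    Packet("198.51.100.7", "203.0.113.10", "udp", 53),     # unexpected DNS to the web server
    Packet("198.51.100.7", "203.0.113.10", "icmp", None),  # ping, no port
]


def filter_packets(rules: List[Rule], packets: List[Packet]) -> List[Tuple[Packet, str]]:
    """Apply the rule set to each packet and return (packet, verdict) pairs."""
    return [(pkt, evaluate(rules, pkt)) for pkt in packets]


def order_matters(packet: Packet) -> Tuple[str, str]:
    """Verdict for the same packet under RULES, and under RULES with the catch-all
    SSH deny moved to the front: first-match semantics make rule order part of the policy."""
    reordered = [RULES[2], RULES[0], RULES[1]]
    return evaluate(RULES, packet), evaluate(reordered, packet)


if __name__ == "__main__":
    for pkt, verdict in filter_packets(RULES, SAMPLE):
        print(f"{verdict:5} {pkt.proto:4} {pkt.src:>14} -> {pkt.dst}:{pkt.dport}")
    print("admin SSH, original vs reordered:", order_matters(SAMPLE[2]))
```

Run as a script it prints one verdict per sample packet: only public HTTPS and admin SSH are allowed; public SSH, the stray DNS packet and the ping all fall to the explicit or default deny. The `order_matters` call shows the admin SSH packet flipping to "deny" once the catch-all deny precedes the admin allow, which is the kind of silent misconfiguration that active defense, not the filter itself, has to catch.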
Risk management and security operations therefore operate from radically differing but also complementing perspectives and assumptions about how to best secure an organization.
This book is written from the conviction that starting with security operations, security risk management can be done much better than is usually the case. An operationally driven program changes the conversation from driving down an externally defined program to a fact-based discussion on what happens in this business.
It is, from that perspective, surprising that many organizations that do have extensive security programs and policy frameworks are weak when it comes to security operations.
The security 1%
In an interesting blog post (https://taosecurity.blogspot.com/2020/10/security-and-one-percent-thought.html), Richard Bejtlich points out that the organizations with a somewhat credible detection and response capability form part of the security 1%. He focuses on membership of FIRST (first.org) and then performs a quick estimate of the percentage of organizations that would be able to mount a credible defense when they are attacked. The conclusion is that only around 1% of organizations have detection and response capabilities, rather than running just planning and resistance/prevention functions. While this is a back-of-the-envelope calculation, it does underscore the need to improve security operations across the board. The problem of the security 1% also leads to several other problems, especially the question of whether advanced penetration testing tools and IOCs should be made as widely available as they are: they are nearly useless to the security 99% but may lead to improvements in the capability of attackers, making the overall security situation worse.
The focus on security operations does not mean that governance, risk, and compliance are unimportant. The main takeaway from this section is that the focus on security operations as a central activity alters the point where organizations should start first: governance, risk, and compliance is not a strong starting point for a security program in the initial stage – it is better to focus on developing operations that inform the governance program, and develop the governance, risk, and compliance program from what the security operations discover.
All the preceding points hinge on the assumption that an operations-driven security program is managed well. In Chapter 7, How Secure Are You? – Measuring Security Posture, we will return to the topic of governance, risk, and compliance in detail, and outline how a well-managed program can base itself on its operations.
A security incident is what most organizations hope will never happen. In agile security operations, incidents are the lifeblood of defense. During incidents, attackers reveal important information about their capabilities, intentions, methods, and tools, thereby turning a threat into reality. Good defenders will take advantage of the opportunity they are offered in this way to learn more about threats and improve their operations once the incident is over.
But to do this effectively, we need to be crystal clear about the intent and mode of incident response that organizations need to deploy. Learning from an attack is not useful if an organization doesn't survive the attack.
Cyber incident response has four key aims:
- Minimize attacker dwell time to the point where attackers are incapable of achieving their objectives
- Limit lateral movement of attackers on the network (for example, through defensible architecture)
- Prevent re-entry into the network after closure of an incident (evict successfully)
- Understand attackers' motivation and capability
The first aim of cyber defense is to ensure that an attacker – any attacker – will not achieve their objective and will be forced to leave before they achieve what they came for. This is quite an important point to understand: contrary to common opinion, the aim of cyber defense is not to prevent any attack at all costs, it is to prevent the adverse consequences resulting from an attack. Smart or experienced (or both) defenders know that attacks cannot be prevented; they can only be dealt with once they occur.
Dwell time – the time attackers get to spend on our networks before they are discovered – is usually measured in months for the most advanced attacks. This really means that defense teams must improve their visibility and opportunities to detect the presence of attackers.
The second aim is to limit lateral movement of attackers or slow them down. The first point of compromise is rarely the end goal of an attacker, and attackers will need to pivot – or move laterally – to the point where they want to be. A hardened architecture with identity, data, and network segmentation will make it harder for attackers to do so and provide more opportunities to discover an attacker before they do their damage.
The third aim is to evict successfully and prevent re-entry. This speaks to how the activities should be sequenced: if an attacker entered the network through a particular vulnerability or backdoor, make sure that this issue is fixed before an attacker is removed. Also, many attackers set up a series of re-entry points and backdoors, so sometimes it is better to observe an attacker for a while to determine what they are and then evict them once all backdoors are discovered and can be closed.
The last aim is to discover as much as possible about an attacker while all this is going on. Also, store this information alongside any artifacts, somewhere securely. With many attacks going on, it is easy to forget important details and it is sometimes handy to have them at hand once the same attacker comes knocking again.
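The first and third aims above can be checked against an organization's own incident records. The following is an added example (not from the book): it computes dwell time per incident and verifies that eviction only happened after the entry vector and every discovered backdoor were closed. The incident records are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime
from statistics import median
from typing import List, Optional


@dataclass
class Incident:
    name: str
    first_compromise: datetime          # earliest evidence of attacker presence
    detected: datetime                  # when defenders first noticed the attacker
    entry_vector_closed: Optional[datetime] = None   # initial vulnerability/backdoor fixed
    persistence_closed: List[datetime] = field(default_factory=list)  # each re-entry point removed
    evicted: Optional[datetime] = None  # attacker access removed


def dwell_time_days(inc: Incident) -> int:
    """Dwell time: days between first compromise and detection (first aim)."""
    return (inc.detected - inc.first_compromise).days


def eviction_order_ok(inc: Incident) -> bool:
    """Third aim: evict only once the entry vector and all known backdoors are closed.
    Returns False when the sequencing leaves a re-entry path open."""
    if inc.evicted is None or inc.entry_vector_closed is None:
        return False
    if inc.entry_vector_closed > inc.evicted:
        return False  # attacker removed while the door they came through is still open
    return all(t <= inc.evicted for t in inc.persistence_closed)


def median_dwell_days(incidents: List[Incident]) -> float:
    """Median dwell time across incidents, a simple posture metric."""
    return median(dwell_time_days(i) for i in incidents)


# Constructed sample records (hypothetical incidents, not real cases)
SAMPLE_INCIDENTS = [
    Incident("alpha", datetime(2022, 1, 10), datetime(2022, 4, 20),
             entry_vector_closed=datetime(2022, 4, 22),
             persistence_closed=[datetime(2022, 4, 23), datetime(2022, 4, 25)],
             evicted=datetime(2022, 4, 26)),
    Incident("bravo", datetime(2022, 3, 1), datetime(2022, 3, 5),
             entry_vector_closed=datetime(2022, 3, 10),   # closed after eviction: re-entry risk
             persistence_closed=[datetime(2022, 3, 6)],
             evicted=datetime(2022, 3, 7)),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.name, dwell_time_days(inc), "days dwell, eviction order ok:", eviction_order_ok(inc))
    print("median dwell (days):", median_dwell_days(SAMPLE_INCIDENTS))
```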
The Q model
Thomas Rid and Ben Buchanan developed a model for the attribution of cyber incidents that also indicates some of the key problems with incident response (Journal of Strategic Studies, Vol. 38, 2015, pp. 4-37, https://www.tandfonline.com/doi/abs/10.1080/01402390.2014.977382; a copy is also available on the author's personal website https://ridt.co/d/rid-buchanan-attributing-cyber-attacks.pdf).
The Q model is primarily intended to address the complexity in attributing cyber-attacks, but also contains much that is useful during and after incident response.
The idea is that attribution, like incident response, takes place on a strategic, operational, and tactical/technical layer, and focuses on the concept, the practice, and the communication/reporting.
A detailed diagram of the Q model can be found in the supplemental material on the publisher's website: https://ndownloader.figstatic.com/files/1860725.
Before we really go into the nitty-gritty of security operations, I need to make one more point. A trivial one. Technological silver bullets don't exist. The security field is rife with solutions that pretend to be able to solve most of an organization's security problems (that is, address its risk) in a single stroke of technology (it should come as no surprise that this never works).
Organizations that fall for the seductive sales pitches of the silver bullets are getting less protection from their security investments than they think they are, misunderstand their real risks, and are likely to underinvest in security capability. A large reason for the failure of advanced tooling in immature businesses is that advanced tooling is seen as a silver bullet, is not understood in context, and lacks much of the data it needs to be effective. Even if the solutions themselves work as advertised, the implementation may fail primarily due to three reasons:
- They fail to understand and appreciate the context in which these security solutions work and fail to consider whether the right conditions for these solutions are in place.
- They fail to consider whether they can feed these solutions with the right data at the right time.
- They do not consider the impact on operations. Security technology often does not work out of the box and needs a lot of fine-tuning by people who understand the context.
Robust security operations play a significant role in avoiding such misspending, since it is only through security operations that organizations can understand the context in which advanced tooling functions best, the value it can provide, and the data and visibility it needs to be effective.
It is a mistake to think that the scope of security operations is limited to information technology, or wherever there is a computer or network. This is a leftover of a time when security operations were centered around network intrusion detection and malware operations.
These days, attacks such as business email compromise are very common and successful. Business email compromise does not involve a technical intrusion on the network but instead exploits a business process. It involves sending an email to a person in an organization, pretending to be someone else, and then asking for money to be transferred under some pretext.
The focus of this book will be how to do security operations well. Security operations done well focus as heavily on the context of security as they do on the technology. This means understanding the business and its operations as well as security technology.
What security operations do differently is that they view people, processes, and technology with an adversarial mindset: the view of an attacker.
Up to this point, we have discussed why security operations are central to a credible defense capability and a credible cyber program. But why do security operations need to be agile?
Agile is primarily a software methodology that just happens to describe, in my view, how the best security teams have already been operating for a while.
We can understand this better by considering the agile manifesto (https://agilemanifesto.org/
