Critical Capabilities

Guest Post: Solving the Security Risk Puzzle, Critical Capabilities

This blog is the last in a three-part series discussing how to solve the security risk puzzle. In this final blog, we will outline the critical capabilities required to solve the security risk puzzle.

Key Domains

Before we can define the critical capabilities required for solving the security risk puzzle, we first must define the key domains (or areas) that need to be addressed. My original hypothesis, years ago, was that there are six key domains of security that need to be addressed:

  1. Discover – Understand your business and technical assets, which are important, and who owns them.
  2. Assess – Determine the state of your assets, what vulnerabilities exist, and their configuration status.
  3. Monitor – Collect asset activity including network, host, application, user, and data.
  4. Analyze – Correlate activity and state to identify abnormal or malicious behavior.
  5. Respond – Investigate and resolve abnormal or malicious activity.
  6. Protect – Apply learnings to proactively automate the security of your assets.

These domains align closely with the NIST Cybersecurity Framework (CSF), except for the Recover function. Applying CSF, we’ll define the critical capabilities for security risk management across four key domains: Identify, Protect, Detect, and Respond.

Critical Capabilities

Identify

Risk starts by understanding the criticality of an asset, but to do so, one must first know what one's assets are. The first set of critical capabilities needs to help you discover, classify, and assign ownership to your assets, including networks, hosts, applications, and data, whether on-premise or in the cloud. This domain boils down to three core capabilities:

  1. Asset discovery, including networks, hosts, mobile devices, applications, databases, cloud services, etc., to create a complete asset inventory, including the inter-relationship of assets.
  2. Asset classification, including integration with configuration management databases (CMDBs), to assign asset criticality based on business attributes, including regulations.
  3. Asset ownership, including integration with configuration management databases (CMDBs), to assign business owners for remediation and reporting.

Protect

Once we understand our assets, we can now start to protect them. This next set of critical capabilities will focus on understanding the state of your assets, whether on-premise or in the cloud, as this is required to protect them. This domain boils down to three core capabilities:

  1. Vulnerability assessment of your networks, hosts, mobile devices, applications, databases, cloud services, etc., to identify and resolve weaknesses, missing patches, etc.
  2. Malware detection across your networks, hosts, mobile devices, applications, databases, cloud services, etc., to identify and resolve malicious files and programs.
  3. Configuration audit of your networks, hosts, mobile devices, applications, databases, cloud services, etc., to identify and resolve misconfigurations, policy violations, etc.

Detect

Since your environment constantly changes and new threats emerge, we also need to proactively monitor our assets. This next set of critical capabilities will focus on detecting the activity of your assets, whether on-premise or in the cloud, as this is required to detect abnormal or malicious behavior. This domain boils down to four core capabilities:

  1. Log collection across your networks, hosts, mobile devices, applications, databases, cloud services, etc., to correlate and analyze asset activity.
  2. Packet inspection across your networks, whether on-premise or in the cloud, to correlate and analyze network activity.
  3. User monitoring across your networks, hosts, mobile devices, applications, databases, cloud services, etc., including social media, to correlate and analyze user activity.
  4. Threat analysis, including integration with threat intelligence sources, to detect and analyze active and emerging threats.

Respond

As abnormal and malicious activity is detected, we need to quickly investigate and respond to this activity. This last set of critical capabilities will focus on responding to active threats, whether on-premise or in the cloud, as this is required to reduce risk. This domain boils down to two core capabilities:

  1. Incident investigation, including forensics, across your networks, hosts, mobile devices, applications, databases, cloud services, etc., to validate and categorize events.
  2. Event response, including automated responses, across your networks, hosts, mobile devices, applications, databases, cloud services, etc., to mitigate and resolve incidents.
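To make the argument concrete, here is an added example (not code from the original post or from any vendor it discusses) that joins the four domains above into one risk-ranked remediation queue: asset criticality and ownership from Identify, assessment findings from Protect, and correlated alerts from Detect feed a single score that Respond can route to the recorded owner. The inventory, findings and alert counts are constructed for illustration, and the scoring weights are an assumption of this example, not a published formula.

```python
"""Added example: correlate asset state (Protect) and activity (Detect) with
asset criticality and ownership (Identify) into one remediation queue (Respond).
All data below is constructed; the weights are an assumption for illustration."""
from dataclasses import dataclass, field

# Identify: classification levels, e.g. pulled from a CMDB; 'regulated' is highest.
CRITICALITY = {"low": 1, "medium": 2, "high": 3, "regulated": 4}


@dataclass
class Asset:
    name: str
    owner: str                  # Identify: business owner used to route remediation
    criticality: str            # Identify: classification key into CRITICALITY
    vulns: list = field(default_factory=list)  # Protect: CVSS base scores from assessment
    misconfigs: int = 0         # Protect: configuration audit findings
    alerts: int = 0             # Detect: correlated log/packet/user alerts


def risk_score(asset: Asset) -> float:
    """Risk = criticality x exposure. Exposure combines assessed state (worst CVSS,
    misconfiguration count) with observed activity (alert count).
    The multipliers 1.5 and 2.0 are assumptions chosen for this example."""
    worst_vuln = max(asset.vulns, default=0.0)
    exposure = worst_vuln + 1.5 * asset.misconfigs + 2.0 * asset.alerts
    return CRITICALITY[asset.criticality] * exposure


def remediation_queue(assets: list) -> list:
    """Return (owner, asset name, score) tuples, highest risk first, so each item
    can be handed to the owner recorded during asset discovery."""
    ranked = sorted(assets, key=risk_score, reverse=True)
    return [(a.owner, a.name, round(risk_score(a), 1)) for a in ranked]


# Constructed sample inventory. The point: the highest CVSS does not win on its
# own; a regulated asset with live alerts outranks a lab host with a worse finding.
INVENTORY = [
    Asset("lab-vm-07", "it-ops", "low", vulns=[9.8], misconfigs=0, alerts=0),
    Asset("payroll-db", "finance", "regulated", vulns=[7.5], misconfigs=1, alerts=2),
    Asset("web-frontend", "ecommerce", "high", vulns=[6.5, 5.3], misconfigs=2, alerts=0),
]

if __name__ == "__main__":
    for owner, name, score in remediation_queue(INVENTORY):
        print(f"{score:6.1f}  {name:14s} -> {owner}")
```

Separate tools would each rank their own findings (the scanner would put lab-vm-07 first); only a combined view that knows criticality, owner and live activity produces this ordering.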

What’s The Right Solution?

If the critical capabilities above remind you of Threat and Vulnerability Management (TVM), Security Incident Response (SIR), and Security Orchestration and Automation (SOA) from my first blog, all rolled into a single solution, then you’re on the right track. It never should have been three separate solutions, as security risk management requires all of these capabilities. The question is “Which of these solutions is in the best position to solve the holistic set of capabilities?”

I’ll give you a hint… Go back and look at my comparison chart from my second blog. Who do you guess? It should be clear that one market segment, with a few key acquisitions or enhancements, is in a leadership position to actually solve the security risk puzzle. Otherwise, a newcomer may come along and unseat them all. It will be fascinating to watch this unfold!