Notes from a recent whitepaper outlining cyber security strategies in 2022. Modern application development places security responsibilities across all of IT. Gartner estimates that by 2025 at least 75% of IT organizations will have faced at least one ransomware attack.
Terminology / Concepts
Shift Left
Moving security review processes and tooling to earlier parts of the application design and development process. Tools like automated Software Composition Analysis (SCA) help with these efforts.
Static Application Security Testing (SAST) can also be used to analyze code and dependencies and spot issues early in development; dynamic and interactive analysis tools complement this static analysis.
Dynamic analysis of code is done when software is running and is great for API-centric architectures with multiple front ends.
As part of the CI/CD pipeline, implement things like Infrastructure-as-Code (IaC) and Policy-as-Code (PaC), each requiring rules to effectively audit for vulnerabilities and compliance.
Shield Right
Security practices for preventing or mitigating attacks while the application is in operation. This enables things like Digital Forensics and Incident Response (DFIR), where teams are able to quickly respond to and remediate findings.
Security Program
Practices and tools that promote a balance of shift-left and shield-right security approaches during the full application lifecycle.
NIST Cyber Security Framework (CSF)
This framework helps organizations better understand, manage and reduce cybersecurity risks. It consists of 5 concurrent and continuous functions:
- Identify: Map critical business resources and related security risks to focus and prioritize efforts
- Protect: Implement safeguards to limit the impact of cybersecurity events on critical business services
- Detect: Enable continuous monitoring and detection to facilitate the timely discovery of anomalies and events
- Respond: Ensure readiness to take action to contain the impact of cybersecurity incidents
- Recover: Develop and maintain plans to restore services to reduce the impact of security events
The following tools help protect application infrastructure, its hosts and networks, and the applications themselves:
- Intrusion Prevention Systems (IPS)
- Next-Generation Firewalls (NGFW)
- Web Application Firewalls (WAF)
When working in the cloud, security tools need to consider the cloud control plane and its capabilities, which are defined as:
- Cloud Security Posture Management (CSPM)
- Cloud Infrastructure Entitlement Management (CIEM)
- Cloud Workload Protection Platforms (CWPP)
- Cloud Native Application Protection Platforms (CNAPP)
These tools help identify cloud misconfigurations and overly permissive access to resources in the cloud environment.
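The Policy-as-Code rules mentioned under Shift Left and the misconfiguration and entitlement checks that CSPM/CIEM tools perform are the same mechanism at different points in the lifecycle: a resource model is evaluated against a rule set, and the result either fails a pipeline or raises a posture finding. The following is an added example (not code from the whitepaper or from any named product) of such a rule engine in Python. The resource model is a constructed, simplified JSON-like shape, not any real IaC tool's schema, and the rule identifiers are made up for the example.

```python
"""Minimal policy-as-code checker over a simplified IaC resource model.

Added example, constructed for illustration: the resource shape, rule ids and
severities are assumptions, not a real IaC or CSPM product's schema.
"""
import sys
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

# Constructed sample: resources as a CI job might load them from a rendered plan.
SAMPLE_RESOURCES: List[Dict[str, Any]] = [
    {"type": "security_group", "name": "web-sg",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                 {"port": 22, "cidr": "0.0.0.0/0"}]},
    {"type": "storage_bucket", "name": "logs", "encrypted": False, "public": False},
    {"type": "iam_policy", "name": "ci-role",
     "statements": [{"effect": "Allow", "action": "*", "resource": "*"}]},
]

ADMIN_PORTS = {22, 3389}          # remote administration ports
ANY_CIDR = {"0.0.0.0/0", "::/0"}  # "anywhere" source ranges


@dataclass
class Finding:
    rule_id: str
    resource: str
    message: str
    severity: str


Rule = Callable[[Dict[str, Any]], List[Finding]]


def rule_public_admin_ports(r: Dict[str, Any]) -> List[Finding]:
    """SG-001: administrative ports must not be reachable from any address."""
    out: List[Finding] = []
    if r.get("type") != "security_group":
        return out
    for ing in r.get("ingress", []):
        if ing.get("port") in ADMIN_PORTS and ing.get("cidr") in ANY_CIDR:
            out.append(Finding("SG-001", r["name"],
                               f"port {ing['port']} open to {ing['cidr']}", "high"))
    return out


def rule_bucket_encrypted(r: Dict[str, Any]) -> List[Finding]:
    """STOR-001: storage must be encrypted at rest."""
    if r.get("type") == "storage_bucket" and not r.get("encrypted", False):
        return [Finding("STOR-001", r["name"], "bucket not encrypted at rest", "medium")]
    return []


def rule_bucket_not_public(r: Dict[str, Any]) -> List[Finding]:
    """STOR-002: storage must not be publicly readable."""
    if r.get("type") == "storage_bucket" and r.get("public", False):
        return [Finding("STOR-002", r["name"], "bucket is publicly accessible", "high")]
    return []


def rule_no_wildcard_admin(r: Dict[str, Any]) -> List[Finding]:
    """IAM-001 (CIEM-style entitlement check): no Allow on all actions for all resources."""
    out: List[Finding] = []
    if r.get("type") != "iam_policy":
        return out
    for st in r.get("statements", []):
        if st.get("effect") == "Allow" and st.get("action") == "*" and st.get("resource") == "*":
            out.append(Finding("IAM-001", r["name"], "Allow * on * grants full admin", "critical"))
    return out


RULES: List[Rule] = [rule_public_admin_ports, rule_bucket_encrypted,
                     rule_bucket_not_public, rule_no_wildcard_admin]


def evaluate(resources: List[Dict[str, Any]]) -> List[Finding]:
    """Run every rule over every resource and collect the findings."""
    findings: List[Finding] = []
    for r in resources:
        for rule in RULES:
            findings.extend(rule(r))
    return findings


def gate(findings: List[Finding], fail_on=("high", "critical")) -> bool:
    """CI policy gate: True means the pipeline may proceed."""
    return not any(f.severity in fail_on for f in findings)


if __name__ == "__main__":
    found = evaluate(SAMPLE_RESOURCES)
    for f in found:
        print(f"[{f.severity:8}] {f.rule_id} {f.resource}: {f.message}")
    sys.exit(0 if gate(found) else 1)
```

Run in a pipeline step, the non-zero exit from `gate` is what makes the policy enforceable rather than advisory; the same `evaluate` function pointed at a resource inventory exported from a live account is the posture-management (CSPM/CIEM) use of the rules.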
SOC
A security operations center (SOC) is responsible for protecting an organization against cyber threats. SOC analysts perform round-the-clock monitoring of an organization’s network and investigate any potential security incidents. If a cyberattack is detected, the SOC analysts are responsible for taking any steps necessary to remediate it. It comprises the three building blocks for managing and enhancing an organization’s security posture: people, processes, and technology. Governance and compliance provide the framework that ties these building blocks together.
SIEM vs SOAR
Although security information and event management (SIEM) and security orchestration, automation and response (SOAR) have capabilities that complement each other, they are not the same thing. With this in mind, the most successful security operations (SecOps) teams use both technologies to optimize their security operations center (SOC).
Security information management (SIM) is an information security industry term for the collection of data such as log files into a central repository for trend analysis. SIM products generally are software agents running on the computer systems that are monitored. The recorded log information is then sent to a centralized server that acts as a “security console”. The console typically displays reports, charts, and graphs of that information, often in real time. Some software agents can incorporate local filters to reduce and manipulate the data that they send to the server, although typically from a forensic point of view you would collect all audit and accounting logs to ensure you can recreate a security incident.
Security information and event management (SIEM) is a field within the field of computer security, where software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware. Vendors sell SIEM as software, as appliances, or as managed services; these products are also used to log security data and generate reports for compliance purposes.
The National Institute of Standards and Technology provides the following definition for Security Information Event Management (SIEM): “Application that provides the ability to gather security data from information system components and present that data as actionable information via a single interface.” Information assurance has become a forcing function for system logging. System logging can enable traceability for an account on a system used to perform system actions. In combination with the operating system, the SIEM can index and parse system logs and make them available for searching.
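The collection, indexing and search pipeline described in the SIM/SIEM paragraphs above, reduced to its essentials, as an added example (not code from the whitepaper or from any SIEM product). It keeps every line as collected (the forensic point made above), parses the ones it recognises into a normalized event, indexes them by account and host so an analyst can trace what an account did, and runs one detection over the index. The log lines, host names and addresses are constructed; the syslog-like format is an assumption for the example.

```python
"""Toy SIEM-style collector: parse, index and search logs, with one detection.

Added example with constructed data; the log format, host names and
addresses are assumptions for illustration only.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in a syslog-like auth-log shape (hypothetical hosts).
SAMPLE_LOGS = [
    "2022-03-01T08:00:01 host1 sshd[101]: Failed password for alice from 10.0.0.5 port 5001",
    "2022-03-01T08:00:03 host1 sshd[101]: Failed password for alice from 10.0.0.5 port 5002",
    "2022-03-01T08:00:05 host1 sshd[101]: Failed password for alice from 10.0.0.5 port 5003",
    "2022-03-01T08:00:09 host1 sshd[101]: Accepted password for alice from 10.0.0.5 port 5004",
    "2022-03-01T08:01:00 host2 sudo:   alice : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart nginx",
    "2022-03-01T08:02:00 host2 sshd[202]: Accepted publickey for bob from 10.0.0.9 port 6001",
]


@dataclass
class Event:
    ts: datetime
    host: str
    source: str            # program that emitted the line
    action: str            # normalized action: login_ok, login_fail, sudo, unparsed
    user: Optional[str]
    src_ip: Optional[str]
    raw: str               # the original line is always kept


SSHD_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
                     r"(?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sudo: +(?P<user>\S+) : .*COMMAND=")
GENERIC_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:\[]+)")


def parse_line(line: str) -> Event:
    """Normalize a raw line; unknown formats are kept as 'unparsed' rather than dropped."""
    m = SSHD_RE.match(line)
    if m:
        action = "login_ok" if m["result"] == "Accepted" else "login_fail"
        return Event(datetime.fromisoformat(m["ts"]), m["host"], "sshd", action,
                     m["user"], m["ip"], line)
    m = SUDO_RE.match(line)
    if m:
        return Event(datetime.fromisoformat(m["ts"]), m["host"], "sudo", "sudo",
                     m["user"], None, line)
    m = GENERIC_RE.match(line)
    if m:
        return Event(datetime.fromisoformat(m["ts"]), m["host"], m["prog"].strip(),
                     "unparsed", None, None, line)
    return Event(datetime.min, "unknown", "unknown", "unparsed", None, None, line)


class LogStore:
    """The central 'security console' store: every event, indexed by user and host."""

    def __init__(self) -> None:
        self.events: List[Event] = []
        self.by_user: Dict[str, List[Event]] = defaultdict(list)
        self.by_host: Dict[str, List[Event]] = defaultdict(list)

    def ingest(self, line: str) -> Event:
        ev = parse_line(line.rstrip("\n"))
        self.events.append(ev)
        self.by_host[ev.host].append(ev)
        if ev.user:
            self.by_user[ev.user].append(ev)
        return ev

    def search(self, user: Optional[str] = None, host: Optional[str] = None,
               action: Optional[str] = None) -> List[Event]:
        """Account- or host-centric timeline, optionally narrowed to one action."""
        if user is not None:
            pool = self.by_user.get(user, [])
        elif host is not None:
            pool = self.by_host.get(host, [])
        else:
            pool = self.events
        return [e for e in pool
                if (host is None or e.host == host) and (action is None or e.action == action)]


def brute_force_then_success(store: LogStore, threshold: int = 3,
                             window_s: int = 60) -> List[Tuple[str, str]]:
    """Flag (user, ip) pairs with >= threshold failed logins followed by a success within the window."""
    hits: List[Tuple[str, str]] = []
    fails: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for e in sorted(store.events, key=lambda ev: ev.ts):
        if e.user is None or e.src_ip is None:
            continue
        key = (e.user, e.src_ip)
        if e.action == "login_fail":
            fails[key].append(e.ts)
        elif e.action == "login_ok":
            recent = [t for t in fails[key] if (e.ts - t).total_seconds() <= window_s]
            if len(recent) >= threshold and key not in hits:
                hits.append(key)
            fails[key].clear()
    return hits


if __name__ == "__main__":
    store = LogStore()
    for line in SAMPLE_LOGS:
        store.ingest(line)
    for ev in store.search(user="alice"):
        print(ev.ts.isoformat(), ev.host, ev.action)
    print("suspicious logins:", brute_force_then_success(store))
```

The `search(user=...)` call is the traceability the NIST text refers to: one account's actions across hosts in time order. The detection deliberately reads from the same index the analyst searches, which is the point of centralizing collection before analysis.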
On May 17, 2021, United States President Joseph Biden signed Executive Order 14028, Improving the Nation's Cybersecurity.[5] This Executive Order mandates endpoint protection, further defines logging requirements, implements audit logging in a unified way, and enhances the capabilities to provide further insight into system and account actions. Audit logs were identified in three separate technical areas, all relating to incident response and knowing what is happening on a system at a given time. This Executive Order responds to an increase in cyber-attacks that use ransomware to cripple critical infrastructure components related to national security and the public. Enhancing existing information assurance security controls as part of a Risk Management Framework is a suitable mechanism to force compliance and justify funding based on these Presidential requirements.
SOAR tools are designed to help security teams reduce alert fatigue and streamline incident response processes. SOAR platforms take things a step further by combining comprehensive data gathering, case management, standardization, workflow and reporting to provide organizations the ability to implement sophisticated defense-in-depth capabilities.
- SOAR solutions gather alert data from each integrated platform and place them in a single location for additional investigation.
- SOAR’s approach to case management allows users to research, assess, and perform additional relevant investigations from within a single case.
- SOAR establishes integration as a means to accommodate highly automated, complex incident response workflows, delivering faster results and facilitating an adaptive defense.
- SOAR solutions include multiple playbooks in response to specific threats: Each step in a playbook can be fully automated or set up for one-click execution directly from within the platform, including interaction with third-party products for comprehensive integration.
Put simply, SOAR integrates all of the tools, systems and applications within an organization’s security toolset and then enables the SecOps team to automate incident response workflows.
SOAR’s main benefit to a SOC is that it automates and orchestrates time-consuming, manual tasks, which enables security teams to speed up response times and better use their specialized skills. The result is faster MTTD and MTTR, reduced dwell time, and a higher level of preparedness.
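The four SOAR capabilities listed above (alert gathering from integrated tools, case management, automated workflows, and playbooks with automated or one-click steps) and the MTTD/MTTR outcome mentioned here can be shown in one small runner. This is an added example in Python, not code from the whitepaper or any SOAR platform. The two alert sources, their schemas, the playbook steps and all timestamps are constructed; the step functions only return notes rather than calling real tools. MTTD is measured here from the first related alert to the case being opened, and MTTR from the case being opened to its closure; those are the conventions assumed for the example, since definitions vary between teams.

```python
"""Minimal SOAR-style runner: normalize alerts, group into a case, run a playbook,
report MTTD/MTTR.

Added example with constructed data; tool names, schemas, steps and timestamps
are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Constructed raw alerts from two hypothetical integrated tools with different schemas.
RAW_ALERTS = [
    {"tool": "edr", "payload": {"hostname": "wks-17", "user": "alice",
                                "seen_at": "2022-03-01T09:00:00",
                                "title": "Unusual child process of office application"}},
    {"tool": "siem", "payload": {"host": "wks-17", "account": "alice",
                                 "time": "2022-03-01T09:04:00",
                                 "rule": "Outbound connection to newly seen domain"}},
]


@dataclass
class Alert:
    source: str
    host: str
    user: str
    observed: datetime
    summary: str


def normalize(raw: Dict) -> Alert:
    """Map each tool's schema onto the single Alert shape used for case management."""
    p = raw["payload"]
    if raw["tool"] == "edr":
        return Alert("edr", p["hostname"], p["user"], datetime.fromisoformat(p["seen_at"]), p["title"])
    if raw["tool"] == "siem":
        return Alert("siem", p["host"], p["account"], datetime.fromisoformat(p["time"]), p["rule"])
    raise ValueError(f"unknown tool {raw['tool']!r}")


@dataclass
class Case:
    host: str
    user: str
    opened_at: datetime                       # detection time for MTTD
    closed_at: Optional[datetime] = None      # closure time for MTTR
    alerts: List[Alert] = field(default_factory=list)
    done: List[str] = field(default_factory=list)   # completed playbook steps
    log: List[str] = field(default_factory=list)    # audit trail of actions
    pending: Optional[str] = None                   # gated step awaiting one-click approval


def group_into_cases(alerts: List[Alert], opened_at: datetime) -> List[Case]:
    """Case management: alerts about the same host and account land in one case."""
    cases: Dict[Tuple[str, str], Case] = {}
    for a in sorted(alerts, key=lambda x: x.observed):
        key = (a.host, a.user)
        if key not in cases:
            cases[key] = Case(host=a.host, user=a.user, opened_at=opened_at)
        cases[key].alerts.append(a)
    return list(cases.values())


# Playbook steps: each returns a note for the case log (no real tool calls here).
def enrich_host(case: Case) -> str:
    return f"asset lookup for {case.host} (constructed result: owner=it-ops)"

def isolate_host(case: Case) -> str:
    return f"network isolation requested for {case.host}"

def disable_account(case: Case) -> str:
    return f"account {case.user} disabled in directory"

def create_ticket(case: Case) -> str:
    return "tracking ticket opened"

# (step name, requires one-click human approval?, function)
PLAYBOOK: List[Tuple[str, bool, Callable[[Case], str]]] = [
    ("enrich_host", False, enrich_host),
    ("isolate_host", False, isolate_host),
    ("disable_account", True, disable_account),   # human-gated: account lockout is disruptive
    ("create_ticket", False, create_ticket),
]


def run_playbook(case: Case, playbook=PLAYBOOK, approvals: FrozenSet[str] = frozenset()) -> bool:
    """Run steps in order; stop at the first gated step not yet approved. True when all steps ran."""
    case.pending = None
    for name, gated, fn in playbook:
        if name in case.done:
            continue
        if gated and name not in approvals:
            case.pending = name
            return False
        case.log.append(f"{name}: {fn(case)}")
        case.done.append(name)
    return True


def _mean_minutes(deltas: List[timedelta]) -> float:
    return sum(d.total_seconds() for d in deltas) / len(deltas) / 60 if deltas else 0.0


def mttd_minutes(cases: List[Case]) -> float:
    """Mean time to detect: earliest related alert -> case opened (convention assumed here)."""
    return _mean_minutes([c.opened_at - min(a.observed for a in c.alerts) for c in cases])


def mttr_minutes(cases: List[Case]) -> float:
    """Mean time to respond: case opened -> case closed (convention assumed here)."""
    return _mean_minutes([c.closed_at - c.opened_at for c in cases if c.closed_at])


if __name__ == "__main__":
    cases = group_into_cases([normalize(r) for r in RAW_ALERTS],
                             opened_at=datetime.fromisoformat("2022-03-01T09:05:00"))
    case = cases[0]
    run_playbook(case)                                   # stops at the gated step
    print("awaiting approval:", case.pending)
    run_playbook(case, approvals=frozenset({"disable_account"}))
    case.closed_at = datetime.fromisoformat("2022-03-01T09:35:00")
    print("\n".join(case.log))
    print(f"MTTD={mttd_minutes(cases):.1f} min  MTTR={mttr_minutes(cases):.1f} min")
```

The gated step is where "one-click execution" lives: the runner halts, records what it is waiting for, and resumes from the same place once an approval is supplied, so fully automated and human-approved steps share one playbook definition and one audit log.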
MTTD vs MTTR