Security Operations is the technology, controls, and processes that allow a security organization to be able to prevent, detect, and identify cyber intrusions and be able to accurately and efficiently respond to and recover from them.

https://warontherocks.com/wp-content/uploads/2017/02/Cyb-Army-1024x637.jpg

After building a few security operations teams and programs, I was inspired to write down my basic framework. Your team may look and be structured differently due to different business risks or a higher tolerance for risk, but I believe everything listed below is necessary for a successful and informed security operations team.

The first thing you may notice about this framework is that it’s not focused around a security operations center (SOC) and it’s not focused around any individual technology like a SIEM. Modern security operations teams are responsible for much more than alerts and investigations. A security operations…


Before you turn on 2FA, think about it from an an adversary’s perspective.

Lots of security teams like to turn on 2FA because it’s “obvious,” it’s a compliance requirement, and it’s nearly 100% effective against password reuse and credential stuffing attacks. And while password reuse and credential stuffing are two of the most common and fastest growing tactics among adversaries, there are some cases where an organization may not tolerate mandatory 2FA, like employee friction or customer retention. …


“What’s in the ******* box?”

When I talk to organizations and executives, I see the same security mistakes and misconceptions over and over again. I see security leaders make these mistakes and wonder how they could have alienated their coworkers and their executive leaders. I see businesses and executives confused why they keep getting breached and why they are spending so much on security incidents, but aren’t making progress in preventing incidents.

This is meant to be an incomplete list of mistakes I see security organizations make. Use it to sanity check your security organization and their strategy.

Compliance (and Regulatory Frameworks)

Many security teams use regulatory and compliance…


This is a followup to an old article I wrote called A Mature Security Program at Any Size where I laid out security processes and procedures that you could implement and scale at any size organization.

https://previews.123rf.com/images/nightman1965/nightman19651501/nightman1965150100048/35225727-many-buttons-and-switches-control-panel-in-a-machine-.jpg

In this article, I will do the same thing for a set of basic controls you can implement and scale that any size organization should have.

Endpoint Security

Endpoints are often one of the most neglected areas of a security program. …


Many organizations use cyber insurance to satisfy legal or regulatory requirements, as a financial risk mitigation, or as a last resort control. However, most folks don’t know where their insurance policies fall short. Here’s what you need to know.

Types of Insurance

Business Owners Policy (Commercial Business Policy) — An insurance package policy that typically includes Commercial General Liability Insurance that covers liabilities like bodily injury and property damage and Commercial Property Insurance that covers equipment, inventory, and furniture against theft and damage (not flood damage).

Errors and Omissions Insurance (Professional Liability Insurance) — A form of liability insurance which helps protect professional…


Source: https://miro.medium.com/max/2400/1*TBSV23ud8tae3E4szI5EDA.jpeg

Most risk analysis is done by assessing potential impact and ease of an attack. This kind of risk analysis that’s done in the absence of an adversary is naive and leads to bad priorities. In this post, I’ll describe how to accurately analyze the risk of vulnerabilities, weaknesses, and potential attacks while keeping real adversaries in mind, resulting in more sound and defensible priorities.

Scalability and Repeatability

Adversaries are more likely to use techniques that are easily scalable and repeatable. Adversaries are more likely discover vulnerabilities using publicly available tools. Adversaries are more likely to exploit vulnerabilities in ubiquitous targets. Adversaries are more…


Source: https://www.istockphoto.com/photo/basketball-game-plan-gm869782498-144829921

Most threat models start with attack surface or critical assets. Those threat models are useless and lead to bad decision-making. In this post, I demonstrate how to develop more accurate and actionable threat models, based on our adversaries.

Process

  1. Determine our adversaries
  2. Understand our adversaries
  3. Build their playbooks from threat intelligence
  4. Design defenses for their playbooks
  5. Prioritize defenses based on adversary economics
  6. Predict future adversary evolution

Frameworks and Best Practices Don’t Work

Security teams often choose frameworks, best practices, and what feels most secure over what is actually necessary to defend against an adversary. Either due to ignorance or poor critical thinking or lack of information, security…


The new principles of cybersecurity.

Source: https://www.kent.ac.uk/courses/postgraduate/212/physics

Constraints

Adversaries of all kinds — criminal enterprises, intelligence agencies, and lone wolves — have political, financial, and technical constraints just like conventional organizations have.

“Attackers are resource constrained” Dino A. Dai Zovi (source)

“Attackers have bosses and budgets” Phil Venables (source)

Operational Requirements

Adversaries determine the least costly and most valuable attacks based their operational requirements, which may include:

  • The number of targets they have
  • The complexity of their targets
  • Their required success rate
  • Their required speed of conversion

Playbooks

Adversaries want their attacks to be reusable and low-overhead.

Repeatability: The capability to change the target…


Image credit: Shutterstock

Everybody needs good security these days. Here’s some common advice that I recommend for high-risk individuals.

Account Security

Most folks are worried about their accounts. Their e-mail, which could allow password resets for all their other accounts. Their mobile device backup (iCloud or Google), which could contain intimate photos and location information. Their bank accounts and investment accounts, where their money is kept.

Password Manager

Use a password manager. A password manager is not a secure place to keep your passwords, but an easy place to generate and store unique and random passwords. The main goal here is to ensure that each password you…


Image credit: Shutterstock

Vendors are increasingly becoming one of the easiest and cheapest ways to attack organizations. Passwords are being reused from previous breaches. Vendor access is being leveraged into lateral movement. Software supply chains are being used to place malware into otherwise secure systems. Organizations are being compromised through malicious and vulnerable software.

Target was hacked through their HVAC vendor. Atrium Health was breached through their billing vendor. BitPay was compromised through a Node.js dependency. Marriott was breached through an acquired organization.

A lot has been written on how vendor due diligence doesn’t accurately measure or increase security. But we can change…

Julian Cohen

Risk philosopher. CISO. Team and program builder. Ex-vulnerability researcher. Ex-CTF organizer and competitor.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store