Setting Yourself Up for Success
New threats and vulnerabilities are surfacing every day, and if they’re as significant as Log4j it can cause massive issues for an organization without a clearly defined strategy. For the CISOs and security leaders looking to get off the treadmill of panic and move “left of (the next) bang”, let’s talk strategy:
Most companies assemble products and features from the bits and pieces of open source code they know and like. If that’s you (and it probably is), you need to identify that foreign code, test it, and track it so you can trust it.
Threat intelligence services rarely fail to disappoint when you solely rely upon their API. As in the real world, signals intelligence (SIGINT) isn’t enough, your threat intelligence program must include human intelligence (HUMINT). Ensure you and your team talk to other security professionals, listen to podcasts (ISC Stormcast is terrific!), have an RSS feed of security news sites, create a shared Slack channel for keeping the team informed, etc. Whatever you do, don’t be caught unaware.
Know your entire enterprise. Poor documentation and unknowns cost time, money, and careers. Never let a moment go by without limitless visibility.
You may not have achieved peak zero-trust, but you do know there’s no reason for most of your applications to be reaching out to the world at large. Prevent this from happening, stop LDAP calls from going out, stop reverse shells from breaching your environment, enforce normal, known-good behavior instead of being surprised and caught when it happens.
For your public-facing applications, they too have known-good behavior. When they deviate from this, you should know it. Remember “see something, say something”? Save room in your schedule to evaluate alerts from your WAF, egress filtering tools, SIEM, or EDR that are not well classified. Time spent statistically sampling those ill-defined alerts pays off.
We all receive more total alerts in a month than there are seconds. Most of us receive more critical alerts in a day than our team can close in that same month. If your visibility is comprehensive, use that to create precise triage priorities. Your response team should never wonder whether they’re working on the most crucial item at any given moment. If 1000 alerts are critical, no alerts are critical until the Wall Street Journal or the board of directors’ notices.
Patches aren’t instant and it will take time for you to uncover dependencies, unintended consequences, and their cumulative effect on business goals. You can’t do this alone so enlist allies. Relationships and strong communication bridge this gap: let your peers and stakeholders know the status, next steps, expectations, results of testing, and release to production. You’re not only recovering the application’s uptime but your stakeholders’ business.
Now that you’re off the treadmill of panic, you can focus your treadmill efforts on your New Year’s fitness goals.