This week Security Managers from all over Europe met up at Gartner’s Risk and Security Management Summit in London. The key question was ‘how to empower security strategies to prioritize, adapt, transform and scale to the needs of a growingly digitalized world?’
In exploring this, the importance of urgent crisis and threat management was pointed out in Gartner’s keynote; highlighting the starting point as creating visibility into assets and ecosystems, designing for resilience at multiple levels, and using analytics and automation as a force multiplier.
One of the key takeaways for me, was the three questions that every security professional should ask themselves in order to empower their security programs.
When implementing a SIEM solution - these questions are also relevant for selecting and implementing meaningful use cases. By running this exercise, it will ensure an outcome of actionable alerts, and not just noise that leaves you overwhelmed and paralyzed. I’ve demonstrated these key questions with two different examples for your enjoyment ;)
The answers to these questions is where your security focus should be. It’s here that you can start to identify the right log sources to onboard, to establish investigation capabilities, as well as setting up early detection and security monitoring. So for my above examples the following actions could be:
Drilling a hole into the vault: Select thicker vault walls, use a vibration sensor, and build a cave around the vault.
Facing Ransomware and Trojans: Implement the latest endpoint protection, network segmentation, security monitoring, early detection of malicious outbound communication in the specific network segment, and regular backups of endpoints and file shares.
We’ve already seen this executed successfully in practice. Nick Bleech, Head of Information Security at Travis Perkins, shared in his Gartner breakout session how the team heavily utilized the risk framework to move away from a legacy SIEM, to a lean SOC with Splunk Enterprise Security. You can see his presentation below:
Nick highlighted the Travis Perkins’ incident response process and how it ran a fire drill exercise recently. They discovered that management wants regular updates of new findings - sometimes asking every 15 minutes. In those situations it’s important that the team have the right technology to allow them to be agile, and ask questions quickly.
So what do you find when you ask yourself these those questions?