Security Operations in Real Life
31 Questions
Questions and Answers

What is a common characteristic of small companies in terms of cybersecurity?

  • They have a dedicated security team.
  • They are highly aware of the importance of cybersecurity.
  • They typically conduct regular security audits.
  • Security is often managed by IT or an IT admin. (correct)

What often leads medium-sized companies to take security more seriously?

  • A major security incident or breach. (correct)
  • Regulatory compliance requirements.
  • Establishment of a dedicated security team.
  • Investment in new technology.

What is a significant drawback of having a large dedicated security team in big companies?

  • Increased efficiency in security operations.
  • Enhanced team collaboration.
  • Faster rate of innovation.
  • Increased operational costs. (correct)

What is the primary role of Security Architecture?

  • To ensure security best practices are addressed. (correct)

What is a common misconception held by medium-sized companies regarding security?

  • They feel security is an unnecessary expense. (correct)

Which of the following is NOT mentioned as a benefit of large companies having dedicated security teams?

  • Improved incident response time. (correct)

What type of team might be included in the security structure of a large enterprise?

  • A variety of specialized teams, including pentesting and consulting. (correct)

What was a key characteristic of the SUNBURST malware regarding its activation?

  • It was designed to activate only in specific targeted environments. (correct)

What is the focus of Security Engineering?

  • To develop tools, techniques, and methods that resist cyber attacks. (correct)

Which trait was NOT associated with the sophistication of the actors behind the SUNBURST attack?

  • Weak security on their servers. (correct)

What type of organizations were primarily customers of SolarWinds Orion?

  • Governments and major corporations. (correct)

What was the motivation of the SUNBURST attackers?

  • Murky motivations with no apparent economic gain. (correct)

What role does compliance play for organizations using software like SolarWinds Orion?

  • It assists in passing external audits and surfaces issues that internal standards would otherwise miss. (correct)

Which of the following technologies is associated with File Integrity Monitoring (FIM)?

  • Qualys (correct)

What percentage of breaches in 2020 involved large businesses?

  • 72% (correct)

Which SOC key objective involves correlating system, application, and network logs in a consistent manner?

  • Correlation of cyber security events (correct)

What is the reported average cost of a mega breach (50 to 65 million records)?

  • $392 million (correct)

Which of the following is NOT a key function of the Security Operations Centre?

  • Providing physical security (correct)

Which option represents a goal of the change control function within the Security Operations Centre?

  • Integration into the SOC process (correct)

What does proactive security monitoring entail?

  • Monitoring driven by pre-defined metrics and KPIs (correct)

Which of the following is essential for identifying security attack vectors?

  • Integration into the SOC process (correct)

What is the primary focus of the CIS Controls v8 framework?

  • Critical processes and activities in a company (correct)

Which of the following is NOT one of the five functions of the Framework Core?

  • Encrypt (correct)

What describes the Implementation Tiers of the Cybersecurity Framework?

  • A qualitative characterisation of an organisation's risk management practices (correct)

What is one of the aims of the MITRE ATT&CK framework?

  • Categorize adversarial behaviours (correct)

Which aspect is covered by the Risk-Based attribute of the Cybersecurity Framework?

  • A methodology that draws on international standards (correct)

Which of the following statements about the Cybersecurity Framework's Profiles is true?

  • They align an organization's requirements with desired outcomes (correct)

In a Secure Change Management Process, which step follows the Request for Change?

  • Impact analysis (correct)

What differentiates the DevSecOps approach from traditional SecOps?

  • Compliance assessment, vulnerability management, and risk management are automated into the DevOps lifecycle (correct)

Which of the following is a component of the Cybersecurity Framework?

  • The Framework Core (correct)

Which security framework maps its controls to well-known frameworks such as CSF and PCI?

  • CIS Controls v8 (correct)

    Study Notes

    Security Operations in Real Life

    • A strong reputation takes 20 years to build, but a cyber incident can ruin it in minutes. (Stephane Nappo quote)

    Small Company Security

    • Often, there's no dedicated security team.
    • Frequently, security is handled by one person in the IT department.
    • Security is sometimes perceived as unimportant.
    • Focus is usually on backups and authentication.
    • Pros: at least one person who understands security.
    • Cons: a single person cannot have the depth of knowledge and experience every security area needs.

    Taking Security Seriously

    • Security is often prioritized after a security incident or audit.
    • Common issues preceding incidents include minimal budgets and resources.
    • Lack of respect for security is a common challenge. (e.g., "why should we care about security?")

    Medium-Sized Company Security

    • A small, general-purpose security team often handles operational tasks, infrastructure, and applications.
    • Security is often not prioritised, and a generalist team cannot excel at everything.
    • Security typically becomes a priority only after a breach.
    • Pros: dedicated security team.
    • Cons: Budget constraints and limited security expertise.

    Big Company or Large Enterprises

    • Big companies have dedicated teams or departments for security, potentially spanning multiple domains (e.g., privacy).
    • Not all teams/personnel are solely focused on security.
    • Pros: detailed expertise, potentially dedicated budgets.
    • Cons: high security costs and slower innovation.

    Examples of Focused Security Subteams

    • Security Engineering
    • Security Architecture
    • Security Operations Center
    • Application Security
    • Pentesting Team
    • Security Consulting Team
    • CISO (Chief Information Security Officer)

    Security Architecture

    • Defines security policies, standards, and procedures.
    • Ensures modern technologies conform to current standards.
    • Performs risk assessments to minimize threats.
    • May focus on operations, applications, or products.

    Security Engineering

    • Develops tools, techniques, and methods that resist malicious attacks, helping protect systems and data.
    • Builds and operates the SIEM (Security Information and Event Management) platform using tools like ELK (Elasticsearch, Logstash, Kibana), Splunk, OSSEC, etc.
    • Implements FIM (File Integrity Monitoring) using products like Qualys, Tanium, or LogRhythm.
    • Also covers network segmentation (Palo Alto, Cisco, or Illumio).
    • Can include (micro)services management (e.g., container security) tools.
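The FIM idea above in working form, as an added example that is not code from the page or from Qualys, Tanium or LogRhythm: baseline a directory tree with hashes, size and mode bits, then classify every difference as added, removed or modified. The directory layout and the tampering are constructed inside a temporary directory so the script runs offline; in production the baseline would be stored off-host so an intruder cannot rewrite it.

```python
"""Minimal file-integrity monitor: baseline a directory, then report changes.

Added example (not the page's or any vendor's code); standard library only.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file (path relative to root) to its hash, size and mode bits.
    Symlinks are skipped on purpose: following them would let an attacker point the
    monitor at an untouched file while the real one is replaced."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            state[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
            }
    return state


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify changes the way a FIM alert would: added, removed, modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed tree, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "ssh_config").write_text("PermitRootLogin no\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF-fake-binary")

        # What you would persist off-host at baseline time.
        baseline_json = json.dumps(snapshot(root))

        # Simulated tampering: config weakened, binary trojaned,
        # a tool dropped, and a file removed.
        (root / "etc" / "ssh_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF-fake-binary-with-backdoor")
        (root / "bin" / "nc").write_bytes(b"\x7fELF-dropped-tool")
        (root / "etc" / "passwd").unlink()

        return diff_snapshots(json.loads(baseline_json), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing alone is not enough for a useful FIM: mode bits catch a `chmod u+s` on an unchanged binary, and the comparison must run against a baseline the monitored host cannot modify.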

    Security Operations Center (SOC)

    • 3,950 confirmed breaches occurred in 2020 (Verizon 2020 Data Breach Investigations Report figures).
    • 72% of breaches involved large businesses.
    • 28% of breaches involved small/medium-sized businesses.
    • 43% of breaches involved web applications.
    • Average cost of a mega breach (50 to 65 million records) was $392 million (IBM Cost of a Data Breach Report 2020); the average breach overall was reported at $3.86 million.

    SOC - Key Objectives

    • Manages and coordinates cyber threat and incident responses.
    • Monitors cybersecurity posture and reports deficiencies.
    • Correlates system/application/network logs in a consistent manner.
    • Performs threat and vulnerability analysis.
    • Analyzes cybersecurity events.
    • Maintains a database of cyber security incidents.
    • Provides alerts and notifications of general or specific threats.
    • Provides regular reporting to management.

    SOC - More Key Objectives

    • Automate compliance, vulnerability assessments, and risk management.
    • Ensure change control is integrated into the SOC process.
    • Provide identification of security attack vectors and incident classification.
    • Define disaster recovery plans (ICE: in case of emergency).
    • Build a comprehensive dashboard with metrics aligned to security objectives.
    • Proactive security monitoring based on pre-defined metrics/KPIs.

    SecOps processes

    • Secure change management lifecycle (request / impact analysis / implementation / approve or deny).
    • Security design review (operations view) covering justification, use cases, environments, diagrams, network and user controls, data sensitivity, security architecture, logging/auditing, vulnerability management, business continuity, and secrets management.
    • DevSecOps concept.
    • DevOps lifecycle with automated functions for compliance assessment, vulnerability management, and risk management.
    • Software-defined data centers (AWS, Azure, Google Cloud, OCI) managed with security-driven infrastructure code (Ansible, Terraform).
    • Examples of security frameworks follow.
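One shape the "automated compliance assessment" step takes in a DevSecOps pipeline, as an added example that is not the page's or HashiCorp's code: a policy check over the JSON that `terraform show -json` produces for a plan, run before `terraform apply`. The plan below is constructed and trimmed to the fields the checks read; the attribute names (`ingress`, `cidr_blocks`, `publicly_accessible`, `storage_encrypted`) follow the Terraform AWS provider, but a real plan carries many more keys and module nesting, which the walker handles through `child_modules`.

```python
"""Policy-as-code gate over a Terraform plan (added example; assumptions noted inline).

Flags: a security group that exposes an administrative port, or all traffic, to
the whole internet; an RDS instance that is publicly reachable or unencrypted.
"""
import json
import sys
from ipaddress import ip_network

ADMIN_PORTS = {22, 3389, 5985, 5986}   # SSH, RDP, WinRM (assumed policy list)

# Constructed plan: weak and fixed variants of each resource, trimmed to relevant fields.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.1",
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_security_group.bastion", "type": "aws_security_group",
             "values": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                                     "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}},
            {"address": "aws_security_group.bastion_fixed", "type": "aws_security_group",
             "values": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                                     "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": []}]}},
            {"address": "aws_security_group.web", "type": "aws_security_group",
             "values": {"ingress": [
                 {"from_port": 443, "to_port": 443, "protocol": "tcp",
                  "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": ["::/0"]},
                 {"from_port": 0, "to_port": 0, "protocol": "-1",
                  "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}},
        ],
        "child_modules": [{"address": "module.db", "resources": [
            {"address": "module.db.aws_db_instance.app", "type": "aws_db_instance",
             "values": {"publicly_accessible": True, "storage_encrypted": False}},
            {"address": "module.db.aws_db_instance.app_fixed", "type": "aws_db_instance",
             "values": {"publicly_accessible": False, "storage_encrypted": True}},
        ]}],
    }},
})


def iter_resources(module):
    """Walk root module and nested child modules (the plan JSON nests them)."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def is_world(cidr):
    """0.0.0.0/0 and ::/0 are the only prefixes with length 0."""
    return ip_network(cidr, strict=False).prefixlen == 0


def rule_exposes_admin_port(rule):
    cidrs = rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", [])
    if not any(is_world(c) for c in cidrs):
        return False
    if str(rule.get("protocol")) == "-1":      # all protocols, all ports
        return True
    lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 0))
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def evaluate(plan_json):
    """Return a list of findings; each names the resource and the failed check."""
    plan = json.loads(plan_json)
    findings = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        vals = res.get("values", {})
        if res["type"] == "aws_security_group":
            for rule in vals.get("ingress", []):
                if rule_exposes_admin_port(rule):
                    findings.append({"address": res["address"], "check": "sg_admin_port_world",
                                     "detail": f"{rule.get('protocol')} {rule.get('from_port')}-{rule.get('to_port')}"})
        elif res["type"] == "aws_db_instance":
            if vals.get("publicly_accessible"):
                findings.append({"address": res["address"], "check": "rds_publicly_accessible",
                                 "detail": "publicly_accessible = true"})
            if not vals.get("storage_encrypted", False):
                findings.append({"address": res["address"], "check": "rds_storage_unencrypted",
                                 "detail": "storage_encrypted is false or unset"})
    return findings


def gate(plan_json):
    """Exit status for CI: 0 passes, 1 blocks the apply."""
    return 1 if evaluate(plan_json) else 0


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    for f in evaluate(text):
        print(f"{f['address']}: {f['check']} ({f['detail']})")
    sys.exit(gate(text))
```

Checking the plan rather than the `.tf` source catches values that only resolve after variables and modules are evaluated; the cost is that a plan must exist, so the check runs after `terraform plan` and before `apply`.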

    CIS Controls v8 (formerly SANS Top 20)

    • Organised by security activity rather than by who manages the devices.
    • Contains 18 controls.
    • Addresses critical business processes and activities.
    • Provides 153 safeguards grouped into implementation groups (IG1/2/3); IG1 is the baseline of essential cyber hygiene.
    • Maps security to well-known frameworks (CSF, ATT&CK, CSA, PCI, SOC2...).

    Another Security Framework

    • The Cybersecurity Framework (NIST) focuses on cybersecurity outcomes in a hierarchical format.
    • It encompasses core, profiles, and implementation tiers (levels of risk management practices).

    Key Framework Attributes

    • Common language for accessibility and adaptability.
    • Adaptable to various technologies and lifecycle phases across diverse sectors.
    • Risk-based methodology that draws on international standards.
    • A living document that is updated as guidance evolves.
    • Perspectives of various stakeholders (private sector, academia, public sector) are considered.

    The Framework Core

    • Describes desired cybersecurity outcomes in language understandable by all.
    • Organised into five Functions: Identify, Protect, Detect, Respond, and Recover (CSF 1.x; version 2.0 adds Govern).
    • Applies to all risk management situations and covers the entirety of cybersecurity considerations, including prevention and response.

    An Excerpt from the Framework Core

    • Provides details on the function, categories, subcategories, and informative references for the interconnected framework's outcomes.

    Implementation Tiers

    • A way of characterising (not quantifying) an organisation's cybersecurity risk management practices by its level of risk awareness, implementation, and responsiveness; NIST states that Tiers are not maturity levels.

    Incident Example: SolarWinds

    • Security firm FireEye published a blog post (December 2020) attributing the compromise of SolarWinds to the group it tracked as UNC2452.
    • SolarWinds, an IT software firm, suffered a sophisticated supply-chain attack; up to 18,000 customers (companies, governments, and other entities) installed the trojanized update.
    • Its network management product, Orion, was the compromised component and was deployed in many sensitive environments.

    The Vector

    • SolarWinds' Orion network management product was the vector: the backdoored update was digitally signed by SolarWinds and delivered through the vendor's normal release channel to customers in sensitive environments.

    The Targets

    • SUNBURST malware was targeted to specific deployments.
    • It checked its environment before activating (for example, the host's domain name and the presence of security tooling) and otherwise stayed dormant.
    • Follow-on intrusion activity took place only in a small subset of the installs that received the backdoor.

    Attack Timeline

    • Timeline (figure) of the attack: the malicious code was injected into the Orion build in early 2020, shipped in updates from March 2020, and discovered in December 2020.

    Attacker's Traits

    • Attackers were sophisticated: they removed traces, made command-and-control traffic resemble normal Orion traffic, and used dedicated, non-overlapping infrastructure.
    • Highly selective targeting, driven by interest in specific organisations rather than large-scale financial gain.
    • Limited evidence of data destruction, ransomware, or financial gain; no evidence of personal information theft.

    Nobody Likes Compliance but it is Important

    • Compliance is usually disliked, but it is required by legal and regulatory obligations, is essential for passing audits, and drives internal standards and best practices.

    Risk Management

    • Figure: diagrams classifying cybersecurity risks by probability and impact (e.g., high probability/low impact versus low probability/high impact).

    MITRE ATT&CK

    • Categorizes adversarial behaviours (tactics and techniques) for use in both offensive and defensive activities.
    • Offers a standard classification scheme for better threat understanding and response planning.
    • Provides a knowledge base with matrices for Enterprise, Mobile, and ICS environments.

    Description

    Explore the complexities of security operations in various company sizes. Understand the challenges faced by small and medium-sized companies in prioritizing and implementing security measures. This quiz delves into real-life security scenarios and the impact of cyber incidents on business reputations.
