Security Operations in Real Life

Questions and Answers

What is a common characteristic of small companies in terms of cybersecurity?

  • They have a dedicated security team.
  • They are highly aware of the importance of cybersecurity.
  • They typically conduct regular security audits.
  • Security is often managed by IT or an IT admin. (correct)

What often leads medium-sized companies to take security more seriously?

  • A major security incident or breach. (correct)
  • Regulatory compliance requirements.
  • Establishment of a dedicated security team.
  • Investment in new technology.

What is a significant drawback of having a large dedicated security team in big companies?

  • Increased efficiency in security operations.
  • Enhanced team collaboration.
  • Faster rate of innovation.
  • Increased operational costs. (correct)

What is the primary role of Security Architecture?

  • (C) To ensure security best practices are addressed. (correct)

What is a common misconception held by medium-sized companies regarding security?

  • (D) They feel security is an unnecessary expense. (correct)

Which of the following is NOT mentioned as a benefit of large companies having dedicated security teams?

  • (A) Improved incident response time. (correct)

What type of team might be included in the security structure of a large enterprise?

  • (B) A variety of specialized teams including pentesting and consulting. (correct)

What was a key characteristic of the SUNBURST malware regarding its activation?

  • (C) It was designed to activate only in specific targeted environments. (correct)

What is the focus of Security Engineering?

  • (B) To develop tools to combat cyber attacks. (correct)

Which trait was NOT associated with the sophistication of the actors behind the SUNBURST attack?

  • (B) Weak security on their servers. (correct)

What type of organizations were primarily customers of SolarWinds Orion?

  • (C) Governments and major corporations. (correct)

What was the motivation of the SUNBURST attackers?

  • (C) Murky motivations with no apparent economic gain. (correct)

What role does compliance play for organizations using software like SolarWinds Orion?

  • (C) It assists in passing external audits and identifies new issues. (correct)

Which of the following technologies are associated with File Integrity Monitoring (FIM)?

  • (A) Qualys, (B) LogRhythm (correct)

What percentage of breaches in 2020 targeted large businesses?

  • (C) 72% (correct)

Which key objective of the Security Operations Centre involves monitoring the cyber security posture?

  • (A) Correlation of Cyber Security Events (correct)

What is the average cost of a large breach as reported?

  • (B) $392 million (correct)

Which of the following is not a key function of the Security Operations Centre?

  • (C) Providing physical security (correct)

Which option represents a goal of the change control function within the Security Operations Centre?

  • (C) Integration into the SOC process (correct)

What type of monitoring does proactive security monitoring entail?

  • (D) Predefined security alerts (correct)

Which of the following is essential for identifying security attack vectors?

  • (C) Integration into the SOC process (correct)

What is the primary focus of the CIS controls v8 framework?

  • (D) Critical processes in a company (correct)

Which of the following is NOT one of the five functions of the Framework Core?

  • (B) Encrypt (correct)

What describes the Implementation Tiers of the Cybersecurity Framework?

  • (A) Qualitative measure of risk management practices (correct)

What is one of the aims of the MITRE ATT&CK framework?

  • (C) Categorize adversarial behaviors (correct)

Which aspect is covered by the Risk-Based attribute of the Cybersecurity Framework?

  • (D) Common language for all organizations (correct)

Which of the following statements about the Cybersecurity Framework's Profiles is true?

  • (B) They align an organization's requirements with desired outcomes (correct)

In a Secure Change Management Process, which step follows the Request for Change?

  • (A) Impact analysis (correct)

What differentiates the DevSecOps approach from traditional SecOps?

  • (C) Emphasis on software-defined data centers (correct)

Which of the following is a component of the Cybersecurity Framework?

  • (D) The Framework Core (correct)

Which security framework is aimed at mapping to well-known frameworks such as CSF and PCI?

  • (B) NIST Cybersecurity Framework (correct)

Flashcards

Small Company Security

The situation where a company has a very small or no dedicated security team. Security responsibilities are usually handled by the IT team or a single IT administrator.

Taking Security Seriously

A stage in a company's security journey where it begins to take security more seriously, often triggered by major incidents or security audits.

Medium-sized Company Security

A company with a dedicated but small security team responsible for various aspects of security like infrastructure, applications, and operations.

Big Company Security

Large organizations with dedicated security teams or even specialized teams like privacy teams. They focus on different areas of security and have a well-defined security strategy.

Security Operations Center (SOC)

A team of security experts responsible for monitoring, detecting, and responding to security threats 24/7.

Penetration Testing Team

A team focused on testing the security of systems, applications, and networks by simulating real-world attacks.

Security Architecture Team

A team that focuses on designing and implementing the overall security framework for an organization. They ensure that security best practices are followed and that new systems fit within the overall security architecture.

Security Engineering Team

A team that develops tools, techniques, and methods to defend systems against malicious attacks. They also work on maintaining and improving security systems.

Security Monitoring

A process of constantly monitoring and analyzing system logs, network traffic, and security events to detect abnormal activity and potential threats.

Incident Classification

The ability of a SOC to identify and analyze different types of security incidents, such as malware infections, data breaches, or denial-of-service attacks, and classify them based on their severity and impact.

Threat Analysis

Analyzing security events to identify potential attack patterns, common vulnerabilities, and attacker tactics to improve threat detection and response capabilities.

Change Control

A process that ensures that all changes to systems and configurations are documented and approved before implementation to minimize security risks.

Disaster Recovery Plans

Creating detailed plans outlining the steps to be taken in case of a security incident or emergency, including data recovery, communication protocols, and escalation procedures.

Security Automation

Using automation tools and scripts to execute security tasks, such as incident response procedures, vulnerability scans, and reporting, to improve efficiency and reduce manual effort.

Security Information and Event Management (SIEM)

The ability of a SOC to correlate and analyze security information from different sources, such as network devices, servers, applications, and security logs, to gain a comprehensive understanding of the security posture.

Security Metrics

KPIs or metrics used to assess the effectiveness and performance of security controls and processes.

Secure Change Management

A set of best practices and procedures for managing changes to IT systems and applications in a way that minimizes security risks.

Security Design Review

A systematic review of a system's security design, including the justification for the design, the scope of the environment, and the technical details of security controls.

DevSecOps

An approach to security that integrates security practices into the entire software development lifecycle, from initial design to deployment and operations.

CIS Controls v8

A set of security recommendations and best practices that focus on critical processes and activities within an organization.

NIST Cybersecurity Framework

A framework developed by the National Institute of Standards and Technology (NIST) that provides a standardized approach to cybersecurity risk management.

Framework Core

One of the components of the NIST Cybersecurity Framework that outlines desired cybersecurity outcomes organized in a hierarchy.

Implementation Tiers

A component of the NIST Cybersecurity Framework that provides a qualitative measure of an organization's cybersecurity risk management practices based on the implementation of the framework.

MITRE ATT&CK

A knowledge base that describes adversarial tactics, techniques, and common knowledge used in cyberattacks.

SolarWinds Hack

A widely reported cyberattack in which a malicious actor compromised software updates from SolarWinds, affecting thousands of organizations.

What is SUNBURST?

A type of malware that targets a specific set of high-value companies, remaining dormant until activated only if a suitable target is detected.

What is SUNBURST's activation strategy?

SUNBURST uses a hidden or stealthy approach to avoid detection by security tools. It only activates when it's beneficial to the attackers and remains dormant everywhere else.

What is the main goal of the SUNBURST attackers?

The attackers behind SUNBURST aimed to collect sensitive information without disrupting the targeted systems or causing noticeable damage.

What is the scope of SUNBURST targets?

Despite affecting 18,000 companies, the attackers specifically targeted a limited set of high-value organizations.

What are the characteristics of the attackers behind SUNBURST?

The attackers behind SUNBURST have a high level of technical expertise, evidenced by their ability to clean up traces, hide their servers, and maintain good security on their own infrastructure.

Study Notes

Security Operations in Real Life

  • A strong reputation takes 20 years to build, but a cyber incident can ruin it in minutes. (Stephane Nappo quote)

Small Company Security

  • Often, there's no dedicated security team.
  • Frequently, security is handled by one person in the IT department.
  • Security is sometimes perceived as unimportant.
  • Focus is usually on backups and authentication.
  • Pros: at least one person who understands security.
  • Cons: lack of knowledge and experience in one person.

Taking Security Seriously

  • Security is often prioritized after a security incident or audit.
  • Common issues preceding incidents include minimal budgets and resources.
  • Lack of respect for security is a common challenge (e.g., "why should we care about security?").

Medium-Sized Company Security

  • A small, general-purpose security team often handles operational tasks, infrastructure, and applications.
  • Security is sometimes not prioritized, and nobody excels at everything.
  • This becomes a bigger issue after security breaches.
  • Pros: dedicated security team.
  • Cons: Budget constraints and limited security expertise.

Big Company or Large Enterprises

  • Big companies have dedicated teams or departments for security, potentially spanning multiple domains (e.g., privacy).
  • Not all teams/personnel are solely focused on security.
  • Pros: detailed expertise, potentially dedicated budgets.
  • Cons: high security costs and slower innovation.

Examples of Focused Security Subteams

  • Security Engineering
  • Security Architecture
  • Security Operations Center
  • Application Security
  • Pentesting Team
  • Security Consulting Team
  • CISO (Chief Information Security Officer)

Security Architecture

  • Defines security policies, standards, and procedures.
  • Ensures modern technologies conform to current standards.
  • Performs risk assessments to minimize threats.
  • May focus on operations, applications, or products.

Security Engineering

  • Develops tools, techniques, and methods that resist malicious attacks, helping protect systems and data.
  • Builds SIEM (Security Information and Event Management) using tools like ELK (Elasticsearch, Logstash, Kibana), Splunk, OSSEC, etc.
  • Implements FIM (File Integrity Monitoring) using utilities like Qualys, Tanium, or LogRhythm.
  • Also includes Network Segmentation (Palo Alto, Cisco, or Illumio).
  • Can include (Micro)Services management (e.g., container security) tools.

Security Operations Center (SOC)

  • 3,950 breaches occurred in 2020.
  • 72% of breaches affected large businesses.
  • 28% of breaches affected small/medium-sized businesses.
  • 43% of breaches targeted web applications.
  • Average cost of a large breach is $392 million.

SOC - Key Objectives

  • Manages and coordinates cyber threat and incident responses.
  • Monitors cybersecurity posture and reports deficiencies.
  • Correlates system/application/network logs in a consistent manner.
  • Performs threat and vulnerability analysis.
  • Analyzes cybersecurity events.
  • Maintains a database of cyber security incidents.
  • Provides alerts and notifications of general or specific threats.
  • Provides regular reporting to management.

SOC - More Key Objectives

  • Automate compliance, vulnerability assessments, and risk management.
  • Ensure change control is integrated into the SOC process.
  • Provide identification of security attack vectors and incident classification.
  • Define disaster recovery plans (ICE) in case of emergency.
  • Build a comprehensive dashboard with metrics aligned to security metrics.
  • Proactive security monitoring based on pre-defined metrics/KPIs.

SecOps processes

  • Secure change management lifecycle (request / impact analysis / implementation / approve or deny).
  • Security design review (operations view), covering justification, use cases, environments, diagrams, network/user control, data sensitivity, security architecture, logging/auditing, vulnerability management, business continuity, and secrets management.
  • DevSecOps concept.
  • DevOps lifecycle with automated functions for compliance assessment, vulnerability management, and risk management.
  • Software-defined data centers (AWS, Azure, Google Cloud, OCI) with security-driven code (Ansible, Terraform).
  • Examples of security frameworks.

CIS Controls v8 (formerly SANS Top 20)

  • Focuses on security activities rather than personnel.
  • Contains 18 controls.
  • Addresses critical business processes and activities.
  • Provides 153 safeguards grouped into implementation groups (IG1/2/3).
  • Maps security to well-known frameworks (CSF, ATT&CK, CSA, PCI, SOC2...).

Another Security Framework

  • The Cybersecurity Framework (NIST) focuses on cybersecurity outcomes in a hierarchical format.
  • It encompasses core, profiles, and implementation tiers (levels of risk management practices).

Key Framework Attributes

  • Common language for accessibility and adaptability.
  • Adaptable to various technologies and lifecycle phases across diverse sectors.
  • Risk-based methodology accounting for international standards.
  • A living document that is subject to ongoing guidance.
  • Perspectives of various stakeholders (private sector, academia, public sector) are considered.

The Framework Core

  • Describes desired cybersecurity outcomes in language understandable by all.
  • Applies to all risk management situations.
  • Covers the entirety of cybersecurity considerations including prevention and response.

An Excerpt from the Framework Core

  • Lists the functions, categories, subcategories, and informative references for the framework's interconnected outcomes.

Implementation Tiers

  • A method of quantifying cybersecurity risk management practices by measuring the level of risk awareness, implementation, and responsiveness.

Incident Example: SolarWinds

  • Security firm FireEye released a blog post about the UNC2452 group hacking SolarWinds.
  • SolarWinds, an IT firm, possibly suffered a sophisticated attack affecting 18,000 companies, governments, and other entities.
  • Their network management product, Orion, was a critical component and was used in several sensitive settings.

The Vector

  • SolarWinds is a software company; its network management product Orion in particular was a vector of the attack because of its use in sensitive settings.

The Targets

  • SUNBURST malware was targeted to specific deployments.
  • It was designed to only activate if installed in certain locations.
  • Attack only happened in certain areas.

Attack Timeline

  • Timeline detailing the events of the attack, including when the harmful code was injected and deployed.

Attacker's Traits

  • Attackers were sophisticated, cleaning up traces, hiding themselves skillfully, and keeping their own servers well secured.
  • Minimal target selection, likely focused on organizational interest rather than large-scale financial gain.
  • Limited evidence of data destruction, ransomware, or financial gain; no evidence of personnel information theft.

Nobody Likes Compliance but it is Important

  • Compliance is usually disliked, but is required due to legal and regulatory requirements and is essential for passing audits and managing internal standards and best practices.

Risk Management

  • Diagrams illustrating the different types of cybersecurity risks (high probability/low/high impact).

MITRE ATT&CK

  • Categorizes adversarial behaviours for offensive and defensive activities.
  • Offers a standard classification scheme for better threat understanding and response planning.
  • Provides a customizable knowledge base across enterprise, mobile, and broader frameworks.
