Using Security Frameworks to Achieve Effective Cyber Defenses
The cybersecurity community tends to pay a lot of attention to what happens on the offensive side of the line. The latest breaches, vulnerabilities and research projects are generally highly featured, extensively discussed, and good for lots of street cred.
However, just as important as knowing what happens on the offensive side is being skilled on the defensive side. Possibly with the exception of highly skilled incident responders swooping in to save the day, defensive security is not as sexy, nearly invisible, and, unfortunately, generally under-appreciated.
And that's okay.
Defenders (like me) enjoy building, rather than breaking. We build processes, architectures, people skills, etc., and hopefully keep the bad guys out for another day, while preparing our bosses that, eventually, it will be nearly impossible to keep a determined and well-resourced adversary out.
I had the pleasure of advising Dean Sapp on writing his GIAC Gold paper for the leadership certification. The paper was a pleasure to read, since it focuses mostly on the defensive aspect, while not ignoring the offensive part.
In the paper, Dean describes a Red Team exercise in which penetration testers successfully compromise a corporate database containing sensitive information. The exercise is repeated after the defensive team has taken the time to implement a subsection of the SANS critical controls. This time, the results are much different and the defenses hold.
Security frameworks like the SANS critical controls, the ISO 27000-series, the Australian DoD top 35 mitigations, or even the PCI DSS and the NIST Cybersecurity Framework offer valuable insights to defenders, and, as this paper illustrates, even implementing a small subsection of just one of those frameworks can be a great service to your organization.
Dean's paper How the SANS Critical Controls Prevent the Red Team from P0wning your Database can be found here.