Security Technology Executive

NOV-DEC 2017

Issue link: https://securitytechnologyexecutive.epubxp.com/i/917121

14 SECURITY TECHNOLOGY EXECUTIVE • November/December 2017 • www.SecurityInfoWatch.com

Technology Lifecycle Management (continued)

objectives for Technology Lifecycle Management, and what people, systems and processes are involved.

Get Briefed. Find out what IT's initial expectations are for including electronic physical security systems in their lifecycle management program. Tell them that you need to better document your security technology (or update existing documentation) so that you can provide them with the information they need. Let them know this may take some time. Documentation should include how you manage device passwords (such as for cameras) and user access control to the security systems, and how you maintain backups of device configurations. An updated network diagram of the security systems is important. Let them know that you would like to improve your technology management to be more in line with what IT does and that you may need guidance from them.

Involve Your Systems Integrator. Include your integrator's lead servicing technician in the IT briefing, as you are likely to need support from your integrator, and a good technical person will be able to translate the IT aspects of the discussion that are unfamiliar.

Get Your Documentation to IT. Update your documentation and get the information to IT. This is not just what products you have; it includes warranty information, when purchased, how long until it needs replacement, and what the cost to maintain it is. What is the expected useful life of the product? How long will the manufacturer support it? Should you retain it past its supported lifetime? Request a meeting to work out how the management of the networked security systems will be improved. Use software tools to automatically discover and diagram your network and the devices on it. Consider using System Surveyor (www.systemsurveyor.com) if you don't have the level of documentation that you'd like to have, especially if you expect to make system improvements in the near future.

Meet with IT and Make a Plan. This could be a small project plan or a large one, depending upon the size of your security systems deployment and its current state of lifecycle management. Determine what technology lifecycle management responsibilities IT will take on, what part Security will handle, and what support will be needed from your integrator. IT should have a management process that Security will participate in, which will include cybersecurity audits, ongoing reporting, periodic reviews and change management.

Many companies have already engaged in project-based collaboration with IT. Substantial benefits can be obtained by including physical security systems in an ongoing technology lifecycle management program.

Continued from page 8 • Continued from page 10 • Continued from page 12

Hacking the Lights Out (continued)

As the definitive SANS/E-ISAC report concludes: "The attacks highlight the need to develop active cyber defenses, capable and well-exercised incident response plans, and resilient operations plans to survive a sophisticated attack and restore the system. Nothing about the attack in Ukraine was inherently specific to Ukrainian infrastructure. The impact of a similar attack may be different in other nations, but the attack methodology, Tactics, Techniques and Procedures (TTPs) observed are employable in infrastructures around the world."
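The inventory fields the Technology Lifecycle Management section above says IT will ask for (support lifetime, configuration backups, device passwords) can be kept as data and reviewed automatically before the IT meeting. The following Python is an added example, not code from the article or from System Surveyor; the device records, thresholds and review date are constructed assumptions.

```python
"""Lifecycle review of networked physical-security devices (added example).
Assumes an inventory kept as a list of dicts; records, thresholds and the
review date below are constructed, not figures from the article."""
from datetime import date, timedelta

BACKUP_MAX_AGE = timedelta(days=90)      # assumed thresholds for this example
PASSWORD_MAX_AGE = timedelta(days=365)
SUPPORT_WARNING = timedelta(days=180)    # flag support that ends within six months
REVIEW_DATE = date(2017, 12, 1)          # constructed review date

# Constructed sample inventory (ids and addresses are made up).
INVENTORY = [
    {"id": "cam-01", "ip": "10.0.50.11", "support_end": date(2017, 6, 30),
     "last_backup": date(2017, 10, 1), "password_changed": date(2015, 1, 10),
     "default_creds": False},
    {"id": "cam-02", "ip": "10.0.50.12", "support_end": date(2021, 8, 15),
     "last_backup": None, "password_changed": None, "default_creds": True},
    {"id": "acs-01", "ip": "10.0.51.5", "support_end": date(2018, 3, 1),
     "last_backup": date(2017, 11, 20), "password_changed": date(2017, 9, 1),
     "default_creds": False},
]

def review_device(dev, today):
    """Return the lifecycle findings for one device as a list of strings."""
    findings = []
    if dev["support_end"] < today:
        findings.append("past manufacturer support")
    elif dev["support_end"] - today <= SUPPORT_WARNING:
        findings.append("support ends within six months")
    if dev["last_backup"] is None:
        findings.append("no configuration backup")
    elif today - dev["last_backup"] > BACKUP_MAX_AGE:
        findings.append("configuration backup stale")
    if dev["default_creds"]:
        findings.append("factory credentials in use")
    elif dev["password_changed"] is None or today - dev["password_changed"] > PASSWORD_MAX_AGE:
        findings.append("device password not rotated")
    return findings

def lifecycle_report(inventory=INVENTORY, today=REVIEW_DATE):
    """Map device id -> findings, leaving out devices with nothing to report."""
    report = {}
    for dev in inventory:
        findings = review_device(dev, today)
        if findings:
            report[dev["id"]] = findings
    return report
```

Calling lifecycle_report() on the sample flags cam-01 as past support with an unrotated password, cam-02 with no backup and factory credentials, and acs-01 as approaching end of support.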
Integrators with clients specifically in the utility market are encouraged to offer the following cybersecurity recommendations, culled from several sources – although most of them apply to clients in just about any industry:

• Identify, minimize and secure all network connections
• Disable unnecessary services, ports and protocols
• Enable available security features
• Implement robust configuration management practices
• Continually monitor and assess the security of networks and interconnections
• Implement a risk-based defense-in-depth approach to securing systems and networks
• Manage the human element, clearly identifying requirements, establishing performance expectations, holding individuals accountable, establishing policies, and providing security training for all operators and administrators
• Use two-factor authentication for users where warranted
• Disable unnecessary remote access

Incident response playbooks (continued)

Evolving the playbook with data science

Cybersecurity attacks are occurring with increased complexity and frequency, and they can no longer be addressed effectively with manual processes or traditional workflow automation tools. The next generation of response requires a deeper understanding of the data involved in each attack, instead of a set list of tasks that may be outdated by the time the next attack hits.

With the development of artificial intelligence (AI) and machine learning, a new generation of response tools must have the ability to leverage advanced data science to collect and contextualize cybersecurity data from internal systems, such as a SIEM platform, and external sources, such as a security analyst's mitigation notes from a previous attack. This approach will give security teams the power to extract meaningful insights and provide more sophisticated automation throughout the entire incident response lifecycle.

Implementing the capabilities of data science in response means that traditional playbooks can now evolve into advanced, strategic tools that consider previous threats and how the security team responded – learning from past successes or failures. Instead of automating workflow or processes, this new breed of solutions will use automation to transform threat data into actionable intelligence, and can even escalate incidents using machine learning to score the possible impact of potential threats. This approach allows security analysts to make the call on what needs immediate attention, as opposed to referring to the playbook for a list of static steps that may or may not apply to a specific situation.

Under this new model, when incident alerts come into a security team, security analysts can instantly see the direct relationships between past incidents and current indicators, as well as indirect relationships that are uncovered through advanced analysis. Then, the team can fully understand the context associated with an individual alert or security event, so they can take immediate action – no static checklists, no outdated processes.

By moving away from playbooks and workflow orchestration and instead having an aggregated, contextualized set of incident and threat data, organizations can automatically create and monitor the customized metrics they need to fully understand their cyber risk landscape and adapt to today's dynamic persistent attacks.
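The direct and indirect relationships between a new alert and past incidents that the section describes can be computed from stored incident records, including the analyst's closing notes. The following Python is an added example, not code from the article or from any vendor product; the incident ids, indicators, impact scores and weighting are constructed assumptions.

```python
"""Context for a new alert from past incidents (added example).
Assumes past incidents are records holding their indicators and the analyst's
closing note; all incident ids, indicators and notes below are constructed."""
from collections import defaultdict

# Constructed sample of past incidents (made-up indicators and impact scores 0-10).
PAST_INCIDENTS = [
    {"id": "INC-101", "indicators": {"203.0.113.7", "evil-update.example"},
     "impact": 8, "note": "blocked the domain at the proxy; reimaged two hosts"},
    {"id": "INC-102", "indicators": {"evil-update.example", "sha256:constructed-hash-1"},
     "impact": 6, "note": "malicious installer quarantined by EDR"},
    {"id": "INC-103", "indicators": {"198.51.100.23"},
     "impact": 2, "note": "benign vulnerability scanner, closed as false positive"},
]

def build_index(incidents):
    """Map each indicator to the set of incident ids that contained it."""
    index = defaultdict(set)
    for inc in incidents:
        for indicator in inc["indicators"]:
            index[indicator].add(inc["id"])
    return index

def contextualize(alert_indicators, incidents=PAST_INCIDENTS):
    """Relate a new alert to past incidents.

    direct:   incidents that share an indicator with the alert
    indirect: incidents that share an indicator with a direct match (one hop)
    score:    impact of direct matches plus half the impact of indirect ones
    """
    index = build_index(incidents)
    by_id = {inc["id"]: inc for inc in incidents}
    direct = set()
    for indicator in alert_indicators:
        direct |= index.get(indicator, set())
    indirect = set()
    for inc_id in direct:
        for indicator in by_id[inc_id]["indicators"]:
            indirect |= index[indicator]
    indirect -= direct
    score = (sum(by_id[i]["impact"] for i in direct)
             + 0.5 * sum(by_id[i]["impact"] for i in indirect))
    notes = [f'{i}: {by_id[i]["note"]}' for i in sorted(direct | indirect)]
    return {"direct": sorted(direct), "indirect": sorted(indirect),
            "score": score, "notes": notes}
```

An alert carrying 203.0.113.7 matches INC-101 directly and reaches INC-102 through the shared domain, so the analyst sees both closing notes and a combined score before deciding whether to escalate.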
