Article by Hans Enders
This morning my son was complaining that he was tired of attending swim lessons. He gets to complain about having a cool summer morning exercise while the rest of us run to real jobs with a coffee in our hand.
Lovely, no? So his complaint was that at age seven he has already endured three sets of swimming lessons (that he currently recalls) and does not need any more, since he knows it all.
We tried to convince him that practice makes perfect and all that typical parental advice, but to no avail. What fixed his protests was pointing out that his earlier lessons were the "how to prevent drowning" variety while these lessons are stroke development sessions to make him "race through the water".
Ribbons and glory still work as seven-year-old inspiration.
A security team can suffer the same argument. They acquired the certifications and the shiny new technology. After a lot of late nights, a bit of training, and tuning the defensive software, everything is good and it's time to sit back. Management is out of their hair and things are humming along smoothly. But that is when the real fun should start.
This is when they should be planning or revamping the incident response scenarios. They should be hitting up the business groups for new information on what is coming down the pipeline, or where the business is suffering.
Of course the IT department generally helps with performance issues, but knowing what the business needs or is planning can only help the security group lay their own plans. Is the board of directors reading up on the use of cloud systems?
Do they love their new iOS/Android/WebOS phones so much that they might be swayed to standardize the company on that mobile platform in the near future? Is the Red Team growing fat and lazy? Do they need something to hack?
This is the challenge, not to simply meet the needs, but to swim out beyond the painted lines and work towards open waters. There may be a risk that was previously accepted by the business group that can now be managed with new techniques.
Perhaps there are secondary systems that got overlooked in the massive vulnerability testing push of last spring. We know how quickly time can get away from us during a security incident, so now is the time to plan.
Recent headlines bear this out as the best mindset. Sony, Fox/Murdoch, et al. are all being harried by vulnerabilities left open in the backwaters of their infrastructure, not by brute force through the main gates. What little surprises might one find by using this time for review and planning?
Once upon a time we would have said, "it is time to sharpen the saw". That adage still holds true for the individual team members, as they should be pursuing additional training inside and outside of work. The team however should be actively prepping for the next storm.
It is time for that too-infrequent social/discovery meeting with your local CERT responders (police, fire, legal, COO). It is time to walk the halls and surf the organization's network looking for overlooked details. It is time to whiteboard what it might look like when trouble comes to call.
Beyond just checking the door knobs and browsing the cubicle farms, you need a real plan, an exciting goal of a plan. If money, time, and effort were not an issue, what resources and capabilities would your team have at its disposal?
Dream big and look beyond simple comparisons to other organizations. Now look at the tools you currently have and consider how to meet that goal without adding any tools. Without any new tools you are left with solving this with people and processes.
It should be apparent that a plan must be laid to reach that future and that the status quo is good but not enough. This is when you need to ask for advice. Find someone who knows how that mature vision actually deploys and operates.
What services and processes can they assist with and which ones can you or your staff access and learn now? Your swimming will not improve without an instructor!
Cross-posted from Following the White Rabbit