CISO MindMap 2020: What do InfoSec professionals really do?

Most people outside Cybersecurity profession don’t fully realize and appreciate the complexity of security professionals’ job. I have been publishing and updating this MindMap for many years, not only as an effective educational tool but also enable professionals use this MindMap for designing and refining their security programs.

The latest version of CISO MindMap 2020 is here! COVID19 has forced every business to take unplanned actions. CISO’s had to enable work-from-home in a very short period of time to keep the business operational, and in many cases that work is still ongoing. If you say “I don’t like 2020 so far”, I may actually agree with you this time! I have to admit I am missing air travel and meeting with CISOs and other cybersecurity leaders in-person, although I used to complain about missing connecting flights. It was much better than getting stuck at home and staring at computer screen all day during video conference calls!

Download PDF version of CISO MindMap 2020

What is new?

What are some new areas that need your attention in 2020? Following is the list of recommendations, keeping in mind that you need to continue and improve what you have already been doing while considering these. This list does not make any other activities to manage risk as less important; Phishing is still there, ransomware attacks are still happening and you still need to manage compliance needs!

  • Improve SOC analyst productivity with SOAR
  • Reduction/consolidation of tools/technologies
  • Better protection & monitoring of Cloud
  • Explore new architecture models like SASE
  • Consider zero trust, secure enclaves
  • Edge computing security
  • Include deception technologies as part of security tools
  • COVID19 and Work from Home

You will find some text on the MindMap in red color which is to show changes since the last publication in 2019.

How to use CISO MindMap?

How many times people ask you about what you really do? Although the answer could be many things depending upon the context of the question and who is asking it, sending a copy of this MindMap could help. I have heard from many professionals that this MindMap is extremely helpful in explaining the complexity of a CISO job to business audience.

Using as poster, derived work, or commercial use – This is a copyrighted material but is made available for free to all with no strings attached as long it is not altered and not used to make money 🙂 When using this MindMap, please cite the source properly. Any derived work or commercial use requires written permission of the author.

To keep updated about future versions of this MindMap and other posts, subscribe to this blog by entering your email below:

Posted in InfoSec | Tagged , , , , , | Comments Off on CISO MindMap 2020: What do InfoSec professionals really do?

The Case for a SOC Conference

Credits Pixabay

The current model of building security operations center (SOC) is not sustainable. This is probably not a news for many of my readers. Working with many businesses, small to large and regional to international organizations, I have been thinking about this quite a lot lately. I have been publishing CISO MindMap for over eight years to explain and highlight complexities of work that security professionals have to do. With digital economy taking a foothold, the CISO’s work is just getting more complex as new technologies are adopted by businesses, strict privacy laws are enacted globally, and attack surface is expanding by each day. Networks are no longer confined to data centers or corporate offices, and older ideas of managing security operations are obsolete.

With digital economy taking a foothold, the CISO’s work is just getting more complex as new technologies are adopted by businesses, strict privacy laws are enacted globally, and attack surface is expanding by each day.

Working on my latest book “Cybersecurity Arm Wrestling – Winning the perpetual fight agains crime by building a modern Security Operations Center (SOC)” has made me even more convinced that something needs to change (or many things need to change depending upon how you frame the challenges). Managing cost of security programs is a challenge, SOC analysts are stressed out by overwhelming number of incidents, and CISOs are living in the constant fear of when the next data breach is going to happen and how would it impact their career. This can’t continue. It is not sustainable.

Why SOC Conference?

There is a need for major changes in foundational thinking about how to run security operations. Most security conferences are too generic and focusing on tactical and derived work. There is a need for new, original, and thought-provoking ideas to change our practices for managing security operating and optimizing risk. Our industry needs this badly. For these reasons, I have started thinking about a 3-day conference in 2021 to exclusively focus on SOC by gathering best minds and exploring new ideas.

What would be the Focus Areas?

Per my initial exploration, following are some of the major areas of focus for the conference. However, I believe these would evolve and change as I get more feedback from industry leaders.

  1. Alternate models for the SOC of the future
  2. SOC for IoT, OT, Autonomous Vehicles and other emerging industry needs
  3. Implication of Cloud, Containers, Serverless Computing on SOC
  4. Threat visualization, Threat Intelligence
  5. Cooperative SOC for vertical markets
  6. SOC Innovation and frameworks, Meaningful Metrics
  7. SOC in the Cloud, SOC as a Service
  8. SOC People: Stress management and well being
  9. Automation, Machine Learning for SOC technologies
  10. Open source SOC
  11. Incident Response, Digital Forensics
  12. Planning and implementation, Business case development
  13. Emerging SOC technologies
  14. Global SOC challenges, privacy laws, data sharing across physical boundaries
  15. Integrations, APIs, Ticketing Systems
  16. Knowledge Management

Want to be Involved?

In the short team, I would like to create an advisory council for the conference. However, there are many other areas where help is needed. Please check and fill out this Google Form if you are interested in getting involved.

Final Thoughts

While upgrading SOC technologies, bringing in new tools, and continuously training SOC staff are all great things to do, these don’t solve the fundamental issue of long term sustainability of the SOC model itself. With expanding sources of data and ever-evolving new threats, we, as industry need to bring new thought process to question what we are doing today and what is the best path forward. The objective of this conference is to do exactly that by challenging the status quo and bring fresh and original thoughts to meet new challenges. 

Subscribe to this Blog

Subscribe to my blog to keep updated about this and other thought-provoking discussions. You will get an email when a new post is published here.

Recent Posts

Posted in SOC | Tagged , , , , , , , , , , | Comments Off on The Case for a SOC Conference

Managing Cybersecurity Program Cost

With COVID19 and expected budget cuts across the board, cybersecurity leaders must prepare for a shrinking slice of their share in 2021. While hoping for the best, it is still a prudent idea to take a more critical look at security programs and find ways of better/smart management of the overall budget for the program. So where should a CISO be paying attention to find waste and opportunities for smart budget management? Here are some ideas.

Remove redundancy and start consolidating

An average organization is using a large number of technologies, by some estimates as high as 47, according to a Ponemon survey. However, the majority of security leaders (53%) are not sure if their tools and technologies are actually working. It is time to stop buying more and more tools and start consolidating. When you start taking a deeper look, you will see there is a lot of redundancy in technologies that you own. You will also find that you can replace many of the existing technologies with a single new solution. By doing so, you will also improve user experience. For example, imagine how many endpints run slow because of a large number of agents running everywhere.

Eliminate shelfware

You have more shelfware in your organization than you think you have. Many vendors sell tools and technologies in the name of incentives that you never use. We need to stop falling for buy-one-get-one-free tricks.

Use Cloud based security services

Cloud has revolutionized security services by more innovation, less cost, and giving you ability to avoid vendor lock-ins. Consider the following as few examples:

  • Are you using an old full packet capture solution that requires an insane amount of local storage? You must consider new solutions that compress data and store it in the Cloud drastically reducing the cost.
  • Are you spending too much on maintaining honeypots and still not getting the value? Well you have new Cloud based options where modern deception technologies are available “as-a-service” with much lower cost and exceptionally improved functionality.
  • You know how much you spend on network segmentation to protect crown jewels. Why not look at software-defined zero trust technologies provided from the Cloud?
  • Traditionally organizations have been doing content filtering with on-premises technologies that are too difficult and costly to manage when you take into account total cost of ownership. Why not go to Cloud based web content filtering solutions that provide the shortest path to the Internet and protect users whether they are on private network or on public network or working from home.

These are just a few examples of how Cloud based security technologies can help but there are many other areas to look into. Like everything else, security services are moving to Cloud fast.

Use of Open Source Software

The fact is that we already use so much open software in all businesses, but we don’t realize its presence. For example, “all” medium to large size companies use Linux (which is open source). Majority of smartphones run on Android which is also open source. Apache is a common web server used in ecommerce environments, again an open source technology. Many commercial products, including commercial security products also run on Linux behind the scene. There is no harm in looking at open source tools when you are constrained for budget. In many cases, these tools are as good as commercial options, if not better. For example, ModSecurity is an excellent open source web application firewall. Why not consider it as part of Apache web server for hosting web applications? Same is true for many network and host based open source security tools.

Better Distribution of Program Cost

Security program cost optimization is a tricky issue but can be achieved by some creative thinking. Doing everything in-house could be costly and outsourcing the whole program could have its own drawbacks. A balanced approach is usually the best. One of the methods is to split the overall budget into three major areas as evenly as possible:

  1. People and Payroll – This also includes education and training of security staff.
  2. Technology and tools – Purchase of technology and tools needed to run the security program. It also includes subscription based security services.
  3. Services – Instead of building a large security team, it is a good idea to identify areas where a service provider would make sense and outsource it. For example, if you do malware analysis once in a while, it would make sense to use services from a third party instead of building a team for malware analysis.

How much do we Spend on Security Programs?

Last but not the least, this is a common question on many CISO’s minds and is asked in board meetings. How much spending on security programs is good enough? The answer depends upon the current maturity level of the security program, the industry sector, and the risk that an organization needs to manage. According to different surveys and research reports, a good percentage of companies spend between 10-20% of their IT budget on security, with a median around 15%. However in case of data breaches, the portion of the security budget as a percentage of the total IT budget may go quite high. If an organization is spending more than 30% of IT budget on security, there is a good probability that they had a recent major breach.

References

Subscribe to my blog

Posted in InfoSec | Tagged , , , | Comments Off on Managing Cybersecurity Program Cost

Stress and SOC Staff Burnout

SOC staff is dealing with threats and investigations on regular basis every day. In many cases these threats are repetitive. Dealing with continuous onslaught of Cyber threats makes SOC staff stressed. Stress and burnout are real problem.

What is stress?

According National Institute of Health, MedlinePlus, “Stress is a feeling of emotional or physical tension. It can come from any event or thought that makes you feel frustrated, angry, or nervous. Stress is your body’s reaction to a challenge or demand. In short bursts, stress can be positive, such as when it helps you avoid danger or meet a deadline. But when stress lasts for a long time, it may harm your health”.

Chronic stress results in burnout of SOC staff. Burnout is a state of mental and physical exhaustion due to prolonged stress that drains out energy.

Burnout is a result of constant stress. If you find a co-worker calling sick often or coming late to work, it may be a sign of burnout.

Burnout may also manifest in an otherwise efficient person taking longer to finish tasks.  

SOC manager should not only take care of themselves against these very real issues but also make sure SOC staff is healthy with a good work-life balance. I can’t emphasize enough how important this is for a successful SOC.

How to identify if SOC staff is stressed out?

SOC managers need to understand stress and take actions to minimize its impact on SOC staff. Every person takes stress differently while living through the same type of experiences. Prolonged stress results in exhaustion and results in visible signs of damage to one’s health. If you see a co-worker agitated, frustrated, or overwhelmed, it could be first sign of stress.

What SOC managers can do?

Well-being of SOC staff must be at the top of any SOC manager agenda. It is not only a good practice but is also essential for staff retention and operational efficiency of SOC. TO start with, managers must know:

  • What causes stress and burnout?
  • How to find if an employee is stressed out?
  • What managers can do to address this issue?

One of the ways stress manifests in terms of physical health is hypertension. The research in this area is well documented and largely accepted.

Following can reduce stress for SOC staff.

  • Flexibility of working hours
  • Reduce console time for staff, rotate their duties
  • Provide some time where staff can work on “things they like” or on “problems they want to solve”. 
  • Since triage of events could involve performing the same tasks over and over, work on tools and automation to minimize fatigue from these repetitive tasks. If you have not yet, consider investing in SOAR (Security Orchestration, Automation, and Response) tools.
  • Make sure staff members take vacation and other time off.
  • Celebrate successes, no matter how small they are.
  • Making sure staff gets time for lunch and breaks and are not too much absorbed in work such that they forget to take breaks.
  • It may not be a bad idea in investing in buying gym membership for SOC staff.

I would strongly recommend that each SOC should encourage SOC staff to check their blood pressure on regular basis. To address privacy concerns, an option should be provided to staff to buy and keep a blood pressure meter at home. Decent personal use equipment costs less than $100 and is a good investment in SOC staff health.

Another general recommendation is increase awareness of stress among SOC staff. One way to do so is to purchase few stress posters and place these on SOC walls as a constant reminder.

Subscribe to this blog

Recently published articles

Posted in InfoSec | Tagged , | Comments Off on Stress and SOC Staff Burnout

CISO MindMap 2020: Summary of Recommendations for Updating Security Programs

Cybersecurity is a complicated business. Many people outside this profession don’t fully realize and appreciate the complexities of the job. CISO MindMap is an effort to educate public about Cybersecurity professionals’ job responsibilities. The MindMap also enables Cybersecurity professionals design and refine their security programs.

Each year, I also publish recommendations along with the updated MindMap to cover changes in threat landscape and impact of new technologies. The latest version of CISO MindMap includes eight recommendations to consider for updating your security program and roadmap. This paper provides a rationale behind these recommendations, why one should care about these and steps you can take to make a progress.

The eight recommendations included in CISO MindMap 2020 are listed below. The main objective of providing these recommendations is to help you consider specific focus areas that can bring significant value to your program, reduce risk, and enable business. These recommendations are based upon research reports from different security organizations, research, and my interactions with Cybersecurity leaders.

  1. Improve SOC analyst productivity with SOAR
  2. Reduction/consolidation of tools/technologies
  3. Better protection monitoring of Cloud
  4. Explore new architecture models like SASE
  5. Consider zero trust and secure enclaves
  6. Edge computing security
  7. Include deception technologies as part of security tools
  8. COVID19 and Work from Home

The attached paper provides a brief description of each of the above recommendation. Depending upon the current maturity level of your program, you may already be on a journey to explore or implement some of these recommendations. If you have not started yet, please note that these recommendations are provided to further improve and not necessarily as a replacement of any other parts of your overall security program. This list does not reduce importance of any other activities to manage risk to your organization. Phishing is still there, ransomware attacks are still happening and you still need to manage compliance needs!

Please download the PDF version of paper to get detail of each of these recommendation. Last, but not the lease, don’t forget to subscribe to this blog to keep updated on new developments and my upcoming book “Cybersecurity Arm Wrestling: Winning the perpetual fight against crime by building a modern security operations center” coming this winter.

Posted in InfoSec | Tagged , , , , , , | Comments Off on CISO MindMap 2020: Summary of Recommendations for Updating Security Programs

Run Away from People with Defeatist Attitude

While negativity usually becomes very toxic for any team fairly quickly, defeatist attitude is probably the worst. Defeatists give up even before trying and urge others to do the same. They fear change. “A defeatist is the opposite of an optimist. A defeatist is convinced that he’s going to fail, and he isn’t surprised when he does”. People with defeatist attitude are not only paralyzed to take any action, they spread despair to others bringing everyone down with them. When you find a defeatist, run away as this attitude can be quite contagious.

How to spot defeatist attitude? It is actually not quite difficult. People with this attitude some very specific characteristics, like:

  • They will always find how million different ways an initiative can/will fail
  • When asked for suggestions about anything, a defeatist will start with list of problems but seldom provide any solution
  • You will hear a lot of complaints
  • A defeatist is keen to transfer blame and responsibility to others
  • Defeatists will hesitate to take ownership of anything
  • You know you are taking to a defeatist when you hear comments like: “we tried it last year and it did not work”
  • They are looking for survival, not to accomplish anything
  • In discussions, they would mention strengths of their competitors and shortcomings/weaknesses of their team.
  • You will seldom hear much of “we will win” or “we are going to get it done” or “we are a great team, nobody can defeat us” type remarks
  • It would be a task to get them excited about new initiatives

This is a self-limiting behavior and toxic for any team, group, or startup that wants to achieve something big or challenge the norm.

You will be surprised that some defeatists may be quite vocal about voicing their opinion. Most of them fail to understand this behavior and actually think that they are helping while doing quite the opposite. This is one of the reasons behind my suggestion “run away from people with defeatist attitude”.

If you are a building a team or starting a new venture, try to identify this behavior during interviews by asking some probing situational questions using the list above. Remember, experience or skills can’t compensate for attitude.

Subscribe to blog via email:

Posted in Leadership | Tagged , | Comments Off on Run Away from People with Defeatist Attitude

CISO Tools to Build (or Tweak) a Cybersecurity Roadmap, Create Business Case and Request Funding

I am not telling you anything new when I say that an essential part of a CISO’s job is to build a Cybersecurity program, communicate it to stakeholders, and continuously tweak it based upon continuously changing threat landscape. Job of a CISO is complex as shown in CISO MindMap for many years and it is getting even more complicated. This article is describe some tools that will help overcome some complexities, build a roadmap and request funding using a simple business case model.

Whether you are building a brand new Cybersecurity program or want to make some changes to improve an existing one, I have found the following tools very useful. These will help you in identifying areas you need to work on, communicate to stakeholders and request funding by building compelling business cases.

MITRE ATT&CK

Mitre ATT&CK is knowledge base of adversary tactics, techniques, and procedures (TTP). While there are many ways to use ATT&CK, using it for an assessment of your Cyber defense capability is one of the important ones. In the framework, there are twelve main areas of tactics and a number of techniques under each of these areas. ATT&CK Navigator is a great tool to start assessment of your current capability of defending against different types of attacks, find gaps, and adjust your strategy and roadmap accordingly.

Following is a screenshot of ATT&CK Navigator where you can use it for assessment, color code your capabilities, identify gaps, and use it as a communication tool.

Use of NIST Cybersecurity Framework

NIST Cybersecurity Framework is an outcome of collaboration among government, universities/academia and industry. It provides five functions and helps you balance your efforts to cover all aspects of building an effective cybersecurity program. These functions help you organize your activities and create a balanced approach towards different aspects of a meaningful program. The functions are listed below:

  1. Identify – Understand what you have and includes activities such as asset management, governance, risk assessment.
  2. Protect – Build safeguards and controls to protect what is important to you.
  3. Detect – Implement capabilities to identify security events and incidents.
  4. Respond – When an incident happens, be ready to respond, have appropriate processes, training and tools.
  5. Recover – Ensure resilience of your systems in the face of incidents and build capability to quickly recover from the impact of these incidents.

There are many success stories about how different organizations have used NIST framework and I am sure some of these will be interesting for you.

CISO MindMap as Communication Tool

Over a number of years, I developed CISO MindMap to describe complexities of job that security professionals and leaders have to deal with on a daily basis. Since then, this MindMap has been adopted by many leaders and organizations. SANS adopted it for training program and published Leadership poster based upon it.

CISO MindMap is a great tool for communicating security programs and complexities of your job to different stakeholders.

Request Funding with 9 Stage Business Case Model

Justifying investment in Cybersecurity and developing a business case is not always straight-forward arithmetic. I have found 9-stage business model by Chris Luxford as one of the great tools. Use it as a single-page business case template and attach it with your funding request. Focus on cost of doing something vs. cost of not doing it.

Balancing Budget

Depending upon where you are in your journey of implementing your security program, your budget may be skewed in certain direction. However, a good advice is to balance it between the following three areas (three Ps):

  1. People – salary and benefits, training & development
  2. Products – purchase tools and technologies
  3. Partners – contract third parties for services that you don’t want to build in-house and that are rarely used

While there are many ways to build and execute a security program and roadmap, I am confident that the above tools are only going to help you continuously improve your Cybersecurity practice and make you successful as a leader.

Subscribe to this blog

References

Posted in InfoSec, Leadership | Tagged , , , , , , , | Comments Off on CISO Tools to Build (or Tweak) a Cybersecurity Roadmap, Create Business Case and Request Funding

A 3-3-4-5 Model for CISO Strategy

Many CISOs and Infosec leaders I meet face continuous challenge to communicate their strategy that is simple and others can understand and relate to. I have created a simple model for CISOs to explain it on a single page and have found it to be an effective tool. Part of this is based on NIST Cybersecurity framework.

The strategy has three parts:

  1. What do I want to achieve?
  2. Where will I invest – both time and money?
  3. How would I do it?

What do I want to achieve?

Communicating your objectives in clear, concise and easy-to-understand manner that others can relate to is key to success of a CISO. Here are three key objectives:

  1. Enable business to gain competitive edge and using security as an enabler.
  2. Manage risk to an acceptable level
  3. Communicate continuously with and East/West/North/South model. The East represents other IT teams. The West includes business leaders within your organization. The North refers to executive leadership and board. The South means that you communicate continuously with your own team.

Where will I invest?

This is both about time and money investments and falls into the following four areas:

  1. People – People being the most important part of any security program and investing in hiring the best, retain the talent, and train security teams on the latest technologies.
  2. Processes – This is about simplifying and optimizing processes to achieve some goals without relying to fix everything using technology. According to a quote from Bruce Schneier, “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology”. 
  3. Products – Here you would look at technology, services, consulting from different vendors.
  4. Partners – Spending time and energy in building partnerships with both internal teams and external vendors.

How would I do it?

It is a great idea to pick a framework to communicate how would you achieve your objectives. I like NIST Cybersecurity Framework but you can choose a different one based upon you needs. I prefer NIST because many organizations follow it and it fits well into explaining your strategy. With this framework, you have talk about business outcomes in the following five areas:

  1. Identify – assets and risk that face your organization, build a governance model
  2. Protect – systems, data, and other digital assets
  3. Detect – threats using a number of methods including but not limited to logs, anomalies, network, threat intelligence and others.
  4. Respond – to incidents quickly and effectively
  5. Recover – business quickly after a security incident

Why name it 3-3-4-5 model?

I named it 3-3-4-5 model because it has three parts. The first part includes 3 components, the second one 4 components and the third one 5 components.

Posted in InfoSec, Leadership | Tagged , , | Comments Off on A 3-3-4-5 Model for CISO Strategy

A Threat Modeling Process to Improve Resiliency of Cybersecurity Program

A 5-step threat modeling process by Rafeeq Rehman

Many organizations with mature Cybersecurity program have implemented controls to safeguard their digital assets. However, controls can give a false sense of security as many times mere existence of a control does not mean that it is (a) adequate and/or (b) effective. Protecting crown jewels requires continuous monitoring and evaluating controls. Following is a 5-step threat modeling process to improve resiliency of your program, identify gaps and close these gaps. The process starts from identifying the digital assets you are most concerned about and potential attack scenarios and ends at building a business case to close any identified gaps.

Step 1 – What am I concerned about?

A typical starting point for threat modeling is to identify digital assets that you are more concerned about. A digital asset may be in different forms. It could be an overall system crucial for your business, a process, a data store where business critical data is stored, a specific piece of technology and so on. The important thing is that you select an asset based upon criticality to business operations. Some people may refer to the critical business assets as “crown jewels”.

Step 2 – What could go wrong?

Once you have a digital asset identified, the next step is to brainstorm about:

  • Who are potential threat actors (internal, external, partners, state sponsored, hectivists, financially motivated, corporate espionage, etc.)?
  • Attack methods used by these threat actors (hacking, phishing, malware, physical, and others?
  • How these attacks will manifest in detection mechanisms (logs, behavior/anamolies, network traffic etc.)?

Step 3 – What can protect from attack?

Here you are going to evaluate all controls in place to prevent and/or detect the attacks. These controls could be different flavors:

  • Preventive controls that stop something bad from happening (firewalls, end point protection, IPS, etc.)
  • Detective Controls like IDS, SIEM and others
  • Administrative controls like policies, awareness programs

The important thing is to make sure that controls are (a) adequate and (b) effective. A firewall may be present but may not be properly configured. Similarly you may be using encryption but not managing keys properly. These are the examples where controls exist but not effective.

Step 4 – Is protection sufficient?

Based upon adequacy and evaluation of existing controls, you can estimate residual risk of a breach that may include a sum of multiple risk factors, including but not limited to:

  • Business interruption risk
  • Regulatory fines from different government agencies (e.g. Federal Trade Commission and SEC) or industry groups like PCI.
  • Risk of data loss 
  • Impact to brand value

Step 5: How do I justify cost?

Creating a business case is one of the best ways to justify investment in Cybersecurity. Why you need funding? It may be for one of the following purposes:

  • Add a new control because none exists
  • Improve effectiveness of an existing control
  • Replace an existing control with a better one

While there are many templates and recommendations about building business cases, one simple way is to focus on cost of doing it vs. cost of not doing it. There is a cost in both ways and if your cost of doing it is lower, only then it makes sense to request for funding. One template that I like is 9-stage business model by Chris Luxford.

How to use this approach?

I use this process in the form of a workshop, three to four hours long. My recommendation is that the exercise should be carried out throughout the year, may be once a month or at least every quarter, selecting a different digital asset each time or picking a different scenario for the same digital asset.

Subscribe to this blog

Posted in Digital Transformation, InfoSec, Leadership | Tagged , | Comments Off on A Threat Modeling Process to Improve Resiliency of Cybersecurity Program

Verizon White Paper: CISO’s Guide to Cloud Security

A 5-step process to evaluate and purchase Cloud security products and services

Verizon security recently published a white paper titled “CISO’s Guide to Cloud Security: What to know and what to ask before you buy” that points out five steps to help decision making on purchasing Cloud products and services. For each step, the white paper also provides recommendations to consider. This is a summary of this white paper.

Step 1: Assess your situation

According to Forrester research, 28% of enterprises have already moved to public Cloud, 44% are actively building private clouds. When you assess your situation, consider:

  • Where are you in the process of migrating to Cloud
  • What is your Cloud strategy? Cloud-first or Cloud-only?
  • Is this right time for you to move to Cloud?
  • Are you ready to move to Cloud?

Step 2: Define your requirements

To make sound decisions, defining security requirements and making sure the selected Cloud platform meets these requirements is essential. Following are recommendations from this white paper.

  • Scalability – Will the Cloud solution grow as your needs grow?
  • Extensibility – Does the platform offers APIs and other means to extend it?
  • Automation – Will you be able to automate routine security tasks in the Cloud?
  • Intelligence – Can you get contextual information for analysts and threat hunters?
  • Ease of Use – Is the user interface easy to use?

Step 3: Identify Use Cases

Legacy products may not be effective in Cloud environment. Adding new products for Cloud may not a good idea either. The recommendation is to identify use cases and consider the following:

  • IDS/IPS – Consider products that provide machine learning, full packet capture capability, passive visibility and help in investigations.
  • SIEM and Analytics – Consider capability in terms of your requirements mentioned in step 2 and support of new types of logs including IoT and support for 5G.
  • Incident Response – Responding to Cloud incidents brings new challenges in terms of visibility and ownership.
  • Threat Hunting – Consider speed, visualization, contextual data and packet capture capability.

Step 4: Define Success Metrics

How would you prove success of any Cloud security product or service? Consider building success metrics and dashboard with the following in mind:

  • Reduction in false alarms
  • Improvement in threat detection
  • Reduction in time for detection, deployment and dwell time
  • Increase in visibility and network coverage

Step 5: Evaluate your options

The white papers provides a sample table for evaluating different solutions that you can modify based upon your needs defined in steps 2 to 4 above.

When it comes to making purchase decisions for Cloud security products and services, this white paper provides a systematic approach for planning, evaluation, and decision making. The approach is not limited to a particular product or service and can be applied universally to any Cloud solution.

References

Verizon White Paper on CISO’s guide for moving to Cloud – https://enterprise.verizon.com/resources/whitepapers/cisos-guide-to-cloud-security-final.pdf

Subscribe to my blog for latest posts

Posted in InfoSec | Tagged , , | Comments Off on Verizon White Paper: CISO’s Guide to Cloud Security