Thursday, December 10, 2020

Being a Defender

 1. Be a student of (information security, network security, cyber security). Always strive to know what the latest tactics, trends, and tools are and implement that knowledge into Operations.

2. Never allow a vendor to define what your greatest risk is. It will undoubtably be something their  product detects well but be a low risk to your environment.

3. Be passionate about what you do. If you're looking for a 8 to 5 job you can forget about when you go home, information security may not be for you, to paraphrase Lesley Carhart. 

4. Be a an advocate for what your company really needs as far as tools. There is a marked over-reliance on tools in the industry and not nearly enough emphasis on training and development, but you know from experience what tools you truly need. 

5. Build the case, make the pitch, show verifiable results if you can. If you lose the battle, find an open source tool that does the same functionality without all the fancy reporting. Those reports aren't for you anyways; they're for the C-suite. 

6. Cross train as often as you can. Learn as much as you can about penetration testing tools, because hackers and Red Teamers alike use some of the same tools. Using a tool will help you learn what to look for.

7. Always push for more logs, more packets, more flow data. Anywhere and everywhere you can. Your dataset is your bread and butter; the more complete it is, the better chance you'll have in detecting or even preventing an attack.

8. Don't dwell on defeats. Learn from it and move on. You'll see plenty of them, both from attackers and internally fighting for what you really need.

9. Ask to be present at every meeting, call, or demo with a vendor. Management can't always distinguish what is practical from the vendor hype and BS. Be the one to challenge their over-realistic claims and make them back them up with something more than carefully crafted demo data, tuned for maximum detection by their product.

10, Don't stay up nights worrying about nation states/intelligence agencies or highly funded, highly skilled APT entities. If they want in, they are going to get in. Your job is to make sure your company isn't the low hanging fruit. 

11. To quote Mike Poor, prevention is optimal but detection is essential. Looking beyond the initial compromise and seeing what happened next is critical. Piecing together what the attacker did from disparate, seemingly unrelated pieces of information is something humans do better than machines, at least for now.



Blog Archive