In recent times, we have increasingly run into clients that hand us a cybersecurity assessment report and ask us to either:
- Help them understand the report.
- Help prioritize the findings of the report.
- Implement the recommendations.
- Create a roadmap of the prioritized action items after the initial implementation of recommendations.
Why does this happen? Old-fashioned consulting typically involves an engagement manager (EM) plus a couple of consultants who interact with the client. They try to understand the environment, assets and processes by interviewing the various roles at the client, and then deliver a "blue book" or assessment report. While this process is somewhat necessary to understand the state of things, in our opinion it is extremely flawed and certainly very limiting. Why? Because a) you are left to fumble through the next set of actions to take, and b) this "blue book" is obsolete the day it is delivered to the client.
Limitations of traditional consulting.
- A lot of engagements do not involve an "active" component to augment the traditional interview process. What we mean by this is that the answers from the personnel are taken at face value and little effort is made to validate them. This is not to imply that people mislead the interviewer; usually they genuinely do not know the correct answer (due to employee churn) or have simply forgotten. E.g. are you absolutely sure that the only ports open between the DMZ and the AppServer networks are 80 and 443? Or are you sure that there aren't any rogue database servers still running that you might have set up for that stress test 2 years ago?
- The discovered information and data is not usually codified in a form that could be reused for active scanning or monitoring at a later stage.
- The "blue book" is obsolete the day it is delivered because a) your environment changes with patches or new assets, and b) the external landscape has already changed with newly discovered vulnerabilities and threats.
- A lot of the time the client's internal personnel do not have the necessary expertise to understand, prioritize and implement the recommendations, and are forced to engage other service providers to create a roadmap for the next steps.
Do we need to evolve to EM+2+Service? So what is missing from the above? We would say that it is the service component, more specifically a managed service offering. In our opinion, we need a service component that is "active" during, and augments, the traditional consulting process, followed by a transition to either a managed or a self-service offering that lets the client mitigate the results in a practical and efficient manner. At a minimum, we would need:
- An endpoint component that can be deployed to collect information and validate the answers that are collected via the interview process. e.g. Deploy discovery agents to ensure that no unexpected assets and services are running in the environment.
- A mechanism to codify and collect this discovered information so that it can be used to prioritize assets and, more importantly, confirm that we have covered all important assets. E.g. does the asset list look OK? Are we missing some important ones? Can we account for all the ones that we found? Any rogue ones?
- A highly scalable event-processing component that collects large amounts of data from these discovered assets, other deployed cybersecurity products (SIEMs, vulnerability scanners, proxies, IDS/IDPS, etc.) and other hardware devices (switches, firewalls, etc.), and then is able to correlate them continuously for threats.
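The first two components above come down to one check: reconcile what staff stated in interviews against what discovery agents actually observed, and rank the gaps. The following is an added example written for this post, not code from the authors; the two inventories are constructed sample data, and the priority ordering is an assumption (rogue hosts first, then undeclared ports, then declared assets that could not be found).

```python
from dataclasses import dataclass, field

# Constructed sample data (hypothetical): what staff stated in the interviews.
# Keyed by host; the value is the set of TCP ports they believe are exposed.
DECLARED = {
    "10.0.1.10": {80, 443},   # AppServer-1
    "10.0.1.11": {80, 443},   # AppServer-2
    "10.0.1.20": {443},       # load balancer, "decommissioned last year"
}

# Constructed sample data (hypothetical): what a discovery agent observed.
DISCOVERED = {
    "10.0.1.10": {80, 443, 22},
    "10.0.1.11": {443},
    "10.0.1.57": {3306},      # never mentioned in any interview
}

@dataclass
class Reconciliation:
    rogue_hosts: dict = field(default_factory=dict)       # discovered, never declared
    missing_hosts: list = field(default_factory=list)     # declared, not found
    unexpected_ports: dict = field(default_factory=dict)  # host -> undeclared open ports
    absent_ports: dict = field(default_factory=dict)      # host -> declared but not open

    def findings(self):
        """Flat list of (priority, text), lowest number = act on first."""
        out = [(1, f"rogue host {h} exposing {sorted(p)}") for h, p in self.rogue_hosts.items()]
        out += [(2, f"{h} exposes undeclared ports {sorted(p)}") for h, p in self.unexpected_ports.items()]
        out += [(3, f"declared host {h} not found") for h in self.missing_hosts]
        out += [(4, f"{h} declared ports {sorted(p)} not open") for h, p in self.absent_ports.items()]
        return sorted(out)

def reconcile(declared, discovered):
    """Compare interview-declared inventory with discovered inventory."""
    r = Reconciliation()
    for host, ports in discovered.items():
        if host not in declared:
            r.rogue_hosts[host] = set(ports)   # nobody accounted for this asset
            continue
        extra = set(ports) - declared[host]
        if extra:
            r.unexpected_ports[host] = extra   # "only 80 and 443" was wrong
        closed = declared[host] - set(ports)
        if closed:
            r.absent_ports[host] = closed      # inventory is stale the other way
    r.missing_hosts = sorted(set(declared) - set(discovered))
    return r

if __name__ == "__main__":
    for prio, text in reconcile(DECLARED, DISCOVERED).findings():
        print(f"P{prio}: {text}")
```

The same reconcile step can be rerun on every fresh discovery pass, which is what keeps the inventory from going stale the day the report is delivered.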
Benefits? We have created a system that is a win-win from both the client's and the consultant's standpoint:
- Client:
- Provides immediate value at the end of the traditional consulting cycle
- Validates the theoretical assumptions that are normally error-prone
- Provides targeted insight into what is important to them while de-prioritizing others
- And, above all, provides ongoing KPIs to tangibly determine if they are more secure than before
- Consultant:
- Augments the standard cybersecurity consulting model
- Allows for continuing revenue in either managed or recurring fashion
- Automates a lot of normally tedious work
- Is highly customizable so that it can be adapted quickly for changing clients’ needs