Agile Security Operations
eBook - ePub

  • 254 pages
  • English
  • ePUB (mobile friendly)
  • Available on iOS & Android

About this book

Get to grips with security operations through incident response, the ATT&CK framework, active defense, and agile threat intelligence.

Key Features
  • Explore robust and predictable security operations based on measurable service performance
  • Learn how to improve the security posture and work on security audits
  • Discover ways to integrate agile security operations into development and operations

Book Description
Agile security operations allow organizations to survive cybersecurity incidents, deliver key insights into the security posture of an organization, and operate security as an integral part of development and operations. It is, deep down, how security has always operated at its best.
Agile Security Operations will teach you how to implement and operate an agile security operations model in your organization. The book focuses on the culture, staffing, technology, strategy, and tactical aspects of security operations. You'll learn how to establish and build a team and transform your existing team into one that can execute agile security operations.
As you progress through the chapters, you'll be able to improve your understanding of some of the key concepts of security, align operations with the rest of the business, streamline your operations, learn how to report to senior levels in the organization, and acquire funding.
By the end of this Agile book, you'll be ready to start implementing agile security operations, using the book as a handy reference.

What you will learn
  • Get acquainted with the changing landscape of security operations
  • Understand how to sense an attacker's motives and capabilities
  • Grasp key concepts of the kill chain, the ATT&CK framework, and the Cynefin framework
  • Get to grips with designing and developing a defensible security architecture
  • Explore detection and response engineering
  • Overcome challenges in measuring the security posture
  • Derive and communicate business values through security operations
  • Discover ways to implement security as part of development and business operations

Who this book is for
This book is for new and established CSOC managers as well as CISO, CDO, and CIO-level decision-makers. If you work as a cybersecurity engineer or analyst, you'll find this book useful. Intermediate-level knowledge of incident response, cybersecurity, and threat intelligence is necessary to get started with the book.

Frequently asked questions

Agile Security Operations by Hinne Hettema is available in PDF and ePUB format, listed under Computer Science & Cyber Security.

Section 1: Incident Response: The Heart of Security

Part 1 establishes incident response as the "why" of security. That incident response is the heart of security should be clear on a moment's reflection: without cybersecurity incidents, there would be no need for a security team. Yet the model in which incident response sits at the core of security efforts is not widely used. This part of the book explores agile security from that viewpoint.
This part of the book comprises the following chapters:
  • Chapter 1, How Security Operations Are Changing
  • Chapter 2, Incident Response – A Key Capability in Security Operations
  • Chapter 3, Engineering for Incident Response

Chapter 1: How Security Operations Are Changing

Cybersecurity is increasingly important for many organizations, and it manifests itself as business risk. Security operations are a key security capability that organizations must implement to deter cyber-attacks, resolve their effects, and minimize cybersecurity risk to the business. However, the role and mechanics of security operations are often misunderstood. That is why you are reading this book.
This book is written from a viewpoint on cybersecurity that, for some, turns matters on their head. I take the view that cybersecurity operations, when done well, drive security leadership, auditing, reporting, and risk reduction. This is not the common view of how organizations implement cybersecurity operations. The usual approach, sketched very briefly, is that organizations need executive commitment, funding, a cybersecurity program (often driven by audit results), and a raft of security policies and risk heat maps to be effective. The security function's job is then to drive this down into the business, and progress is measured with maturity models and metrics.
This book will overturn that view. The viewpoint that I will develop and work out in this book is the following:
  • Passing audits is the result of security operations done well. Audits do not drive improvement – making improvements in security operations drives improvement overall.
  • Security operations vitally develop and enrich cybersecurity conversations at executive level, mainly through the enhanced visibility they provide. A conversation about what actually happens on your network, as opposed to what one reads about in the newspaper, is inherently more powerful and convincing, especially when it can be backed up with evidence.
  • The visibility and context provided by well-executed cybersecurity operations inherently changes the strategy and risk discussion, leading to better grounded risk and compliance programs.
  • Building in the visibility and response components into applications and networks from the outset leads to better security architecture and changes the conversation from security being a blocker to security being an enabler of the business.
  • If security operations are the core of an organization's cyber risk management, then the activities undertaken to resolve security incidents are at the heart of security operations. The viewpoint I take in this book, and that in my view defines agile security operations, is that effective incident response is the key measure of risk reduction from threats. In turn, the need to perform incident response drives the rest of security operations.
The operations piece of cybersecurity also needs funding, commitment, policies, and risk management; doing cybersecurity operations well is not an excuse to get rid of these things. The difference is a radically changed conversation about their impact and use. Cybersecurity operations, done well, provide vital context and enrichment to the executive and business conversation. This leads to a tight integration between cybersecurity and the business, reduces risk more effectively, and, in short, produces an organization that is defensible from a tooling (technical), cultural (people), and management (process) perspective. The three terms in parentheses are sometimes referred to as the people, process, and technology (PPT) framework.
The focus of this chapter is on the following:
  • Understanding the role of security operations in risk management
  • Defining security operations
  • Understanding why security operations need to be agile
The chapter is structured as follows:
  • Why security is hard
  • Security incidents
  • Security solutions in search of a problem
  • The scope of security operations
  • Where security operations turn agile

Why security is hard

In many organizations, implementing security is hard work. At a technical level, security is often seen as a blocker; at a tactical level, security considerations may change how the business operates; and at a strategic and political level, security often raises problems that many organizations prefer to ignore. This section places security operations at the core of a security program and introduces the five types of cyber defense.

Security operations

This book takes the view that security operations are the heart of a security program. When organizations do their security operations well, they generate the necessary context to develop strategy, policies, and reporting, and gain the most benefit from audits.
The centrality of security operations is a somewhat unpopular view: much of what we see in security writing focuses heavily on technology, which is the implementation side of security, or on strategy, which concerns the management and maturity of the program. By not considering security operations, too many organizations still focus on prevention and controls. While prevention and controls are important, in this book I argue, based on experience, that they are the result of good security operations rather than the cause.
In a nutshell, security operations are an organization's capability to detect and respond to adversarial events on its systems and networks.
That is a mouthful, but we can unpack it a bit. Detection speaks to the capability of an organization to notice that something is wrong on its networks, preferably at an early stage of an attack; response speaks to its capability to deal with such an event. Adversarial indicates that the event is caused by humans and has a specific component of intent.
In this book, I'll focus specifically on security operations and the ethos needed to create and sustain a security team that excels in security operations.
Therefore, I'll stay away from talking too much about either technology or strategy and instead focus heavily on tactics. Tactics, the specialty of security operations, are the nitty-gritty of how organizations respond to actual attacks, threats, vulnerabilities, and adversarial activity on their systems and networks.
If you think of strategy as the why of security and technology as the what, then tactics are the how: how do we realistically implement a risk program, how do we use the technology that has just been bought, and how do we secure an enterprise? These are the questions I aim to answer in this book. Tactics are the critical connecting layer between technology and strategy, and that layer has not received the attention it deserves.

Cybersecurity, threats, and risk

Cybersecurity is traditionally approached from the viewpoint of business risk management. This creates a disconnect with security operations, and that fundamental disconnect makes security in many organizations harder than it needs to be.
To understand this better, we can look at how risk management usually approaches areas of risk. While the view of risk management I develop here is very simplified, it captures all the essentials. Risk management is typically based on a risk register, where risks are enumerated and given a priority of high, medium, or low (or a color-coded scale) based on both the exposure to the risk (the likelihood) and the impact (the consequence). In most cases, these assessments are subjective and dependent on the sector and context.
Risk management then relies on a matrix of controls to manage risk. Broadly speaking, risk treatment has four options: prevention, reduction, acceptance, or transfer. Prevention means that the organization puts in a device or measure that prevents the risk from materializing. Reduction means that some compensating control is developed that limits the risk, or at least makes it visible in time.
Acceptance of risk means just that: the risk is accepted by the organization and no further action is undertaken to address it; consequences will have to be dealt with as they occur. This can happen, for instance, when a risk is too costly or cumbersome to address, or when the costs and effort of addressing it are out of proportion to the risk being accepted.
A transfer of risk occurs when the risk is borne by a third party, for instance when an organization buys cyber insurance. We will have more to say on cyber insurance in Chapter 7, How Secure Are You? – Measuring Security Posture.
Once this register is complete, risks are prioritized, mitigations costed and budgeted, and the budgets for the highest risks approved. Then it's rinse and repeat.

Measuring cybersecurity risk

While you might think that risk management is a typical business way of dealing with the risks posed by cybersecurity and is therefore easily understood by senior leaders in an organization, yo...

Table of contents

  1. Agile Security Operations
  2. Contributors
  3. Preface
  4. Section 1: Incident Response: The Heart of Security
  5. Chapter 1: How Security Operations Are Changing
  6. Chapter 2: Incident Response – A Key Capability in Security Operations
  7. Chapter 3: Engineering for Incident Response
  8. Section 2: Defensible Organizations
  9. Chapter 4: Key Concepts in Cyber Defense
  10. Chapter 5: Defensible Architecture
  11. Chapter 6: Active Defense
  12. Chapter 7: How Secure Are You? – Measuring Security Posture
  13. Section 3: Advanced Agile Security Operations
  14. Chapter 8: Red, Blue, and Purple Teaming
  15. Chapter 9: Running and Operating Security Services
  16. Chapter 10: Implementing Agile Threat Intelligence
  17. Appendix
  18. Further reading
  19. Other Books You May Enjoy