I took these notes from "Enterprise Cybersecurity: How to Build a Successful Cyberdefense Program Against Advanced Threats" for my current job in cybersecurity (which is my first). There is no CISO position, nor even a senior security position, in my company, so I decided to do the boring work myself. I did this so you don't have to. To be fair, the book was really good, and I enjoyed reading it.
I suggest every technical person read the book I mentioned; you will get a foundation in security from a manager's perspective, and you will understand why your CISO makes the decisions he does.
Notes taken from chapter 2 of the book
- Preventive controls: reduce risk probability by blocking threats and preventing incidents from occurring.
- Detective controls: reduce risk impact by generating alerts when systems are compromised.
- Forensic controls: support detective controls by collecting records of all activities related to the risk.
- Audit controls: investigate the presence of the risk.
- Red team: an independent group with no knowledge of the current systems that tries to penetrate the enterprise architecture.
- Assures the security of the computer systems.
I reduced the functional areas from the 11 mentioned in the book to 7.
Notes from chapter 3 of the book
Systems administration
- Preventive: prevent attackers from gaining control of systems.
- Detective: alert when malicious system activity occurs.
- Forensic: log every privileged administrator activity, in order to:
  - generate detective control alerts
  - support investigation of incidents
- Audit: the system audit focuses on proving that user activities are not malicious.
Threats:
- Attackers compromise logins to move laterally to other machines on the network
- Attackers compromise sensitive enterprise data
Capabilities:
- Network isolation
- User audit trail
- Command log analysis
Network security
- Preventive: block malicious traffic from passing from one part of the network to another.
- Detective: detect malicious intent from network traffic.
- Forensic: log network traffic so that user intent can be reconstructed later.
- Audit: analyze network traffic in order to identify malicious intent.
Threats:
- Attackers use compromised servers to move laterally to other servers
Capabilities:
- TLS interception
- Network traffic analysis
- Network Intrusion Detection System (IDS)
- Network Intrusion Prevention System (IPS)
Application security
- Preventive: block exploitation of web applications.
- Detective: detect compromises of web applications and exploitation attempts.
- Forensic: log application activity data that can be used for audits and investigations.
- Audit: prove that applications are safe.
Threats:
- Attackers find vulnerabilities in in-house developed web apps
- Attackers use known CVEs to attack web applications
- Attackers use zero-day exploits
Capabilities:
- Webshell detection
- Web Application Firewalls (WAF)
- Software code vulnerability analysis
- Database firewalls
Identity and authentication
- Preventive: make it harder for attackers to impersonate users or use legitimate user accounts.
- Detective: alert the enterprise when accounts are being attacked.
- Forensic: log all user connection data (connection time, IP address, etc.); the data can be used to identify attack patterns.
- Audit: prove that accounts are not being abused.
Threats:
- Attackers use accounts that are no longer used but were never removed from the enterprise systems
- Attackers use weak authentication methods to log in as other users
- Attackers escalate privileges from a normal user account to administrator
Capabilities:
- Identity life cycle management (password rotation)
- Multi-factor authentication
Data protection and cryptography
- Preventive: protect the confidentiality and integrity of enterprise data by using cryptography.
- Detective: detect weak or broken cryptography.
- Forensic: track the keys and algorithms used in the enterprise to ease the audit phase.
- Audit: collect information about the keys and algorithms in use and the weaknesses that occur.
Threats:
- Attackers steal keys for strong cryptography and use them to log in (SSH keys, for example)
- Attackers brute force passwords that are protected with weak cryptography
Capabilities:
- Key life cycle management and rotation
- Complex passwords
- Brute force attack detection
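An added example, not from the book or these notes, of the brute force attack detection capability applied to the login records the identity section says to keep (connection time, IP address): a sliding-window count of failed logins per source IP over constructed log lines. The record format and the thresholds (5 failures within 60 seconds) are assumptions.

```python
"""Brute-force login detection over constructed authentication records.
Added example; not from the book or the notes. Assumed record format:
    <ISO timestamp> <user> <source ip> <SUCCESS|FAILURE>
Assumed rule: alert when one source IP has THRESHOLD or more failed
logins inside WINDOW, once per burst rather than once per failure."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                    # failures in the window before alerting
WINDOW = timedelta(seconds=60)

# Constructed sample: 203.0.113.9 sprays five accounts in nine seconds,
# 10.0.0.6 is a user who mistypes once, and a lone failure arrives later.
SAMPLE_LOG = """\
2024-01-10T09:00:01 alice 10.0.0.5 SUCCESS
2024-01-10T09:00:05 root 203.0.113.9 FAILURE
2024-01-10T09:00:07 admin 203.0.113.9 FAILURE
2024-01-10T09:00:09 alice 203.0.113.9 FAILURE
2024-01-10T09:00:12 bob 203.0.113.9 FAILURE
2024-01-10T09:00:14 svc 203.0.113.9 FAILURE
2024-01-10T09:00:20 bob 10.0.0.6 FAILURE
2024-01-10T09:00:25 bob 10.0.0.6 SUCCESS
2024-01-10T09:03:00 admin 203.0.113.9 FAILURE
"""

def parse_line(line):
    ts, user, ip, outcome = line.split()
    return datetime.fromisoformat(ts), user, ip, outcome

def detect_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per burst: (ip, first_failure, alert_time, users_targeted)."""
    failures = defaultdict(deque)  # ip -> (timestamp, user) pairs still inside the window
    alerted = set()                # ips whose current burst has already alerted
    alerts = []
    for line in log_text.splitlines():
        ts, user, ip, outcome = parse_line(line)
        if outcome != "FAILURE":
            continue
        q = failures[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) < threshold:
            alerted.discard(ip)       # burst over; a later burst alerts again
        elif ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, q[0][0].isoformat(), ts.isoformat(),
                           sorted({u for _, u in q})))
    return alerts
```

The single failure from 10.0.0.6 and the isolated later failure from 203.0.113.9 stay below the threshold, so only the nine-second spray produces an alert.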
Monitoring, vulnerability and patch management
- Preventive: ensure that vulnerabilities are fixed before attackers can exploit them.
- Detective: monitor all security automation systems to detect incidents so they can be investigated immediately.
- Forensic: log events that can be investigated.
- Audit: centrally collect forensic data that can be analyzed by auditors.
Threats:
- Attackers use methods that are not detected by the monitoring systems and are invisible to the blue team
- Attackers exploit vulnerabilities that are not patched, or use zero-day exploits
- Attackers attack the logging infrastructure to avoid detection
Capabilities:
- Red team penetration testing
- Security Information and Event Management (SIEM)
- Log aggregation
- Honeypots and honeytokens
- Privilege change detection
- File change detection
Availability and recovery
Assess the ability to respond to a wide range of adversary situations.
Threats:
- In a cyber attack the integrity of certain systems is compromised, for example by injecting code into files
Capabilities:
- Virtual machine snapshots
- Data mirroring and replication
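An added example, not from the book or these notes, that ties the file change detection capability listed under monitoring to the integrity threat in this section (code injected into files): a directory is hashed into a baseline and later compared against it, reporting added, removed, modified and re-permissioned files. The tree, its contents and the tampering are all constructed in a temporary directory.

```python
"""File change detection against a hashed baseline (added example, not from
the book or the notes). Keep the real baseline off-host and read-only so
whoever alters a file cannot also alter the record."""
import hashlib
import os
import tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map relative path -> (sha256, permission bits) for every file under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (sha256_of(full), os.stat(full).st_mode & 0o777)
    return baseline

def diff_baseline(old, new):
    """Classify new files, deleted files, content changes and permission changes."""
    both = old.keys() & new.keys()
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "modified": sorted(p for p in both if old[p][0] != new[p][0]),
            "mode_changed": sorted(p for p in both if old[p][1] != new[p][1])}

def demo():
    """Baseline a constructed tree, simulate tampering, report the differences."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        script = os.path.join(root, "bin", "app.sh")
        with open(script, "w") as f:
            f.write("#!/bin/sh\necho hello\n")
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("debug=false\n")
        baseline = build_baseline(root)
        # Simulated tampering: code appended to the script and it is made executable, a file is dropped, the config is deleted.
        with open(script, "a") as f:
            f.write("echo injected\n")
        os.chmod(script, 0o755)
        with open(os.path.join(root, "dropped.txt"), "w") as f:
            f.write("x\n")
        os.remove(os.path.join(root, "config.ini"))
        return diff_baseline(baseline, build_baseline(root))
```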
Implementing cybersecurity protocols
Organizing the personnel
IT and security departments should be tightly coupled and able to coordinate easily.
- Evaluates obscure threats
- Defines policies to manage those risks
- Engages with IT projects to manage risks
Security Operations Center
Involves routine controls to identify cyber incidents when they occur.
Cyber Incident Response Team
Responds to security incidents and supervises their investigation and remediation.
Responsible for collecting security infrastructure and operations artifacts that provide evidence that the security protocols are behaving as intended.
The anatomy of attacks
Attackers usually penetrate systems in 5 steps, using many paths.
These steps are not always in sequence.