Like most sectors of IT, security professionals can follow a lifecycle model throughout their daily work. However, most security professionals will tell you that they do not work in a linear and static fashion. We agree with this statement, but we also believe that these lifecycles provide a valuable foundation for any security program or professional to build from.
Using a lifecycle model as a security professional gives you a guide which ensures that progress is continuously being made on the security posture of your enterprise. Your security program is not a static assessment or something that could ever be considered a “finished product,” free from any possible improvement. Instead, your security program is something that requires constant attention, upkeep, and enhancement.
However, before we get to the four major components of the information security lifecycle, Identify, Assess, Protect, and Monitor, we must take a look at the policies and procedures that will shape your company’s specific information security lifecycle.
Before you can establish a clear lifecycle for your company’s security, you must first establish the policies and procedures that your company’s security team will base their lifecycle on. These policies and procedures are vital to discuss as a sort of “Step 0” in the lifecycle, as they will serve as the foundation you build your security plan upon.
Establishing clear policy and standards based on your security team’s composition will be key to both the assessment and protection parts of your security program. The assessment side of your program will use the established standards and policy as the basis of the assessments it conducts, comparing its efforts and resources against these policies. Additionally, the protection side of your program will be configured and prioritized based on the standards set in this preliminary stage.
Overall, the entirety of your company’s security lifecycle is built around the policy and standards that you wish to prioritize as a security team. Without clear procedures to follow and standards to abide by, your lifecycle will be disjointed and ineffective in practice. The importance of policy and standards in your program is further demonstrated in the graphic below:
The very first thing to do when entering the information security lifecycle is to identify what it is that you’re trying to protect. You can’t protect what you can’t see (or don’t know exists, for that matter). The first step of the lifecycle is to map your network, identify servers, and understand what applications are running on them. This identification stage should start at a high level and then work its way down to a more granular level. In order to form a proper security posture, you need to both identify and understand the resources you have at your disposal and the assets you need to protect.
Some of the most important questions to ask within your company include:
In order to answer these questions, you need to perform a thorough audit of your company’s posture. This should be done through both interviews and discussions internally and through external tools and platforms. Internally you will be able to learn a lot from fellow security professionals, IT staff, and employees working in other departments at the company. However, you will also need external resources to take an unbiased look at your posture to gather up all the necessary resources required to paint the whole picture.
One of the most popular and useful external tools is Nmap. Nmap is an open source tool which is great for discovering networks and identifying useful details like the applications and operating systems in use. Additionally, Nmap can be run on almost any device, which will be important in mapping your entire network.
Once you have gathered all of the necessary and obtainable data, you will want to create a secure record that stores all of the information for later use. This database will contain information like host name, OS, the business applications you utilize, and the network location. All of this will be important for future steps in the information security lifecycle.
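As an added illustration (not part of the original post), the Python below turns an Nmap XML report into the inventory records described above: host name, OS, listening services and network location. The sample scan output and the subnet-to-location map (`SITE_NETWORKS`) are constructed assumptions for the example; a real report would come from `nmap -sV -O -oX`.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import namedtuple

# Constructed sample in the shape of `nmap -sV -O -oX -` output, cut down to the
# elements the inventory reads; a real report carries many more attributes.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="10.0.1.20" addrtype="ipv4"/>
<hostnames><hostname name="web01.example.internal" type="PTR"/></hostnames>
<ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx" version="1.18.0"/></port>
<port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port></ports>
<os><osmatch name="Linux 5.4 - 5.15" accuracy="95"/></os></host>
<host><status state="up"/><address addr="10.0.2.5" addrtype="ipv4"/><hostnames/>
<ports><port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port></ports>
<os><osmatch name="Microsoft Windows Server 2019" accuracy="90"/></os></host>
<host><status state="down"/><address addr="10.0.2.9" addrtype="ipv4"/></host>
</nmaprun>"""

# Assumed site plan: subnet -> the "network location" field the inventory records.
SITE_NETWORKS = {"10.0.1.0/24": "dmz", "10.0.2.0/24": "server-vlan"}

# One inventory record; services are "port/proto name product version" strings.
Asset = namedtuple("Asset", "ip hostname os network services")

def locate(ip, site_networks=SITE_NETWORKS):
    """Name the network an address sits in; 'unmapped' flags a gap in the site plan."""
    addr = ipaddress.ip_address(ip)
    return next((n for c, n in site_networks.items() if addr in ipaddress.ip_network(c)), "unmapped")

def inventory_from_nmap_xml(xml_text, site_networks=SITE_NETWORKS):
    """Turn one Nmap XML report into inventory records: host name, OS, open services, location."""
    assets = []
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue  # nothing to inventory on a host that did not answer
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        hn, osm = host.find("hostnames/hostname"), host.find("os/osmatch")
        services = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # only listening services belong in the inventory
            svc = port.find("service")
            detail = [svc.get(k) for k in ("name", "product", "version")] if svc is not None else []
            services.append(" ".join([f"{port.get('portid')}/{port.get('protocol')}", *filter(None, detail)]))
        assets.append(Asset(ip, hn.get("name") if hn is not None else "",
                            osm.get("name") if osm is not None else "unknown",  # OS match is a guess
                            locate(ip, site_networks), services))
    return assets
```

An empty hostname or an "unmapped" location is itself a finding: the host exists on the network but not in your naming or site records.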
The assessment phase of the information security lifecycle looks to take the information gained in the previous step and build on it. Once all of your assets have been identified and documented, the next step is to perform a thorough security assessment on said assets. This step covers all aspects of assessment, from reviewing your current processes and procedures to actually performing vulnerability scans.
It can be overwhelming (especially for larger enterprises) to decide where to start. There are so many components of your network that you are responsible for protecting. So how do you separate signal from noise? The key is to prioritize based on your most important assets! Start on the servers and assets that are the most vulnerable and the most critical to protect for your organization. Starting with the most important and the most “exposed” areas of your business will help ensure you make the most important improvements first.
When assessing your network, it is vital to continue collecting information, and then to actually assess it! Learn as much as you can about your applications, how they’re configured, and where the various components reside. This step is all about drilling down from a high level to obtain more granular details. Once you’re done consulting, you will want to conduct a thorough vulnerability assessment.
A favorite vulnerability scanner in the world of information security is Nessus. Nessus, a tool that integrates with PlexTrac, is capable of providing a wealth of information to your team. Nessus discovers your network, and then identifies and assesses each system for vulnerabilities. In fact, Nessus is useful for both the identification and assessment steps of the information security lifecycle. Additional tools like SuperScan and BlackWidow are equally useful in this step of the lifecycle.
The overall objective of the assessment step is to examine all of the resources you have, at all levels, to both find vulnerabilities and obtain better information about each resource your company has. This allows you to supplement the high-level overview you obtained in the identification phase and refine it with more granular details.
After assessing your network and obtaining more granular information about it, it’s important to protect your network by bringing systems up to speed with your previously established policy and standards. Essentially, it’s now time to protect your systems. This step of the information security lifecycle is sometimes referred to as the “mitigation” step, since the actual objective of the step is to mitigate all of the risks identified during the assessment period.
The focus of this phase should be to configure and bolster each system and network component you have. The outcome of this step should be systems and networks that are in line with the corporate policy established before the lifecycle began. As in earlier steps, you likely have hundreds of servers, routers, and more in use in your network… So, where do you start?
A good standard to set is to start with small changes on the non-critical aspects of enterprise components. Implementing large changes to critical infrastructure can be dangerous if done incorrectly and without thorough testing. Instead, implement gradual change to build trust and ensure that your changes are implemented without the creation of new problems. Additionally, follow your deployment processes for the changes made to your network, especially when moving from gradual change to the larger, more critical issues.
The last aspect of the protection step is deciding the appropriate level of protection for each resource you’re responsible for. All of your resources will be required to meet a certain security threshold, but it’s up to your security team to determine what level of protection is appropriate for each resource. For example, confidential information vital to the successful operation of your business should be protected at the maximum level possible, whereas less sensitive or largely public information should be given a lower prioritization and protection level.
The overall goal of this protection phase is to ensure your security controls are in line with the policies and standards established earlier, and to eliminate vulnerabilities so your network is as secure as possible.
The last step of the information security lifecycle is to monitor the security you have in place and the security you’ve recently changed and updated. Once you believe you’ve strengthened your security posture as a whole, it’s important to ensure it remains that way. In addition to monitoring the changes you’ve made, it’s important to monitor new systems that are introduced into the ecosystem of your company’s network. Computer systems and servers are constantly being changed and updated, so a process needs to be implemented that monitors the status of security across the enterprise.
Determining how often you must monitor certain resources depends largely upon the same criterion established in the protection step – the value of the resource. Every system will need to be checked periodically to ensure vulnerabilities have not been exploited, but more valuable resources should be checked more often to ensure the “crown jewels” don’t fall into the wrong hands.
Verifying and ensuring security compliance should be your primary goal in the monitoring step of the information security lifecycle. Are we safe? How do you know you’re safe? The continuous assessment and monitoring of your important assets will help ensure you always have the answer to these questions. Additionally, tools like Tripwire, Microsoft’s Security Configuration and Analysis tool, and any of the benchmarking tools relating to the Center for Internet Security (CIS) [like PlexTrac] will be useful to ensure you get a real-time view of your security posture and can collaborate for future remediation efforts on the network.
The overarching goals of the monitoring step of the information security lifecycle are to continually monitor security and measure performance against the standards your company holds. Like the other areas of your business, measuring your security is necessary to ensure that progress is being made and security resources are being properly implemented into the network.
Using and implementing the information security lifecycle within your security team and enterprise will grant you a better security posture, ensuring your team is firing on all cylinders. This plan will also ensure you have a process for continuous assessment and monitoring so that your security keeps learning and improving over time as attacks become more sophisticated. Lastly, having a lifecycle in place will ensure the resources at your disposal are prioritized based on value and then deployed in the areas where improvements are needed the most.
Overall, implementing a lifecycle process within your security team will improve the efficiency and effectiveness of that team, and ensure your defenses are maximized against the attacks that will inevitably come for your most precious data.