“Is it safe?” Argh! For anyone who has seen the movie Marathon Man, this line triggers terror. Similarly, being asked “are we secure?” by management instills equal terror. Why? Most organizations lack continuous monitoring and real-time situational awareness of their security posture. Without these, it is impossible to answer the question, and it is impossible to be secure, let alone safe.
In this ongoing series of posts, I am sharing my experience as I work through the NIST Cybersecurity Framework Controls Factory Model (NCSF CFM) training, developed by Larry Wilson, UMass CISO and produced by itSM Solutions. In my previous posts, I provided an overview of the NCSF CFM and touched on the Technology Program Design-Build, the first component of the CFM Technology Center, and the foundation of this discussion, the Security Operations Center (SOC).
The SOC training begins with the NIST SP 800-137 Information Security Continuous Monitoring (ISCM) methodology.
It is a great place to start. Continuous monitoring is core to NIST CSF (DE.CM-1 through DE.CM-8), ISO 27001 (A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.1, A.14.2.7, A.15.2.1), and COBIT 5 (APO07.06, BAI03.10, DSS05.01, DSS05.07).
The training goes through all aspects of a SOC: technology, people, processes, and services. It does an excellent job of putting the role of the SIEM (Security Information and Event Management) into perspective for overall situational awareness.
Balancing Strategy with Practical Guidance
So far, this is pretty much bread-and-butter security operations training. What I like about Larry’s flow is that he moves smoothly between strategy and practical guidance. For example, the training first dives into the application of the SIEM to specific data sources: security devices, servers and mainframes, network and virtual activity, data activity, application activity, configuration information, vulnerability and threat data, user activity, and so on. After this, it steps back and maps out the different personnel roles and responsibilities of a SOC. Then it dives into a detailed discussion of cyber threat hunting. I love the threat hunting maturity model that the training draws on from Sqrrl!
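To make “applying the SIEM to several data sources” concrete, here is a small illustration of my own. It is not material from the training and not a real SIEM; it normalizes constructed log lines from three of the sources listed above (an SSH authentication log, a firewall log, and a vulnerability scanner’s findings) into one event schema, correlates a burst of failed logins followed by a success from the same source address, and enriches the resulting alert with the target asset and its known weaknesses. The log lines, IP addresses (documentation ranges), hostnames, thresholds, and function names are all assumptions made up for the example.

```python
"""Toy SIEM-style correlation over constructed multi-source events.

Added illustration only; not code from the NCSF CFM training or any product.
All log lines below are constructed sample data, not real captures.
"""
import re
from datetime import datetime, timedelta

# Constructed SSH authentication log (server-side data source).
AUTH_LOG = """\
2024-05-01T10:00:01Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51112 ssh2
2024-05-01T10:00:03Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51113 ssh2
2024-05-01T10:00:05Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51114 ssh2
2024-05-01T10:00:06Z sshd[1201]: Failed password for root from 203.0.113.7 port 51115 ssh2
2024-05-01T10:00:08Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51116 ssh2
2024-05-01T10:00:11Z sshd[1201]: Accepted password for admin from 203.0.113.7 port 51117 ssh2
2024-05-01T10:05:00Z sshd[1201]: Failed password for bob from 198.51.100.4 port 40001 ssh2
2024-05-01T10:20:00Z sshd[1201]: Accepted password for bob from 198.51.100.4 port 40002 ssh2
"""

# Constructed firewall log (network data source).
FIREWALL_LOG = """\
2024-05-01T09:59:58Z fw01 action=allow src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp
2024-05-01T10:04:59Z fw01 action=allow src=198.51.100.4 dst=10.0.0.5 dport=22 proto=tcp
"""

# Constructed vulnerability-scanner findings keyed by asset (vulnerability data source).
VULN_FINDINGS = {"10.0.0.5": ["ssh password authentication enabled", "OpenSSH 7.4 (outdated)"]}

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) \S+ action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize_auth(text):
    """Map raw sshd lines onto the common event schema."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # a real pipeline should count unparsed lines rather than drop them silently
        events.append({
            "ts": parse_ts(m["ts"]),
            "source": "auth",
            "outcome": "success" if m["outcome"] == "Accepted" else "failure",
            "user": m["user"],
            "src_ip": m["src"],
        })
    return events


def normalize_firewall(text):
    """Map raw firewall lines onto the common event schema."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": parse_ts(m["ts"]),
            "source": "firewall",
            "action": m["action"],
            "src_ip": m["src"],
            "dst_ip": m["dst"],
            "dport": int(m["dport"]),
        })
    return events


def correlate_brute_force(auth_events, window=timedelta(seconds=60), threshold=3):
    """Alert when a success is preceded by >= threshold failures from the same IP inside the window."""
    alerts = []
    events = sorted(auth_events, key=lambda e: e["ts"])
    for i, ev in enumerate(events):
        if ev["outcome"] != "success":
            continue
        failures = [
            p for p in events[:i]
            if p["outcome"] == "failure"
            and p["src_ip"] == ev["src_ip"]
            and ev["ts"] - p["ts"] <= window
        ]
        if len(failures) >= threshold:
            alerts.append({
                "rule": "brute-force followed by success",
                "ts": ev["ts"],
                "src_ip": ev["src_ip"],
                "user": ev["user"],
                "failures": len(failures),
                "users_tried": sorted({f["user"] for f in failures}),
            })
    return alerts


def enrich(alert, fw_events, vuln_findings):
    """Attach the target asset (latest firewall allow from the source) and its scanner findings."""
    hits = [f for f in fw_events
            if f["src_ip"] == alert["src_ip"] and f["action"] == "allow" and f["ts"] <= alert["ts"]]
    target = max(hits, key=lambda f: f["ts"])["dst_ip"] if hits else None
    return {**alert, "target": target, "findings": vuln_findings.get(target, [])}


def run_pipeline():
    """Normalize, correlate, enrich: the three steps a SIEM performs across data sources."""
    auth = normalize_auth(AUTH_LOG)
    fw = normalize_firewall(FIREWALL_LOG)
    return [enrich(a, fw, VULN_FINDINGS) for a in correlate_brute_force(auth)]


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

Running it yields a single alert for 203.0.113.7 (five failures against admin and root, then a successful admin login, targeting 10.0.0.5, which the scanner says still allows password authentication), while bob’s lone failure fifteen minutes before his login produces nothing. The point is the shape, not the rule: each source gets its own normalizer, the correlation runs over the shared schema, and enrichment is what turns an event into something an analyst can act on.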
Once one gets through SOC technology, personnel, and operations, the training provides an excellent integration of the NIST SP 800-61 Incident Response Lifecycle: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.
As I have written multiple times, what excites me about this training is the radical simplicity of the practice. But simple doesn’t mean elementary. For example, Larry Wilson recognizes that the participant might be a team member of a 500-person security operation, or they may be the security operation. At the end of the training, there is an excellent discussion of SOC alternatives, including roll-your-own and MSSP. This section is one area where I think the training could go into more detail on homegrown SOC technology using open-source solutions like OSSIM and the ELK stack (Elasticsearch, Logstash, and Kibana). When I start delivering the training, I plan to add a section on homegrown SOC options.
The training concludes with a decision matrix to help organizations figure out their appetite for security operations.
For example, as Larry states, “if the purpose of the security operations program is compliance and audit readiness, then an MSSP is usually the best option.” I like the pragmatism of this type of training: making decisions based on the reality of one’s situation, rather than the fantasy of what one hopes to see happening.
After going through the training, I am much more confident in my ability to walk into a security operation and quickly assimilate as a newbie, or to sketch out a SOC for my company as a CISO. Is it secure? Well, not yet. We still have seven more modules to work through in the NCSF CFM. However, this class alone will prevent significant pain and anxiety the next time anyone asks “is it safe?”
In my next post, I am jumping over to the business center of the NCSF Controls Factory Model. In the meantime, please contact me if you have any questions about NCSF CFM. Also, please comment below. I would love to hear from my connections on the front line of cybersecurity, doing their best to keep their colleagues and organizations safe.