Episode 20 - Security Dichotomies

We're riffing off a talk Stuart gave with Jason Lang about the elements within cyber security that sit in tension with each other and, in doing so, make the whole better. If you don't know when and where those tensions exist, they become tar pits that get us stuck.

Notes:

What is a dichotomy: a division into two especially mutually exclusive or contradictory groups or entities

https://www.merriam-webster.com/dictionary/dichotomy 

In our security work we can easily leverage thinking in terms of offense (red team) and defense (blue team). 

Jason Lang and Stuart McIntosh gave a talk on the offense and defense steps of a security program, Victor or Victim Strategies for Avoiding an InfoSec Cold War. Jason has also made the slides of the security program's steps directly available, https://github.com/curi0usJack/slides.

Each step on the ladder has an offense and a defense anchor point for that level. These rungs of the ladder are common areas where people get stuck. We want to break down a few of these that we frequently see. 

Vulnerability management/Patching 

  • First rung but most ignore or do the minimum 

  • The chopping wood and carrying water of the security world 

  • Indicators of stuck – not remediating as fast as new findings come in; the backlog will always fluctuate, so measuring the high tide and low tide (the peak and trough of open findings over time) matters more than any single snapshot 

  • Stretch goals – remediation of vulns within 90 days, applying patches < 90 days, known inventory of hardware and software 

Purple Teaming/Centralized logging 

  • Middle of the ladder but marks a significant unlock – visibility 

  • If you don't have a centralized logging solution that lets you search efficiently, then you have hit the ceiling on the value you can create 

  • Indicators of stuck – not closing the gaps identified from audits and pen tests, detection ideas but not able to add to production, not reducing alert volume 

  • Stretch goals – never have a pen test finding repeated, integrate alert feedback into hardening controls, alert volume lower but the diversity of alerts expands 

Red Teaming/Threat Hunting 

  • We put these on separate upper rungs, but I combined them here since it is common to hear one or both from customers 

  • Typically, people jump to these before the lower functions are addressed, which guarantees these will not be as impactful as they could be 

  • Indicators of stuck – lack of value stories/examples from the work, no direct connection back to the work other teams do 

  • Stretch goals – Conversion of hunts into production detections, sophistication of red team techniques needed to succeed increase, ability to show knowledge from these efforts influencing other security priorities

This X post really seemed to help frame approaching these, https://twitter.com/hopsoft/status/1754952220578324693 

Summary

  • Get knowledgeable about where you are, honestly 

    • Go through the slides and think about what is working well and what needs improvement 

  • Prioritize improvement and proficiency of lower rungs on the ladder 

    • It can be boring not to be focused on red teaming or AI, but the basics are the key to success 

  • Foster creativity not cleverness 

    • Using host-based firewalls to restrict living-off-the-land executables is creative; a 400-line detection may be an attempt at being clever 

    • One improves resilience, the other adds brittleness 
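As an added example of the "creative, not clever" point above (this is not code from the episode or the slides), the following PowerShell uses the built-in Windows firewall to deny outbound network access to a handful of living-off-the-land binaries. The binary list and rule names are assumptions chosen for illustration; tune them to your estate. It must be run from an elevated session on a Windows host with the NetSecurity module (Windows 8 / Server 2012 or later).

```powershell
# Added example: block outbound network access for common Windows LOLBins
# using the host firewall. The list below is an assumption for illustration,
# not a recommendation for every environment.
$lolbins = @(
    'certutil.exe',
    'mshta.exe',
    'regsvr32.exe',
    'rundll32.exe',
    'cscript.exe',
    'wscript.exe',
    'bitsadmin.exe'
)

# Cover both the 64-bit and the 32-bit (WOW64) copies of each binary;
# an attacker can call either one.
$dirs = @('System32', 'SysWOW64')

foreach ($dir in $dirs) {
    foreach ($bin in $lolbins) {
        $path = Join-Path $env:SystemRoot "$dir\$bin"
        $name = "Block outbound - $bin ($dir) [LOLBin]"

        if (-not (Test-Path $path)) {
            Write-Warning "$path not found, skipping"
            continue
        }

        # Idempotent: do not create a duplicate rule on re-runs
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Output "Rule already present: $name"
            continue
        }

        New-NetFirewallRule -DisplayName $name `
            -Direction Outbound `
            -Program $path `
            -Action Block `
            -Profile Any `
            -Enabled True | Out-Null

        Write-Output "Created: $name"
    }
}

# Verify what the script manages (wildcard match on the naming convention)
Get-NetFirewallRule -DisplayName '*[LOLBin]' |
    Select-Object DisplayName, Enabled, Direction, Action
```

Roll this out to a pilot group before the whole fleet: rundll32.exe and regsvr32.exe are invoked by legitimate Windows components, so watch for breakage and for firewall log entries from those rules. The resilience comes from the fact that the control is one line per binary, survives OS and tooling changes, and fails closed, whereas a long detection rule for the same behaviour has to be maintained against every new invocation pattern.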
