Security Teams and Limited Resources
Aaron Louks
Coping with limited resources is a common challenge for security operations teams. Whether it’s due to budget constraints, staffing shortages, or other factors, security teams often need to find ways to do more with less. Let’s talk about some strategies we can use to achieve success in this environment.
By identifying, quantifying, and categorizing the most critical risks to the organization, security teams can focus their limited resources on mitigating the most probable attack vectors first. This typically involves a multi-faceted approach that begins with a risk management plan that defines remediation timelines you are able to achieve. How does this timeline compare to industry standards?
Next, you need to gain situational awareness of the environment by diagramming the network, scanning the subnets for hosts, and identifying all ingress/egress points. Are your firewalls restrictive enough? Is there VLAN segmentation? With this information, you can conduct in-depth scans of each asset to find exposed services. Are there known vulnerabilities for the services you identified? What are the CVSS base scores of those vulnerabilities? Have you implemented secure configuration baselines on your systems (such as the NIST or CIS frameworks)? What is the secure configuration baseline score of each system? With this information, you can begin to prioritize the obvious risks, which brings us to the next point: we’re a small team, so how can we practically remediate all these vulnerabilities?
Collaboration with other teams, such as IT/Operations, can be an effective way to leverage limited resources. By working together, teams can share information and expertise, which helps to identify and mitigate security risks more effectively. Security is a team sport, in that it requires solid communication and cooperation to improve the organization’s posture. Over time, you build relationships and trust, which can be invaluable in times of crisis.
Now we are starting to get a handle on the risks and communicating with teams within our organization. How do we improve our reaction times to incidents?
Implement Automation & Orchestration
Automating routine tasks, such as vulnerability scanning or log analysis, can free up a security team’s time to focus on more complex and high-priority tasks. Setting up scheduled tasks and consolidating telemetry data into a SIEM is the first phase of implementing automation. The second phase is creating rules (e.g., Sigma rules) that trigger alerts on specific conditions while logs and events are processed. By using those rules to trigger playbooks that coordinate actions across multiple systems, you can leverage orchestration to reduce mundane, repetitive work while also mitigating the risk of human error, which is especially important in high-stress environments with low tolerance for mistakes. Automation and orchestration allow your environment to react quickly during incidents to contain affected systems and services. So how do we know what to react to?
Leverage Threat Intelligence
External sources of threat intelligence allow security teams to gain insights into emerging threats and trends, and to be informed of specific indicators of compromise. There are three types of threat intelligence feeds: strategic, operational, and tactical. Strategic feeds contain high-level information on threat actor campaigns that allows policymakers to make informed decisions pertaining to risk assessment. Operational feeds carry information on the types of tools and techniques threat actors are using. Tactical feeds carry specific indicators that can be used to identify threats, such as file hashes, IP addresses, and URLs. Integrating tactical feeds into your system allows for high-speed blocking or remediation of malicious activity through quarantining, blacklisting, isolation, and null routing. Having situational awareness that you are being attacked, and being able to correlate that activity to a specific known threat actor, is crucial to incident response.
With automation and orchestration configured in your environment, integrating threat intelligence feeds would be the next logical step to fully realizing the value of your system for responding to active or potential threats against your organization.
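As an added illustration of the two preceding sections (not code from this post or from ThreatQ), the sketch below evaluates one reduced Sigma-style rule and one tactical IOC feed over constructed telemetry and maps each hit to an orchestration playbook name. The feed values, host names, events and playbook names are all constructed placeholders.

```python
# Added example, not ThreatQ's code: Sigma-style rule + tactical IOC lookup -> playbook actions.
# Constructed feed: a documentation-range IP (RFC 5737) and the MD5 of an empty file.
TACTICAL_FEED = {"ip": {"203.0.113.7"}, "hash": {"d41d8cd98f00b204e9800998ecf8427e"}}
PLAYBOOK_FOR_IOC = {"ip": "null_route_destination", "hash": "quarantine_file"}

# Sigma-style rule reduced to one selection whose fields must all match.
RULE_ENCODED_POWERSHELL = {
    "title": "Encoded PowerShell command line",
    "detection": {
        "selection": {"process": "powershell.exe", "cmdline|contains": "-EncodedCommand"},
        "condition": "selection",
    },
    "playbook": "isolate_host",
}

def field_matches(event, key, expected):
    """Case-insensitive equality, plus the Sigma 'contains' modifier."""
    name, _, modifier = key.partition("|")
    value = str(event.get(name, "")).lower()
    return expected.lower() in value if modifier == "contains" else value == expected.lower()

def rule_matches(rule, event):
    selection = rule["detection"]["selection"]
    return all(field_matches(event, k, v) for k, v in selection.items())

def ioc_matches(event):
    """Return the tactical indicator type the event hits, or None."""
    if event.get("dst_ip") in TACTICAL_FEED["ip"]:
        return "ip"
    if event.get("file_hash") in TACTICAL_FEED["hash"]:
        return "hash"
    return None

def triage(events):
    """Run the rule and IOC lookups over telemetry; return (host, playbook) actions."""
    actions = []
    for ev in events:
        if rule_matches(RULE_ENCODED_POWERSHELL, ev):
            actions.append((ev["host"], RULE_ENCODED_POWERSHELL["playbook"]))
        hit = ioc_matches(ev)
        if hit:
            actions.append((ev["host"], PLAYBOOK_FOR_IOC[hit]))
    return actions

SAMPLE_EVENTS = [  # constructed telemetry, one event per line
    {"host": "ws-01", "process": "powershell.exe", "cmdline": "powershell.exe -EncodedCommand AAAA"},
    {"host": "ws-02", "process": "chrome.exe", "dst_ip": "203.0.113.7"},
    {"host": "ws-03", "process": "explorer.exe", "file_hash": "d41d8cd98f00b204e9800998ecf8427e"},
    {"host": "ws-04", "process": "notepad.exe", "dst_ip": "192.0.2.10"},
]
```

Calling triage(SAMPLE_EVENTS) yields three actions (isolate ws-01, null-route ws-02's destination, quarantine the file on ws-03); ws-04 matches nothing and produces no action.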
Invest in Training and Development
Finally, investing in training and development is an effective way to cope with limited resources. By providing employees with the skills and knowledge they need to perform their jobs effectively, security teams can improve their overall performance and productivity while reducing caseload. This can involve providing employees with training on new tools or technologies, conducting regular phishing tests, or investing in certifications or other professional development programs. Employees are the first line of defense; enabling them to make sound decisions during their work day is a force multiplier.
In conclusion, coping with limited resources is a common challenge for security operations teams. However, by implementing the aforementioned strategies, security teams can find ways to do more with less. By taking a strategic and proactive approach to managing limited resources, security teams can help to ensure that their organizations are protected from a wide range of security threats.
For more information about automation and orchestration, check out the ThreatQ Platform, ThreatQ TDR Orchestrator, or the Online Experience. To learn about ThreatQ online training please visit the ThreatQ Academy. Need more information or have questions, please contact us or request a demo.