A large technology organization with operations across the globe and a broad technical footprint. The current security program had been operational for several years and was compliant with standard requirements. A skilled team of security professionals was working with elements of the business to deliver a variety of services. All the major programs were in place, and no breaches were known to have occurred despite a wide range of malicious activity being uncovered on a regular basis.
The organization was expanding and branching out into a number of new areas. In addition, the security team was becoming concerned about the “known unknowns” and “unknown unknowns” and wanted to ensure that the security program was up to the challenges they suspected they would soon be facing.
A number of fact-finding meetings were held, and the OccamSec team spent time with the security personnel to gain an understanding of the security program. At the same time, meetings were held with business personnel to discuss the company’s expansion plans.
A threat assessment of the organization was conducted to identify any new threats the expansion would attract. Various assessment activities were also conducted to determine the actual capabilities and effectiveness of the security program.
Some improvement opportunities were identified. A good foundation was in place, so the key was to build upon it. The majority of the low-hanging fruit was already covered; the issue now was the potential for an advanced attack (external, or by a malicious insider) to cause damage.
The OccamSec team worked with the client to improve the following:
Threat identification – multiple automated feeds were being used, which was creating an information overload. Multiple “dashboards” had to be used, conflicting terms were used to describe the same threat, and the majority of the information had no context applied, so the risk was difficult to determine. A fusion center was created whereby data was aggregated into one central system and various organization-specific data (such as asset criticality and exposure) was then applied to identify the relevant issues.
Vulnerability management – The client was conducting automated scanning, had a penetration test program, and was having regular external assessments conducted. Asset criticality (primarily with regard to data) was added to this, along with the ability to determine how attacks could be chained across the environment. Data from the fusion center was also combined with this data, allowing for a more accurate assessment of risk.
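The fusion step described above, as an added example that is not OccamSec's or the client's code: constructed feed records name the same threat in conflicting ways, an alias table (assumed) collapses them into one record per threat, and constructed asset criticality and exposure data are applied so the output is a ranked list of relevant issues instead of raw feed noise.

```python
"""Added example: normalize conflicting threat-feed vocabulary, then apply
organization-specific context (asset criticality, exposure) to rank issues."""

# Constructed: alias table mapping each feed's vocabulary to one canonical name.
ALIASES = {"evil-rat": "EvilRAT", "EVILRAT": "EvilRAT", "Evil RAT": "EvilRAT",
           "cryptolock": "CryptoLock", "CryptoLocker-variant": "CryptoLock"}

# Constructed: two feeds reporting the same threats under different labels.
FEED_A = [{"threat": "evil-rat", "technique": "phishing", "severity": 3},
          {"threat": "cryptolock", "technique": "smb-lateral", "severity": 4}]
FEED_B = [{"threat": "Evil RAT", "technique": "phishing", "severity": 5},
          {"threat": "CryptoLocker-variant", "technique": "smb-lateral", "severity": 4},
          {"threat": "EVILRAT", "technique": "phishing", "severity": 4}]

# Constructed: context the raw feeds lack (criticality 1-5; which assets each
# technique can reach in this environment).
ASSET_CRITICALITY = {"payroll-db": 5, "intranet-wiki": 2, "build-server": 4}
EXPOSURE = {"phishing": ["intranet-wiki", "payroll-db"],
            "smb-lateral": ["build-server", "payroll-db"]}


def normalize(feeds):
    """Collapse entries from all feeds into one record per canonical threat name,
    keeping the highest reported severity and counting corroborating sources."""
    merged = {}
    for feed in feeds:
        for entry in feed:
            name = ALIASES.get(entry["threat"], entry["threat"])
            rec = merged.setdefault(name, {"technique": entry["technique"],
                                           "severity": 0, "sources": 0})
            rec["severity"] = max(rec["severity"], entry["severity"])
            rec["sources"] += 1
    return merged


def contextualize(merged, criticality, exposure):
    """Score = feed severity x criticality of the most critical exposed asset.
    Threats whose technique reaches no asset here score 0 (noise for us)."""
    ranked = []
    for name, rec in merged.items():
        assets = exposure.get(rec["technique"], [])
        worst = max((criticality.get(a, 1) for a in assets), default=0)
        ranked.append((name, rec["severity"] * worst, rec["sources"]))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


def fuse(feeds, criticality=ASSET_CRITICALITY, exposure=EXPOSURE):
    """Full pipeline: aggregate feeds, then apply organization context."""
    return contextualize(normalize(feeds), criticality, exposure)


if __name__ == "__main__":
    for name, score, sources in fuse([FEED_A, FEED_B]):
        print(f"{name:12} score={score:3} reported_by={sources} feeds")
```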
Monitoring and detection – Countermeasures were deployed into the environment and tied to the monitoring system. At the same time, the current SIEM configuration was reviewed and modifications were made to widen the range of activity that could be detected. This data was also connected to the vulnerability management program and the threat data, creating a more complete picture of the risk posed to the environment. Furthermore, data from a wide range of recently deployed IoT systems was integrated into the monitoring solution.
Incident response – A number of exercises were undertaken with both the security team and the larger business crisis response team. Scenarios were developed that became progressively more difficult; some improvement opportunities were identified and implemented.
Third-party analysis – The risk posed by the multiple third parties in use was assessed and added to the risk model.