Security program enhancement - Technology company

Background

A large technology organization with operations across the globe and a broad technical footprint. The current security program had been operational for several years and was compliant with standard requirements. A skilled team of security professionals was working with elements of the business to deliver a variety of services. All the major programs were in place and no breaches were known to have occurred, despite a wide range of malicious activities being uncovered on a regular basis.

“We’re seeing the compliance requirements we have to meet as the minimum baseline; we need to go beyond that given various new initiatives the business is throwing at us”
Client

The Challenge

The organization was expanding and branching out into a number of new areas. In addition, the security team was becoming concerned about the “known unknowns” and “unknown unknowns” and wanted to ensure that the security program was up to the challenges they suspected they would soon be facing.

The Solution

A number of fact finding meetings were held and the OccamSec team spent time with the security personnel to gain an understanding of the security program. At the same time, meetings were held with business personnel to discuss the company’s expansion plans.

A threat assessment was conducted of the organization to identify any new threats the expansion would attract. Various assessment activities were also conducted to determine the actual capabilities and effectiveness of the security program.

Some improvement opportunities were identified. A good foundation was in place, so the key was to build upon this. The majority of low-hanging fruit was covered, and the issue now was the potential for an advanced attack (external, or malicious insider) to cause damage.

The OccamSec team worked with the client to improve the following:

  • Threat identification – multiple automated feeds were in use, creating an information overload. Multiple “dashboards” had to be consulted, conflicting terms were used to describe the same threat, and the majority of the information had no organizational context applied, so the actual risk was difficult to determine. A fusion center was created whereby feed data was aggregated into one central system and organization-specific data (assets, exposure, business context) was then applied to identify the relevant issues.

  • Vulnerability management – The client was conducting automated scanning, had a penetration test program, and was having regular external assessments conducted. Asset criticality (primarily with regard to data) was added to this, along with the ability to determine how attacks could be chained across the environment. Data from the fusion center was also combined with this data, allowing for a more accurate assessment of risk.

  • Monitoring and detection – Countermeasures were deployed into the environment and tied to the monitoring system. At the same time, the current SIEM configuration was reviewed and modifications were made to improve the range of activity that could be detected. This data was also connected to the vulnerability management program and the threat data to create a more complete picture of the risk posed to the environment. Furthermore, data from a wide range of recently deployed IoT systems was integrated into the monitoring solution.

  • Incident response – A number of exercises were undertaken with both the security team and the larger business crisis response team. Scenarios were developed that were progressively more difficult; some improvement opportunities were identified and implemented.

  • Third party analysis – The risk posed by the multiple third parties being used was assessed and added to the risk model.
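The fusion and risk-scoring ideas in the threat identification and vulnerability management items above, as an added illustration that is not OccamSec's or the client's code: two constructed feeds describe the same issues in different vocabularies, the records are normalized and merged per vulnerability id, and organization-specific asset data (data criticality, exposure, network links) is applied so that risk is scored per asset, including a chain bump for assets reachable from an exposed, actively exploited one. All feed records, asset names, vulnerability ids and weights are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample feeds (hypothetical). Each feed uses its own vocabulary
# for the same threat; the ids are placeholders, not real CVE numbers.
FEED_A = [
    {"id": "VULN-EXAMPLE-1", "threat": "crypto-locker", "active": True},
    {"id": "VULN-EXAMPLE-2", "threat": "priv-esc", "active": False},
]
FEED_B = [
    {"id": "VULN-EXAMPLE-1", "threat": "ransomware", "active": False},
    {"id": "VULN-EXAMPLE-3", "threat": "rce", "active": True},
]
# Vocabulary normalization: conflicting feed terms mapped to one canonical name.
ALIASES = {"crypto-locker": "ransomware", "priv-esc": "privilege-escalation",
           "rce": "remote-code-execution"}
# Organization-specific context (constructed): data criticality 1-5,
# internet exposure, and which findings sit on which asset.
ASSETS = {
    "web-portal":   {"criticality": 2, "internet_facing": True,  "vulns": ["VULN-EXAMPLE-3"]},
    "hr-db":        {"criticality": 5, "internet_facing": False, "vulns": ["VULN-EXAMPLE-2"]},
    "build-server": {"criticality": 3, "internet_facing": False, "vulns": ["VULN-EXAMPLE-1"]},
}
# Network reachability between assets, used to spot attack chains.
LINKS = {"web-portal": ["hr-db"], "build-server": ["hr-db"]}


def fuse_feeds(*feeds):
    """Aggregate feed records per vulnerability id under one canonical threat vocabulary."""
    fused = defaultdict(lambda: {"threats": set(), "active": False, "sources": 0})
    for feed in feeds:
        for rec in feed:
            entry = fused[rec["id"]]
            entry["threats"].add(ALIASES.get(rec["threat"], rec["threat"]))
            entry["active"] = entry["active"] or rec["active"]  # any feed reporting exploitation counts
            entry["sources"] += 1
    return dict(fused)


def score_assets(fused, assets, links):
    """Risk per asset: data criticality weighted by active exploitation and exposure, plus a chain bump."""
    def exploited(a):
        return any(fused.get(v, {}).get("active") for v in a["vulns"])
    scores = {name: a["criticality"] * (3 if exploited(a) else 1) * (2 if a["internet_facing"] else 1)
              for name, a in assets.items()}
    # Chaining: an internal asset reachable from an exposed, actively exploited asset
    # is on an attacker's path even though it is not exposed itself, so its own
    # findings are weighted up by its data criticality.
    for src, a in assets.items():
        if a["internet_facing"] and exploited(a):
            for dst in links.get(src, []):
                if assets[dst]["vulns"]:
                    scores[dst] += assets[dst]["criticality"] * 2
    return dict(sorted(scores.items(), key=lambda kv: -kv[1]))
```

With the constructed data the internal hr-db ranks first: its own finding is not known to be exploited, but it is reachable from the exposed web-portal whose finding is, which is exactly the chain the raw feeds cannot show.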

These activities, and others, led to an improved assessment of risk to the business.

Ongoing activities have been conducted, including persistent penetration testing of the environment, ongoing threat intelligence assistance, and guidance on various aspects of security strategy. The organization’s expansion has continued and no major security incidents have occurred.