A Practical Guide

Process

  1. Familiarise with the Product
  2. Perform a Risk Assessment

    1. Set up Interviews with Stakeholders (📝 template)
      (set up regular meetings)

      Questions to ask
      • Close call incidents and war stories
      • Embarrassing practices that keep them up at night
      • Who has the most privileged access in the company
      • What risks they think you’re supposed to be working on
      • What do they think are existential risks to the business?
    2. Identify Technical Risks

      Questions to ask
      • Spend time enumerating the anatomy of all technology
      • Get a high-level view of how data moves in and out of systems
      • When do their employees gain and lose the authorization to access what data?
      • Where is that data geographically located when at rest? Is it encrypted? Where are the keys? Who has access to those keys? Who made those keys?
      • How is new code written? How are bugs fixed? How is code released and shipped? How are updates pulled down to a client?
      • Who are the vendors that our company is dependent on?
      • What to look for when reviewing a company's infrastructure
    3. Model Threats

    4. Build a Risk Registry

      Risk registry template
      • Risk ID
      • Area (ProdSec, CorpSec, etc.)
      • System (Cloud, IaC, Code, CI/CD, Endpoints, SaaS, etc.)
      • Risk Name
      • Description
      • Owner
      • Creation Date
      • Risk Level
      • Risk Acceptance
        • Date
        • Expiry Date
        • Status
        • Review Date
        • Review Status
      • Risk Mitigation
        • Plan
        • Status
      • Risk
        • Inherent Risk
        • Reputation Consequences
        • Legal or Regulatory Dictates
        • Threat and Vulnerability Environment
        • Control Economics
    5. Prioritise Risks

    6. Get consensus from leadership
      (You want consensus that these risks are worth mitigating and that cooperation will happen)
  3. Define a Strategy

    1. Map to Implement section below
    2. Pick a Framework
    3. Balance Risk/Trust/Governance
  4. Set metrics

  5. Set up supporting resources
    1. Weekly Digests
    2. WTF document
    3. Decision Log
    4. Learning Hours
    5. Quarterly Security Review
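The risk registry template above as working code. This is an added example, not part of the guide: a Python module that models the template's fields, rejects rows a register review should bounce (no owner, neither accepted nor planned, an acceptance that expires before it starts), flags accepted risks whose acceptance has expired or whose review is overdue, and emits the order used in the prioritisation step. The four-level risk scale, the quarterly review cadence and every register row are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed four-level scale for the template's "Risk Level" field.
LEVEL_SCORE = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Assumed cadence: an accepted risk is re-reviewed at least quarterly.
REVIEW_CADENCE = timedelta(days=90)
SAMPLE_TODAY = date(2023, 9, 1)  # fixed "today" so the run is reproducible


@dataclass
class Acceptance:
    """The template's 'Risk Acceptance' sub-fields."""
    accepted_on: date
    expiry_date: date
    status: str = "accepted"
    review_date: Optional[date] = None   # last review; None if never reviewed
    review_status: str = "pending"


@dataclass
class Risk:
    """One register row; field names follow the template."""
    risk_id: str
    area: str            # ProdSec, CorpSec, ...
    system: str          # Cloud, IaC, Code, CI/CD, Endpoints, SaaS, ...
    name: str
    description: str
    owner: str
    creation_date: date
    risk_level: str
    inherent_risk: str
    mitigation_plan: str = ""
    mitigation_status: str = "not started"
    acceptance: Optional[Acceptance] = None


def validate(risk: Risk) -> list:
    """Return the inconsistencies a register review should reject."""
    problems = []
    if risk.risk_level not in LEVEL_SCORE:
        problems.append(f"{risk.risk_id}: unknown risk level {risk.risk_level!r}")
    if not risk.owner:
        problems.append(f"{risk.risk_id}: no owner")
    if risk.acceptance is None and not risk.mitigation_plan:
        problems.append(f"{risk.risk_id}: neither accepted nor covered by a mitigation plan")
    if risk.acceptance and risk.acceptance.expiry_date <= risk.acceptance.accepted_on:
        problems.append(f"{risk.risk_id}: acceptance expires before it starts")
    return problems


def needs_attention(register: list, today: date) -> dict:
    """Accepted risks whose acceptance has expired or whose review is overdue."""
    out = {"expired": [], "review_overdue": []}
    for r in register:
        a = r.acceptance
        if a is None:
            continue
        if a.expiry_date < today:
            out["expired"].append(r.risk_id)
        last_review = a.review_date or a.accepted_on
        if today - last_review > REVIEW_CADENCE:
            out["review_overdue"].append(r.risk_id)
    return out


def prioritise(register: list) -> list:
    """Order for the prioritisation step: highest level first, oldest first within a level."""
    ranked = sorted(register, key=lambda r: (-LEVEL_SCORE.get(r.risk_level, 0), r.creation_date))
    return [r.risk_id for r in ranked]


# Constructed sample register (not real findings).
SAMPLE_REGISTER = [
    Risk("R-001", "ProdSec", "Cloud", "Long-lived IaaS API keys",
         "Static keys in CI without rotation", "alice", date(2023, 1, 10),
         "critical", "high", mitigation_plan="Move CI to short-lived credentials",
         mitigation_status="in progress"),
    Risk("R-002", "CorpSec", "Endpoints", "Unmanaged laptops",
         "Hosts without EDR or disk encryption", "bob", date(2023, 2, 1),
         "high", "high",
         acceptance=Acceptance(date(2023, 2, 15), date(2023, 8, 15),
                               review_date=date(2023, 5, 1), review_status="reviewed")),
    Risk("R-003", "CorpSec", "SaaS", "Shadow IT SaaS",
         "Unknown SaaS holding customer data", "", date(2023, 3, 5),
         "high", "medium"),
    Risk("R-004", "ProdSec", "Code", "Outdated dependency pinning",
         "No automated dependency updates", "carol", date(2023, 1, 20),
         "medium", "medium", mitigation_plan="Enable dependency automation"),
]

if __name__ == "__main__":
    for risk in SAMPLE_REGISTER:
        for problem in validate(risk):
            print("INVALID:", problem)
    print("attention:", needs_attention(SAMPLE_REGISTER, SAMPLE_TODAY))
    print("priority order:", prioritise(SAMPLE_REGISTER))
```

Run it directly to print the review findings for the sample register. In practice the rows come from wherever the register lives (a sheet or a ticket tracker); the two checks in `needs_attention` are the ones worth scheduling ahead of each quarterly security review, since an accepted risk nobody has looked at since acceptance is no longer a decision, just a gap.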

Implement

Additional ideas
Controls included in custom Roadmap
Work towards fundamental objectives
Objective Description
Centralize and improve logging
  • Decide/Build/Buy a central logging platform or service
  • Decide which logs are critical for investigations
  • Decide/Build/Buy an ingestion strategy
  • Design procedure/playbooks for important investigations
  • Test playbooks
Improve employee responsiveness in reporting incidents
  • Create #security aliases across chat, email, and tasks
  • Launch a propaganda campaign to evangelize the #security alias
  • Maintain a 1 hour SLA in #security ticket acknowledgment for one quarter
Reduce the risks associated with vendors
  • Establish process with legal to escalate data contracts
  • Scan expenses and corporate credit cards for shadow IT vendors
  • Add vulnerability and incident disclosure guidelines to high-risk contracts
  • Add penetration testing language exceptions to all contracts
  • Build rolodex for vendor security teams
Reduce the risk of insider abuse
  • Improve log coverage in administrative tooling
  • Build detection for high-risk actions on high-value accounts
  • Build threshold-based approvals for account deletion/account transfers
  • Build employee role grants through manager approval
  • Build auth token service based on customer approval
Reduce the risk of an endpoint compromise
  • Discover unmanaged hosts, estimate their volume, and run a retrospective on them
  • Improve HDD encryption coverage past N%
  • Choose/Eval/Deploy EDR product
  • Build and test termination and theft runbooks
  • Decide on patch strategy for highest risk endpoint vulnerabilities
Improve responsiveness to incidents
  • Write an incident response plan
  • Create rolodex for external IR partners
  • Select and train internal IR partners
  • Set up internal communications for compromised scenarios
Reduce the risk of remote IaaS API compromise (leaked credentials)
  • Design/Deploy network restrictions
  • Design/Deploy a strong authentication strategy
  • Choose/Demo/Deploy log ingestion pipeline
  • Choose/Eval/Deploy secrets storage
  • Spend N days on vulnerability finding. Fix all critical issues
Reduce the risks of a SaaS account compromise
  • Choose/Demo/Deploy SSO and MFA Vendor
  • Create a rollout plan for company-wide SSO
  • Estimate # of “Shadow” IT applications being used. Migrate their auth towards SSO
  • Build and deploy “Shadow IT” detection. Migrate the auth of what it finds towards SSO
  • Follow a similar rollout for infrastructure and production
Lay groundwork for secure development practices
  • Discuss/Decide on engineering quality standards (with ENG)
  • Discuss/Decide on secret storage (with ENG)
  • Add security engineering to the product development workspaces
  • Build security “boot camp” for engineering onboarding
  • Build vulnerability management standards
Lay groundwork for future detection efforts
  • Design/Build/Deploy log management pipeline
  • Decide on alerting and detection strategy
  • Recruit and select on-call rotation
  • Buy/Build on-call incident platforms
  • Build detection/alerting for three risk areas
Lay groundwork for future risk management efforts
  • Create a risk register
  • Interview n organization partners and model top risks
  • Decide on future periodicity of re-assessments
  • Update “priority risk” documentation
  • Represent risk priorities in planning meetings
Lay groundwork for finding and fixing
  • Spend n days vulnerability finding
  • Write up vulnerabilities for policy discussions
  • Decide on SLAs / Criticality with IT and Engineering
  • Create a central location for known vulnerabilities and associated tasks
Set up basic Incident Response
  • Create an incident response plan to manage these changes → ⭐️ template, explanation
    • A rolodex of contacts: Law enforcement, Forensic, Legal, Leadership, and PR contacts who can come online quickly and contribute to a response
    • A template for collaboration: Incidents are often about managing uncertainty. What are questions we still have? Who is accountable for answering them? What are the short term emergency actions, and what are the long term learnings?
    • Approval Points: Who approves an emergency blog post, an email to customers, or calls law enforcement? Pre-approvals for expected steps will avoid delays and meetings
    • Internal Communications: Who communicates issues with employees?
  • See also Security Breach 101 and Security Breach 102
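The threshold-based approvals for account deletion/transfer and the manager approval for role grants (under "Reduce the risk of insider abuse"), as an added Python example that is not from the guide. The policy table, the approver roles and the four-hour request lifetime are assumptions. The gate refuses self-approval, counts each approver once, requires an approving role, voids approvals once the request has expired, and writes an audit record whether or not the action runs, which is the log coverage in administrative tooling that the first bullet asks for.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Assumed policy: how many distinct approvals each high-risk action needs and
# which roles may give them. Role grants go to the manager, not to security.
POLICY = {
    "account_delete":   {"approvals": 2, "roles": {"support_lead", "security"}},
    "account_transfer": {"approvals": 2, "roles": {"support_lead", "security"}},
    "role_grant":       {"approvals": 1, "roles": {"manager"}},
}
# Assumed directory lookup; in practice this comes from the identity provider.
APPROVER_ROLES = {
    "alice": {"support_lead"}, "bob": {"security"},
    "carol": {"manager"},      "dave": {"support_agent"},
}
REQUEST_TTL = timedelta(hours=4)  # approvals are only valid within this window
SAMPLE_NOW = datetime(2023, 9, 1, 12, 0, tzinfo=timezone.utc)
EXPIRED_NOW = SAMPLE_NOW + REQUEST_TTL + timedelta(minutes=1)


class ApprovalError(Exception):
    pass


@dataclass
class Request:
    action: str
    target: str          # the account or role being acted on
    requester: str
    created: datetime
    approvals: Dict[str, datetime] = field(default_factory=dict)  # approver -> time


def check_approver(req: Request, approver: str, now: datetime) -> Optional[str]:
    """Why this approval would be refused, or None if it is acceptable."""
    if now - req.created > REQUEST_TTL:
        return "request expired"
    if approver == req.requester:
        return "requester cannot approve their own request"
    if not APPROVER_ROLES.get(approver, set()) & POLICY[req.action]["roles"]:
        return f"{approver} holds no approving role for {req.action}"
    return None


def approve(req: Request, approver: str, now: datetime) -> int:
    """Record an approval and return how many distinct approvers have signed off."""
    reason = check_approver(req, approver, now)
    if reason:
        raise ApprovalError(reason)
    req.approvals.setdefault(approver, now)  # the same person approving twice counts once
    return len(req.approvals)


def is_authorized(req: Request, now: datetime) -> bool:
    return (now - req.created <= REQUEST_TTL
            and len(req.approvals) >= POLICY[req.action]["approvals"])


def execute(req: Request, now: datetime, audit: list) -> bool:
    """Decide whether the action may run; always leave an audit record.

    The caller performs the actual deletion/transfer/grant only when this returns True.
    """
    allowed = is_authorized(req, now)
    audit.append({"time": now.isoformat(), "action": req.action, "target": req.target,
                  "requester": req.requester, "approvers": sorted(req.approvals),
                  "executed": allowed})
    return allowed


if __name__ == "__main__":
    audit_log = []
    req = Request("account_delete", "cust-42", "dave", SAMPLE_NOW)
    approve(req, "alice", SAMPLE_NOW)
    print("authorized after one approval:", is_authorized(req, SAMPLE_NOW))
    approve(req, "bob", SAMPLE_NOW)
    print("executed:", execute(req, SAMPLE_NOW, audit_log))
    print(audit_log[-1])
```

The audit record is written even when the action is refused: a refused high-risk request from a support account is exactly the event the "detection for high-risk actions on high-value accounts" bullet wants to see.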
Secure - Products
Area Description
Strict Engineering Standards
NOW:
  • Build into a strong culture of strict code review
  • Get involved in design reviews
LATER:
  • Engineers can build reusable security frameworks that globally handle common issues within your applications
  • Trigger audits on high risk code for extra review
  • Treat every security bug as an incident, document it for posterity and push the lessons onward to new and current engineers
  • Enforce mandatory postmortem of security bugs for leadership, like you would with an outage
Vulnerability Disclosure and Bug Bounty
NOW:
  • Set up a policy that protects security researchers when they disclose vulnerabilities to you, and reward them when they discover security issues with your products
LATER:
  • Make it an engineering goal to have the most expensive bugs possible
Engineer Onboarding
NOW:
  • Invest quality time in new engineers and inform them about the security-sensitive areas of the codebase (Auth, DB, Sessions, Crypto, etc.)
  • Calibrate code review expectations to the same high standard others will expect
  • Introduce them to security minded folks and make it OK to reach out for help, and show them where security questions can go
  • Build a place for security questions to go (a mailing list, IRC channel, chat room, Google Group, etc.)
LATER:
  • Integrate the history of severe security bugs from version control, bug bounty, and auditor findings into education
  • Teach, in detail, the tools and tactics your relevant attackers would use against your product
Manage Secrets
NOW:
  • Review the crypto around your storage of passwords
  • Review how many people have access to private keys and certificates
  • Ensure that infrastructure touching credit cards doesn’t go neglected
  • Build services that can make it simple to keep secrets out of source code
Review
Figure out critical security bits, auth flows, etc.
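One piece of the "keep secrets out of source code" item under Manage Secrets, as an added Python example that is not from the guide: a check that can run in CI or as a pre-commit hook and fails the change when a file looks like it carries a credential. It flags well-known credential formats and any secret-looking assignment whose value is long and high-entropy. The detector list, the 4.5 bits-per-character threshold and the sample file contents are assumptions; the AWS key in the sample is Amazon's documented example key, and the other values are constructed.

```python
import math
import re
from collections import Counter

# Assumed detectors: well-known credential formats, plus a fallback for any
# secret-looking assignment whose value is long and looks random.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# name containing secret/token/password/api_key, assigned a quoted value of 20+ chars without whitespace
ASSIGNMENT_RE = re.compile(
    r"""(?i)\b\w*(?:secret|token|password|api_key)\w*\s*[=:]\s*["']([^"'\s]{20,})["']"""
)
ENTROPY_THRESHOLD = 4.5  # bits per character; assumed cut-off for "looks random"

# Constructed sample inputs. AKIAIOSFODNN7EXAMPLE is the example key from AWS's
# own documentation; the token is made up, and the PEM body is a placeholder.
SAMPLE_SETTINGS = """\
# settings.py (constructed sample; every value here is fake)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "changeme"
API_TOKEN = "q7Zp3xLmN9vKd2RwT5yB8cF1hJ6sA0eG"
PASSWORD_POLICY_URL = "https://intranet.example/policy/passwords"
SECRET_BACKEND = "vault"
"""
SAMPLE_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDER-NOT-A-REAL-KEY-BODY
-----END RSA PRIVATE KEY-----
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the character frequencies in s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan(text: str) -> list:
    """Return (line_number, detector) pairs for every line that looks like it carries a secret."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in KNOWN_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
        m = ASSIGNMENT_RE.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            hits.append((lineno, "high_entropy_assignment"))
    return hits


def check_files(files: dict) -> bool:
    """Pre-commit style gate: True if the change is clean, False (with a report) otherwise."""
    clean = True
    for path, text in files.items():
        for lineno, detector in scan(text):
            print(f"{path}:{lineno}: possible secret ({detector})")
            clean = False
    return clean


if __name__ == "__main__":
    ok = check_files({"settings.py": SAMPLE_SETTINGS, "deploy_key.pem": SAMPLE_PEM})
    print("clean" if ok else "blocked: move these into the secrets service and rotate them")
```

The entropy fallback is what catches tokens whose format nobody wrote a pattern for, and the whitespace-free, 20-character minimum is what keeps ordinary prose and URLs (like the policy link in the sample, which sits around 4.1 bits per character) from tripping it. Anything the check flags is treated as already leaked: rotate it, then move it into the secrets service.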
Secure - Infrastructure
Area Description
Authentication
NOW:
  • Multifactor every form of authentication that exists
  • Lock down root usage to better reflect the activity of individuals on systems
  • Ensure that prolific root usage doesn’t become the standard for regular administration and deployment
  • Root usage should be treated as an extreme anomaly with heavy alerting
LATER:
  • Focus on authorization, “need to know” and least access
Patching
NOW:
  • Your operating systems, kernels, applications, libraries and other dependencies all need to be updated
  • Treat patches that fix remotely exploitable bugs with the highest priority
LATER:
  • Build patch automation within continuous integration
  • Remove dependencies that can’t be automatically updated or frequently introduce breaking changes
  • Keep an eye on Google alerts, Full-Disclosure, and various vulnerability feeds like the National Vulnerability Database for software you’ve deployed
  • Regularly schedule vulnerability scanning with enterprise versions of tools like Nessus, Rapid7, etc., with success measured around reduced known vulnerabilities and low windows of exposure between patches
Centralized Logging
NOW:
  • Push system and application logs somewhere centralized and in a separate risk area from the rest of your infrastructure
  • Ensure that SSH logs and any internal tools you’ve built log here
  • Build basic alerting that would tip off engineers when systems are accessed without permission
LATER:
  • Scale this log store and build tools that make review easier or unnecessary
  • Make these log stores trivially accessible to an incident responder who is working as fast as they can
  • Make sure alerting happens when logs stop flowing
  • Build log failures into regular incident meetings
Cloud Fundamentals
Secrets management, IAM, API keys, configuration
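Basic alerting over the centralised SSH logs, covering the root-usage alerting under Authentication and the "accessed without permission" and "logs stop flowing" items under Centralized Logging. This is an added Python example, not from the guide: it parses sshd "Accepted"/"Failed" lines, raises alerts for root logins, for accounts that are not expected on a host and for logins from outside the internal range, and lists the hosts that have gone quiet. The log lines, host inventory, expected users, network range and silence threshold are constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# sshd auth lines as they arrive in the central store (syslog-style, UTC timestamps).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"(?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Assumptions: the accounts expected on each host, the range interactive logins
# should come from (bastion/VPN), the hosts that must keep reporting, and how
# long a host may be silent before the silence is itself an alert.
EXPECTED_USERS = {"web-1": {"deploy"}, "db-1": {"alice", "dba"}}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EXPECTED_HOSTS = ["web-1", "db-1", "cache-1"]
SILENCE_THRESHOLD = timedelta(minutes=30)

# Constructed sample log (not from a real system).
SAMPLE_LOG = """\
2023-09-01T10:00:01Z web-1 sshd[1201]: Accepted publickey for deploy from 10.0.1.5 port 51234 ssh2
2023-09-01T10:02:30Z web-1 sshd[1205]: Failed password for invalid user admin from 198.51.100.4 port 33000 ssh2
2023-09-01T10:05:10Z web-1 sshd[1210]: Accepted password for root from 203.0.113.7 port 40000 ssh2
2023-09-01T10:06:00Z db-1 sshd[800]: Accepted publickey for alice from 10.0.1.6 port 51240 ssh2
2023-09-01T10:07:00Z web-1 sshd[1220]: Accepted publickey for jdoe from 10.0.1.9 port 51300 ssh2
2023-09-01T10:45:00Z web-1 sshd[1300]: Accepted publickey for deploy from 10.0.1.5 port 51400 ssh2
"""
SAMPLE_NOW = datetime(2023, 9, 1, 10, 50, tzinfo=timezone.utc)


def parse(line: str) -> Optional[dict]:
    """Parse one sshd line; None for lines this detector does not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def parse_all(lines) -> List[dict]:
    return [e for e in map(parse, lines) if e is not None]


def access_alerts(events) -> list:
    """Alerts on successful logins: root use, unexpected account, external source."""
    alerts = []
    for e in events:
        if e["result"] != "Accepted":
            continue  # failures feed brute-force statistics; here we care who got in
        where = (e["host"], e["user"], e["src"])
        if e["user"] == "root":
            alerts.append(("root_login",) + where)
        elif e["user"] not in EXPECTED_USERS.get(e["host"], set()):
            alerts.append(("unexpected_user",) + where)
        if not any(ipaddress.ip_address(e["src"]) in net for net in INTERNAL_NETS):
            alerts.append(("external_source",) + where)
    return alerts


def silent_hosts(events, now) -> List[str]:
    """Hosts that must report but have logged nothing within the threshold."""
    last_seen = {}
    for e in events:
        last_seen[e["host"]] = max(last_seen.get(e["host"], e["ts"]), e["ts"])
    return [h for h in EXPECTED_HOSTS
            if h not in last_seen or now - last_seen[h] > SILENCE_THRESHOLD]


if __name__ == "__main__":
    events = parse_all(SAMPLE_LOG.splitlines())
    for alert in access_alerts(events):
        print("ALERT", *alert)
    print("silent hosts:", silent_hosts(events, SAMPLE_NOW))
```

The silence check is the part most often left out: a dead log shipper, a full disk or a host someone quietly rebuilt all look identical to a host that simply had no logins, so the inventory of hosts that must report has to live outside the log stream itself.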
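The Patching priorities and the "windows of exposure" metric as code: an added Python example that is not from the guide. It orders outstanding findings with remotely exploitable bugs first, computes each finding's exposure window, flags SLA breaches and reports mean time to patch. The SLA table, the findings and the advisory identifiers (placeholders, not real advisories) are constructed.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Assumed remediation SLA in days, keyed by (attack vector, severity); agree the
# real numbers with IT and engineering. Remotely exploitable bugs get the tightest windows.
SLA_DAYS = {
    ("network", "critical"): 7,  ("network", "high"): 14,
    ("network", "medium"): 30,   ("network", "low"): 90,
    ("local", "critical"): 30,   ("local", "high"): 60,
    ("local", "medium"): 90,     ("local", "low"): 180,
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
SAMPLE_TODAY = date(2023, 9, 1)


@dataclass
class Finding:
    host: str
    package: str
    advisory: str          # placeholder ids below, not real advisories
    severity: str
    attack_vector: str     # "network" = remotely exploitable, "local" = needs local access
    published: date        # when the fix became available
    fixed: Optional[date] = None   # None while the patch is still outstanding


def exposure_days(f: Finding, today: date) -> int:
    """Days the host has been (or was) exposed: fix date, or today if still open."""
    return ((f.fixed or today) - f.published).days


def sla_days(f: Finding) -> int:
    return SLA_DAYS.get((f.attack_vector, f.severity), 90)


def remediation_queue(findings, today: date) -> list:
    """Open findings in the order to work them: remote first, then severity, then longest exposed."""
    open_findings = [f for f in findings if f.fixed is None]
    ordered = sorted(open_findings, key=lambda f: (f.attack_vector != "network",
                                                    SEVERITY_RANK.get(f.severity, 99),
                                                    -exposure_days(f, today)))
    return [f.advisory for f in ordered]


def sla_breaches(findings, today: date) -> list:
    """Findings (open or closed) whose exposure window exceeded their SLA."""
    return [f.advisory for f in findings if exposure_days(f, today) > sla_days(f)]


def mean_time_to_patch(findings) -> Optional[float]:
    """The metric to report: average days from fix availability to deployment, closed findings only."""
    closed = [exposure_days(f, f.fixed) for f in findings if f.fixed is not None]
    return mean(closed) if closed else None


# Constructed sample scan results (not real hosts or advisories).
SAMPLE_FINDINGS = [
    Finding("web-1", "openssl", "EXAMPLE-1", "critical", "network", date(2023, 8, 1), date(2023, 8, 5)),
    Finding("web-1", "kernel", "EXAMPLE-2", "high", "local", date(2023, 7, 1)),
    Finding("db-1", "libxml2", "EXAMPLE-3", "high", "network", date(2023, 8, 20)),
    Finding("db-1", "sudo", "EXAMPLE-4", "critical", "local", date(2023, 8, 10), date(2023, 8, 25)),
    Finding("web-1", "nginx", "EXAMPLE-5", "medium", "network", date(2023, 8, 25)),
]

if __name__ == "__main__":
    print("work next:", remediation_queue(SAMPLE_FINDINGS, SAMPLE_TODAY))
    print("SLA breaches:", sla_breaches(SAMPLE_FINDINGS, SAMPLE_TODAY))
    print("mean time to patch (days):", mean_time_to_patch(SAMPLE_FINDINGS))
```

The queue deliberately ignores host count and CVSS base score beyond severity: what the bullet above says matters first is whether the bug is reachable remotely, and the exposure window tie-breaker keeps the oldest open items from sinking.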
Secure - Employees
Area Description
Endpoint
NOW:
  • Purchase laptops for employees to separate home and work life
  • Standardize everyone on Chrome configured with Click to Play
  • Understand and train employees about spear phishing
  • Enable disk encryption
  • Build a checklist so employees can self-certify to this standard when they’re hired
LATER:
  • Build laptops with these configurations pre-imaged, or managed via a centralized system like Chef
  • Don’t rely on an employee to-do checklist
  • Start employing tools like osquery to understand what is being installed across your corporate fleet
  • Be able to swap out laptops displaying suspicious behavior quickly with new machines to keep employees working
Shared Passwords
NOW:
  • Train employees about the risk of sharing passwords between their personal lives and corporate accounts
  • Pay for LastPass or 1Password so they can manage the nightmares created by actually secure password management
  • Push multifactor authentication for personal lives as much as corporate usage
LATER:
  • Systems like Okta, Meldium, and Bitium all help centrally manage credentials for the disparate cloud applications your employees will use. They also help enforce uniqueness, multifactor, and termination scenarios
  • Additionally, you can take advantage of SAML (either in-house or provided) to centralize authentication as well
On-boarding and Off-boarding
YubiKeys
Secure - Compliance
Area Description
Have public-facing security docs
Something you can put on your website with technical details about the security work you’ve done that people can reference
Establish a Knowledge Base
The best use of your time is not completing questionnaires for sales teams. Find a way to make it self-service: a place where sales can get the information themselves
GDPR and current laws
Make sure you comply with all of the relevant laws