Saturday, April 22, 2017

OODA Framework for TI / DFIR / CSIR Process Engineering

The OODA Loop (https://en.wikipedia.org/wiki/OODA_loop) can be used to develop workflows for TI / DFIR / CSIR, including leveraging TIMP implementations such as MineMeld (https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/minemeld).

Friday, April 7, 2017

Offensive Security vs. Enhanced (Defensive) Security

Offensive / obfuscation tools and techniques (e.g., honeypots, bastion hosts, anti-reconnaissance such as Microsoft NetCease) have been gaining more attention of late.

So, while next-generation (defensive) security tools and techniques (e.g., behavioral analytics: UBA / UEBA via Cisco StealthWatch, binary sandboxing, advanced threat protection: ATP) are all the rage, InfoSec leadership will have to address prioritization for budgets and bodies.

Said prioritization may be assisted by identifying the defense-in-depth posture, as well as the threat environment.

Tuesday, March 21, 2017

Cybersecurity & Strategic Planning

Senior leadership in InfoSec functions needs to perform annual strategic planning covering budgets, staffing plans, project planning, etc. However, this activity should not take a considerable amount of time. Suggested timelines include one hundred and fifty (150) hours of aggregate effort.

Should strategic planning require more time, an observation has been that a re-org / redesign may be required. Said changes should focus on clarity with respect to roles & responsibilities, reporting structures, procurement / solution requirements, operational work streams, P&L, and vendor mgmt. Furthermore, strategic planning activities should include both grassroots and top-down involvement.

Sunday, March 19, 2017

Digital Signatures Are Worthless Without Compensating Controls

Many orgs leverage crypto to verify software / firmware / patches / updates; however, many do not leverage integrity safeguards on the versioning of those platforms.

Checksums and other compensating controls should be utilized to ensure the stability of the platform in question. Such methods would help prevent the rogue installation of software / firmware.
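As an added illustration of this point (not code from the original post), the Python verifier below accepts an update only when three checks pass together: the vendor signature, an anti-rollback version comparison against what is installed, and a checksum pinned in the org's own release manifest. The HMAC key, version numbers and payloads are constructed stand-ins; a real deployment would use the vendor's asymmetric signature in place of the HMAC.

```python
import hashlib
import hmac

# Constructed sample key: stands in for the vendor's signing key.
SIGNING_KEY = b"constructed-vendor-key"

# Release manifest pinned by the receiving org: approved versions mapped to
# the SHA-256 of each approved artifact (values constructed for this example).
PINNED_RELEASES = {
    (1, 4, 0): hashlib.sha256(b"firmware-1.4.0").hexdigest(),
    (1, 5, 2): hashlib.sha256(b"firmware-1.5.2").hexdigest(),
}


def sign(version, payload):
    """Vendor-side signature over version string and artifact bytes."""
    msg = version.encode() + b"|" + payload
    return hmac.new(SIGNING_KEY, msg, "sha256").hexdigest()


def parse_version(version):
    """'1.5.2' -> (1, 5, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def validate_update(version, payload, signature, installed_version):
    """Return (accepted, reason). A valid signature alone is never sufficient."""
    # 1. Signature: proves the vendor produced this artifact at some point,
    #    but says nothing about whether it is the version we should be running.
    if not hmac.compare_digest(sign(version, payload), signature):
        return False, "bad signature"
    ver = parse_version(version)
    # 2. Anti-rollback: a correctly signed but older (or identical) release is
    #    refused, so a known-vulnerable signed build cannot be reinstalled.
    if ver <= parse_version(installed_version):
        return False, "rollback to %s refused" % version
    # 3. Checksum pin: the artifact must match the org's approved manifest,
    #    which catches builds the vendor signed but the org never vetted.
    if PINNED_RELEASES.get(ver) != hashlib.sha256(payload).hexdigest():
        return False, "checksum not in pinned manifest"
    return True, "ok"


if __name__ == "__main__":
    good = validate_update("1.5.2", b"firmware-1.5.2",
                           sign("1.5.2", b"firmware-1.5.2"), "1.4.0")
    stale = validate_update("1.4.0", b"firmware-1.4.0",
                            sign("1.4.0", b"firmware-1.4.0"), "1.5.2")
    print(good, stale)
```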

Monday, March 6, 2017

Ransomware Response: A Service Continuity Challenge

While many security solutions (e.g., CASB, ATP, MTD, DMARC/SPF, EDR) look to catch malware / ransomware threats before they are experienced, isn't the response to a ransomware incident a service continuity challenge?

With proper RPO terms, as well as tested BCP/DR procedures, ransomware response should be relatively painless. The real concern is your ecosystem, as many third parties won't have the same governance regarding BCP/DR as a large enterprise.

Tuesday, February 7, 2017

Vetting Security Policies

There always seems to be a considerable gap between policy development and execution.

This often stems from a delineation between the org that develops versus audits said policies.

Beyond administrative controls, many companies are now deploying security solutions (e.g., DLP, CASB, EMM/MDM, MAM, IAM/IDM, DMARC/SPF, ATP) with policy engines. Implementing administrative and/or technical safeguards without validating their utilization is a noticeable risk.

Wednesday, January 25, 2017

Focus First on Mobile Threat Defense (MTD) or Endpoint Detection & Response (EDR)

A reality of corporate life is economics, defined as the allocation of scarce resources. So, with finite budgets, what is an IT shop to do regarding malware protection outside of the data center?

Given the prevailing opinion that traditional anti-virus (AV) no longer works against contemporary threats, and the fact that mobile device management does not handle malware, EDR stands as the apparent silver bullet. However, most EDR solutions do not extend to the mobile space, so an MTD may be the better investment to embark on first for a distributed enterprise.

Additional decision points include: industry, allowance of local admin rights, how distributed the enterprise is, usage of local drives vs. EDM / ECM (e.g., SharePoint, network file shares), and the global network topology.