HOW TO BUILD A WORLD-CLASS CYBER SECURITY PRACTICE
How To Build a World-Class Cyber Security Practice
Mighty Guides make you stronger. These authoritative and diverse guides provide a full view of a topic. They help you explore, compare, and contrast a variety of viewpoints so that you can determine what will work best for you. Reading a Mighty Guide is kind of like having your own team of experts. Each heartfelt and sincere piece of advice in this guide sits right next to the contributor’s name, biography, and links so that you can learn more about their work. This background information gives you the proper context for each expert’s independent perspective.
Credible advice from top experts helps you make strong decisions. Strong decisions make you mighty.
It’s true: Cybersecurity is risky business. It’s all about mitigating risk, but it’s also about keeping up
with the latest threats—threats that are emerging almost too fast to count. It’s about keeping up
with a continuous growth in attack surface and a growing flood of alerts. It’s about keeping up with
the latest security technologies. And, if you miss something, just once, you could have a really, really
bad day.
Industry research shows that most companies believe that their cybersecurity operation isn’t good
enough—that they’re losing ground. Is there a way past the challenges security practices must
contend with every day?
In this eBook, security experts from BlueVoyant explore the challenges facing today’s security
operations. They discuss in detail what it takes to build a world-class security practice capable of
managing the growing volume and complexity of cyberthreats. It’s not an easy task. Doing security
right requires hiring and retaining excellent people, building and maintaining a solid technology
stack, and continually refining processes and workflows.
Speaking from experience, because the company has successfully built its own high-performance,
global security operation, the BlueVoyant experts offer valuable advice. They also tell you how to put
it all together into a tightly integrated security operation.
If you’re concerned about your organization’s security posture—and you should be—I believe you’ll
appreciate these articles from the experts at BlueVoyant.
© 2020 Mighty Guides, Inc. I 9920 Moorings Drive I Jacksonville, Florida 32257 I 516-360-2622 I www.mightyguides.com
All the best,
David Rogelberg
Editor
Introduction:
Building a World-Class Cybersecurity Practice
BlueVoyant is an analytic-driven cybersecurity company whose mission is to protect organizations of all sizes against agile and well-financed cyber attackers. Founded and led by experts in the cybersecurity and government security sectors, BlueVoyant’s offerings are built with real-world insight and applicability.
Through our Advanced Threat Intelligence, Managed Security Services, and Incident Response Services, we excel in intelligence gathering, cybersecurity defense, detection of attacks, and response coupled with remediation.
Our 24/7 SOCs, offices around the world, and our security analytics platform position us to best help our customers defend against emerging cyber threats. For more information, visit bluevoyant.com
Foreword
Resource-Constrained Security Teams Can Achieve the Capabilities of the Most
Well-Defended Organizations
Most world-class security technologies are available only to the “security 1%”: banks, national governments,
and the largest enterprises. These organizations have sizeable budgets to hire and retain significant expertise
and purchase or develop premier security solutions.
These large enterprises drive innovation, but their solutions don’t map well to small-to-mid-sized organizations,
the other 99%. Smaller enterprises are typically constrained by budget and resources and are forced to
compromise when it comes to security.
BlueVoyant provides a new approach for resource-constrained teams. We democratize cybersecurity by
protecting organizations of all sizes against agile and well-financed cyber attackers through highly-scalable
service offerings tailored to meet the needs of our clients. We partner with our clients to achieve a level of
security that they couldn’t reach on their own. We provide technology and integration they couldn’t otherwise
afford. We offer threat intelligence that they wouldn’t have access to. We staff our Security Operations Centers
with experts they would have difficulty hiring and retaining. As a result, we trim high costs and help IT teams
achieve a level of security previously only available to the largest and most well defended organizations.
Founded and led by experts in the cybersecurity and government security sectors, BlueVoyant makes superior
technology, proprietary threat intelligence, 24x7 Security Operations Centers (SOCs), and deep cybersecurity
expertise available to enterprises of all sizes. We provide mutually reinforced solutions that allow clients to
right-size services to meet their unique needs.
The first step in determining the proper security for your organization is to arm yourself with the right
questions. The experts that have contributed to this Mighty Guide will help prepare you to move forward on
your quest for improved cybersecurity. Enjoy the book.
Regards,
Thom VanHorn
Head of Marketing
BlueVoyant
Table of Contents
Chapter 1: Introduction: Addressing Today’s Dynamic and Evolving Cyber Risks 06
Chapter 2: People Are the Foundation of a World-Class Security Operation 12
Chapter 3: The Best People Need the Best Tools 21
Chapter 4: People and Technology Need the Focus That Process Provides 29
Chapter 5: Putting It All Together: 9 Tips for Building a World-Class Cybersecurity Operation 37
Meet Our Experts
JOE GIGLIOTTI, Manager, Client Experience Team, BlueVoyant
Joe Gigliotti is the manager of BlueVoyant’s Client Experience Team. He has 17 years of IT experience, 8 of which have focused on cybersecurity and incident response. Before joining BlueVoyant, Joe was an analyst on Secureworks’ Security Response team. Joe holds a bachelor’s degree in network engineering from Johnson & Wales University and several certifications, including Sourcefire SFCP, SANS GIAC Certified Intrusion Analyst, and GIAC Information Security Professional.
TRAVIS MERCIER, Head of Global Security Operations, BlueVoyant
Travis Mercier is head of Global Security Operations for BlueVoyant, responsible for Global Security Operations Centers (SOCs) and the Threat Fusion Cell. He has 13 years of experience in cybersecurity, incident response, and digital forensics. Before joining BlueVoyant, Travis led Rackspace Managed Security’s Customer SOC and Managed Security Threat Intelligence Cell. He holds bachelor’s degrees in information systems and cybersecurity/infrastructure assurance from the University of Texas at San Antonio.
MICHAEL SCUTT, Director of Hunt Operations, BlueVoyant
Michael Scutt leads threat hunting services at BlueVoyant, helping clients uncover advanced adversaries, cutting-edge malware, and attacker infrastructure. His focus areas include host-based forensics, malware analysis, and threat research. Michael has spent a decade in information security and played many roles, from enterprise infrastructure hardening and threat mitigation to managing incident response engagements for Fortune 50 companies. Prior to joining BlueVoyant, Mike was the director of Security Research at CrowdStrike.
REAGAN SHORT, SOC Technical Advisor, BlueVoyant
Reagan Short, CISSP, is a technical advisor for BlueVoyant’s SOC, responsible for technical strategies related to detection mechanisms and process improvement. He has 15 years of experience in host, network, and data security analysis. Before joining BlueVoyant, he was a senior security analyst at LEO Cybersecurity, responsible for threat hunting and signature creation. Reagan holds a master’s degree in cybersecurity from the University of Texas at San Antonio.
CHRISTOPHER WILDES, SOC Technical Advisor, BlueVoyant
Christopher Wildes, GCIH, GWAPT, is a SOC technical lead for BlueVoyant, responsible for workflow automation and process improvement. He has 10 years of experience in cybersecurity operations, enterprise vulnerability management, and host- and network-based analysis. Before joining BlueVoyant, Christopher was a security analyst for Rackspace Managed Security and an analyst for the US Air Force Computer Emergency Response Team. He holds a master’s degree in cybersecurity from Pennsylvania State University.
CHAPTER 1
Introduction: Addressing Today’s Dynamic and Evolving Cyber Risks
TRAVIS MERCIER, Head of Global Security Operations at BlueVoyant
Introduction:
Addressing Today’s Dynamic and Evolving Cyber Risks
Cybersecurity has never been easy, and even under the best of circumstances,
it is never perfect. A good practice can and must keep the risk of loss from
cyberattacks at an acceptably low level for the business. Every business has
its own risk profile based on the criticality of its digital assets, the vulnerability of its
systems and operations, and its potential value as a target. A cybersecurity practice
must accurately assess these factors and work with business management to
determine what’s needed to deliver the necessary level of protection.
Building a strong security practice capable of achieving that goal is a continuous
challenge because the game keeps changing, for three main reasons:
•	 Exponential growth in attack surfaces. The days of placing all your high-value
assets in one place secured by access controls and firewalls are long gone.
Today, we live in a world of distributed networks and distributed computing. It
is a world in which data are stored, moved, and processed in the cloud and at
the network edge. The data environment is cluttered with a growing number of
Internet of Things devices that are potential network access points. Some of
these devices are fixed equipment such as appliances, industrial controls, and
machinery. Others are mobile devices, cell phones, vehicles, and specialized
devices such as wireless medical equipment.
They all contribute to an attack surface that is continuously growing and changing.
Even people have become a big part of the growing attack surface. People spend
more time connected to more data through more devices than ever before, making
them prime targets for attacks specifically engineered to fool them into opening a
door for attackers.
•	 Exponential growth of attacks. Cybersecurity experts know that attacks are growing
in intensity. Recent business surveys show a 350 percent growth in ransomware
attacks between 2017 and 2018. Over the same period, email spoofing increased
by 250 percent. Increased opportunity provided by a growth in attack surface
is one reason for this sharp increase, but there’s much more to it than that. For
one thing, attack technology has become widely available in kit form, making it
accessible to anyone with modest technical skills. Also, attackers are adopting the
most sophisticated technologies, using automated, multivector strategies driven
by machine learning in an effort to bypass even the best defenses. Beyond the
technical factors, however, are the hard economic realities. Cybercrime pays. Stolen
computer capacity, stolen personal data, stolen intellectual property, and stolen
state secrets—it’s a growing market. Thieves can even make money without actually
stealing anything. Ransomware is growing so quickly because many organizations
pay handsomely to save their data. Cybercrime isn’t only big business in itself; it has
become central to the strategic competition between businesses and nations.
•	 Increased cost and complexity of defensive technologies. To combat these
growing threats, solution providers are introducing more sophisticated tools
and approaches to cybersecurity. The promise is that these tools speed threat
detection and response as well as increase the productivity of a security practice.
Under ideal circumstances, these tools deliver on that promise, but they are
expensive, and effective implementation requires specialized skills. The
challenges for many practices are first, finding the resources to invest
in the technologies they need, and then finding skilled people to implement and
maintain them. The world of cybersecurity suffers from a skills shortage that
has grown more critical in recent years. Finding people with the skills needed
to implement advanced defensive technologies is a serious challenge for many
security practices.
These are the realities that cybersecurity practices face every day. Together they
form a perfect storm of challenges that makes it difficult for any organization to
keep up with the latest threats and the latest defensive technologies.
Does this mean that building an effective cybersecurity practice is an impossible
task? Sometimes, it may seem that way, but the answer is no. You can build a strong
practice, but it takes a lot of work.
Operating in today’s cyber environment often feels like swimming in shark-infested
waters. To swim it safely, you need a world-class cybersecurity practice that can quickly
and reliably detect, respond to, and mitigate both known and previously unseen threats.
Building a practice with those capabilities requires turning to the fundamentals of
people, processes, and technology. With the right people, processes, and technology,
a security practice can shape itself to effectively address the cyber risks faced by the
organization it must protect.
A significant challenge to developing a security practice is attracting and retaining
people who have the skills the practice requires. Competition for good security people
is stiff, but no matter how desperate your organization is to fill a position, it pays to
be highly selective. You need people who have experience and who live and breathe
cybersecurity. You want people whose passion leads them to explore new technologies
and learn new methods. You want to dig into their technical capabilities, test them,
and work with them to be sure they’re a good cultural fit for your organization. Once
you bring someone on board, you must train them on your technology and processes,
and then keep them sharp. Cultivating a tight security team that has the right skills
and motivation takes time. Maintaining that team requires setting expectations and
providing paths for continued development.
In addition to cultivating the right people, a world-class security practice operates with
fully documented processes that can be automated. You need extensive playbooks that
cover every kind of security event; you must update playbooks based on programmatic
reviews of real cases in your environment. The process is continuous, and you enforce
it through an assumption in the culture that nothing is real if it isn’t documented.
A good security practice doesn’t rely on tribal knowledge. The ultimate goal is to
streamline detection and response so that it’s fast, accurate, and reliable.
Finally, a world-class security practice must invest in a technology stack that supports
the business’s defensive requirements. This investment includes monitoring, detection,
analysis, threat intelligence, and security orchestration. Building this technology stack
is more than just acquiring the right technology. It also involves developing the skills to
implement and maintain those tools. Poorly implemented technology is at best a waste
of money and at worst creates a dangerously false sense of security.
It’s not easy to build a truly effective security practice, but it is necessary for any
organization to thrive in today’s dynamic threat environment. I know from personal
experience here at BlueVoyant that it can be done because we have done it
successfully. In the articles of this e-book, we share strategies that have helped us
find the right people, formalize our processes, build our technology stack, and put it all
together into a world-class security practice.
CHAPTER 2
People Are the Foundation of a World-Class Security Operation
MICHAEL SCUTT, Director of Hunt Operations, BlueVoyant
Defending data has unquestionably become a battle of attackers’
tools and cleverness pitted against the technology and ingenuity of
defenders. In this endless contest, the rapid evolution of both offensive
and defensive capabilities has dominated much of the discussion about
security trends and strategies. Defenders are employing artificial intelligence,
machine learning, and automation techniques to improve the speed and
accuracy of their defenses. They are also continuously adapting to changing IT
environments that, while offering new levels of operational flexibility, come with
plenty of new attack vectors.
Amidst all this focus on the technology of cybersecurity, one critical element
of security operations remains necessary and unchanged: the need for good
security people—the analysts and operators who interpret what the technology
is saying and who make the important decisions. People continue to be
foundational to a world-class cybersecurity practice.
The Human Factor in a Modern Cybersecurity Practice
Why are people so important to the practice of cybersecurity? It comes down to what
the tools can and cannot do by themselves. Modern cybersecurity tools, properly
deployed, are good at identifying unusual and threatening activity happening in the
network. The ability to identify these events is vital, but when they are discovered, the
assumption must be that an adversary is already in the network. There has already
been a compromise. The key questions immediately become: How far has the attack
progressed? What other parts of the network are affected? Is the attacker continuing to
move? Security analysts are the ones who answer those questions.
When security analysts receive alerts, they must be able to scope out where in the
attack life cycle they are, identify the root cause, and isolate any additional activity
that took place after that notification. The analyst must correlate that event with other
activities, make decisions about contacting affected organizations, and provide those
organizations with context and other information they will need to take quick, corrective
action. The information coming out of the security organization must be accurate and
actionable. To do their job well, analysts must:
•	 Have critical thinking skills;
•	 Be familiar with operating system fundamentals and attacker methodologies;
•	 Know the tools they’re using and the tools their adversaries are using; and
•	 Have knowledge of enterprise technologies.
Without the benefits of human analysts, the security tools will continue to faithfully
deliver alerts to the affected organization. The tools may even successfully block an
event. If the organization is dealing with a persistent adversary, however, that adversary
will at some point successfully circumvent the block. For this reason, a consistently
strong security practice is deeply dependent on the quality of the people who make up
the security team.
Finding and Retaining Good Security People
Good security analysts have unique skills that don’t always arise from training and
a background in cybersecurity. Cybersecurity professionals should possess three
essential qualities:
•	 Critical thinking. They need to be able to look at a cyber event; recognize it as
malicious activity; and, based on that activity, determine whether it represents
a particular stage in an attack life cycle. Then, they must be able to decide on
appropriate next steps.
•	 Passion. Good security professionals must have an unquenchable desire to find the
bad guys and a passion for winning.
•	 Ability to self-learn. Cybersecurity is a fast-paced industry, and adversaries are
innovating at an alarming rate. Good cybersecurity professionals are always doing
their own research to find out about the latest threats, and they are always sharing
information with their colleagues. It’s the only way to keep up with what’s happening in
the field. This habit is important because attackers are doing exactly the same thing.
Finding people with preexisting cybersecurity knowledge is ideal, but it’s not an absolute
criterion. The best candidates typically have worked in roles where they rely on the
critical thinking skills so important to good security analysts. Interestingly, some of the best
candidates we have encountered came from degree programs like nuclear physics and
mathematics, which foster a strong, logical approach to problem solving.
It is no easy task to find and retain top-quality security people. Growing demand for
security professionals who have the right knowledge and skills has created a situation
where there are far more job openings than qualified people to fill them. Recently, more
mature companies have begun to view cybersecurity as a special domain of expertise,
not just a subset of IT. That view helps create a more cohesive security team within
the organization—and a new career path for serious cybersecurity professionals, which
is important for retention efforts. Yet most organizations still see cybersecurity as a
budgetary item necessary to prevent loss. It’s not seen as something that actually adds
value to the core business.
That’s where managed security service providers (MSSPs) have an advantage in
hiring and developing top security talent. Security isn’t just a cost center inside the
business. For an MSSP, security is the business. When the security professionals in that
business perform well, they add value to the core business in a big way. It becomes
an environment in which serious-minded security people can pursue a career; they
can develop themselves through exposure to a much broader range of cybersecurity
experiences than they are likely to receive on a mid-sized company’s security team.
As difficult as it is to find and retain good people, doing it well is critical to building a
top-notch security practice. The skills and dedication of those people enable the team to
perform. These people also help create the culture of security needed for the organization
to work as an effective team.
Strategies for Building and Maintaining a Security Team
When assessing candidates for our team, we assume that they have some level of
computing knowledge. Regardless of what their resume says or their cybersecurity
credentials, we put them through a lengthy interview process that involves several people
on our team. We want to see how candidates think about security challenges and assess
the more intangible aspects of their personality, such as whether they have that passion
to excel and self-learn.
We’ll typically ask several questions to test candidates’ critical thinking skills and see if
they are able to think like an attacker. For instance, we ask them how they would go about
stealing their boss’s 82-inch wall-mounted television, including all the details of how
they would plan and get away with that operation. We ask them to walk us through their
thought process for the entire attack life cycle, from reconnaissance and exploitation to
privilege escalation and lateral movement to staging for infiltration and exfiltration.
We also evaluate their technical knowledge and critical thinking skills in a technical
context by dropping them into an attack scenario. For example, we may describe a
cyber event, and then ask them what they would do next, assuming that they had every
tool imaginable and anything else they needed. We try not to provide them with too
many guard rails around these questions. The goal is to better understand their logic
and how they think about computing, networks, adversaries—their entire view of the
security challenge.
In addition, we want to understand candidates’ personal interest in cybersecurity—
their interest beyond the job. Good security analysts often have a deep curiosity about
cybersecurity. These are the folks who tend to have lab networks and sandboxes in
their own homes, where they’re doing their own testing and red teaming, blue teaming,
and purple teaming to identify how things interact. This process not only tells us
about their interests but also plays into the culture of the exceptional security team we
maintain. In the world of cybersecurity, no one person knows everything. The team is
our collective consciousness.
Another important aspect of good cybersecurity professionals is their desire to learn
more, to identify what’s going on in the environment, and to win. This is important
for us because if something happens in a client environment, these are the types of
people who are going to go the extra mile to determine what happened, find the root
cause, and make sure such an attack can’t happen again. That attitude offers the
best level of protection for our clients.
Building a strong team is key to having a high-performance security practice. So
is maintaining that team. Retaining people depends on providing an environment
in which people have opportunities for personal and professional development.
Financial rewards aren’t the only things that motivate dedicated security pros. It’s
equally important to create an environment that continually feeds their need to
grow and gain knowledge. The team of analysts also needs to know that they are
foundational to what the organization as a whole does. They need to have a strong
sense of mission. In our case, I always tell folks we only have one job to do, and
that’s to save the world.
Without a solid staff of security professionals, the tools and procedures used
in the security practice become less effective. Building and maintaining an
exceptional security team is a continuous task. In many ways, a dedicated MSSP
has advantages that mid-sized and even large businesses don’t have. The MSSP
is a business whose core mission is security. Everything the team does is central to
the success of the business. It is also a setting where security people have a lot of
opportunity to learn and develop through exposure to the widest range of security
threats, IT environments, and security technologies. That’s what makes them the
strongest possible practitioners of their chosen profession.
CHAPTER 3
The Best People Need the Best Tools
CHRISTOPHER WILDES, SOC Technical Advisor, BlueVoyant
REAGAN SHORT, SOC Technical Advisor, BlueVoyant
A top-performing cybersecurity team depends on the skills of its people;
thoroughly documented processes; and technology for monitoring,
detection, analysis, and security orchestration. Technology is not just the
tool set that detects and alerts analysts to malicious and suspicious activity;
it’s the glue that ties everything together. Technology alone cannot protect
an organization, but a robust technology stack is necessary for building and
maintaining an effective security practice in today’s threat landscape. The
cyber battlefield has become an accelerating arms race between defenders and
attackers, each deploying ever-more-sophisticated tools to accomplish their goals.
The shift from mostly preventive defense strategies—those that relied heavily on
firewalls and signature-based endpoint protection—to primarily detection and
response strategies has accelerated over the past few years. It is a fundamental
shift that affects not only technology in the security stack but also the workflow
and required skill set of security practitioners.
Much of this change is driven by new kinds of attacks designed to evade older
security tools, such as fileless malware that uses legitimate applications and
social-engineering campaigns that deliver fast-moving and highly automated
malware. Another factor is that attacker tools have become commoditized. With
malware and ransomware widely available on the dark net, it becomes much easier
for bad actors to change their means of gaining access and focus on their ultimate
goals. Furthermore, not every adversary needs to dedicate resources to developing
exploits for vulnerabilities or establishing a command-and-control infrastructure.
Exploit developers can monetize their efforts by selling their wares in forums and
move on to the next exploit. This ability to segment the constituent elements of
successful campaigns exponentially increases everyone’s exposure.
These changes in tactics have necessitated new tools for monitoring, detection, and
security automation as well as more extensive threat intelligence. They have also led
to a change in how technology and information must be used and integrated to be
effective. These advanced detection and response tools are not “set-it-and-forget-it”
solutions. An effective security operation must monitor what the tools are saying
and continuously adjust the tools to meet the latest threats.
What’s Required in a World-Class, Modern Security Stack?
A top-performing security operations center needs to have the following
essential capabilities:
•	 Network- and device-level data. Early detection and response depend on having
visibility that goes beyond atomic indicators like IP addresses, domains, email
addresses, and file hashes. Analysts must look into endpoint telemetry and
see what's happening on the devices themselves; they must monitor trends
and patterns in network telemetry. Firewalls and endpoint protection are useful
for stopping known threats, but they can also provide contextual data useful
for threat hunting, which thrives on endpoint and network data that go beyond
the signatures built into endpoint agents and network appliances. Security
specialists must be able to undertake deep packet inspection and traffic anomaly
analysis as well as correlate information with logs and machine data from any
asset that can generate data relevant in a security context. Such assets include
virtual private networks and cloud service providers that reside outside the walls
of the organization.
•	 Threat intelligence. Threat intelligence is a critical piece of the puzzle because
it provides additional context for particular behaviors detected. Good threat
intelligence provides advance notice of threatening activity before it happens in
the network. When analysts detect those behavior patterns, they can much more
quickly correlate those activities with a larger security context. Actionable threat
intelligence enables rapid investigational pivots to help find additional activities that
have gone undetected.
•	 Security information and event management (SIEM). A SIEM is essential for
effective and efficient detection and response. With it, analysts can correlate event
and data sources and enhance situational awareness by employing statistical
aggregations that put different lenses on network and machine data to determine
whether something suspicious is happening. A well-engineered SIEM is an
important tool for threat hunting because it puts everything in one place so that
security teams can visualize and analyze that data with one workflow. Consolidating
security data into dashboards and visualizations built to cover everything that’s
important in the company’s environment enhances overall security workflow, but
it’s not just for the security team. It’s also a valuable tool for senior decision makers
who need to know the organization’s risk profile.
Using a SIEM is an efficient way to gather all that information and make it
available to key decision makers. Teams can manage the security of a small
operation without a SIEM, but doing so diminishes visibility and makes event
correlation more cumbersome, time consuming, and error prone.
•	 Security orchestration, automation, and response (SOAR). SOAR is the primary
platform for security automation. It enables security organizations to automate
the tasks analysts perform frequently and manually so that they can focus on
tasks that require deeper analytical skills. SOAR makes several things possible.
First, it enables a team to triage more alerts, which is important because
the volume of alerts increases as organizations grow and as the number of
adversaries on the internet increases. Second, not all detection tools and
signatures are easily tunable; SOAR empowers security teams to automatically
handle noisy, high-volume false positives. Finally, automating certain aspects of
event analysis and remediation speeds event response. Today's attacks move fast,
and if response depends on manually working through a playbook, the attacker
could very well accomplish his or her goals before the security team is able to
respond and remediate. With SOAR, it's possible to make decisions quickly and
automatically push policies forward that will mitigate threats in the future.
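As an added illustration that is not part of the original eBook and not BlueVoyant's tooling, the following Python sketch ties the four capabilities above together on constructed telemetry: a behavioral rule over endpoint process events (an Office application spawning an encoded PowerShell command) is joined to network telemetry from the same host, the result is enriched against a threat-intelligence list, and a SOAR-style suppression auto-closes a known noisy false positive from a management service account. Every host, user, domain, rule name and suppression is an assumption made up for the example.

```python
"""Added example (not BlueVoyant's tooling): a minimal SIEM/SOAR-style triage pass
over constructed endpoint and network telemetry. Hosts, users, domains and rule
names are made up for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed endpoint telemetry (EDR-style): one record per process start.
PROCESS_EVENTS = [
    {"ts": "2024-03-01T09:00:05", "host": "wks-017", "user": "alice", "parent": "winword.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo..."},
    {"ts": "2024-03-01T09:01:00", "host": "srv-mgmt-01", "user": "svc_sccm", "parent": "ccmexec.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -ExecutionPolicy Bypass -File inventory.ps1"},
    {"ts": "2024-03-01T09:02:30", "host": "wks-042", "user": "bob", "parent": "excel.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -nop -enc SQBuAHYAbwBrAGUA..."},
    {"ts": "2024-03-01T09:05:00", "host": "wks-099", "user": "carol", "parent": "explorer.exe",
     "image": "notepad.exe", "cmdline": "notepad.exe"},
]
# Constructed network telemetry (firewall/flow-style): outbound connections.
NETWORK_EVENTS = [
    {"ts": "2024-03-01T09:00:09", "host": "wks-017", "dst": "files.legit-cdn.example", "port": 443},
    {"ts": "2024-03-01T09:01:03", "host": "srv-mgmt-01", "dst": "sccm.corp.example", "port": 443},
    {"ts": "2024-03-01T09:02:34", "host": "wks-042", "dst": "pool.miner-pay.example", "port": 443},
]
INTEL_DOMAINS = {"pool.miner-pay.example"}   # constructed threat-intelligence feed
ALLOWED_DOMAINS = {"sccm.corp.example"}      # constructed internal allowlist
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

@dataclass
class Alert:
    rule: str
    host: str
    user: str
    parent: str
    cmdline: str
    dst: Optional[str] = None
    severity: str = "medium"
    disposition: str = "open"
    notes: List[str] = field(default_factory=list)

# Detection rules over one process event. The second is deliberately noisy: it
# stands in for a vendor signature that cannot be tuned at the source.
def rule_office_encoded_powershell(p):
    return (p["parent"].lower() in OFFICE_PARENTS and p["image"].lower() == "powershell.exe"
            and "-enc" in p["cmdline"].lower())

def rule_policy_bypass(p):
    return p["image"].lower() == "powershell.exe" and "-executionpolicy bypass" in p["cmdline"].lower()

RULES = {"office_encoded_powershell": rule_office_encoded_powershell,
         "powershell_policy_bypass": rule_policy_bypass}

def correlate(process_events, network_events, window=timedelta(seconds=30)):
    """SIEM step: run the rules and join each hit to the first outbound connection
    from the same host within `window` after the process start."""
    alerts = []
    for p in process_events:
        for name, rule in RULES.items():
            if not rule(p):
                continue
            a = Alert(rule=name, host=p["host"], user=p["user"], parent=p["parent"], cmdline=p["cmdline"])
            start = datetime.fromisoformat(p["ts"])
            for n in network_events:
                delta = datetime.fromisoformat(n["ts"]) - start
                if n["host"] == p["host"] and timedelta(0) <= delta <= window:
                    a.dst = n["dst"]
                    a.notes.append(f"outbound {n['dst']}:{n['port']} at {n['ts']}")
                    break
            alerts.append(a)
    return alerts

def enrich(alert, intel=INTEL_DOMAINS):
    """Threat-intel step: a known-bad destination raises severity and is recorded."""
    if alert.dst in intel:
        alert.severity = "high"
        alert.notes.append(f"threat intel match: {alert.dst}")
    return alert

# SOAR-style suppression: the SCCM service account running the inventory script
# from the management agent to the SCCM server is expected, not an incident.
SUPPRESSIONS = [{"rule": "powershell_policy_bypass", "parent": "ccmexec.exe",
                 "user": "svc_sccm", "dst_in": ALLOWED_DOMAINS}]

def triage(alerts, suppressions=SUPPRESSIONS):
    """Auto-close alerts that match every field of a suppression; escalate the rest."""
    escalated, closed = [], []
    for a in alerts:
        if any(s["rule"] == a.rule and s["parent"] == a.parent.lower() and s["user"] == a.user
               and a.dst in s["dst_in"] for s in suppressions):
            a.disposition = "auto_closed"
            closed.append(a)
        else:
            a.disposition = "escalated"
            escalated.append(a)
    return {"escalated": escalated, "auto_closed": closed}

def run_pipeline(process_events=PROCESS_EVENTS, network_events=NETWORK_EVENTS):
    return triage([enrich(a) for a in correlate(process_events, network_events)])

if __name__ == "__main__":
    for status, items in run_pipeline().items():
        for a in items:
            print(f"{status:12} {a.severity:6} {a.host:12} {a.rule} {a.dst} {a.notes}")
```

The suppression matches on the full context (rule, parent process, account and an allowlisted destination), not on a single indicator, so an attacker who merely reuses the service account from another parent process still escalates. That is the difference between tuning a signature off and handling its false positives in the orchestration layer.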
Building and Maintaining a Security Stack
The security stack consists of the technologies needed to stay ahead of today’s
threats. Building this kind of security stack is not a simple matter. It requires
investigating and choosing the right tools; integrating them with the current
environment and existing technologies; and configuring them with the rules,
visualizations, and automations that are important to the business.
The technology must also be maintained. From our experience, this is a never-ending
task that requires skilled people knowledgeable in the technologies, the environments
they are protecting, and advanced threats that are continuously evolving. In fact, a
large part of a security manager’s job is to be aware of technology changes and threats
that require modifications to the security stack.
If a tool adds capabilities through its application programming interfaces, we need to
revisit playbooks that interact with that tool and any automations associated with it.
When our threat intelligence informs us of new adversary behaviors and tactics, we
have to update our SIEM with additional correlations, aggregations, and visualizations.
As attackers use new exploits and find new paths to their target, we need to adjust
our playbooks or create new ones. It is an environment of continuous change, whether
that change comes internally from organizational shifts or externally from attackers
constantly adapting their tactics to become stealthier and faster.
For any business, maintaining that level of technical capability becomes an issue of
cost, time, and priorities. That’s why many companies turn to a managed security
services provider whose primary business is the continuous improvement required
to sustain responsiveness and a strong defensive posture. Maintaining the security
stack is essential because the tools empower the security team to perform at their
highest level. In a true positive feedback loop, this improvement goes both ways.
The people with expertise and knowledge of how adversaries work are the ones
who continuously tune the tools for maximum operational effectiveness. The right
technology and the right people are both necessary, and neither is sufficient on its
own. Armies don’t gain battlefield dominance by putting an ace pilot in a crop duster
or a layman in an F-22 Raptor.
In a world-class security practice, people and technology need each other, but
both depend on process for operational direction. The next article explores the
importance of process and how to enforce it.
People and Technology Need the
Focus That Process Provides
CHAPTER 4
JOE GIGLIOTTI
Manager, Client Experience
Team, BlueVoyant
REAGAN SHORT
SOC Technical Advisor,
BlueVoyant
CHRISTOPHER WILDES
SOC Technical Advisor,
BlueVoyant
Within the security operations center (SOC), the security team works with
technologies to perform the following essential security functions:
•	 Detect, classify, and determine the best way to mitigate threats.
•	 Take the necessary threat response and mitigation actions.
•	 Acquire threat intelligence and engage in threat hunting.
To successfully perform these core activities, the SOC requires interaction among
the people, technology, and client organizations it’s charged with protecting.
Without well-documented processes that span all these functions, security staff
won’t be able to perform their mission or use the technology tools available to
them efficiently.
In the world of cybersecurity, process is the methodology a security team follows to
achieve its security objectives. Those processes are documented at a more granular
level in scenario-specific playbooks. Playbooks provide step-by-step action plans
that tell analysts exactly how they should respond to an incident. Each playbook
is specific to a type of incident. For instance, ransomware would have its own
playbook; there may even be playbooks for different types of ransomware. A good
security practice has playbooks that cover every kind of security event that poses a
significant risk.
Playbooks are structured to ensure that analysts can make a determination about
an event and pass on recommendations with as much contextual information as
possible so that the client organization can take corrective actions. Some playbooks
or portions of playbooks are also encoded in security orchestration, automation, and
response (SOAR) as automated functions. But, where do processes and playbooks
come from?
Creating Processes and Playbooks
Processes, playbooks, and workflows begin at a high level with the broad mission
and goals of the security practice. The cultural integrity within the team forms the
basis for how it approaches its mission. Specific processes are the methods this
team devises to achieve its goals, and playbooks become granular action plans that
contain detailed workflows. For many organizations, playbook creation begins with
a generic playbook related to a specific type of incident. This playbook may come
from an industry-accepted security framework such as Integrated Adaptive Cyber
Defense, sponsored by the US Department of Homeland Security. Quickly, however,
these generic playbooks must be customized for the unique approach the security
practice uses.
Building customized playbooks requires a two-pronged strategy rooted in the
experience of the security team:
•	 Proactive playbook development. This aspect of playbook development relies
heavily on threat intelligence, understanding your threat landscape, and building
playbook scenarios to address recognizable threats. If you discover a newly
emerging threat, create a playbook for responding to it. Playbook creation
requires dedicated work by threat intelligence specialists who continuously
monitor the latest attacks. It requires subscribing to threat intelligence services,
downloading and testing attack code, and creating a response workflow that
you believe will provide a sufficient response if and when that type of attack is
detected. A world-class security practice must proactively develop playbooks
continuously to minimize the chance of being caught by a new kind of attack.
•	 Reactive playbook development. This is a process of continuous evaluation
of actual incident response workflows. Every time a critical incident occurs,
the entire team needs to review how it handled the event, what worked well
and what didn’t, and the lessons it learned from how it managed the event.
These takeaways become the basis for either modifying an existing playbook or
creating new playbooks.
Another aspect of playbook creation is making decisions about which parts of the
playbook can be offloaded to the SOAR platform for automation and which parts to
put into a physical document that analysts can follow. This continuous balancing act
optimizes how the security technology and analysts work together.
A lot goes into determining what belongs in playbooks and which portions of the
playbooks are offloaded to the SOAR platform. Those decisions come back to the
central role of security operations: being at the forefront of risk mitigation. Every
possible security event has a risk impact based on the probability of its occurrence
and its severity to the business should it occur. Risk impact is a primary factor in
deciding what goes into highly specific playbooks and which parts of those playbooks
should be automated. The difficulty of task performance is also a key consideration.
When you’re building a playbook, you want to make sure that the humans in the SOC
are getting it right, especially when there is some level of difficulty or a large chain of
actions that must take place to enrich, normalize, and provide additional value to system
data. Playbooks ensure that nothing is missed. Automating portions of the playbook,
especially high volumes of heavily repeated tasks, frees analysts to work through more
complex operations that require human analytical skills. When responding to fast-moving
events, getting the workflow right is critical because the stakes are often high.
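An added illustration, not BlueVoyant's playbook content and not code from the original eBook, of how the decision just described can be encoded: each playbook step declares how disruptive a wrong execution would be, the incident's risk impact is computed as probability times severity, low-impact enrichment always runs automatically, and a high-impact containment step on a critical asset halts the playbook and hands the analyst everything gathered so far. The asset inventory, intelligence entries, process telemetry, step names and thresholds are all assumptions constructed for the example.

```python
"""Added example (not BlueVoyant's playbook content): a playbook runner with an
explicit boundary between automated steps and analyst approval. Lookups stand in
for a CMDB, an intel feed and EDR telemetry and are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

ASSETS = {"wks-031": {"criticality": "low", "owner": "finance"},
          "dc-01": {"criticality": "critical", "owner": "infrastructure"}}
INTEL_HASHES = {"deadbeef0001": "known ransomware encryptor (constructed entry)"}
RECENT_PROCS = {"wks-031": ["winword.exe -> powershell.exe -enc ...", "powershell.exe -> encrypt.exe"],
                "dc-01": ["services.exe -> encrypt.exe --all"]}
SEVERITY = {"ransomware": 5, "commodity_malware": 3, "policy_violation": 1}  # 1..5 scale

@dataclass
class Incident:
    kind: str
    host: str
    sha256: str
    confidence: float                      # detection confidence, the "probability" term
    context: Dict = field(default_factory=dict)

@dataclass
class Step:
    name: str
    impact: str                            # "low": safe and reversible; "high": disruptive if wrong
    action: Callable[[Incident], str]

def risk_score(incident: Incident) -> float:
    """Risk impact = probability of the event x severity to the business."""
    return round(incident.confidence * SEVERITY.get(incident.kind, 1), 2)

def should_automate(step: Step, incident: Incident) -> bool:
    if step.impact == "low":
        return True
    # High-impact actions run unattended only on non-critical assets with a confident detection.
    crit = incident.context.get("asset", {}).get("criticality", "unknown")
    return crit == "low" and incident.confidence >= 0.9

# Step actions: each adds to incident.context and returns a one-line result.
def lookup_asset(i: Incident) -> str:
    i.context["asset"] = ASSETS.get(i.host, {"criticality": "unknown", "owner": "unknown"})
    return f"asset {i.host}: {i.context['asset']}"

def lookup_hash(i: Incident) -> str:
    i.context["intel"] = INTEL_HASHES.get(i.sha256)
    return f"intel for {i.sha256}: {i.context['intel']}"

def collect_processes(i: Incident) -> str:
    i.context["processes"] = RECENT_PROCS.get(i.host, [])
    return f"{len(i.context['processes'])} recent process events collected"

def isolate_host(i: Incident) -> str:
    i.context["isolated"] = True                    # constructed EDR isolation call
    return f"{i.host} isolated"

def block_hash(i: Incident) -> str:
    i.context["blocked"] = i.sha256                 # constructed EDR blocklist call
    return f"{i.sha256} blocked on all endpoints"

RANSOMWARE_PLAYBOOK: List[Step] = [
    Step("lookup_asset", "low", lookup_asset),
    Step("lookup_hash", "low", lookup_hash),
    Step("collect_processes", "low", collect_processes),
    Step("isolate_host", "high", isolate_host),
    Step("block_hash", "high", block_hash),
]

def run_playbook(incident: Incident, playbook: List[Step]) -> Dict:
    """Run steps in order. The first step that needs a human halts the playbook;
    it and every later step are queued, so the analyst resumes with full context."""
    executed: List[Tuple[str, str]] = []
    pending: List[str] = []
    for step in playbook:
        if pending or not should_automate(step, incident):
            pending.append(step.name)
        else:
            executed.append((step.name, step.action(incident)))
    return {"risk": risk_score(incident), "executed": executed,
            "pending_approval": pending, "context": incident.context}

if __name__ == "__main__":
    for host in ("wks-031", "dc-01"):
        result = run_playbook(Incident("ransomware", host, "deadbeef0001", 0.95), RANSOMWARE_PLAYBOOK)
        print(host, result["risk"], [n for n, _ in result["executed"]], result["pending_approval"])
```

Raising the confidence threshold, widening the set of assets eligible for automatic isolation, or moving a step between the low- and high-impact tiers is exactly the balancing act described above, and the reactive review after each incident is where those values get revised.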
Playbook workflows enrich and are enriched by the data available to the security
operations team. Interpreting events and deciding on best mitigations requires
correlating data points that are coming from the network and from endpoints in
the environment you’re protecting. The more and better data that are available,
the more effective playbook workflows will be in correlating the most relevant
contextual data, which will result in more explicit, accurate, and timely responses.
Having that visibility and supporting data makes those playbooks more meaningful
as it drives the process of detection and response.
Creating good playbooks isn't easy, especially if you are totally unaware of the
threat that could become your next big event. If you're trying to build a playbook
for something you haven't seen before, it's like shooting in the dark. That is
one advantage a managed security services provider (MSSP) has over most
businesses. By handling security for a large number of clients, a good MSSP deals
with a much larger attack surface than most businesses will ever have to manage.
They see a higher percentage of campaigns that are active in the wild, far more
than individual organizations are likely to see. All this puts the MSSP in a better
position to build and maintain strong, up-to-date playbooks.
Maintaining Process and Balance in the Practice
Maintaining processes in a security practice largely involves maintaining
playbooks. That requires continuous threat research and performance evaluation.
The more exposure a security practice has to actual security events and the
more threat hunting resources it can deploy, the more opportunity it will have to
keep playbooks and workflows current based on the latest attacks and the best
response strategies.
Continuous playbook development and evaluation are central to striking the
best balance between manual and automated tasks for maximum performance
of security operations. Playbooks mediate the relationship between people and
technology in a security practice. The best outcome for the practice is when the
right person with the right skills, the right expertise, and the right instinct has
access to the best technology to maximize output. That’s what keeps a security
practice ahead of the enemy.
The hard work of process and workflow refinement never ends because in the
world of cybersecurity, everything changes. The IT environments you’re protecting
change, attackers change their strategies and tools, and defensive capabilities
change. One key to building a world-class cybersecurity practice is recognizing
these changes and understanding where the opportunities lie to either use or
respond to that change. Building and maintaining playbooks is a critical, unifying
activity that defines a world-class security practice.
Putting It All
Together: 9 Tips for
Building a World-
Class Cybersecurity
Operation
TRAVIS MERCIER
Head of Global Security
Operations at BlueVoyant
CHAPTER 5
A high-performance security practice depends on a dedicated, well-equipped
team of skilled security experts working from the established processes
currently relevant to the threat landscape they face and the environment
they're protecting. It's not enough to simply set up good detection and response
tools and let them do their thing. Successfully protecting digital assets requires
tight integration among people, process, and technology.
Achieving that cohesion in a security practice demands focused effort to find
good people, sharpen their skills, research the latest defensive technologies, and
adapt processes to current threats and operational capabilities. Maintaining a
world-class security operation is work that never ends because attackers never
rest. For example, Kaspersky reports that the number of ransomware variants it
detects grew 153 percent in one year, from Q3 2018 to Q3 2019.
Cyberthieves work hard to create new variants because ransomware is a highly
lucrative business for them. That's bad news for potential ransomware victims,
which is pretty much all of us.
Without a strong, dedicated cybersecurity program, it’s difficult to defend against the
growing number, variety, and complexity of cyberattacks. This eBook drills into the
foundations of a world-class security operation: its people, processes, and technology.
The key to strong security is how these pieces come together to work as a tightly
integrated security machine. To that end, here are nine tips for building an exceptional
security practice:
•	 Treat security as a specialized discipline, not a branch of IT. In many security
practices, especially those in small and midsized businesses (SMBs), security is
a function within the IT organization. IT people are assigned security tasks like
installing and configuring tools, investigating and responding to alerts, and patching
vulnerabilities. As long as security is considered a subset of IT, it will never have the
cohesion required of an exceptional security practice.
Making security a specialized organization within the business, with its own
budget and mission, gives it focus. It becomes a destination for security-minded
professionals who will share knowledge as they work together toward a common
goal. It provides a career path for serious cybersecurity professionals. It creates
continuity in the security operation. These are the characteristics of a security
practice that will attract and retain skilled security professionals.
•	 Hire the best people. The best people aren’t necessarily those with the most
security experience. They are people who have good analytical skills, are passionate
about cybersecurity, can think like attackers, and are energetic self-learners.
They should also be people who will work with others on the team. Cultural fit is
important. That’s why hiring security people is itself a team activity.
•	 Build the technology stack in your security operations center (SOC) using
best-in-class tools from proven vendors. Avoid building or buying into proprietary
tools. This approach creates a security "black box" that becomes difficult to develop
and maintain—one that the rest of the organization may not understand. It's better
to pick best-of-breed technology and ingest data from those tools so that the team
can focus its energies on analyzing the output rather than configuring
the tools.
•	 Maximize data inputs from your environment. Your security practice is only as
good as the data it has to work with. You need to capture as much data as possible
from traffic flow in the network, from firewalls and other network appliances,
endpoints and their abstraction layers, applications, and hosting environments. With
more contextual data, your processes and playbooks become more effective for
helping analysts quickly detect and respond to incidents.
•	 Build and maintain detailed playbooks. Create playbooks that detail what to do for
every kind of security event you experience. Also, create playbooks that cover serious
potential threats you may not have experienced, yet. To create such a forward-looking
playbook, you’ll need to conduct threat research, test malicious code to see how it
behaves, and use that research to develop detailed playbook workflows. Finally, you
must update these playbooks continuously through regular review and as part of
incident post mortem analyses.
•	 Be aggressively proactive in your practice. Subscribe to threat intelligence, and
actively engage in threat hunting. Be highly proactive in playbook development by
creating playbooks that cover threats you haven’t experienced yet so that you will be
able to detect and mitigate them as soon as they appear in your environment. Share
information, and learn continuously about new defensive capabilities and threats.
•	 Use security automation. Deploy a security orchestration, automation, and response
(SOAR) platform, and use it to automate portions of your playbooks. In this way, you
can offload repetitive tasks from skilled security analysts, freeing them to focus on
more complex tasks, such as analysis and workflow. Automation also significantly
increases the speed of incident detection and response. Security automation makes it
possible to more efficiently examine a higher percentage of alerts.
•	 Continuously evaluate and update technology, processes, and playbooks.
Everything security touches is constantly changing, whether it’s the IT environment,
the tools used to defend it, or the threats it faces. Team members must be
passionate and self-learning because cybersecurity is a continuous learning
endeavor. It’s critical that the culture and workflow of the security practice include
regular playbook assessment, postevent assessment, threat research, and
investigation into the latest tools and strategies. These activities should be as
normal as breathing.
•	 Cultivate the habit of working as a team. When it comes to cybersecurity, no
one person can know everything. A high-performance security practice is a highly
collaborative one. When there’s a problem to be solved, a post mortem assessment
of an incident, or a need to rethink a process, it pays to have as many people
involved as possible.
What if you lack the resources to build your own world-class security operation?
Not every company is in a position to build its own security practice with all the
capabilities it needs to adequately defend the business. SMBs are particularly
vulnerable for several reasons. For example, SMBs often don’t have the time or money
to build the level of security they really need to sufficiently lower their risk exposure.
Furthermore, they often fail to recognize how vulnerable they are. It’s easy to assume
that if you’ve set up pretty good endpoint protection, you have firewalls, and you keep
up with patches, you’re in decent shape. Besides, you’re just an SMB. The bad guys are
really going after much more value than you have to offer, right?
Well, not really. Industry research shows that nearly 60 percent of companies suffering
data breaches are SMBs. These same businesses are also ripe targets for ransomware
because the disruption such attacks cause is more costly to SMBs than to enterprises.
However, these companies can still have world-class security protection. Increasingly,
they are working with managed security services providers (MSSPs) to strengthen
their security posture. The best MSSPs are totally focused on security, which gives
them all the advantages of a dedicated operation—the ability to hire and retain the best
people, build and maintain the best technology, and have the resources to be proactive
in developing and maintaining processes that keep up with the latest threats. Also,
through their client relationships, MSSPs typically see and can mitigate a substantial
array of threats. If you’re considering working with an MSSP, pay particular attention to
these points:
•	 How does the MSSP acquire and develop staff expertise?
•	 Which technologies does the MSSP use and how? Do its tools include
endpoint detection and response, security information and event management,
SOAR, and the other essential capabilities? Does it use best-in-class solutions from
proven vendors rather than proprietary, black box solutions?
•	 Does the MSSP take a proactive approach to threat hunting?
•	 Does the MSSP maintain a global footprint? Even if your business is a local or
regional one, cyber threats have no boundaries.
Building a world-class security operation requires adherence to best practices for people,
processes, and technology. However, for companies that don't have the knowledge
or resources to build a SOC internally, a best-in-class MSSP can provide the security
coverage they need.
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptx
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
tonesoftg
tonesoftgtonesoftg
tonesoftg
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
 
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 

BlueVoyant: How to Build a World-Class Cyber Security Practice

Sponsored by

HOW TO BUILD A WORLD-CLASS CYBER SECURITY PRACTICE

Mighty Guides make you stronger. These authoritative and diverse guides provide a full view of a topic. They help you explore, compare, and contrast a variety of viewpoints so that you can determine what will work best for you. Reading a Mighty Guide is kind of like having your own team of experts. Each heartfelt and sincere piece of advice in this guide sits right next to the contributor’s name, biography, and links so that you can learn more about their work. This background information gives you the proper context for each expert’s independent perspective. Credible advice from top experts helps you make strong decisions. Strong decisions make you mighty.

Introduction: Building a World-Class Cybersecurity Practice

It’s true: Cybersecurity is risky business. It’s all about mitigating risk, but it’s also about keeping up with the latest threats—threats that are emerging almost too fast to count. It’s about keeping up with a continuous growth in attack surface and a growing flood of alerts. It’s about keeping up with the latest security technologies. And, if you miss something, just once, you could have a really, really bad day.

Industry research shows that most companies believe that their cybersecurity operation isn’t good enough—that they’re losing ground. Is there a way past the challenges security practices must contend with every day?

In this eBook, security experts from BlueVoyant explore the challenges facing today’s security operations. They discuss in detail what it takes to build a world-class security practice capable of managing the growing volume and complexity of cyberthreats. It’s not an easy task. Doing security right requires hiring and retaining excellent people, building and maintaining a solid technology stack, and continually refining processes and workflows.

Speaking from experience, because the company has successfully built its own high-performance, global security operation, the BlueVoyant experts offer valuable advice. They also tell you how to put it all together into a tightly integrated security operation. If you’re concerned about your organization’s security posture—and you should be—I believe you’ll appreciate these articles from the experts at BlueVoyant.

All the best,
David Rogelberg
Editor

© 2020 Mighty Guides, Inc. | 9920 Moorings Drive | Jacksonville, Florida 32257 | 516-360-2622 | www.mightyguides.com
BlueVoyant is an analytic-driven cybersecurity company whose mission is to protect organizations of all sizes against agile and well-financed cyber attackers. Founded and led by experts in the cybersecurity and government security sectors, BlueVoyant’s offerings are built with real-world insight and applicability. Through our Advanced Threat Intelligence, Managed Security Services, and Incident Response Services, we excel in intelligence gathering, cybersecurity defense, detection of attacks, and response coupled with remediation. Our 24/7 SOCs, offices around the world, and our security analytics platform position us to best help our customers defend against emerging cyber threats. For more information, visit bluevoyant.com.

Foreword: Resource-Constrained Security Teams Can Achieve the Capabilities of the Most Well-Defended Organizations

Most world-class security technologies are available only to the “security 1%”: banks, national governments, and the largest enterprises. These organizations have sizeable budgets to hire and retain significant expertise and to purchase or develop premier security solutions. These large enterprises drive innovation, but their solutions don’t map well to small-to-mid-sized organizations, the other 99%. Smaller enterprises are typically constrained by budget and resources and are forced to compromise when it comes to security.

BlueVoyant provides a new approach for resource-constrained teams. We democratize cybersecurity by protecting organizations of all sizes against agile and well-financed cyber attackers through highly scalable service offerings tailored to meet the needs of our clients. We partner with our clients to achieve a level of security that they couldn’t reach on their own. We provide technology and integration they couldn’t otherwise afford. We offer threat intelligence that they wouldn’t have access to. We staff our Security Operations Centers with experts they would have difficulty hiring and retaining. As a result, we trim high costs and help IT teams achieve a level of security previously available only to the largest and most well-defended organizations.

Founded and led by experts in the cybersecurity and government security sectors, BlueVoyant makes superior technology, proprietary threat intelligence, 24x7 Security Operations Centers (SOCs), and deep cybersecurity expertise available to enterprises of all sizes. We provide mutually reinforcing solutions that allow clients to right-size services to meet their unique needs.

The first step in determining the proper security for your organization is to arm yourself with the right questions. The experts who have contributed to this Mighty Guide will help prepare you to move forward on your quest for improved cybersecurity. Enjoy the book.

Regards,
Thom VanHorn
Head of Marketing, BlueVoyant
Table of Contents

Chapter 1: Introduction: Addressing Today’s Dynamic and Evolving Cyber Risks (page 06)
Chapter 2: People Are the Foundation of a World-Class Security Operation (page 12)
Chapter 3: The Best People Need the Best Tools (page 21)
Chapter 4: People and Technology Need the Focus That Process Provides (page 29)
Chapter 5: Putting It All Together: 9 Tips for Building a World-Class Cybersecurity Operation (page 37)
Meet Our Experts

Joe Gigliotti, Manager, Client Experience Team, BlueVoyant
Joe Gigliotti is the manager of BlueVoyant’s Client Experience Team. He has 17 years of IT experience, 8 of which have focused on cybersecurity and incident response. Before joining BlueVoyant, Joe was an analyst on Secureworks’ Security Response team. Joe holds a bachelor’s degree in network engineering from Johnson & Wales University and several certifications, including Sourcefire SFCP, SANS GIAC Certified Intrusion Analyst, and GIAC Information Security Professional.

Travis Mercier, Head of Global Security Operations, BlueVoyant
Travis Mercier is head of Global Security Operations for BlueVoyant, responsible for Global Security Operations Centers (SOCs) and the Threat Fusion Cell. He has 13 years of experience in cybersecurity, incident response, and digital forensics. Before joining BlueVoyant, Travis led Rackspace Managed Security’s Customer SOC and Managed Security Threat Intelligence Cell. He holds bachelor’s degrees in information systems and cybersecurity/infrastructure assurance from the University of Texas at San Antonio.

Michael Scutt, Director of Hunt Operations, BlueVoyant
Michael Scutt leads threat hunting services at BlueVoyant, helping clients uncover advanced adversaries, cutting-edge malware, and attacker infrastructure. His focus areas include host-based forensics, malware analysis, and threat research. Michael has spent a decade in information security and played many roles, from enterprise infrastructure hardening and threat mitigation to managing incident response engagements for Fortune 50 companies. Prior to joining BlueVoyant, Mike was the director of Security Research at CrowdStrike.

Reagan Short, SOC Technical Advisor, BlueVoyant
Reagan Short, CISSP, is a technical advisor for BlueVoyant’s SOC, responsible for technical strategies related to detection mechanisms and process improvement. He has 15 years of experience in host, network, and data security analysis. Before joining BlueVoyant, he was a senior security analyst at LEO Cybersecurity, responsible for threat hunting and signature creation. Reagan holds a master’s degree in cybersecurity from the University of Texas at San Antonio.

Christopher Wildes, SOC Technical Advisor, BlueVoyant
Christopher Wildes, GCIH, GWAPT, is a SOC technical lead for BlueVoyant, responsible for workflow automation and process improvement. He has 10 years of experience in cybersecurity operations, enterprise vulnerability management, and host- and network-based analysis. Before joining BlueVoyant, Christopher was a security analyst for Rackspace Managed Security and an analyst for the US Air Force Computer Emergency Response Team. He holds a master’s degree in cybersecurity from Pennsylvania State University.
Chapter 1: Introduction: Addressing Today’s Dynamic and Evolving Cyber Risks
Travis Mercier, Head of Global Security Operations at BlueVoyant

Cybersecurity has never been easy, and even under the best of circumstances, it is never perfect. A good practice can and must keep the risk of loss from cyberattacks at an acceptably low level for the business. Every business has its own risk profile based on the criticality of its digital assets, the vulnerability of its systems and operations, and its potential value as a target. A cybersecurity practice must accurately assess these factors and work with business management to determine what’s needed to deliver the necessary level of protection. Building a strong security practice capable of achieving that goal is a continuous challenge because the game keeps changing, for three main reasons:

• Exponential growth in attack surfaces. The days of placing all your high-value assets in one place secured by access controls and firewalls are long gone. Today, we live in a world of distributed networks and distributed computing. It is a world in which data are stored, moved, and processed in the cloud and at the network edge. The data environment is cluttered with a growing number of Internet of Things devices that are potential network access points. Some of these devices are fixed equipment such as appliances, industrial controls, and machinery. Others are mobile devices, cell phones, vehicles, and specialized devices such as wireless medical equipment. They all contribute to an attack surface that is continuously growing and changing. Even people have become a big part of the growing attack surface. People spend more time connected to more data through more devices than ever before, making them prime targets for attacks specifically engineered to fool them into opening a door for attackers.

• Exponential growth of attacks. Cybersecurity experts know that attacks are growing in intensity. Recent business surveys show a 350 percent growth in ransomware attacks between 2017 and 2018. Over the same period, email spoofing increased by 250 percent. Increased opportunity provided by a growth in attack surface is one reason for this sharp increase, but there’s much more to it than that. For one thing, attack technology has become widely available in kit form, making it accessible to anyone with modest technical skills. Also, attackers are adopting the most sophisticated technologies, using automated, multivector strategies driven by machine learning in an effort to bypass even the best defenses. Beyond the technical factors, however, are the hard economic realities. Cybercrime pays. Stolen computer capacity, stolen personal data, stolen intellectual property, and stolen state secrets—it’s a growing market. Thieves can even make money without actually stealing anything. Ransomware is growing so quickly because many organizations pay handsomely to save their data. Cybercrime isn’t only big business in itself; it has become central to the strategic competition between businesses and nations.

• Increased cost and complexity of defensive technologies. To combat these growing threats, solution providers are introducing more sophisticated tools and approaches to cybersecurity. The promise is that these tools speed threat detection and response as well as increase the productivity of a security practice. Under ideal circumstances, these tools deliver on that promise, but they are expensive, and effective implementation requires specialized skills. The challenges for many practices are first, finding the resources to invest in the technologies they need, and then finding skilled people to implement and maintain them. The world of cybersecurity suffers from a skills shortage that has grown more critical in recent years. Finding people with the skills needed to implement advanced defensive technologies is a serious challenge for many security practices.

These are the realities that cybersecurity practices face every day: a perfect storm of challenges that makes it difficult for any organization to keep up with the latest threats and the latest defensive technologies. Does this mean that building an effective cybersecurity practice is an impossible task? Sometimes, it may seem that way, but the answer is no. You can build a strong practice, but it takes a lot of work.

Operating in today’s cyber environment often feels like swimming in shark-infested waters. To swim it safely, you need a world-class cybersecurity practice that can quickly and reliably detect, respond to, and mitigate both known and previously unseen threats. Building a practice with those capabilities requires turning to the fundamentals of people, processes, and technology. With the right people, processes, and technology, a security practice can shape itself to effectively address the cyber risks faced by the organization it must protect.

A significant challenge to developing a security practice is attracting and retaining people who have the skills the practice requires. Competition for good security people is stiff, but no matter how desperate your organization is to fill a position, it pays to be highly selective. You need people who have experience and who live and breathe cybersecurity. You want people whose passion leads them to explore new technologies and learn new methods. You want to dig into their technical capabilities, test them, and work with them to be sure they’re a good cultural fit for your organization. Once you bring someone on board, you must train them on your technology and processes, and then keep them sharp. Cultivating a tight security team that has the right skills and motivation takes time. Maintaining that team requires setting expectations and providing paths for continued development.

In addition to cultivating the right people, a world-class security practice operates with fully documented processes that can be automated. You need extensive playbooks that cover every kind of security event, and you must update those playbooks based on programmatic reviews of real cases in your environment. The process is continuous, and you enforce it through an assumption in the culture that nothing is real if it isn’t documented. A good security practice doesn’t rely on tribal knowledge. The ultimate goal is to streamline detection and response so that it’s fast, accurate, and reliable.

Finally, a world-class security practice must invest in a technology stack that supports the business’ defensive requirements. This investment includes monitoring, detection, analysis, threat intelligence, and security orchestration. Building this technology stack is more than just acquiring the right technology. It also involves developing the skills to implement and maintain those tools. Poorly implemented technology is at best a waste of money and at worst creates a dangerously false sense of security.

It’s not easy to build a truly effective security practice, but it is necessary for any organization to thrive in today’s dynamic threat environment. I know from personal experience here at BlueVoyant that it can be done because we have done it successfully. In the articles of this e-book, we share strategies that have helped us find the right people, formalize our processes, build our technology stack, and put it all together into a world-class security practice.
  • 12. 12How To Build a World-Class Cyber Security Practice People Are the Foundation of a World-Class Security Operation CHAPTER 2 MICHAEL SCUTT Director of Hunt Operations, BlueVoyant
  • 13. 13How To Build a World-Class Cyber Security Practice D efending data has unquestionably become a battle of attackers’ tools and cleverness pitted against the technology and ingenuity of defenders. In this endless contest, the rapid evolution of both offensive and defensive capabilities has dominated much of the discussion about security trends and strategies. Defenders are employing artificial intelligence, machine learning, and automation techniques to improve the speed and accuracy of their defenses. They are also continuously adapting to changing IT environments that, while offering new levels of operational flexibility, come with plenty of new attack vectors. Amidst all this focus on the technology of cybersecurity, one critical element of security operations remains necessary and unchanged: the need for good security people—the analysts and operators who interpret what the technology is saying and who make the important decisions. People continue to be foundational to a world-class cybersecurity practice. People Are the Foundation of a World-Class Security Operation Amidst all this focus on the technology of cybersecurity, one critical element of security operations remains necessary and unchanged: the need for good security people.
  • 14. 14How To Build a World-Class Cyber Security Practice The Human Factor in a Modern Cybersecurity Practice Why are people so important to the practice of cybersecurity? It comes down to what the tools can and cannot do by themselves. Modern cybersecurity tools, properly deployed, are good at identifying unusual and threatening activity happening in the network. The ability to identify these events is vital, but when they are discovered, the assumption must be that an adversary is already in the network. There has already been a compromise. The key questions immediately become, How far has the attack progressed? What other parts of the network are affected? Is the attacker continuing to move? Security analysts are the ones who answer those questions. When security analysts receive alerts, they must be able to scope out where in the attack life cycle they are, identify the root cause, and isolate any additional activity that took place after that notification. The analyst must correlate that event with other activities, make decisions about contacting affected organizations, and provide those organizations with context and other information they will need to take quick, corrective action. The information coming out of the security organization must be accurate and actionable. To do their job well, analysts must: People Are the Foundation of a World-Class Security Operation The ability to identify these events is vital, but when they are discovered, the assumption must be that an adversary is already in the network.
  • 15. 15How To Build a World-Class Cyber Security Practice • Have critical thinking skills; • Be familiar with operating system fundamentals and attacker methodologies; • Know the tools they’re using and the tools their adversaries are using; and • Have knowledge of enterprise technologies. Without the benefits of human analysts, the security tools will continue to faithfully deliver alerts to the affected organization. The tools may even successfully block an event. If the organization is dealing with a persistent adversary, however, that adversary will at some point successfully circumvent the block. For this reason, a consistently strong security practice is deeply dependent on the quality of the people who make up the security team. Finding and Retaining Good Security People Good security analysts have unique skills that don’t always arise from training and a background in cybersecurity. Cybersecurity professionals should possess three essential qualities: People Are the Foundation of a World-Class Security Operation Good security analysts have unique skills that don’t always arise from training and a background in cybersecurity.
  • 16. 16How To Build a World-Class Cyber Security Practice • Critical thinking. They need to be able to look at a cyber event; recognize it as malicious activity; and, based on that activity, determine whether it represents a particular stage in an attack life cycle. Then, they must be able to decide on appropriate next steps. • Passion. Good security professionals must have an unquenchable desire to find the bad guys and a passion for winning. • Ability to self-learn. Cybersecurity is a fast-paced industry, and adversaries are innovating at an alarming rate. Good cybersecurity professionals are always doing their own research to find out about the latest threats, and they are always sharing information with their colleagues. It’s the only way to keep up with what’s happening in the field. This habit is important because attackers are doing exactly the same thing. Finding people with preexisting cybersecurity knowledge is ideal, but it’s not an absolute criterion. The best candidates typically have worked in roles where they rely on the critical thinking skills so important to good security analysts. Interestingly, some the best candidates we have encountered came from degree programs like nuclear physics and mathematics, which foster a strong, logical approach to problem solving. People Are the Foundation of a World-Class Security Operation Finding people with preexisting cybersecurity knowledge is ideal, but it’s not an absolute criterion.
  • 17. 17How To Build a World-Class Cyber Security Practice It is no easy task to find and retain top-quality security people. Growing demand for security professionals who have the right knowledge and skills has created a situation where there are far more job openings than qualified people to fill them. Recently, more mature companies have begun to view cybersecurity as a special domain of expertise, not just a subset of IT. That view helps create a more cohesive security team within the organization—and a new career path for serious cybersecurity professionals, which is important for retention efforts. Yet most organizations still see cybersecurity as a budgetary item necessary to prevent loss. It’s not seen as something that actually adds value to the core business. That’s where managed security service providers (MSSPs) have an advantage in hiring and developing top security talent. Security isn’t just a cost center inside the business. For an MSSP, security is the business. When the security professionals in that business perform well, they add value to the core business in a big way. It becomes an environment in which serious-minded security people can pursue a career; they can develop themselves through exposure to a much broader range of cybersecurity experiences than they are likely to receive on a mid-sized company’s security team. People Are the Foundation of a World-Class Security Operation Security isn’t just a cost center inside the business. For an MSSP, security is the business.
As difficult as it is to find and retain good people, doing it well is critical to building a top-notch security practice. The skills and dedication of those people enable the team to perform. These people also help create the culture of security needed for the organization to work as an effective team.

Strategies for Building and Maintaining a Security Team

When assessing candidates for our team, we assume that they have some level of computing knowledge. Regardless of what their resume says or their cybersecurity credentials, we put them through a lengthy interview process that involves several people on our team. We want to see how candidates think about security challenges and assess the more intangible aspects of their personality, such as whether they have that passion to excel and self-learn. We’ll typically ask several questions to test candidates’ critical thinking skills and see if they are able to think like an attacker. For instance, we ask them how they would go about stealing their boss’s 82-inch wall-mounted television, including all the details of how they would plan and get away with that operation. We ask them to walk us through their thought process for the entire attack life cycle, from reconnaissance and exploitation to privilege escalation and lateral movement to staging for infiltration and exfiltration.
We also evaluate their technical knowledge and critical thinking skills in a technical context by dropping them into an attack scenario. For example, we may describe a cyber event, and then ask them what they would do next, assuming that they had every tool imaginable and anything else they needed. We try not to provide them with too many guard rails around these questions. The goal is to better understand their logic and how they think about computing, networks, adversaries—their entire view of the security challenge.

In addition, we want to understand candidates’ personal interest in cybersecurity—their interest beyond the job. Good security analysts often have a deep curiosity about cybersecurity. These are the folks who tend to have lab networks and sandboxes in their own homes, where they’re doing their own testing and red teaming, blue teaming, and purple teaming to identify how things interact. This process not only tells us about their interests but also plays into the culture of the exceptional security team we maintain. In the world of cybersecurity, no one person knows everything. The team is our collective consciousness.
Another important aspect of good cybersecurity professionals is their desire to learn more, to identify what’s going on in the environment, and to win. This is important for us because if something happens in a client environment, these are the types of people who are going to go the extra mile to determine what happened, find the root cause, and make sure such an attack can’t happen again. That attitude offers the best level of protection for our clients.

Building a strong team is key to having a high-performance security practice. So is maintaining that team. Retaining people depends on providing an environment in which people have opportunities for personal and professional development. Financial rewards aren’t the only things that motivate dedicated security pros. It’s equally important to create an environment that continually feeds their need to grow and gain knowledge. The team of analysts also needs to know that they are foundational to what the organization as a whole does. They need to have a strong sense of mission. In our case, I always tell folks we only have one job to do, and that’s to save the world.

Without a solid staff of security professionals, the tools and procedures used in the security practice become less effective. Building and maintaining an exceptional security team is a continuous task. In many ways, a dedicated MSSP has advantages that mid-sized and even large businesses don’t have. The MSSP is a business whose core mission is security. Everything the team does is central to the success of the business. It is also a setting where security people have a lot of opportunity to learn and develop through exposure to the widest range of security threats, IT environments, and security technologies. That’s what makes them the strongest possible practitioners of their chosen profession.
CHAPTER 3: The Best People Need the Best Tools

CHRISTOPHER WILDES, SOC Technical Advisor, BlueVoyant
REAGAN SHORT, SOC Technical Advisor, BlueVoyant
A top-performing cybersecurity team depends on the skills of its people; thoroughly documented processes; and technology for monitoring, detection, analysis, and security orchestration. Technology is not just the tool set that detects and alerts analysts to malicious and suspicious activity; it’s the glue that ties everything together. Technology alone cannot protect an organization, but a robust technology stack is necessary for building and maintaining an effective security practice in today’s threat landscape.

The cyber battlefield has become an accelerating arms race between defenders and attackers, each deploying ever-more-sophisticated tools to accomplish their goals. The shift from mostly preventive defense strategies—those that relied heavily on firewalls and signature-based endpoint protection—to primarily detection and response strategies has accelerated over the past few years. It is a fundamental shift that affects not only technology in the security stack but also the workflow and required skill set of security practitioners.
Much of this change is driven by new kinds of attacks designed to evade older security tools, such as file-less malware that uses legitimate applications and social-engineering campaigns that deliver fast-moving and highly automated malware. Another factor is that attacker tools have become commoditized. With malware and ransomware widely available on the dark net, it becomes much easier for bad actors to change their means of gaining access and focus on their ultimate goals. Furthermore, not every adversary needs to dedicate resources to developing exploits to vulnerabilities or establishing a command-and-control infrastructure. Exploit developers can monetize their efforts by selling their wares in forums and move on to the next exploit. This ability to segment the constituent elements of successful campaigns exponentially increases everyone’s exposure.

These changes in tactics have necessitated new tools for monitoring, detection, and security automation as well as more extensive threat intelligence. They have also led to a change in how technology and information must be used and integrated to be effective. These advanced detection and response tools are not “set-it-and-forget-it” solutions. An effective security operation must monitor what the tools are saying and continuously adjust the tools to meet the latest threats.
What’s Required in a World-Class, Modern Security Stack?

A top-performing security operations center needs to have the following essential capabilities:

• Network- and device-level data. Early detection and response depend on having visibility that goes beyond atomic indicators like IP addresses, domains, email addresses, and file hashes. Analysts must look into endpoint telemetry and see what’s happening on the devices themselves; they must monitor trends and patterns in network telemetry. Firewalls and endpoint protection are useful for stopping known threats, but they can also provide contextual data useful for threat hunting, which thrives on endpoint and network data that go beyond the signatures built into endpoint agents and network appliances. Security specialists must be able to undertake deep packet inspection and traffic anomaly analysis as well as correlate information with logs and machine data from any asset that can generate data relevant in a security context. Such assets include virtual private networks and cloud service providers that reside outside the walls of the organization.
• Threat intelligence. Threat intelligence is a critical piece of the puzzle because it provides additional context for particular behaviors detected. Good threat intelligence provides advance notice of threatening activity before it happens in the network. When analysts detect those behavior patterns, they can much more quickly correlate those activities with a larger security context. Actionable threat intelligence enables rapid investigational pivots to help find additional activities that have gone undetected.

• Security information and event management (SIEM). A SIEM is essential for effective and efficient detection and response. With it, analysts can correlate event and data sources and enhance situational awareness by employing statistical aggregations that put different lenses on network and machine data to determine whether something suspicious is happening. A well-engineered SIEM is an important tool for threat hunting because it puts everything in one place so that security teams can visualize and analyze that data with one workflow. Consolidating security data into dashboards and visualizations built to cover everything that’s important in the company’s environment enhances overall security workflow, but it’s not just for the security team. It’s also a valuable tool for senior decision makers who need to know the organization’s risk profile.
Using a SIEM is an efficient way to gather all that information and make it available to key decision makers. Teams can manage the security of a small operation without a SIEM, but doing so diminishes visibility and makes event correlation more cumbersome, time consuming, and error prone.

• Security orchestration, automation, and response (SOAR). SOAR is the primary platform for security automation. It enables security organizations to automate the tasks analysts perform frequently and manually so that they can focus on tasks that require deeper analytical skills. SOAR makes several things possible. First, it enables a team to triage more alerts, which is important because the volume of alerts increases as organizations grow and as the number of adversaries on the internet increases. Second, not all detection tools and signatures are easily tunable; SOAR empowers security teams to automatically handle high-fire false positives. Finally, automating certain aspects of event analysis and remediation speeds event response. Today’s attacks move fast, and if response depends on manually working through a playbook, the attacker could very well accomplish his or her goals before the security team is able to respond and remediate. With SOAR, it’s possible to make decisions quickly and automatically push policies forward that will mitigate threats in the future.
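As an added example, not code from BlueVoyant or any SOAR product, the following Python sketch models the SOAR effects described above together with the threat-intelligence pivot mentioned under the threat intelligence bullet: it aggregates a batch of alerts, suppresses a known high-fire false positive that the detection tool itself cannot be tuned away, escalates on a threat-intelligence match while pivoting to other hosts that share the indicator, and auto-closes low-risk noise. All alerts, suppression rules, intel entries and rule names are constructed for the demonstration.

```python
"""SOAR-style alert triage over a constructed batch of alerts.

Added example: the suppression list, threat-intel table, rule names and
alerts below are all constructed; nothing here reflects a real environment.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Alert:
    rule: str      # detection signature that fired (constructed names)
    host: str      # asset the alert was raised on
    src_ip: str    # indicator used for intel enrichment and pivoting
    user: str


@dataclass
class Disposition:
    action: str                 # "suppressed", "auto_closed" or "escalated"
    reason: str
    count: int = 1              # how many raw alerts were folded into this one
    context: list = field(default_factory=list)   # enrichment / pivot data


# Constructed suppression list: (rule, host) pairs known to be benign noise,
# e.g. an authorized vulnerability scanner tripping a port-scan signature
# that the detection tool does not let us tune per-host.
SUPPRESSIONS = {("port_scan", "vuln-scanner-01")}

# Constructed threat-intel table keyed by indicator (203.0.113.0/24 is a
# documentation range; the entry is made up).
THREAT_INTEL = {"203.0.113.7": "known C2 infrastructure (constructed entry)"}

# Rules whose alerts are escalated even without an intel match.
HIGH_RISK_RULES = {"credential_dumping", "ransomware_note_written"}


def pivot(alerts, indicator):
    """Return the set of hosts on which the indicator appeared.

    This is the 'investigational pivot' the text describes: once intel tags
    an indicator, look for it everywhere else in the same alert stream.
    """
    return {a.host for a in alerts if a.src_ip == indicator}


def triage(alerts, suppressions=SUPPRESSIONS, intel=THREAT_INTEL,
           high_risk=HIGH_RISK_RULES):
    """Fold alerts by (rule, host) and decide what happens to each group."""
    grouped = defaultdict(list)
    for a in alerts:
        grouped[(a.rule, a.host)].append(a)

    result = {}
    for key, group in grouped.items():
        rule, host = key
        if key in suppressions:
            # High-fire false positive: dispose automatically, keep the count
            # so the suppression itself can be reviewed later.
            result[key] = Disposition("suppressed", "known false positive", len(group))
            continue

        # Enrich with threat intel; an intel hit always goes to an analyst,
        # along with every other host the indicator touched.
        hits = sorted({a.src_ip for a in group if a.src_ip in intel})
        if hits:
            ctx = [f"{ip}: {intel[ip]}; also seen on {sorted(pivot(alerts, ip))}"
                   for ip in hits]
            result[key] = Disposition("escalated", "threat-intel match", len(group), ctx)
        elif rule in high_risk:
            result[key] = Disposition("escalated", "high-risk rule", len(group))
        else:
            # Nothing tying it to known-bad and not a high-risk rule: close
            # it automatically so analysts see only what needs judgment.
            result[key] = Disposition("auto_closed", "low risk, no intel context", len(group))
    return result


# Constructed alert batch; private 10.0.0.0/8 addresses plus one intel hit.
SAMPLE_ALERTS = [
    Alert("port_scan", "vuln-scanner-01", "10.0.0.5", "svc-scan"),
    Alert("port_scan", "vuln-scanner-01", "10.0.0.5", "svc-scan"),
    Alert("port_scan", "vuln-scanner-01", "10.0.0.5", "svc-scan"),
    Alert("outbound_beacon", "ws-042", "203.0.113.7", "jsmith"),
    Alert("outbound_beacon", "ws-017", "203.0.113.7", "akim"),
    Alert("credential_dumping", "dc-01", "10.0.0.42", "admin"),
    Alert("failed_login_burst", "ws-099", "10.0.0.9", "bob"),
]


if __name__ == "__main__":
    for (rule, host), d in triage(SAMPLE_ALERTS).items():
        print(f"{rule:22} {host:16} {d.action:11} x{d.count}  {d.reason}")
        for line in d.context:
            print(f"{'':40} {line}")
```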
Building and Maintaining a Security Stack

The security stack consists of the technologies needed to stay ahead of today’s threats. Building this kind of security stack is not a simple matter. It requires investigating and choosing the right tools; integrating them with the current environment and existing technologies; and configuring them with the rules, visualizations, and automations that are important to the business. The technology must also be maintained. From our experience, this is a never-ending task that requires skilled people knowledgeable in the technologies, the environments they are protecting, and advanced threats that are continuously evolving.

In fact, a large part of a security manager’s job is to be aware of technology changes and threats that require modifications to the security stack. If a tool adds capabilities through its application programming interfaces, we need to revisit playbooks that interact with that tool and any automations associated with it. When our threat intelligence informs us of new adversary behaviors and tactics, we have to update our SIEM with additional correlations, aggregations, and visualizations. As attackers use new exploits and find new paths to their target, we need to adjust our playbooks or create new ones. It is an environment of continuous change, whether that change comes internally from organizational shifts or externally from attackers constantly adapting their tactics to become stealthier and faster.
For any business, maintaining that level of technical capability becomes an issue of cost, time, and priorities. That’s why many companies turn to a managed security services provider whose primary business is the continuous improvement required to sustain responsiveness and a strong defensive posture.

Maintaining the security stack is essential because the tools empower the security team to perform at their highest level. In a true positive feedback loop, this improvement goes both ways. The people with expertise and knowledge of how adversaries work are the ones who continuously tune the tools for maximum operational effectiveness. The right technology and the right people are both necessary, and neither is sufficient on its own. Armies don’t gain battlefield dominance by putting an ace pilot in a crop duster or a layman in an F-22 Raptor. In a world-class security practice, people and technology need each other, but both depend on process for operational direction. The next article explores the importance of process and how to enforce it.
CHAPTER 4: People and Technology Need the Focus That Process Provides

JOE GIGLIOTTI, Manager, Client Experience Team, BlueVoyant
REAGAN SHORT, SOC Technical Advisor, BlueVoyant
CHRISTOPHER WILDES, SOC Technical Advisor, BlueVoyant
Within the security operations center (SOC), the security team works with technologies to perform the following essential security functions:

• Detect, classify, and determine the best way to mitigate threats.
• Take the necessary threat response and mitigation actions.
• Acquire threat intelligence and engage in threat hunting.

To successfully perform these core activities, the SOC requires interaction among the people, technology, and client organizations it’s charged with protecting. Without well-documented processes that span all these functions, security staff won’t be able to perform their mission or use the technology tools available to them efficiently.
In the world of cybersecurity, process is the methodology a security team follows to achieve its security objectives. Those processes are documented at a more granular level in scenario-specific playbooks. Playbooks provide step-by-step action plans that tell analysts exactly how they should respond to an incident. Each playbook is specific to a type of incident. For instance, ransomware would have its own playbook; there may even be playbooks for different types of ransomware. A good security practice has playbooks that cover every kind of security event that poses a significant risk. Playbooks are structured to ensure that analysts can make a determination about an event and pass on recommendations with as much contextual information as possible so that the client organization can take corrective actions. Some playbooks or portions of playbooks are also encoded in security orchestration, automation, and response (SOAR) as automated functions. But, where do processes and playbooks come from?
Creating Processes and Playbooks

Processes, playbooks, and workflows begin at a high level with the broad mission and goals of the security practice. The cultural integrity within the team forms the basis for how it approaches its mission. Specific processes are the methods this team devises to achieve its goals, and playbooks become granular action plans that contain detailed workflows. For many organizations, playbook creation begins with a generic playbook related to a specific type of incident. This playbook may come from an industry-accepted security framework such as Integrated Adaptive Cyber Defense, sponsored by the US Department of Homeland Security. Quickly, however, these generic playbooks must be customized for the unique approach the security practice uses. Building customized playbooks requires a two-pronged strategy rooted in the experience of the security team:
• Proactive playbook development. This aspect of playbook development relies heavily on threat intelligence, understanding your threat landscape, and building playbook scenarios to address recognizable threats. If you discover a newly emerging threat, create a playbook for responding to it. Playbook creation requires dedicated work by threat intelligence specialists who continuously monitor the latest attacks. It requires subscribing to threat intelligence services, downloading and testing attack code, and creating a response workflow that you believe will provide a sufficient response if and when that type of attack is detected. A world-class security practice must proactively develop playbooks continuously to minimize the chance of being caught by a new kind of attack.

• Reactive playbook development. This is a process of continuous evaluation of actual incident response workflows. Every time a critical incident occurs, the entire team needs to review how it handled the event, what worked well and what didn’t, and the lessons it learned from how it managed the event. These takeaways become the basis for either modifying an existing playbook or creating new playbooks.
Another aspect of playbook creation is making decisions about which parts of the playbook can be offloaded to the SOAR platform for automation and which parts to put into a physical document that analysts can follow. This continuous balancing act optimizes how the security technology and analysts work together.

A lot goes into determining what belongs in playbooks and which portions of the playbooks are offloaded to the SOAR platform. Those decisions come back to the central role of security operations: being at the forefront of risk mitigation. Every possible security event has a risk impact based on the probability of its occurrence and its severity to the business should it occur. Risk impact is a primary factor in deciding what goes into highly specific playbooks and which parts of those playbooks should be automated. The difficulty of task performance is also a key consideration. When you’re building a playbook, you want to make sure that the humans in the SOC are getting it right, especially when there is some level of difficulty or a large chain of actions that must take place to enrich, normalize, and provide additional value to system data. Playbooks ensure that nothing is missed. Automating portions of the playbook, especially high volumes of heavily repeated tasks, frees analysts to work through more complex operations that require human analytical skills. When responding to fast-moving events, getting the workflow right is critical because the stakes are often high.
Playbook workflows enrich and are enriched by the data available to the security operations team. Interpreting events and deciding on best mitigations requires correlating data points that are coming from the network and from endpoints in the environment you’re protecting. The more and better data that are available, the more effective playbook workflows will be in correlating the most relevant contextual data, which will result in more explicit, accurate, and timely responses. Having that visibility and supporting data makes those playbooks more meaningful as it drives the process of detection and response.

Creating good playbooks isn’t easy, especially if you are totally unaware of the threat that could become your next big event. If you’re trying to build a playbook for something you haven’t seen before, it’s like shooting in the dark. That is one advantage a managed security services provider (MSSP) has over most businesses. By handling security for a large number of clients, a good MSSP deals with a much larger attack surface than most businesses will ever have to manage. They see a higher percentage of campaigns that are active in the wild, far more than individual organizations are likely to see. All this puts the MSSP in a better position to build and maintain strong, up-to-date playbooks.
Maintaining Process and Balance in the Practice

Maintaining processes in a security practice largely involves maintaining playbooks. That requires continuous threat research and performance evaluation. The more exposure a security practice has to actual security events and the more threat hunting resources it can deploy, the more opportunity it will have to keep playbooks and workflows current based on the latest attacks and the best response strategies. Continuous playbook development and evaluation are central to striking the best balance between manual and automated tasks for maximum performance of security operations. Playbooks mediate the relationship between people and technology in a security practice. The best outcome for the practice is when the right person with the right skills, the right expertise, and the right instinct has access to the best technology to maximize output. That’s what keeps a security practice ahead of the enemy.

The hard work of process and workflow refinement never ends because in the world of cybersecurity, everything changes. The IT environments you’re protecting change, attackers change their strategies and tools, and defensive capabilities change. One key to building a world-class cybersecurity practice is recognizing these changes and understanding where the opportunities lie to either use or respond to that change. Building and maintaining playbooks is a critical, unifying activity that defines a world-class security practice.
CHAPTER 5: Putting It All Together: 9 Tips for Building a World-Class Cybersecurity Operation

TRAVIS MERCIER, Head of Global Security Operations at BlueVoyant
A high-performance security practice depends on a dedicated, well-equipped team of skilled security experts working from the established processes currently relevant to the threat landscape they face and the environment they’re protecting. It’s not enough to simply set up good detection and response tools and let them do their thing. Successfully protecting digital assets requires tight integration among people, process, and technology. Achieving that cohesion in a security practice demands focused effort to find good people, sharpen their skills, research the latest defensive technologies, and adapt processes to current threats and operational capabilities.

Maintaining a world-class security operation is work that never ends because attackers never rest. For example, Kaspersky reports that the number of ransomware variants it detects grew 153 percent in one year, from the third quarter (Q3) of 2018 to Q3 2019. Cyberthieves work hard to create new variants because ransomware is a highly lucrative business for them. That’s bad news for potential ransomware victims, which is pretty much all of us.
Without a strong, dedicated cybersecurity program, it’s difficult to defend against the growing number, variety, and complexity of cyberattacks. This eBook drills into the foundations of a world-class security operation: its people, processes, and technology. The key to strong security is how these pieces come together to work as a tightly integrated security machine. To that end, here are nine tips for building an exceptional security practice:

• Treat security as a specialized discipline, not a branch of IT. In many security practices, especially those in small and midsized businesses (SMBs), security is a function within the IT organization. IT people are assigned security tasks like installing and configuring tools, investigating and responding to alerts, and patching vulnerabilities. As long as security is considered a subset of IT, it will never have the cohesion required of an exceptional security practice. Making security a specialized organization within the business, with its own budget and mission, gives it focus. It becomes a destination for security-minded professionals who will share knowledge as they work together toward a common goal. It provides a career path for serious cybersecurity professionals. It creates continuity in the security operation. These are the characteristics of a security practice that will attract and retain skilled security professionals.
• Hire the best people. The best people aren’t necessarily those with the most security experience. They are people who have good analytical skills, are passionate about cybersecurity, can think like attackers, and are energetic self-learners. They should also be people who will work with others on the team. Cultural fit is important. That’s why hiring security people is itself a team activity.

• Build the technology stack in your security operations center (SOC) using best-in-class tools from proven vendors. Avoid building or buying into proprietary tools. This approach creates a security “black box” that becomes difficult to develop and maintain—one that the rest of the organization may not understand. It’s better to pick best-of-breed technology and ingest data from those tools so that the team can focus its energies on analyzing the output rather than configuring the tools.

• Maximize data inputs from your environment. Your security practice is only as good as the data it has to work with. You need to capture as much data as possible from traffic flow in the network, from firewalls and other network appliances, endpoints and their abstraction layers, applications, and hosting environments. With more contextual data, your processes and playbooks become more effective for helping analysts quickly detect and respond to incidents.
• Build and maintain detailed playbooks. Create playbooks that detail what to do for every kind of security event you experience. Also, create playbooks that cover serious potential threats you may not have experienced yet. To create such a forward-looking playbook, you’ll need to conduct threat research, test malicious code to see how it behaves, and use that research to develop detailed playbook workflows. Finally, you must update these playbooks continuously through regular review and as part of incident post mortem analyses.

• Be aggressively proactive in your practice. Subscribe to threat intelligence, and actively engage in threat hunting. Be highly proactive in playbook development by creating playbooks that cover threats you haven’t experienced yet so that you will be able to detect and mitigate them as soon as they appear in your environment. Share information, and learn continuously about new defensive capabilities and threats.

• Use security automation. Deploy a security orchestration, automation, and response (SOAR) platform, and use it to automate portions of your playbooks. In this way, you can offload repetitive tasks from skilled security analysts, freeing them to focus on more complex tasks, such as analysis and workflow. Automation also significantly increases the speed of incident detection and response. Security automation makes it possible to more efficiently examine a higher percentage of alerts.
• Continuously evaluate and update technology, processes, and playbooks. Everything security touches is constantly changing, whether it’s the IT environment, the tools used to defend it, or the threats it faces. Team members must be passionate and self-learning because cybersecurity is a continuous learning endeavor. It’s critical that the culture and workflow of the security practice include regular playbook assessment, post-event assessment, threat research, and investigation into the latest tools and strategies. These activities should be as normal as breathing.

• Cultivate the habit of working as a team. When it comes to cybersecurity, no one person can know everything. A high-performance security practice is a highly collaborative one. When there’s a problem to be solved, a post-mortem assessment of an incident, or a need to rethink a process, it pays to have as many people involved as possible.
What if you lack the resources to build your own world-class security operation?

Not every company is in a position to build its own security practice with all the capabilities it needs to adequately defend the business. SMBs are particularly vulnerable for several reasons. For example, SMBs often don’t have the time or money to build the level of security they really need to sufficiently lower their risk exposure. Furthermore, they often fail to recognize how vulnerable they are. It’s easy to assume that if you’ve set up pretty good endpoint protection, you have firewalls, and you keep up with patches, you’re in decent shape. Besides, you’re just an SMB. The bad guys are really going after much more value than you have to offer, right? Well, not really. Industry research shows that nearly 60 percent of companies suffering data breaches are SMBs. These same businesses are also ripe targets for ransomware because the disruption such attacks cause is more costly to SMBs than to enterprises.

However, these companies can still have world-class security protection. Increasingly, they are working with managed security services providers (MSSPs) to strengthen their security posture. The best MSSPs are totally focused on security, which gives them all the advantages of a dedicated operation—the ability to hire and retain the best people, build and maintain the best technology, and have the resources to be proactive in developing and maintaining processes that keep up with the latest threats. Also, through their client relationships, MSSPs typically see and can mitigate a substantial array of threats. If you’re considering working with an MSSP, pay particular attention to these points:
• How does the MSSP acquire and develop staff expertise?

• Which technologies does the MSSP use and how? Do its tools include endpoint detection and response, security information and event management, SOAR, and other essential tools? Does it use best-in-class solutions from proven vendors rather than proprietary, black-box solutions?

• Does the MSSP take a proactive approach to threat hunting?

• Does the MSSP maintain a global footprint? Even if your business is a local or regional one, cyber threats have no boundaries.

Building a world-class security operation requires adherence to best practices for people, processes, and technology. However, for companies that don’t have the knowledge or resources to build a SOC internally, a best-in-class MSSP can provide the security coverage they need.