Friday, April 17, 2020

From my Gartner Blog - New Research: Open Source Tools!

After finishing the wave of research that covered pentesting, monitoring use cases, SOAR and TI, I’m excited to start research for a net new document covering an exciting topic rarely covered in Gartner research: Open source tools! The intent is to look at the most popular open source tools used by security operations teams out there. Things like the ELK stack, Osquery, MISP and Zeek. What I’d like to cover in this new paper is:

  • Why is the tool being used? Why not a commercial alternative?
  • How is it being used? What is the role of the tool in the overall security operations toolset, what are the integrations in place?
  • How much effort was put to implement the tool? What about maintaining it?
  • Is it just about using it or is there some active participation on the development of tool as well?
  • What are requirements to get value from this tool? Skills? Anything specific in terms of infrastructure, or processes?

It is a fascinating topic, which bring a high risk of scope creep, so the lists of questions answered and tools covered are still quite fluid.

In the meantime, it would be nice to hear stories from the trenches; what are you using out there? Why? Was that picked just because it was free (I know, TCO, etc, but the software IS free….) ? Or is it a cultural aspect of your organization? Do you believe it is actually better than the commercial alternatives? Why?

Lots of questions indeed. Please help me provide some answers 🙂

The post New Research: Open Source Tools! appeared first on Augusto Barros.



from Augusto Barros https://ift.tt/2Kbxglh
via IFTTT

Thursday, April 9, 2020

From my Gartner Blog - Developing and Maintaining Security Monitoring Use Cases

My favorite Gartner paper has just been updated to its 3rd version! “How to Develop and Maintain Security Monitoring Use Cases” was originally published in 2016 as a guidance framework for organizations trying to identify what their security tools should be looking for, and how to turn these ideas into signatures, rules and other content. This update brings even more ATT&CK references and a new batch of eye candy graphics! So much different than the original Visio built graphics!

This is the anchor diagram from the doc, summarizing our framework:

Some nice quotes from doc:

“Some organizations create too much process overhead around use cases — agility and predictability are required. Processes must not be too complex because security monitoring requires fast and constant changes to align with evolving threats.”

“The efficiency and effectiveness of security monitoring are directly related to the appropriate implementation and optimization of the right use cases on the right security monitoring tools.”

“Do not simply enable everything that comes with the tools. A considerable part of that content may not be aligned with the organization’s priorities, or may not be applicable to its environment.”

“Make use case development similar to agile software development by being able to quickly implement or modify a use case to adapt to changing threat and business conditions.”

I hope you enjoy it, and let me know if you have the framework implemented in your organization. Please don’t forget to provide feedback about the paper here.

Next wave of research is about Open Source tools for threat detection and response, in parallel with interesting stuff on Breach and Attack Simulation.

The post Developing and Maintaining Security Monitoring Use Cases appeared first on Augusto Barros.



from Augusto Barros https://ift.tt/2JQhigf
via IFTTT

Tuesday, March 31, 2020

From my Gartner Blog - New Research on Threat Intelligence and SOAR

Since my blogging whip was gone I haven’t been posting as frequently as I’d like, but I realized we had recently published new versions of some of our coolest research and I completely missed announcing them here! So let me talk a bit about them:

The first one is a big update to our Threat Intelligence research, conducted by Michael Clark. The paper now is called “How to Use Threat Intelligence for Security Monitoring and Incident Response”. It has a more specific scope and is more prescriptive in its guidance, providing a nice framework for those planning to start using TI on their detection and response processes:

The other one is a refresh on our paper about SOAR – Security Orchestration, Automation and Response, conducted by Eric Ahlm. It provides an overview of SOAR and how to assess your readiness for this technology according to your use cases:

I hope you enjoy the new papers.  I’m also working on an update to my security monitoring use cases paper, it will hit the streets soon. Meanwhile, feel free to provide feedback about the papers above here.

The post New Research on Threat Intelligence and SOAR appeared first on Augusto Barros.



from Augusto Barros https://ift.tt/2JzgjAV
via IFTTT

Wednesday, January 29, 2020

From my Gartner Blog - Updated Paper on Penetration Testing and Red Teams

I finally managed to publish the update to my paper on pentesting, “Using Penetration Testing and Red Teams to Assess and Improve Security”. It has some small tweaks from the previous version, including some additional guidance around Breach and Attack Simulation tools role.

Questions about how to define the scope of penetration tests are very common in my conversations with clients. I always tell them it should be driven primarily by their objective for running the test. Surprisingly, many have problems articulating why they are doing it.

The discussion about comparing pentests with other forms of assessments is there too, although we also published a paper focused on the multiple test methods some time ago.

A few good pieces from the document:

“Research the characteristics and applicability of penetration tests and other types of security assessments before selecting the most appropriate one for the organization. Select a vulnerability assessment if the goal is to find easily identifiable vulnerabilities.”

“Definitions for security assessments vary according to the source, with a big influence from marketing strategies and the buzzword of the day. Some vendors will define their red team service in a way that may be identified as a pentest in this research, while vulnerability assessment providers will often advertise their services as a penetration test. Due to the lack of consensus, organizations hiring a service provider to perform one of the tests described below should ensure their definition matches the one used by the vendor”

“Pentests are often requested by organizations to identify all vulnerabilities affecting a certain environment, with the intent to produce a list of “problems to be fixed.” This is a dangerous mistake because pentesters aren’t searching for a complete list of visible vulnerabilities.”

Next on the queue is the monitoring use cases paper. That’s my favorite paper and excited to refresh it again. You’ll see it here soon!

The post Updated Paper on Penetration Testing and Red Teams appeared first on Augusto Barros.



from Augusto Barros https://ift.tt/2Gx5wWq
via IFTTT

Friday, October 25, 2019

From my Gartner Blog - The New Vulnerability Management Guidance Framework

After a huge delay I can finally announce that the new version of our Vulnerability Management Guidance Framework is out! Although it is a refresh of a document that has gone through many updates (even before my Gartner time), this one has some very nice new stuff to mention. First, we refreshed our VM cycle and it’s closer to the reality of most organizations now:

This versions includes a revamped prioritization section, as well as some additional content on vulnerability assessment options. In the past we left most of the VA content for another document, but now it’s back to the VM guidance.

Some interesting pieces of this version:

  • One of the most common ways to fail at VM is by simply sending a report with thousands of vulnerabilities to the operations team to fix. Successful VM programs leverage advanced prioritization techniques and automated workflow tools to streamline the handover to the team responsible for remediation.
  • Organizations adopting DevOps practices must adopt an approach integrated to continuous integration/continuous delivery (CI/CD) cycles and addressing issues at preproduction stages.
  • Include the identification of underlying issues as one of the main objectives of the VM process. Although it is still important to find and address individual vulnerabilities, VM should also provide insight into areas that need to be improved in the organization’s security posture.
  • [On VA scanning frequency] The ultimate frequency goal should reflect the value of providing refreshed vulnerability data to consumer processes, such as patching and security monitoring. If those processes will not benefit from more frequent scans, there is really no point in trying to achieve a higher frequency.
  • Mitigation can often be the first line of defense, especially if it can be implemented quickly. However, mitigated vulnerabilities are not gone. They still need to be fixed eventually.
  • All exceptions must have an expiration date. Do not allow indefinite exceptions.

In general, it’s a far clearer document and easy to read now. Thanks Anna Belak for your magical wordsmithing powers!

We are always looking for detailed feedback on our papers. Feel free to drop some comments here if you read the doc.

The post The New Vulnerability Management Guidance Framework appeared first on Augusto Barros.



from Augusto Barros https://ift.tt/2JlGOKL
via IFTTT

Tuesday, October 15, 2019

From my Gartner Blog - Our New Research on Incident Response Has Been Published

We finally managed to publish our great new (in fact, refreshed) document on preparing for incident response, “How to Implement a Computer Security Incident Response Program”.

This is the first document of my colleague Michael Clark, who did a terrific job of modernizing some stuff from a long time ago.

Some interesting pieces from this guidance document:

 

Organizations that practice their incident response program find gaps and areas for improvement. Certain exercises also make the computer security incident response team (CSIRT) more comfortable and better equipped when an incident occurs.

Include all the locations and services where your assets and data reside in the plan. This includes SaaS and company-controlled cloud assets. Many high-profile breaches involve elements outside the organization’s perimeter

Detections that must be addressed are inevitable. Organizations are often forced into a response mode by attackers and third-party breach notifications.

As usual, we are always looking for detailed feedback on our papers. Feel free to drop some comments here if you read the doc.

The post Our New Research on Incident Response Has Been Published appeared first on Augusto Barros.



from Augusto Barros https://ift.tt/2IRhDza
via IFTTT

Monday, June 17, 2019

From my Gartner Blog - Presenting at the Gartner Security and Risk Management Summit DC 2019

This is literally a last minute blog post about my sessions at this year’s Gartner Security and Risk Management Summit. This time I have three sessions:

Tuesday 18, 2:30PM – Debate: Changing Societal Perception of Cybersecurity: This is a very fun debate with my colleague Paul Proctor, where we discuss the need to change society’s perception of security. Paul is trying his best, but I don’t think he can win this one 🙂

Wednesday 19, 5:15PM – Creating Security Monitoring Use Cases With the MITRE ATT&CK Framework: The MITRE AT&CK framework has quickly become a popular tool for many security operations practices. This session illustrates how it can be used to address some of the most common challenges of security operations centers: How to create security monitoring use cases? How do we know if we are looking for right things? What should be the starting list of use cases on our SIEM deployment?

Thursday 20, 10:45AM – Further Evolution of Modern SOC: Automation, Delegation, Analytics: This presentation provides a structured approach to plan, establish and efficiently operate a modern SOC. Gartner clients with successful SOCs put the premium on people rather than process and technology. People and process overshadow technology as predictors for SOC success or failure. Among other things, it will cover questions such as: Do I need a SOC and can I afford it? Where can I rely on automation and where do I need to outsource or delegate? Can SOAR tools really automate my SOC?

This is one of the most fun weeks of the year for us Gartner analysts. For you attending the event and the sessions above, please let me know if you like them, what could the different and how we can improve.

The post Presenting at the Gartner Security and Risk Management Summit DC 2019 appeared first on Augusto Barros.



from Augusto Barros https://gtnr.it/2Im4DSs
via IFTTT