James Carder, CSO & VP, LogRhythm Labs, LogRhythm

“Core security operations include network detection and response, endpoint detection and response, and correlation of data from all the technologies in the security stack.”

  • Before building out your security stack, understand where you are and where you have to go. Perform a capabilities inventory and a needs assessment, and then build a strategy matrix that plots key elements of your environment against a framework.
  • As you consider technology solutions, keep in mind that automation is becoming the foundation of rapid event detection and response. Automation depends on data visibility across the environment, including endpoints, together with event correlation and analytics.

Once you identify and validate an event, automation plays a role in responding quickly to limit its effects.

Before you can make decisions about building out your security stack, you must understand where you are and where you have to go. This involves performing a capabilities inventory and needs assessment. The needs assessment includes factors specific to the business, such as gaps in your current security capabilities, acceptable levels of risk, and any relevant regulatory and compliance requirements.

Based on this assessment, you can build a strategy matrix that plots key elements of your environment against a framework. For example, you can use the broad security categories of the National Institute of Standards and Technology (NIST) framework—identify, protect, detect, respond, and recover—as pillars in your matrix and then plot key areas of your security program against these. These key areas might include such things as threats, vulnerabilities, assets, governance, and compliance. Then you can use this matrix to drive the discussion around where you are and where you need to be.

For some areas, the discussion may be about security maturity: what is the right next step toward a maturity objective? For others, the need to change may be driven by a particular threat, vulnerability, or weakness in your security program. Compliance can also be a driver; for example, you may know you are strong on identity proofing but weak in documenting authorization. The point is that this matrix, or strategy map, becomes the basis for deciding what you need to do next.

This is an excerpt from 7 Experts on Optimizing Your Security Stack. This series was generously sponsored by Carbon Black.