Wednesday, April 15, 2015

A few days ago, I was delighted to see the US National Institute of Standards and Technology (NIST) launch its Preliminary Cybersecurity Framework (link in English) to reduce cyber risk for critical infrastructure organizations. After a quick read, I came away with a very positive impression: the framework covers a lot of material, and I think it will help organizations understand the whole picture of their security preparedness. Its layered approach is solid; I have seen this approach work in other industries, such as e-discovery (with its EDRM maturity model) and software development (CMMI). It also pleases me very much to see this kind of attention to privacy and to the handling of personally identifiable information (PII).
Despite this, on my second review I saw some structural problems in the framework. It devotes an excess of space to information security policies and procedures and does not say enough about the importance of collaboration and sharing threat intelligence. It contains no mention of proactive investigations, much less proactive forensic investigations. The framework contains a vast amount of detail on rules and procedures for ensuring information security, but very little on the requirements and procedures for organizations to work together. The framework also has a big hole in its categorization of threat detection and response.
Identify: know what needs to be protected. Unfortunately, this is just a dream: information security teams have been trying to do this for decades without success. It is nothing new, and putting it in the framework will not change anything.
Respond: containment, eradication and notification are important, but what we are currently seeing is that this step comes too late to have a real impact. By the time we take this step, the damage has already been done.
All this focus on security protocols, permissions and reputation is commendable, but in the end, detection is the crux. In spite of our ever-increasing ability to create access controls and security policies, we continue to see a growing number of intrusions. Black-hat hackers will continue to find ways around protocols, procedures and access controls. If you cannot detect the attack, you cannot respond to it or recover from it.
Detection is where we need to take bold steps, and it is our greatest opportunity for collaboration. I am happy to see that "anomalies and events" were classified as the first steps in detection. We have been talking about "events" and "event management" for years, but we all know that the most frightening words in the Portuguese language are: "What is this? It looks kind of weird."
We need to focus on detecting anomalies: seeing how behavior differs from what is normal. The first subcategory of the framework's Detect function (DE.AE-1) seeks to establish a baseline of normal behavior, but there is no explicit mention of detecting deviations from that baseline. These departures from normal behavior are usually the only indication of an Advanced Persistent Threat: an attack that will surely feature custom malware that evades every signature-based detection system.
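The point about DE.AE-1 is easier to see in code: a baseline is only useful once something compares new activity against it. The example below is added here and is not code from the original post or from NIST; it assumes a constructed authentication log format of `<ISO timestamp> <user> <event>` and flags three kinds of deviation that signatures would never catch: activity at an hour a user has never been active, an unknown user with no baseline at all, and a daily event volume far above the user's mean.

```python
"""Baseline-and-deviation detection over constructed auth log lines (illustrative example)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed baseline: one work week (Mon 6 Apr to Fri 10 Apr 2015) of normal logins.
# alice logs in at 09:00 and 17:00; bob at 08:00, 12:00 and 16:00.
BASELINE_LOGS = [
    f"2015-04-{day:02d}T{hour:02d}:00:00 {user} login_ok"
    for day in range(6, 11)
    for user, hour in (("alice", 9), ("alice", 17), ("bob", 8), ("bob", 12), ("bob", 16))
]

# Constructed new activity for one day, containing three deviations.
NEW_LOGS = [
    "2015-04-14T03:15:42 alice login_ok",   # alice active at 03:00, never seen before
    "2015-04-14T09:01:10 alice login_ok",
    "2015-04-14T17:05:00 alice login_ok",
    "2015-04-14T08:00:00 bob login_ok",
    "2015-04-14T12:00:00 bob login_ok",
    "2015-04-14T16:00:00 bob login_ok",
    "2015-04-14T10:00:00 mallory login_ok",  # account with no baseline at all
] + [f"2015-04-14T08:{m:02d}:00 bob login_ok" for m in range(5, 35, 5)]  # 6 extra logins for bob

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse(lines):
    """Yield (timestamp, user, event) for each well-formed line; skip malformed ones."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def build_baseline(lines):
    """Per user: the set of hours seen and the mean/std of daily event counts."""
    hours = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for ts, user, _ in parse(lines):
        hours[user].add(ts.hour)
        daily[user][ts.date()] += 1
    baseline = {}
    for user, seen_hours in hours.items():
        counts = list(daily[user].values())
        baseline[user] = {
            "hours": seen_hours,
            "mean": statistics.mean(counts),
            "std": statistics.pstdev(counts),
        }
    return baseline


def detect_deviations(baseline, lines, k=3.0):
    """Return (kind, user, date, detail) findings for activity that departs from the baseline."""
    findings = []
    daily = defaultdict(lambda: defaultdict(int))
    for ts, user, _ in parse(lines):
        day = ts.date().isoformat()
        profile = baseline.get(user)
        if profile is None:
            findings.append(("no_baseline", user, day, "no baseline exists for this user"))
            continue
        daily[user][day] += 1
        if ts.hour not in profile["hours"]:
            findings.append(("off_hours", user, day,
                             f"activity at hour {ts.hour:02d}, never seen in baseline"))
    # Volume check: more than mean + k*std events in one day (std floored at 1 so a
    # perfectly regular baseline does not yield a zero-width threshold).
    for user, per_day in daily.items():
        profile = baseline[user]
        threshold = profile["mean"] + k * max(profile["std"], 1.0)
        for day, n in per_day.items():
            if n > threshold:
                findings.append(("volume", user, day,
                                 f"{n} events vs. threshold {threshold:.1f}"))
    return findings


if __name__ == "__main__":
    for finding in detect_deviations(build_baseline(BASELINE_LOGS), NEW_LOGS):
        print(finding)
```

The baseline here is deliberately simple (hours seen and daily counts); what matters for DE.AE-1 is that the second function exists at all, because a baseline nobody compares against detects nothing.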
I would also like to see an explicit mention of proactive forensic investigations. This is a practice carried out by many security groups around the world, but it generates little discussion. Knowledgeable security teams routinely audit various components of the network, even without a specific cause, to detect incidents before they grow. I see no mention of it here.
I have another problem with the framework in general: the lack of collaborative language. ID.RA-2 discusses how to receive threat information from information sharing capabilities, but not how to contribute information. PR.AT-3 talks about how third parties need to understand their own responsibilities, but includes nothing about assigning those responsibilities. DE.CM-6 talks about monitoring external service providers. RS.CO-5 uses the term "voluntary" to describe coordination with stakeholders outside the organization in the event of an incident. Finally, RC.CO-1 and RC.CO-2 discuss repairing reputation and public relations, but say nothing about how to clearly disclose a threat or how to prevent other organizations from suffering a similar attack.
This is not collaborative; it is paranoid. I understand that we are all participating in a global defense and that we all need to plan our own procedures, but we need more on collaboration. I understand the need to protect an organization's reputation and I understand the highly competitive nature of the corporate environment, but
