Force Multiplying Security: A Guide
Dec 2024
In April of this year, I published Force Multiplying Security, which outlines an approach I started exploring back in 2010. The post was intentionally high-level and resulted in several readers reaching out and asking for a more practical, hands-on guide.
Well, here you go, Force Multiplying Security: A Guide.
TL;DR
Implementing force multiplication in a security organization means leveraging a clear process and strategy, tools, and people to extend the effectiveness and reach of security efforts without adding resources. This is achieved by improving efficiency, scaling operations, automating tasks, and maximizing the impact of both people and technology.
Force Multiplying Security
Automation
- Automated Threat Detection: Use security automation tools (SIEMs, SOAR platforms) or AI (carefully) to detect and respond to threats faster, reducing the need for constant manual monitoring. Automation can handle routine tasks like alert triage, log analysis, and simple remediation steps.
- Incident Response Playbooks: Develop predefined response plans that can be executed automatically or with minimal human intervention during security incidents, ensuring swift and consistent responses.
- Vulnerability Management: Automate vulnerability scanning, patch management, and remediation processes to rapidly address potential weaknesses. This includes code, infrastructure, and pipelines.
- Automate Attack Surface Scanning: Implement an automated attack surface management program to continuously discover internet-exposed assets and respond to the threats they face.
- Basic Security Operations: Automate (or make self-service where automation is not possible) essential security processes and operations so they integrate seamlessly with other teams, enhancing their products, outcomes, and workflows.
Advanced Threat Intelligence
- Threat Intelligence Platforms: Use threat intelligence feeds (open-source, commercial, or self-coded) to provide timely, actionable intelligence that helps prioritize defensive actions. Intelligence sharing can significantly increase your ability to predict and respond to emerging threats.
- Collaboration with External Partners: Join Information Sharing and Analysis Centers (ISAC) or other threat-sharing networks to multiply the intelligence available to your team, gaining insights from other organizations or industries facing similar threats.
Security Tools Integration
- Unified Security Platforms: Integrate various security tools (endpoint protection, intrusion detection systems, network security) to create a simpler security infrastructure. This improves visibility, coordination, and incident response times across systems and all parts of the business.
- Endpoint Detection and Response (EDR): Implement EDR solutions that provide real-time visibility and control over endpoints, enabling faster detection and response.
- Security Information and Event Management (SIEM): Use SIEM platforms to aggregate and analyze logs from various sources. This helps identify patterns, correlate events, and detect sophisticated threats faster. Automate analysis whenever possible.
Scalable and Resilient Infrastructure
- Cloud Security: Adopt cloud-specific security tools that can automatically adjust to protect cloud infrastructure and data, reducing the need for manual intervention.
- Decentralized Security: Use distributed security models (like zero-trust) to secure systems across different locations without requiring massive resources in a central location.
- Redundant and Automated Backup Systems: Implement robust backup solutions that automatically secure critical data, ensuring recovery in case of a breach.
Incident Response Team
- Incident Response Automation: Develop automated workflows for common incidents (e.g. malware infections, phishing attacks), allowing the response team to focus on more complex or high-priority cases.
- Scalable Teams: Build incident response teams with clearly defined roles that can quickly scale in the event of a significant attack. This will involve predefined escalation procedures and the use of external partners and members of other teams/organizations when necessary.
Managed Services and Outsourcing Talent
- Managed Services: Leverage Security Managed Services to handle specific aspects of your security operations, such as continuous monitoring, threat hunting, or incident response. This allows your internal team to focus on strategic tasks.
- Consultants: When appropriate, and only if needed, bring in external experts for specialized tasks (e.g. penetration testing, advanced threat hunting) to augment internal capabilities.
Training
- Cross-training Employees: Provide training to staff members across various teams and roles to ensure they understand and can contribute to the security effort. A well-rounded team (or set of teams) is more capable of identifying and mitigating threats quickly.
- Red Team vs. Blue Team Exercises: Regularly engage in external red team exercises to test your defenses and blue team response, which helps improve both offensive and defensive security capabilities.
- Continuous Learning: Encourage employees, across all teams, to take security courses and attend conferences to improve their skills and help stay ahead of evolving threats.
Risk Management
- Risk-Based Approach: Focus efforts on high-risk areas that would have the greatest impact on your organization, ensuring resources are allocated effectively. Don't overlook low-probability, high-consequence risks. While rare, when they do occur, they can escalate into a crisis swiftly. Be prepared and have a plan.
- “Cybersecurity” Maturity Models: Adopt a security maturity model (e.g. NIST Cybersecurity Framework) to assess and improve the organization’s security situation and capabilities over time.
Security Culture
- Employee Awareness Training: Implement regular, mandatory security awareness training to reduce vulnerabilities introduced by human error, the success rate of social engineering and phishing, and insider threats, and to enhance the overall security posture of the company.
- Security Champions: Identify and train security champions across departments (especially across engineering teams) who can act as force multipliers by promoting security best practices within their teams.
Feedback Loop
- Post-Incident Reviews: After each significant incident, conduct a thorough debriefing and after-action review (AAR) to learn from mistakes and successes. This helps the organization adjust its approach and implement improvements.
- Metrics and KPIs: Track key performance indicators (KPIs) such as time to detect, time to respond, and number of incidents detected to measure the effectiveness of the current security efforts. Use these insights to optimize processes and identify areas for improvement.
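As an added example (not code from the original post), the following script computes the time-to-detect and time-to-respond KPIs named above from a small set of constructed incident records and flags the incidents that missed a target; the field names, targets and sample data are assumptions for illustration.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample incident records (not from the original post).
# Field names are assumptions for this example:
#   first_seen   - when the malicious activity actually began (from forensics)
#   detected_at  - when an alert or analyst first flagged it (None = not yet)
#   contained_at - when the threat was contained/remediated (None = still open)
INCIDENTS = [
    {"id": "INC-1", "first_seen": "2024-11-01T08:00:00", "detected_at": "2024-11-01T08:30:00", "contained_at": "2024-11-01T10:00:00"},
    {"id": "INC-2", "first_seen": "2024-11-03T22:00:00", "detected_at": "2024-11-04T09:15:00", "contained_at": "2024-11-04T13:45:00"},
    {"id": "INC-3", "first_seen": "2024-11-10T12:00:00", "detected_at": "2024-11-10T12:05:00", "contained_at": "2024-11-10T12:50:00"},
    {"id": "INC-4", "first_seen": "2024-11-15T01:00:00", "detected_at": None, "contained_at": None},
]

def _parse(ts):
    return datetime.fromisoformat(ts) if ts else None

def incident_kpis(incidents, ttd_target=timedelta(hours=1), ttr_target=timedelta(hours=4)):
    """Return counts, median time-to-detect (TTD) and time-to-respond (TTR) in hours,
    and the (incident id, kpi) pairs that exceeded the assumed targets.
    Medians are used because one long-running incident would skew an average."""
    ttd, ttr, missed = [], [], []
    for inc in incidents:
        seen, det, cont = (_parse(inc[k]) for k in ("first_seen", "detected_at", "contained_at"))
        if det is None:  # undetected incidents are counted but contribute no durations
            continue
        d = det - seen
        ttd.append(d)
        if d > ttd_target:
            missed.append((inc["id"], "ttd"))
        if cont is not None:
            r = cont - det
            ttr.append(r)
            if r > ttr_target:
                missed.append((inc["id"], "ttr"))

    def _hours(durations):
        return round(median(durations).total_seconds() / 3600, 2) if durations else None

    return {
        "incidents_total": len(incidents),
        "incidents_detected": len(ttd),
        "median_ttd_hours": _hours(ttd),
        "median_ttr_hours": _hours(ttr),
        "missed_targets": missed,
    }

if __name__ == "__main__":
    print(incident_kpis(INCIDENTS))
```

Feeding the same function the export from a ticketing or SOAR system over successive quarters shows whether the automation and training multipliers are actually moving the numbers.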
Use of Artificial Intelligence For Security (not really comfortable with this, but I've seen good results)
- Behavioral Analysis: AI can analyze patterns of behavior and detect anomalies that indicate security threats, enabling faster detection and response times.
- Predictive Analytics: Leverage predictive analytics to anticipate potential security incidents before they occur based on historical data, threat intelligence, and trends.
To Close The Guide
Force multiplying security begins with optimizing the use of technology, processes, and people to achieve a much greater impact without a proportional increase in resources. By automating routine tasks, leveraging advanced threat intelligence, integrating security tools, and fostering a culture of security, an organization can multiply its defensive capabilities and stay ahead of evolving threats.
Putting These Multipliers Into Practice
If you have a limited budget, how would you prioritize the application of these force multipliers? What order would you follow? The answer can vary, but here are a few examples of what we could focus on. Thanks Izar Tarandach for the idea of applying the strategy in this way.
For each "industry", here's the prioritized order. Keep in mind that not all force-multiplying strategies may be necessary or feasible.
Software Companies
- Security Culture
- Training
- Security Tools Integration
- Scalable and Resilient Infrastructure
- Incident Response Team
- Automation
- Risk Management
- Feedback Loop
- Use of Artificial Intelligence For Security
- Managed Services and Outsourcing Talent
- Advanced Threat Intelligence
Service Providers
- Security Culture
- Training
- Scalable and Resilient Infrastructure
- Advanced Threat Intelligence
- Incident Response Team
- Risk Management
- Automation
- Use of Artificial Intelligence For Security
- Security Tools Integration
- Feedback Loop
- Managed Services and Outsourcing Talent
Regulated Industries
- Training
- Scalable and Resilient Infrastructure
- Incident Response Team
- Advanced Threat Intelligence
- Risk Management
- Feedback Loop
- Security Culture
Government Agencies
- Security Culture
- Risk Management
- Incident Response Team
- Training
- Advanced Threat Intelligence
- Automation
- Security Tools Integration
- Feedback Loop
It would be an interesting exercise to apply this approach to more industries and organizations, and see if any patterns emerge that suggest certain multipliers are inherently more important.