The Recipes Of Security

May 2017 - Updated Sept 2020

This is a collection of thoughts about security dating back as far as 2009. Simple things that can get you going and may help focus your efforts as you work with your organization, or on your own.

Security Begins With The People

The first thing we should prepare is ourselves. Each and every person, at the organization and team levels, needs to be ready, trained, and aware of the issues faced.

Technology is good, but people come first. Technology complements people, but does NOT replace them.

Ask yourself: are you, are we, ready?

Quality Over All

Security is a force multiplier, and as such there is a real need to focus on having the right people, the right processes, and the right tools. A small team of highly capable security professionals is greater than a larger team of less qualified and trained people.

The right people, with the right mindset, make a difference.

Red Team It

Prepare for the issues that are coming, yet keep an eye on the problems of today. Consider what we need for the upcoming security challenges and the potential issues bubbling up, preparing for the hard problems. We need to think ahead. However, we also need to keep an eye on the issues happening right now. How we attack the problems of today will help build a solid base for the issues of tomorrow.

Layers

Security should be built around layers, with each layer being more difficult to penetrate. Make it a point to always try your best to engage a threat at the outermost layer.

Once you have this system laid out, plan for a dynamic, proactive deterrence, and strike preemptively rather than absorb a preventable blow.

Don’t Trust And Always Verify

Security is about controlling what you can control: the environment, the systems, and the people. Never trust input. Verify every bit of information coming your way, making sure you authenticate the source along the way.

It’s about keeping the layers as tight and intact as you can. Don’t let input get there, and don’t let output roam freely either. Keep your core elements safe inside the innermost layer.

Plan Now, Not Later

It’s too late to start planning once a crisis occurs. It’s a lot harder to survive that crisis without a plan, even if the plan gets thrown away. Plans are useless, but planning is a must!

Even when you are in a safe place, unstressed by a problem, planning can be difficult, but force yourself to do it. Failure to do this will put you and the team in react mode, and by then it’s too late.

Plan, develop, and constantly test everything. Discard what doesn’t work, and constantly improve what does.

We Can’t Do It Alone

Security supports a larger objective, one that other teams and organizations support as well. We need their help, you need their help, as much as they need ours.

Less, But Better

Priorities are needed, along with clear communication and simple standard operating procedures that both security and non-security people can understand.

Since we can’t do it alone, and most of the time we are called to work with others, often on complex issues, everything we do has to remain simple and the best it can be. Strive for less, but better.

Assume that every person you interact with has limited or no knowledge of security or of anything you are saying, so make sure documentation, communications, and everything you do are simple, conservative in content, and explain everything clearly. The more we educate people, the more we can force-multiply by using them as allies.

The goal is functional security. Simplify security so that it serves the organization’s needs in the easiest way possible. Strive for procedures that are easy to follow and repeatable. Purpose dictates it.

Visibility

Are we aware of every single thing we need to keep secure? Every technology used? Every access point? Every place where monitoring is needed?

Work hard to build visibility in the right places, focusing first on the less obvious places and working your way around the entire organization and its supply chain. Do NOT neglect the supply chain.

Log, log and log some more.

Automate

Security is complex. We are often chasing new problems with old technology, or not focusing the right people on the right problems. In order to plan for what’s next, we need to take care of the old problems first. Automation is your friend.

Automate everything that can be automated. Free the people to attack the harder problems.

Review Your Solutions

Review and review often.

Are all your processes, vendors, and systems needed? Are all the controls still relevant? Do you need new features? New people? A different approach?

Reassess all.

Shrink Your Tech

Having fewer tools that are simpler and understood by all is much better than having too many tools and processes we don’t really know. Reduce complexity whenever possible. Remain simple.

Defense And Offense Complement Each Other

The best defense is offense, and the best offense is studying the defenses. Have the mindset of an attacker, while maintaining a finger on the pulse of what needs to be protected.

Security Truths

Based on the famous SOF Truths:

  1. Humans are more important than software.
  2. A quality security program is better than any number of security checklists.
  3. Good security professionals cannot be mass-produced *.
  4. Competent security teams cannot be created after breaches occur.
  5. Most security teams require the assistance of other, non-security teams.

*Yes, even more so when you are about to say CISSP...