In 2021, 20,000 CVEs (Common Vulnerabilities and Exposures) were recorded in the MITRE vulnerabilities database. However, fewer than one in ten of those vulnerabilities need to be patched to keep the network safe. The difficulty lies in identifying which ones they are. This is where the next generation of Vulnerability Prioritisation Technology (VPT) comes into play to filter out false positives. VPTs combine the best features of vulnerability management and Risk Based Vulnerability Management tools, complementing them with asset criticality context, environmental context and so on. What we get as a result, ABVM (Attack Based Vulnerability Management), is a game changer: it optimises scarce patching resources to plug only those holes that threaten to cause breaches, and it solves chronic vulnerability patching overload. The capability to build more context around vulnerability information to assist prioritisation is certainly already there. However, it may be problematic to base future decisions on past performance. Tools such as Orca can scan for vulnerabilities tied to specific threats such as Log4J and identify the first tranche of vulnerabilities that need to be patched or remediated. But vulnerability management is designed to deal with weaknesses that you are already aware of. When it comes to zero-day attacks, what you are after is anomalies.
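To make the prioritisation idea concrete, here is an added example (not code from the article or from any VPT/ABVM vendor) of a small risk-based ranking that layers asset criticality and environmental context on top of a raw CVSS score. The weights, the field names (`exploited_in_wild`, `asset_criticality`, `internet_exposed`, `compensating_control`), the urgency threshold and the sample findings are all assumptions constructed for illustration; real products use their own models. The point it shows is that ranking by CVSS alone and ranking by contextual risk produce different "patch first" lists, and that only a small fraction of findings ends up in the urgent set.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Finding:
    """One vulnerability instance on one asset (all fields are assumed, not a vendor schema)."""
    finding_id: str          # constructed label, not a real CVE number
    cvss: float              # base score, 0.0-10.0
    exploited_in_wild: bool  # threat-intelligence context
    asset_criticality: int   # 1 (lab box) .. 5 (crown jewels)
    internet_exposed: bool   # environmental context
    compensating_control: bool  # e.g. WAF rule or network segmentation already in place


def risk_score(f: Finding) -> float:
    """Contextual risk: CVSS scaled by asset value, then adjusted for exploitation,
    exposure and existing mitigations. Weights are illustrative assumptions."""
    score = f.cvss * (f.asset_criticality / 5)
    if f.exploited_in_wild:
        score *= 2.0      # known exploitation doubles the urgency
    if f.internet_exposed:
        score *= 1.5      # reachable from outside without a foothold
    if f.compensating_control:
        score *= 0.5      # mitigation already reduces reachability
    return round(score, 2)


def prioritise(findings: List[Finding], urgent_threshold: float = 10.0) -> Tuple[List[str], List[str]]:
    """Split findings into an urgent patch list and a deferred list, both sorted by risk."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    urgent = [f.finding_id for f in ranked if risk_score(f) >= urgent_threshold]
    deferred = [f.finding_id for f in ranked if risk_score(f) < urgent_threshold]
    return urgent, deferred


def cvss_only_order(findings: List[Finding]) -> List[str]:
    """The naive baseline: patch in descending CVSS order, ignoring context."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed sample data: six findings across assets of varying importance.
SAMPLE = [
    Finding("VULN-A", 9.8, True,  5, True,  False),   # critical, exploited, exposed, crown jewels
    Finding("VULN-B", 9.8, False, 1, False, False),   # same CVSS, but an isolated lab machine
    Finding("VULN-C", 7.5, True,  4, False, True),    # exploited but already mitigated
    Finding("VULN-D", 5.3, False, 5, True,  False),   # medium severity on an exposed core system
    Finding("VULN-E", 9.1, True,  3, True,  False),   # exploited and exposed on a mid-value asset
    Finding("VULN-F", 4.0, False, 2, False, True),    # low everything
]


if __name__ == "__main__":
    print("CVSS-only order :", cvss_only_order(SAMPLE))
    urgent, deferred = prioritise(SAMPLE)
    print("Urgent (patch now):", urgent)
    print("Deferred          :", deferred)
```

Running it shows VULN-B sitting at the top of the CVSS-only list but falling into the deferred set once asset criticality is considered, while the urgent set shrinks to two of the six findings. Swapping in a different weighting is a one-line change, which is the real design decision such a model has to defend.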
Playbooks typically have two different aspects. One is more like a manual, with instructions on how to share information with the organisation and how people should act. The other is highly automated, where your security platform gives you guidance on what to do when, for example, an attack by a nation state has been detected. What comes out of the automated system is what the security team needs to respond to. Considering the wide variety of cyber attacks that can happen within only a couple of days, the question arises of how many playbooks a business should or could have to accommodate all of them (although there are, obviously, some commonalities between them). When an incident does happen, however, there is little time to take out the playbook and read the relevant instructions to figure out what to do. There are certainly processes that you need to adhere to during an incident, such as how you are going to notify the business and involve them in decision making, or how you keep the organisation updated (say, without the internet). The key to incident response is speed. The playbook should be about training your users and the business, helping them understand what is critical and what is not, and about how to spur the organisation into action when an incident takes place. Attackers usually don't go after a single vulnerability; it typically takes what security experts call a perfect storm, a combination of vulnerabilities, for attackers to get through a back door and eventually gain access to the crown jewels.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543