Which cybersecurity problems are addressed by BRSE?
Management: 16 issues with 4 critical and 6 serious
Defense: 16 issues with 1 critical and 6 serious
Posture (former RAP): 10 issues with 3 critical and 2 serious
Protect: 8 issues with 2 critical and 2 serious.
88% of all problems related to breach.
60% of all problems related to preparation for breach response.
70% of all management-related problems can be solved with the correct approach (such as BRSE).
Security Engineering aka Protect holds only 16% of all challenges.
Breach types aren't predefined
Breach Response does not have priority - it's the other way around.
SOC refuses to take ownership of breach response
Breach response types aren't predefined
Preparation for breach response does not have priority
Cybersecurity in its modern state runs on terminology which does not consistently describe reality -> mismatched objectives -> poor performance
Cooperation between cybersecurity roles and functions is very weak, which leaves the response team lacking context knowledge during a breach -> breach disruption is delayed to unbearable times -> breach spreads too broadly -> cost of the damage from the breach becomes too high -> collateral damage from the response is also high.
The most sophisticated breach types are faced by the least trained security analysts, followed by an escalation hierarchy as per ITIL -> missed breaches -> delays -> poor performance
Requirements for the end state of the breach response are unclear -> objectives not achieved
Lack of a formalized client | IT Estate onboarding methodology based on relevant breach types, associated TTPs and in-depth IT Estate discovery.
Lack of preparedness for response through anticipation modeling and testing, which is "compensated" by reliance on "investigation" DURING the breach -> time loss when it is needed most -> higher cost of the breach
Lack of preparedness for the response to the breach in its entirety: how pivoting and lateral movement map onto the current network design -> missed persistence implants and miscalculated blast radius
Lack of standard response procedures based on TTPs
Lack of predeployed tools specifically for manual disruptive breach response
Lack of pre-established and approved communication tools for security ops and IT Ops to work together in real time as a team.
Lack of proper, tested access for manual breach disruption by SOC analysts for pre-approved responses
Lack of a formalized process for establishing the breach blast radius based on the attack tree of the breach, and lack of preparation and modeling
Lack of a formalized process for tracking down the implants which ensure persistence
No established relationship with IT Ops | SRE | DevOps and no tested recovery from the breach by them
Lack of a Blue | Green deployment model for production, which leads to uncertainty during recovery. Instead of patching prod, update the blue environment and switch over.
Lack of architectural focus on splitting data and code, which accelerates response and recovery
Lack of Infrastructure as Code, which removes direct privileged access by IT Ops
The response team is not fully enabled and thus not prepared to the levels that are reachable, which contributes to poor performance during the actual breach. Analysts burn out due to lack of authorization and preparedness for the "real thing".
Response is not tested and readiness is not measured
Collateral damage during the response is neither optimized nor managed
Obsession with default rules: detection coverage mostly mismatches the relevant TTPs
Weak "client | IT Estate" onboarding focused on "log sources" instead of relevant breach types and TTPs and on creating a holistic model of the environment for breach type modeling and preparing for detection and response
Threat Hunting is used as a one-time side gig instead of being focused on detection engineering, especially during onboarding and later on in order to keep everything up to date.
Overreliance on built-in correlations. Detection is not designed against the breach steps in the context of the entire breach and defense-in-depth as per OSFI B-13.
Large portions of the IT Estate and telemetry types are excluded completely from the detection tools as unfeasible sources that were never considered, such as application, access and endpoint (AV/EDR) telemetry -> detection blind spots -> late detection -> incomplete attack chain visibility -> delayed response and missed persistence implants.
Detection does not take into account the types of detection: direct | indirect.
Detection is not linked to response through standard response procedures: response should dictate not only the alert about a particular TTP being used, but also the attempt to spot the smallest target for the response to strike out, MINIMIZING COLLATERAL DAMAGE OF THE RESPONSE through precise detection as well (either direct detection, or reverse tracking in the case of indirect detection: the N+1 layer or intermediary media between the layers of defense in depth during pivoting or lateral movement).
Analysts burn out by wasting most of their time "handling | managing" false positives raised by default alerts
Detection is not tested and its coverage is not measured
Relevant TTPs are often not selected
Breach is not defined correctly
Taxonomy of severity of the situation can't present reality adequately
No doctrine to ensure consistent QoS for cybersecurity; PPT isn't enough
Excessive log collection overloads the production environment, which leads to increased capital cost to accommodate security monitoring
Vulnerability and threat management programs are too broad and disconnected from relevant TTPs
Hardening programs are too generic and disconnected from relevant TTPs
Reporting is focused on busyness and doesn't provide clarity
Overcomplicated asset prioritization methodologies based on risk-based ALE calculations instead of a straightforward crown jewel prioritization matrix.
Contextual information about the environment is lacking when needed, and it is needed for narrowing the list of relevant TTPs
Security solutions are deployed without proper integration into unified response to relevant TTPs
Security solution coverage shrinks due to lack of a run, maintain and operate function (engineering deployed and walked away)
Security solutions have low and unmeasurable RoI due to lack of a RATIONALE provided by a clear and direct hierarchy of objectives (denial and disruption of relevant TTPs) -> overlapping portfolio -> excessive costs
No formal initiative to achieve an 80/20 ratio between auto-response and manual response for relevant TTPs, leveraging hardening and security solutions as part of the holistic breach response approach as a key objective of cybersecurity -> low-hanging-fruit TTPs whose response could have been automated overwhelm the security analysts in charge of manual response -> burnout -> lack of time to prepare properly
No breach modeling done holistically as per their kill | attack chains
Cybersecurity resources are spread thin with irrelevant tasks like ensuring the CIA Triad, compliance, availability (HA), recovery etc.