Most big organizations around the world have advanced detection systems but still struggle to fix years-old corporate cybersecurity issues. In this article you will find 7 tips to fix these problems.
As a cybersecurity expert you are fighting to fix really old problems. I remember a CISO at an insurance company who had the money to deploy a SOC, which is pretty exciting. How disappointed he was, fighting against what looked like basic cybersecurity issues.
For example, he was still struggling with devops teams who were using weak passwords on production websites, which were also only patched occasionally…
In fact, as cybersecurity experts, we are now experienced enough to quickly find the problems in a corporation, and they are often the same ones. What is more challenging is to convince the entire organization to fix them, even if we are in charge of the remediation part.
Here you will find 7 steps you should follow to ensure your remediation is efficient, from basic ones to the most complicated solutions.
Step 1 : convince with the golden circle
It is always hard to convince non-cybersecurity experts to act. Nowadays most IT people believe cybersecurity is important, but they are far from “this issue has to be fixed urgently”. It is easy to believe this is because the person is not able to understand or does not have the right skills. But I have learnt that the problem is more that we are not able to convince.
Convincing people is another job; it is closer to marketing. The best-case scenario might be to hire a marketing person to do that. But the probability that this will happen is really low. So what you could do is learn the basic skills you need for that yourself, or at least understand how it works.
And for this, I can advise you to use the golden circle to build your cybersecurity communication: WHY, HOW, WHAT. Have a look at this video.
Step 2 : have a formal risk analysis
It looks obvious to start with it. But I have seen many big corporations trying to remediate cybersecurity issues whatever the context. Patching a web server is important, but priorities must be established according to the criticality of that web server. And that is true for everything. A list of critical assets should be established.
And this should be done thanks to a formal risk analysis. It means producing an official document that will actually be used.
Step 3 : change of timeline
When I have talked with teams, they are always making plans for the coming months and planning meetings in the coming weeks. The fact is cybersecurity is important and urgent. So we should act on another timeline.
I have worked in Silicon Valley, and I was shocked. All the meetings I had there were planned for the same day or the day after. It was really hard to get visibility beyond the current week. I once tried to reach a VP at Qualcomm, and he told me: “Sorry, I will only be able to talk to you in 4 days, does this still work for you?”. So I changed the way I used to work and tried to plan mainly in the coming hours and days.
Back in Europe, I still do this, and I am surprised: it works. We can’t expect people to react quickly in front of us if we don’t do the same. So think in hours, propose a meeting for today or tomorrow, try to see what can be achieved in days. This won’t work for everything, but changing your mindset will help you get more, and more quickly, from the people in front of you.
Step 4 : move to an agile mode
Having spreadsheets and plans for fixing 100 percent of the issues within 18 months might be pertinent. But the fact is people will wait until the last days to start acting. That looks obvious: we all work with priorities, so an 18-month deadline can clearly wait for most people, and that is normal.
In the software industry, teams have been developing in an agile mode for years. They have a backlog of tasks to accomplish, and in every period, called a sprint, they have to deliver their tasks. This period is often 2 weeks. In that context the manager, called the scrum master, defines the new priorities for the coming sprint according to business needs.
The idea is to apply that methodology in the remediation context. Remediation has a lot of tasks, and new tasks every week. Priorities can even change quickly according to new threats and business needs.
Step 5 : go collaborative
I have met many remediation managers spending a lot of their time trying to get answers from others. It is really painful to run after others all day. In the meantime there is often a management that does not understand why it takes so much time just to reach people. And guess what: remediation managers often just use phone and email, as we did in the 90s.
In the last few years, collaborative tools have spread across companies. The most famous ones are Microsoft Teams, Slack and Google Teams. The main concept is to have discussion channels on specific subjects. This helps to have a quick history of all discussions, track everyone's activity, and forget email.
Today it is no longer about trying to see whether there is value in going to that kind of tool. The whole market is deploying these tools where they have proven successful. It is not about early adopters nowadays; they are clearly spreading in all organizations.
Step 6 : track and report in an efficient way
I have met many remediation managers still using Excel and doing reporting the old way. There are even people who are still using macros. As engineers, you probably remember we loved to build macros for all our sheets. That was nice. But the world has evolved, and new reporting tools have arrived on the market with a much better user experience than our old macros. In fact spreadsheets are a good way to make a lot of mistakes; a simple copy-paste can result in errors.
These days there are many tools. In the agile movement, the easiest option should be to use the ones already used by dev teams. Most of the time these tools are already in use in the organization, so getting access can be very quick. And if you are struggling to find them, just look for the innovation department. They will be so happy to help the cybersecurity team embrace that kind of tool.
Step 7 : use SOC and CTI
I have been working on the remediation part and the SOC part for years, and the fact is that both teams share a lot of common problems:
- having a full list of the IT infrastructure and business functions is complex
- having the right priority for remediation is challenging
- fixing the problems is the hardest part
Most SOC teams are creating, or asking to get, a full database of all the business functions and infrastructure, with the contacts to reach for each asset. This helps find the right person in the organisation.
In the meantime, most SOCs have implemented, or are in the process of implementing, CTI (Cyber Threat Intelligence). Thanks to that, SOC teams can better understand which current threats can really affect the organization. As a remediation manager, you often lack a risk analysis. Using CTI will finally help you get past that problem and set the right priorities on the remediation.
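As an added example, not code from the article, here is how the three ingredients above (asset criticality from the risk analysis in Step 2, the SOC's asset-to-owner database, and CTI on weaknesses currently being exploited) can be combined into a ranked backlog for the next sprint of Step 4. All assets, findings, contacts and the CTI feed are constructed, and the scoring weights are assumptions.

```python
# Added example (not from the article): rank remediation findings into a sprint
# backlog using asset criticality (Step 2), CTI relevance (Step 7) and a
# per-sprint capacity (Step 4). All data below is constructed for illustration.
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    criticality: int        # 1 (low) .. 5 (business critical), from the risk analysis
    owner: str              # contact to reach, from the SOC asset database

@dataclass
class Finding:
    asset: str
    weakness: str           # weakness tag, e.g. "weak-password", "unpatched-web"
    summary: str

# Constructed asset inventory (criticality + owner) and open findings.
ASSETS = {a.name: a for a in [
    Asset("claims-portal", 5, "devops-claims@example.invalid"),
    Asset("intranet-wiki", 2, "it-ops@example.invalid"),
    Asset("payment-api", 5, "payments-team@example.invalid"),
]}
FINDINGS = [
    Finding("intranet-wiki", "unpatched-web", "Web server missing vendor patches"),
    Finding("claims-portal", "weak-password", "Shared admin password on prod site"),
    Finding("payment-api", "unpatched-web", "Web server missing vendor patches"),
    Finding("claims-portal", "unpatched-web", "Web server missing vendor patches"),
]
# Constructed CTI feed: weakness tags the SOC currently sees exploited in the
# wild, with an assumed relevance weight (how much the intel raises priority).
CTI_ACTIVE = {"unpatched-web": 2.0, "weak-password": 1.0}

def score(finding: Finding) -> float:
    """Priority = asset criticality x (1 + CTI relevance of the weakness)."""
    crit = ASSETS[finding.asset].criticality
    return crit * (1.0 + CTI_ACTIVE.get(finding.weakness, 0.0))

def build_sprint(findings, capacity: int) -> list:
    """Take the top `capacity` findings into the next sprint, each with the
    owner to contact. Ties keep their original order (sorted() is stable)."""
    ranked = sorted(findings, key=score, reverse=True)
    return [{"asset": f.asset, "weakness": f.weakness, "score": score(f),
             "owner": ASSETS[f.asset].owner} for f in ranked[:capacity]]

if __name__ == "__main__":
    for item in build_sprint(FINDINGS, capacity=3):
        print(item)
```

Findings on a critical asset with an actively exploited weakness land at the top of the sprint, while the low-criticality wiki drops out of a 3-item sprint even though its weakness is in the CTI feed.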