Stick With The Plan Until It Not Longer Makes Sense

There Are Times When a Given Plan May No Longer be Appropriate or Effective

There Are Times When a Given Plan May No Longer be Appropriate or Effective

In the movie Road House (1989), the character Dalton, played by Patrick Swayze, has a famous line: “I want you to be nice until it's time to not be nice.”  From this line, we can learn an important information security lesson.  More specifically, we can learn when to follow a plan, and when it may be time to reconsider, revise, or discard the plan.

In security, having a plan is important. Security programs that operate strategically are far more effective than those that do not. That being said, there are times when a given plan may no longer be appropriate or effective. Have a plan and stick to it, until it’s not time to stick to the plan anymore.

How can security organizations identify instances where the current plan no longer makes sense?  I offer 10 signs that the time to change the plan has come:

1. Major Event:  From time to time, major events seem to turn the world upside-down.  How can a major event necessitate changing a plan?  The most obvious way to illustrate this is through an example we’re living through right now: COVID-19.  Perhaps your organization did not allow remote work?  Or, perhaps your organization had certain business functions or transactions that required in-person presence to complete?  Or, perhaps you had certain processes and procedures that were not well documented and relied too heavily upon interpersonal interaction?  As you can see, in these instances, and in many others, the current plan won’t work.  Time to draft a new one.

2. Breach:  For many security teams, a significant breach is often the most serious issue they’ll need to deal with. Once the breach response is over, there are often, justifiably so, lots of questions that arise.  How did the breach happen?  What could the organization have done to prevent it?  What wasn’t working properly that exposed the organization to risk?  The list of questions goes on and on.  One thing is for certain though:  if there were plans in place that were not effective, they will need to be changed.

3. Productivity Issues:  I have yet to find a security team that has spare time on its hands.  To say that the average security team is busy and inundated would be an understatement. That being said, with proper management and planning, a busy security team can achieve its goals and exceed expectations. If poor management and planning result in productivity issues that constantly plague the security team, then it’s likely time to change the plan.

4. Efficiency Issues:  A good plan will include many built in efficiencies that save the organization time and money.  If, however, workflow is constantly getting bogged down in certain areas, it’s usually a sign that the security team is suffering from efficiency issues.  If that’s the case, it’s worth the effort to re-assess the plan and identify any areas that have become time sinks.  Priority on improving efficiency can be placed on those areas.

5. SLA Challenges:  There could be a number of reasons why an organization is not meeting its SLAs. Perhaps the SLAs are unreasonable. Or, perhaps there are third-parties or other stakeholders involved that are making meeting the SLAs a challenge.  Or, perhaps there are processes and procedures that need changing.  Whatever the root cause, it’s worth understanding them and then re-assessing the plan.

6. False Positives: Far too many security teams are inundated with false positives. The noise from these false positives not only wastes valuable time, it also buries the true positives that need to be addressed.  If an organization’s detection and response workflow is overrun with noise, it’s likely time to have another look at that detection and response plan, particularly as it relates to developing alert content.

7. False Negatives: False negatives are as bad as false positives. Missing an event or incident due to it going undetected is no picnic, particularly when that issue goes on for quite some time before it is brought to the organization’s attention. If third parties are continually notifying a security team of issues it missed, it’s another sign that it is likely time to review the detection and response plan.

8. Vulnerability Remediation: We all know that unpatched vulnerabilities leave an organization exposed to unnecessary risk. What most of us may not take the time to understand, however, is why the organization may be having issues remediating vulnerabilities on time.  It’s important to investigate and understand why this is the case.  Once the root cause is understood, the plan should be revisited and modified as necessary to address the issues.

9. Findings Remediation: Penetration testing, application risk assessment, and other functions generate a continual supply of findings that need to be remediated. If there is difficulty in remediating these findings, it is important to understand why that is the case.  Once one or more weak links are identified, it’s important to address those issues and adjust the plan.

10. Third-Party Risk: Third-party risk is a topic that has been popular of late, and for good reason. Despite our best efforts to secure our organizations, third-parties with inadequate security postures can expose our organizations to significant risk.  It’s important to understand how to assess, evaluate, and mitigate third-party risk. If you find it challenging to do so, it’s quite likely that you will need to have another look at your plans.

view counter
Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.

Original Link