The Defensible Enterprise
APR 18, 2012

This overview post kicks off a multi-part series on Defensible Enterprise, Enterprise Visibility and Perspective.

Maybe someday I’ll create a series of posts outlining the absolute failures of our tools, processes or teams but as it stands I’m pretty sure any data breach report or yearly incident summary points our those failures rather effectively. I’ll just summarize my points and say the following: The playing field is constantly morphing both because of the constant people, data, technology changes within our organizations and because our adversaries have the ability to change the rules to benefit them at any point. Yet here we are defending our outdated, stagnant and porous enterprises against adversaries who don’t really even have to think all that hard about how to score. You can look at it as a lost cause or you can put your big boy pants on and say “Bring it on A-Holes”.

One of our goals is to help organizations achieve a state of “defensibility”. Initially when we talk about defensibility we’re really focused on understanding what it is we are protecting, what tools are available to us and how we can maximize our effectiveness in detecting and/or minimizing the impact of a compromise. In short we want define the weapons we have at our disposal to allow us to “adapt and overcome”.

The approach I’ve been focused on incorporates a few key areas that help enable a more defensible enterprise.

Enterprise Visibility

Enterprise Visibility: “All the Data All the Time”

The idea that I try to get across is that certain tools like Log Management/SIEM are good but not nearly enough when you are building a true Enterprise Visibility capability within your organization. I’ll dig into this much deeper in the next post, but in the end you need the ability to “see” everything, Logs (Operating Systems, Application, Network, Security), Forensic Data (Host, Network and Memory) and User information as well as all the “context” residing throughout your enterprise.

Context: “Oh wait – THAT user/system/data was compromised?!?!?!?!”

Vulnerability Scan information and Asset Information are fairly common (and very important) examples but not nearly the end of the resources required to be successful. Having ALL of the information available, immediately, is required. Obviously this information may be key to understanding technical aspects and increasing efficiency but in many cases it is the key to unlocking the actual impact to the organization. Often times the context is the sole piece of information necessary to understand the Risk the organization actually faces.

Speed: “Time to Identification/Remediation”

There are three measurements that matter to me. 1. What is the impact, 3. How fast can we detect and 3. How fast can we respond. Everything else is in the way. Your team needs tools, processes, expertise and authority to analyze and act. Without context and data available you’re spending precious time gathering it so it can be analyzed. Without expertise your wasting time asking others and without the authority to get all of that ahead of time you’re just on the JV team. If the time it takes your adversary to get into your network and extract data is measured in seconds to minutes and your change control window is measured in weeks – who wins?

Flexibility: “Adapt and Overcome”

Change happens…. Eventually. This view must be annihilated if you want to succeed. You may need to dig into data you are uncomfortable with or enter conversations above your pay grade to find what you need. Obstacles are simple delay mechanisms, crush them and if you cannot break them then go around them. Yep I’m telling you it is ok to break the “rules”. If you need to move or adjust your tools to gain better perspective of an active incident – DO IT. Certainly if you can bake that into the process ahead of time it makes it easier, but even if you can’t – make the change, beg for forgiveness and then update the policy afterward. Along the same lines if your security team is solely alert driven you are doomed to fail. Find new ways to conduct analysis with the data you have available or can get. (more on this topic soon). You should be updating your tools, processes, expertise on an hourly, or at least daily basis.

Expertise: “Singer, Songwriter, Choreographer, Lawyer, Doctor, Firefighter, Astronaut, Meter Maid, Special Agent, Fashion Designer and Clown”

We must have expertise in so many areas, Security Analysis, Incident Response, Forensics, Malware Reversing, Threat Intelligence, Security Architecture and in soft skills like Advising, Coaching and Mentoring. Plus you have to do it on a training budget of $1500/yr. Great people want to work on great teams. Invest in your team (time, energy and dollars).

Process: “Standardized yet Flexible”

Our goal is to create a fast, flexible set of processes and information that experts can manage and bring down the time to identify and remediate incidents. We should be able to execute a “game plan” without having to write the play book each time. Everyone involved should know the plan, authority and responsibilities established and trained against. The “norm” in response should not be based on Herculean efforts. That said your plan needs to allow for an audible. A good plan will have everyone’s buy-in and trust.


I believe these stated goals are realistically attainable and at the same time I fully understand that all of these require significant investment across the board. The reality of our situation is pretty simple, our adversaries have changed the game. If you or your executive team don’t like it - “tough sh!t”. Seriously. Unless you don’t mind all of your information exposed, indexed and simply common knowledge by the rest of the world you had better figure out how to start to move past your checklists and trust in outdated methodologies and move towards allowing your people to do their jobs to the best of their ability. The high-level steps identified in this post go a long way towards positioning your team in that direction. It’s a compass not a GPS.

Thanks for reading! Next week I’ll post my “Enterprise Visibility” chart and definitions. A new look on something I’ve been trying to articulate for years. In that post I’ll explore some of the goals necessary to reach a point of Enterprise Visibility in your organization. The “Perspective” post is a simple view into understanding what it is exactly you are able to see and what gaps you still may have. A very simple but illuminating task. Until next time. - Rocky
Shared publiclyView activity