As defenders we need to wear multiple hats at all times. The NIST Cybersecurity Framework defines these hats in 5 core functions: Identify, Protect, Detect, Respond, and Recover.
Here is a 4:34 min video giving an overview of the NIST CSF:
If you prefer not to orient yourself with the help of a framework, here are some links to other explanations of the defender's role:
Although you will never actually work in the workflow below, it makes sense from a theoretical perspective and lets us put everything into buckets.
In a Nutshell: Know what you need to protect!
To be able to protect your networks, systems, and identities, you need to know them. And while that is easy in a small business or home network, it becomes a huge task in an enterprise network. Depending on the size of the network(s) you are supposed to protect, you will need a spreadsheet or a fully fledged asset management tool. But before we go down that path, let's talk about the why. Here are some reasons why you need to know your assets:
There are 3 disciplines in the Identify function:
In a Nutshell: Minimize Attack Surface!
Protection should be applied to Networks, Systems, and Identities.
In the network layer of IT infrastructures the following protective technologies are available:
Systems can be protected in Active and Passive ways. Active Protections include things like Anti-Virus solutions. Passive Protections are usually based on System Hardening practices. Here are some system protection techniques:
Identities are user accounts in your central user directory (e.g. Active Directory) or local user accounts on your systems. User accounts can be normal user accounts or privileged user accounts. Privileged user accounts should be protected better because they often have wide-reaching permissions on many systems. Within the realm of Identity Protection there are two main topics that are worth building programs around:
In a Nutshell: Be the first to know that something malicious is happening in your environment!
There is this old quote: There are only two types of companies: The ones that have been hacked and the ones that don't know that they have been hacked. (However, now in 2021 literally everyone has been hacked.)
Detection of suspicious and malicious activity on your networks & systems and with your identities & data will give you the opportunity to do something about it before it results in huge headaches. The two biggest technology areas within detection are network security monitoring (capture network traffic and analyze it) and security log monitoring (collect all security logs and analyze them).
With the arrival of broad encryption of network traffic this discipline has changed dramatically in the last couple of years. Because cryptography is now applied to most network connections, it becomes increasingly hard to analyze the payload of network packets. For this reason the field is currently shifting towards analyzing the metadata of network traffic. Metadata of network traffic includes which types of connections have been made between which systems and how much data was exchanged.
The Security Log Monitoring field splits into three disciplines: the production of logs, the collection of logs, and the analysis of logs.
There are many different types of security logs - Here are some examples:
In most cases the default settings of the log sources are insufficient, so they need to be configured in some way to be useful and to strike the right balance between consuming system performance and providing relevant signal to the cybersecurity team.
The collection of security logs is usually done with a Security Incident & Event Monitoring (SIEM) tool. SIEMs need a lot of storage for all the collected logs. Log retention is what you use to define how much log data you keep around for how long, which helps you limit costs. Most setups use a retention period between 30 days and 1 year, with 90 days being the most practical.
Once logs are being collected, the events within the logs need to be analyzed. Due to the volume this task cannot really be done manually; technology is needed. There are two different types of log analyzers:
Static Alert Rules are traditionally a feature of SIEMs. Machine Learning models are the core function of UEBAs (User & Entity Behavior Analytics). The process of adapting Alert Rules to your IT environment is called Writing Detections.
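As an added example (not code from the original article), here is a minimal sketch of both analyzer types run over constructed logon events: a static threshold rule of the kind a SIEM evaluates, and a baseline-deviation check of the kind a UEBA learns at scale. The event format, field names and thresholds are assumptions for illustration.

```python
# Added example, not from the original article. Two toy "log analyzers"
# over constructed logon events: a static alert rule and a behavioural baseline.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, user, source host, outcome)
EVENTS = [
    ("2021-05-01T09:00:00", "alice", "ws01", "failure"),
    ("2021-05-01T09:00:05", "alice", "ws01", "failure"),
    ("2021-05-01T09:00:09", "alice", "ws01", "failure"),
    ("2021-05-01T09:00:12", "alice", "ws01", "failure"),
    ("2021-05-01T09:00:15", "alice", "ws01", "failure"),
    ("2021-05-01T09:00:20", "alice", "ws01", "success"),
    ("2021-05-01T10:00:00", "bob", "ws02", "success"),
    ("2021-05-02T10:12:00", "bob", "srv-backup", "success"),
]

def parse(events):
    return [(datetime.fromisoformat(ts), u, h, o) for ts, u, h, o in events]

def brute_force_rule(events, threshold=5, window=timedelta(minutes=5)):
    """Static alert rule (SIEM style): at least `threshold` failed logons for one
    user/host pair inside `window`, followed by a success from the same pair."""
    alerts, failures = [], defaultdict(list)
    for ts, user, host, outcome in parse(events):
        key = (user, host)
        if outcome == "failure":
            failures[key].append(ts)
            # keep only failures that still fall inside the sliding window
            failures[key] = [t for t in failures[key] if ts - t <= window]
        elif outcome == "success" and len(failures[key]) >= threshold:
            alerts.append((user, host, len(failures[key]), ts))
            failures[key] = []
    return alerts

def new_host_rule(events, baseline_days=1):
    """Behavioural rule (what a UEBA learns at scale): record which hosts each
    user logged on from during the baseline period, then alert on any later
    successful logon from a host outside that user's baseline."""
    parsed = parse(events)
    cutoff = min(ts for ts, *_ in parsed) + timedelta(days=baseline_days)
    seen, alerts = defaultdict(set), []
    for ts, user, host, outcome in parsed:
        if outcome != "success":
            continue
        if ts < cutoff:
            seen[user].add(host)          # learning phase
        elif host not in seen[user]:
            alerts.append((user, host, ts))  # deviation from baseline
    return alerts
```

Tuning the threshold, window and baseline period to your own environment is exactly the "Writing Detections" work described above.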
In a Nutshell: Kick 'em out!
In a Nutshell: Rebuild what has been brought down and learn from what happened!