CIOs, CISOs, SecOps, and IT teams of many organizations are often asked about their specific defensive capabilities. “How well would we handle Locky Ransomware or EternalBlue?”
Most are unable to reliably and objectively provide data-driven answers. Evaluating your own security maturity can help you understand your current capabilities and drive towards a more mature security program, providing your organization with further capabilities.
In this blog post, I’ll review a simplified set of maturity levels that can help you evaluate your security program and discuss how AttackIQ can enable your organization to grow more mature at each level.
Classic Maturity Models
Maturity models can provide guidance in evaluating the capabilities of your security program and there are a number of well-known maturity models accepted in the industry e.g CMM, HP SOMM, Hunting Maturity Model, Detection Maturity Model, C2M2, ES-C2M2, ONG-C2M2, Booz Allen Cyber Operations Maturity, Microsoft Critical Infrastructure Protection: Concepts and Continuum Framework, Community Cyber Security Maturity Model, some models are very broad and generic, some are very narrow and focused. The right model varies based on the specific situation and many of these models can be adapted to fit your needs.
In the last five years, AttackIQ has worked with organizations at every level of their security maturity and we have found using a security validation platform enables an organization to improve the security maturity of their own program moving from ad-hoc to compliance-driven to ultimately a continuously optimized data-driven strategy.
Building a great security program requires continuous improvement, and the best way to improve a security program is to measure it. Maturity models provide the ability to evaluate your defensive capabilities (people, processes, technologies, and tools), and as your organization becomes more refined, your security operations will be more prepared and your infrastructure will be more resilient to the threats against your business continuity.
Most maturity models have levels 1-5, leaving enough flexibility for the model to be descriptive rather than prescriptive, allowing it to be customizable by most organizations. Below is a description of each level, described generically, combining elements from multiple maturity models. In addition, I have added how AttackIQ through security validation can mature your organizational processes:
|Level 1 (Initial)||This is the starting point for the use of new or undocumented processes.||Processes are chaotic, ad-hoc, reactionary, little to no routine or repeatability when fighting fires, no metrics.|
How AttackIQ helps you mature from Level 1 to Level 2:
At this stage, most organizations have tended to focus on simple detection like perimeter protection, anti-malware, and patch management. Some organizations at this stage also choose to build a vulnerability management program. The problem typically becomes that overwhelming, unclear order to fix vulnerabilities without the prioritization and understanding of the assessment of impact. AttackIQ can help, by focusing resources to mitigate the risks associated with the vulnerabilities that present the largest potential impacts and risk to your organization and further positions the security program towards continuous security validation (CSV).
|Level 2 (Repeatable)||Processes are documented sufficiently such that repeating the same steps may be attempted.||There are some processes that are repeated but the processes are not formally documented or defined.|
How AttackIQ helps you mature from Level 2 to Level 3:
AttackIQ provides an organization the ability to take an inventory of all security capabilities, test the assumption of each technology an/or process in a manual or automated fashion, and evidence of correct and incorrect assumptions.
|Level 4 (Managed and Measured)||Processes are quantitatively managed in accordance with agreed-upon metrics.||Previous processes are not only documented and repeatable, but managed, monitored, and measured.|
How AttackIQ helps you mature from Level 4 to Level 5:
AttackIQ continuously monitors and measures current capabilities, identifying any gaps and providing data-driven metrics for decision makers and operators to optimize your holistic security program.
|Level 5 (Leading and Optimizing)||Process management includes deliberate process optimization and improvement.||Your team is proactive, measuring the effectiveness of the current program, identifying gaps, and using data-driven methodologies to constantly reduce risk.|
When your security is in its infancy, it can’t be expected to be able to answer questions related to real-world threats and if you’re prepared because you have not yet put the proper instrumentation in place to measure and validate your security controls. AttackIQ can help you mature at every level to improve your overall holistic security program so that you can feel confident to defend your security decisions and investments and be able to answer key questions as to the capability of your security program and its ability to defend against the latest greatest relevant threats.
Additional thank you to AttackIQ team members who helped provide input: Bob Failla and Tin Tam.