Security Optimization Journey Blueprint

Phase 2: Threat-Informed Operations

Each phase of your program’s evolution builds on the establishment and maturation of the previous phase. Phase 2 focuses on the introduction of more proactive threat-driven capabilities, developing granular performance data, and driving improvements in your organization’s security and technology governance processes. There are three components: threat emulation for security optimization; threat-informed technology operations to improve software security and architectural security; and project software security development lifecycle (SSDL) and modeling.

Expected Outcomes: You have transitioned your operations program from reactive incident response to proactive hunting. You have a data-driven, objective change management process to reduce risk. Automation enables your business to evolve towards a SecDevOps model. You gain a consistent, automated approach to project security oversight and control.

Threat Emulation

Threat Hunting. AttackIQ’s Security Optimization Platform can enable the Security Operations Center to anticipate, prepare, and hunt for threats. In this scenario, your cyberthreat intelligence team would present a new threat behavior that MITRE ATT&CK has just released, or which AttackIQ or your team has created. It could be a new vulnerability or a new tactic, and the SOC could then conduct a purple team exercise to test its capabilities to see how it would perform against the new threat.

Post-Incident Response Remediation. After your team conducts an incident response, they can take what they learned from the incident and use the Security Optimization Platform to replay it as a test event in another part of the network, confirming that the fixes work across the organization. Once you learn from one incident in one part of the organization, you can deploy tests against other parts of the network. In this way, you get a tailored post-incident purple team that constantly learns from incidents to harden the enterprise.

Threat-Informed Technology Operations

Change Management Risk Assessment. When your technology team initiates a change, that change often affects the security posture and requires the operations team to assess the risk of the change as part of the change management process. In this case, the threat-informed defender (on the blue or red team) can use AttackIQ’s Security Optimization Platform to validate the change, confirming that it works as intended and that the security controls remain in place.

Continuous Integration/Continuous Delivery (CI/CD). In a software release process, you define the set of security controls that need to be included in the update, and can then build a test through AttackIQ’s platform to confirm that the security update works, running a static code analysis against the program. AttackIQ scans the code before it is released, enforcing a key protection, a credential pass, or any other security control specified in the code. Once this process is complete, you can create ways to test that the security works as intended through an automated test harness. This solution fits well within the DevOps team, who can do this work together transparently through a purple team security unit.

Software Development Lifecycle Security Validation. With the AttackIQ Security Optimization Platform you can define and validate security requirements for third-party technology projects that you need to bring into your organization. For example, a law firm may need to know whether a new Document Management System meets its security, regulatory, and compliance requirements, and could use the platform to test it. You can also use the data you generate from these assessments to nudge your vendors to improve their security testing in the evolving regulatory landscape, incentivizing them to improve their security posture.