Building An Enterprise Information Security Program

In the modern day, it is difficult to turn on the news, pick up a paper, or mill about everyday life without being exposed to the details of the latest hack that has disclosed personal information, tarnished a reputation, or pilfered currency. The threat landscape has lead to organizations looking inward to assess their current state and realize that they may not have the means or processes to deal with a hacking incident. What do we do if we’re being hacked? What if we’re already hacked? How would we know? What would we do? Seeking the answers to these types of questions typically lead to the establishment of a security program that puts in place processes and procedures that guide organizations to make the right decisions in the face of active attackers.


But where to begin? It can be a long, arduous road from knowing you need answers to actually having answers. In order to be successful in the establishment of an enterprise security program, it is necessary to define clear goals. In order for goals to be effective they must have a clear definition and be assigned deadlines. Deadlines must be practical yet challenging so that the success of the program is obtainable and measurable. The goals of a security program should be unique to your organization and reflect challenges specific to you. The outlined goals should lend themselves to the creation of a mission statement that functions as the guiding light of the security program.


After the goals have been articulated, the next step is to obtain official buy in from executive management. Often the buy in is presented in the form of a charter or something similar. It is essential that formal recognition of the security program is granted so that they are effectively empowered to meet their goals. This empowerment optimally places the security program in a branch of an organizational tree that is independent of the rest.


So you’ve set your goals, the executive management has sung your praises… what? It is untenable to attempt to make broad, sweeping changes to the organization effectively. The best approach is to follow the philosophy of crawl, walk, run. As with most things, it is best to try to set yourself up for success with quick wins. Identify and attack some of the low-hanging fruit within the company. An effective security program cannot begin without a thorough understanding of the systems, software, and connections. A good place to begin is defining the system boundary by gathering a detailed inventory of systems, understanding their function, and gathering a high level understanding of the most sensitive systems. This process can be completed with a mix of technologies that scan your systems, and interviewing your constituents to understand what is important to them.


The interview process will serve to provide two functions. Not only do you gather more details about the environment, but it also provides an opportunity to enhance the relationship between the security team and the other organizational groups. Early on it is imperative to evangelize the initiative. The message to the organization should relay the mission and goals. The personnel should also understand that security is not something that is going to be happening to them. It is meant to enhance awareness and increase effectiveness (note: effectiveness may need to be redefined to mean something other than as fast as possible). While conducting evangelization you may find that some of your most staunch supporters and enablers reside within the user base. Leveraging them may prove to be your most valuable resource.


Now that you’ve identified systems and interconnections, gathered an understanding of organizational processes, and weighed the critical assets, policies and procedures can begin to be formulated. This is another area to seek quick wins. Seek to find policies that may already in place and just haven’t been formalized yet. You don’t want to introduce any drastic changes to the community culture right out of the gate. This sort of action will not endear you to the user base. A good place to look would be the Acceptable Use Policy or Account Management. Once you have achieved some easy wins, seek to define policies and procedures that are more mature and are integrated throughout the enterprise. Policies and procedures should be woven throughout the software development lifecycle, operations, desktop support, and physical security. This integration ensures that security is embedded throughout the organization’s culture.


Now you’ve entered the walk portion of the program. Enter automation. It is important to establish strong policy prior to automation because they will shape the requirements for the solutions you put in place. Automation generally encompasses solutions like patch management, vulnerability management, and configuration management. Entire textbooks have been written on each topic but I will touch on a couple of key points for each.


When you were crawling you gathered a comprehensive list of systems. Now that you’re ready to walk you’re able to gather the current patch level of each individual system throughout the enterprise. You should know what’s up to date and what’s lagging. You should be in a place where you should strive to make sure that everything is patched. You are able to prioritize what should be patched immediately and what could wait until a later date. While the goal is to make sure everything is patched all the time, the cold, stark reality is that this is not always possible. Systems that cannot be patched should be documented and tracked.


For vulnerability management the goal should be to find all of the vulnerabilities in the enterprise. This is obtainable but it requires different automated scan types. Authenticated, network, external and passive scanning are all tools that can be deployed to detect vulnerabilities throughout the enterprise. Once a vulnerability is detected the process to remediate as defined in your vulnerability management policy initiates. The vulnerability should be assigned a score based on its criticality. This score dictates the immediacy of remediation or acceptance of the risk.


An effective configuration management program is a sure sign of a mature security program. The road to establishing a streamlined configuration management process can be daunting as you are inundated with terms such as CMDB (configuration management database), configuration items, and artifacts. As with the security program in general, a proper configuration management program begins with starting small and scaling out with success. It can begin with small wins such as establishing change control for a firewall or creating a gold workstation image. Configuration management begins in the walk phase but extends well into the run phase of the security program. 


Once you’ve mastered walking, you are ready to run with the establishment of correlation engines, threat hunting, incident detection and response, and digital forensics. By utilizing continuous monitoring, you will be able to dynamically detect when bad things are happening in your environment, and launch processes that quarantine the attack and allow for further investigation limiting impact as much as possible. This phase has close ties with lawyers, insurance and law enforcement so that they are able to quickly act in the event of a breach. A security program that is running is able to measure how fast and efficiently it’s running and provide quantitative data points that gives feedback on how it can improve.


Whether you’re a team of one or a part of an organization that has substantial resources that can back a full fledged security program with specialized teams, the process of beginning an effective program begins with starting with small, visible wins that garner willing and enthusiastic participation throughout the organization.  Identify low-hanging fruit to be plucked to gain momentum and ride successes until you've met your goals for the program and progressed into a mature enterprise.