We’ve created our security maturity model to be helpful to those starting a security program from scratch. It may also be helpful to those managing an existing one, but it’s primary purpose is to inform customers of what tools to use to achieve desired goals within their security program.
The security maturity model starts off with ex-post facto resources, useful in recovering from attack and preparing for further maturity.
Level 1:
- Asset Inventory
- Centralized Logging
- Backups
- Regulatory Compliance
Creating an asset inventory allows you to fully grasp the landscape. You’re asking yourself “What is my attack surface?” and creating a priority list of what services are most important to protect.
Centralized logging allows you or an incident response team to query for events that occurred within the environment, providing insight into an attacker’s methodology and allowing you to understand the severity of a breach.
Backups are a must, and be sure to test them regularly. Having backups of your environment allows you to restore services and resume business in a timely manner after a breach.
A regulatory compliance program allows you to understand what standards and practices your business should be following, informing your later architectural and design decisions.
Level 2
- Incident Response
- Endpoint Detection and Response
- Security Information and Event Management
- Security Orchestration, Automation, and Response
- Detection Engineering
- Architecture and Infrastructure Security
Your incident response program needs to be a hands-on-keyboard endeavor. This is the set of humans who will be finding and responding to incidents occurring on your network.
Endpoint Detection and Response (EDR) provides some preliminary analysis and insight into the devices your organization manages. This helps with responding to an attack in a timely manner and minimizing an attacker’s dwell time on your network.
The next step for your centralized logging platform is Security Information and Event Management (SIEM). A SIEM analyzes the logs collected by your logging platform and can be used to correlate events with an attacker’s actions.
Security Orchestration, Automation, and Response (SOAR) works closely with the SIEM. It is a piece of infrastructure that provides a platform for kicking off automations based on the SIEM’s or your engineer’s findings. The SIEM analyzes and the SOAR takes action.
Detection engineering is a process of understanding attacks that have occurred or are likely to occur and creating alerts within the SIEM to discover them, allowing for a rapid response from tooling or personnel.
Your Architecture and Infrastructure Security program should inform your organization on matters like choosing, configuring, and deploying infrastructure for its use with the security of those systems in mind.
Level 3
- Application Security
- Development Standards
- Logged and Tracked Risk Management
- Threat Modeling
- Threat Intelligence
Your Application Security program should be engineers and tooling who can analyze bespoke code produced by your organization, discover security issues within that code, and work with developers to remediate those findings.
Your Application Security engineers should also create development standards, documents and policies that inform developers on what tools and libraries they should be using and how to use them in a way that maintains organizational security. Think Architecture and Infrastructure Security at the application level.
As findings are discovered and provided to other parts of the organization, it’s important to keep track of when a known vulnerability is decided to be an acceptable risk, having stakeholders sign off on that risk. It’s a database of who’s liable for the potentiality of a vulnerability being exploited and the fallout of that happening.
Threat modeling is using hypothetical yet likely scenarios to inform you of weak spots in your environment and even the overarching motivation of attackers.
Threat intelligence maintaining a list of credible news sources in the world of cybersecurity that will inform you of new vulnerabilities being discovered, various breaches that may have occurred, and actions of specific threat actors. This will inform you of preventative measures to take in securing your own organization.