2021 Detection and Response Planning, Part 1: Rapid7’s Jeffrey Gardner Breaks Down How CISOs Should Approach Security Planning for the New Year

In this four-part series, we’ll explore key considerations and strategies for 2021 detection and response planning, and ways InsightIDR, Managed Detection and Response Services (MDR), and InsightConnect can help drive increased efficiency and future-proof your SOC going into the new year.

Despite a year of “new normals,” one thing that most teams can still count on this fall is annual security planning. In fact, many teams are ramping up their security planning early this year as they revisit changes introduced in the wake of the COVID-19 pandemic. In addition to supporting growing remote workforces, many SOCs are facing increased budget scrutiny and pressure to demonstrate ROI as they go into 2021.

To kick off this series, we sat down with Jeffrey Gardner, former Information Security Officer at a healthcare company, and recently appointed Practice Advisor for our Detection and Response portfolio here at Rapid7. These are highlights from our conversation and Jeffrey’s tips and advice for security planning this year.

Q: For new CISOs or security leaders out there who might be approaching security planning for the first time, how should they start?

Jeffrey: Security planning isn’t a static thing—it needs to be tailored to the company, where you are at, and where you want to go. Team leaders should be reflective and retrospective of the previous year and where SecOps are across the maturity lifecycle. There are three maturity categories that teams can fall in:

1. Reactive: Many new or small teams may be focused on being reactive to start—putting out fires, recognizing threats or risks quickly, and trying to stop them as quickly as possible.
2. Proactive: At the next rung up, you start to have a handle on detection and maybe start shifting into some more advanced mechanisms: some hunting, some deception methodologies, more automation, etc.
3. Contributors: These are organizations that have started to master the reactive and proactive areas of security and can now start actively giving back. Think of companies that are actively contributing to threat intel feeds, analyzing malware, or sharing insights in the community. These are often very mature teams and often, they’ve gotten here because they are attractive targets for attacks. They are often the canaries in the coal mine—they get hit with things first, so they are able to sound the alarm for everyone else.

It’s a spectrum, but understanding where your team and operations are at gives you a baseline to begin planning.

Q: Obviously, a lot of companies would aspire to be a “Contributor,” but most are going to be in the “Reactive” or “Proactive” stage. Once teams have that understanding, what comes next?

Jeffrey: If you’re a new leader, building out a team, or just want to level up, these are the areas I would recommend starting with:

1. Inventories and Assessments: First, especially if you’re new to the team, you want to start with some basic inventories and assessments to get alignment on what devices and information you have, what processes are in place today, what you need to protect, and what it’s worth. If you are going into planning and anticipate needing to ask for more budget, understanding the monetary value of the things you’re trying to protect is critical. If what you’re protecting is less than what you’re proposing to spend on security, that’s a hard justification to make. Doing these inventory activities and running some tests will all help give you an understanding of where you’re at, so you can best articulate how you want to grow.
2. Team: The next thing I’d recommend looking at is the team. Do you have a team? Are you trying to build a team? Building a team doesn’t happen overnight. It can take months to fill positions, then more time to onboard and ramp up new team members. I typically plan on hiring taking three months and onboarding taking anywhere from six to 12 months from there. So, for many teams, they should look at leveraging some managed services to help supplement your team and fill gaps.
3. Defining Priorities: With an understanding of where you’re at and what the team looks like, you’re ready to start getting into defining priorities. Based on what your organization does and the risk that you have, where do you need to go? And this will be unique to each company, their maturity, and their environment. For example, cloud-heavy organizations will want to put more money into protecting the cloud. If your team is on-premises, you have different things you want to protect. And then, of course, some organizations will be hybrid or anywhere in between. For a lot of organizations that are looking at tools, having your data in one place is important, so understanding what you need to protect and whether the tools you have can monitor all of these different areas of your environment is important.
4. Documenting Responsibilities: Next, I would get into assigning responsibility to things. Who’s responsible for all of the different pieces of your SecOps program (e.g., incident response, physical security, backup and recovery, communications)? This needs to be documented and captured so that everyone has clarity into who owns what. Maintaining Compliance. Finally, regulatory responsibilities are always important to look at. Chances are, if you are doing the previous four steps well, you’re likely in good shape for regulatory requirements, but you need to understand what compliance and control objectives are in place and what you have—or need to have—to cover them.

Q: What advice would you share for teams that are trying to make the case for more resources or budget next year?

Jeffrey: Unfortunately, a lot of teams have a hard time convincing executives or their board about the necessary investment in security. It can be challenging to quantify cyber-risk into something real for them. There are a lot of good frameworks out there, but again, if you’ve gone through the inventory and assessment exercises, that will definitely help. I’ve leveraged different frameworks in the past to help quantify risk and translate that to the budget-holder; one I really like is FAIR Institute’s risk framework. At the end of the day, what you want to be able to say to budget-holders is that we plan to purchase this thing, but this will help us protect X and Y, which is worth $Z to our organization. Trying to put a number or at least an estimate on these things will help make it real.

Q: This year has introduced new security challenges for teams, particularly with spikes in remote working. What are some new planning considerations this year?

Jeffrey: The ability to remotely interact with and triage systems is becoming incredibly important, especially now. Let’s look at containment as an example: If you don’t have the ability to lock down a user or workstation remotely, that’s going to be a problem. You can’t just walk across the hall and grab someone’s machine, or pull the plug on your network cable. The ability to do this response remotely is critical—pull registry keys, investigate ports, query the assets for the information you need. These are things we talk about in InsightIDR a lot, and having them all right there is so important.

SaaS tools continue to be more attractive and this is part of it, too. If your team is in different places, you need to be able to see the same data, the same view, and the same response from their homes.

Single sign-on is also something you should prioritize this year, if you haven’t already. This is always a best practice, but especially as teams are working at home and organizations are adopting more web applications. If you need to contain a user, single sign-on is the best way to make sure that user is cut out from everything quickly.  

And, of course, looking for more ways to optimize and drive efficiency is always important, but especially this year. Many teams are more resource-constrained than ever. Having efficient processes and tools and automating as much as you can will relieve a lot of pain and give time back. It’s also going to help you demonstrate ROI when you get around to planning next year.

We hope these tips are helpful as you ramp up on planning! Please stay tuned for the rest of this series for more advice and ideas to make your security program a success going into the new year.