Offense Wins Games…Defense Wins Championships: Tips to Build Your Security Strategy. Part Two – Game Day!

By James Christiansen, Jason Clark ·

During the first part of this series we explained that in order to be a Super Bowl champion, you need to study the offense and be prepared with a flexible defense. In years past, we had incident response scenarios that we relied upon to prepare for breaches. Today, there is no “playbook” for the defense. The old school book on security doesn't work anymore.  

Now it’s game day for your team. They have gathered in the locker room for pre-game meetings, rituals and pep-talks by fellow coaches and team captains. The time has come for them to execute on the game plan that has been laid-out, practiced and approved by team management. The adrenaline is pumping … scenarios of how the game will play out running through the heads of the coaches, players and fans. Will the preparation be enough? 

When the time comes to implement the people, process and technologies set forth and approved for your business-aligned security program, preparation will not be enough; game-time decisions, team agility, following the rules, zone protection and remaining calm, cool and collected are all a must. The following tips will help you towards implementation of a successful program regardless of what trick-plays come your way.

Part 2 - Game Day!

Pre-game Warm-ups 
Make sure you reiterate the game plan to your defensive staff and team at your pre-game meeting. Restate the team’s targets to make sure they understand the plan to protect against the opponent’s attacks, where the attacks are likely to come from, and they can stop the attacks. Go through additional training with your second- and third-string players in case of injury. Review the defensive formations ensuring your players see the full team picture, but also understand their individual responsibility and its importance to your team’s success. 

Recognize the Rules
Football is a game of inches; sloppy fouls can really cost you. Government and industry regulations change frequently and impact each security program. These regulations must be taken into consideration, although they should not be the end-all-be-all for your security program decisions. Following government and industry regulations can keep you out of hot water, and provide value when you need to go to your leadership for added budget (if it is sold as a required control to be in compliance). Remember that compliance to regulations doesn’t mean security. Concentrate on winning the game with a strong security program focused on the risks; don’t be overly obsessed with calling plays based on regulations or you could lose the game.

Protect the End Zone 
Your opponent is after one thing, your end zone. You must protect it at all costs. In your game plan, you made sure your team understood that you needed to “batten down the hatches” to keep the enemy from scoring. Make sure you have done a good job identifying your company’s  crown jewels. Where is the important information? How sensitive are our systems to an outage? Guard your end zone through network segmentation, keeping systems patched, and using endpoint protection to ensure you have your players lining up the right places for the best defense.  

Keep an Eye on the Game
The coaches are in the skybox to keep a broad perspective of the game. They use instant replay, pictures of the offensive plays, and injury reports to stay on top of the game while in progress. They adjust their defenses. Make sure you adopt a similar strategy and use  available tools to  give you visibility into your systems. With the average breach exceeding 230 days before detection, you need to keep a wide view on the playing field. Always be alert for the trick play (e.g. a DDoS attack to mask exfiltration of your data).  Use your advanced analytics, forensic capabilities, data leakage alerts, firewall alerts and the jumbotron of security - your security information and event management (SIEM).  

Agility is Key
As the game progresses and new information becomes available, you should  adapt your play calling. Be sure to make adjustments or updates to your controls in real time. If your threat intelligence indicates a change or new vulnerability, you will need to create new rules and feed those rules to your deep coverage zone defense, a.k.a your intrusion detection systems and security incident event management systems. You can call an audible when needed, use it! 

Prepare for a Comeback
Games don’t always go your way. Remain calm if you are down on the scoreboard or the officials make a questionable call. Stay confident – you cannot execute a comeback in a panic. Even with the best preparation, things can and will go wrong. If you find yourself behind on the score, you should have a strong incident response plan to execute. This plan must include a process for identifying the nature of the incident, containing the identified problem, remediation, and using proper post-incident communication channels to ensure understanding and create a strategy to move forward. A recovery plan is key if you intend on making that comeback. 

In the last part of this blog series, we will explore the post game analysis of lessons learned from reviewing mistakes, and refining your game plan based on retroactive knowledge and the potential plays your foes are planning next.