Page 48 - Cyber Defense eMagazine for June 2021

Rise of the Information Assurance team

            Information assurance teams focus on the products that your organization depends on.  They can work
            with your incident response team to see the trends specific to your industry and your organization.  Senior
            software security researchers will provide the intuition needed to know where the vulnerabilities are likely
            to be present, so the efforts are focused on the components which are most likely to have the biggest
            hidden risk.  The team should also include at least one person with threat modeling experience, who is
            able to quickly determine which components pose the biggest risk to your institution.


            Having a diverse skill set is critical to the success of information assurance teams.  Their mission should
            be to uncover and mitigate these hidden risks.  They need the freedom to operate in a way that makes
            the best use of their time.  This likely includes integrating them with the procurement process so they can
            attempt to make sure things don't get worse.  It means relying on their expert judgement to determine
            which systems they should look at, the order in which those systems should be investigated, and
            when it is time to stop looking at a single piece of a system and move on to the next one.


            If you are thinking that this sounds a lot like Google's Project Zero, you're right.  The difference is that the
            Project Zero team is focused on products that are important to them, which likely only partially overlap
            with the things that are important to you.  Having a team that is working for you solves this problem.


            A team like this takes time to build, and it is expensive, which means it's not an option for everyone.  If
            it's not an option in your organization, you must ask yourself how you're going to solve the problem.
            Some options would be to:
               ●  outsource this work to an external team
               ●  depend on isolation, exploit mitigations, and network defenses
               ●  leverage cyber insurance
               ●  simply accept the risk

            It's important to always acknowledge the last option: accepting risk.  Risk acceptance is always an option,
            and it's important that it be a choice, not something that was arrived at due to inaction.


            Even if you have an information assurance team at your disposal, it does not mean that other efforts are
            no longer necessary.  Partnering with external security research teams, audits, penetration testing,
            network isolation, sandboxing and exploit mitigations are all still valuable tools to have in your toolbelt.
            Understanding the shortcomings of each tool is the key to validating that they are being layered in a way
            that keeps your organization protected.













            Copyright © 2021, Cyber Defense Magazine.  All rights reserved worldwide.