Page 48 - Cyber Defense eMagazine for June 2021
Rise of the Information Assurance team
Information assurance teams focus on the products that your organization depends on. They can work
with your incident response team to see the trends specific to your industry and your organization. Senior
software security researchers will provide the intuition needed to know where the vulnerabilities are likely
to be present, so the efforts are focused on the components which are most likely to have the biggest
hidden risk. The team should also include at least one person with threat modeling experience, who is
able to quickly determine which components pose the biggest risk to your institution.
Having a diverse skill set is critical to the success of information assurance teams. Their mission should
be to uncover and mitigate these hidden risks. They need the freedom to operate in a way that makes
the best use of their time. This likely includes integrating them with the procurement process so they can
attempt to make sure things don't get worse. It means relying on their expert judgement to determine
what systems they should look at, establish the order in which those systems should be investigated, and
when it is time to stop looking at a single piece of a system and move on to the next one.
If you are thinking that this sounds a lot like Google's Project Zero, you're right. The difference is that the
Project Zero team is focused on products that are important to them, which likely only partially overlap
with the things that are important to you. Having a team that is working for you solves this problem.
A team like this takes time to build, and it is expensive, which means it's not an option for everyone. If
it's not an option in your organization, you must ask yourself how you're going to solve the problem.
Some options would be to:
● outsource this work to an external team
● depend on isolation, exploit mitigations, and network defenses
● leverage cyber insurance
● simply accept the risk
It's important to always acknowledge the last option: accepting risk. Risk acceptance is always an option,
and it's important that it be a choice, not something that was arrived at due to inaction.
Even if you have an information assurance team at your disposal, it does not mean that other efforts are
no longer necessary. Partnering with external security research teams, audits, penetration testing,
network isolation, sandboxing and exploit mitigations are all still valuable tools to have in your toolbelt.
Understanding the shortcomings of each tool is the key to validating that they are being layered in a way
that keeps your organization protected.
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.