Anatomy of a Security Super Bowl Dynasty, Part 3: Special Teams and Coaching

Imperva Directors of Technology in the Office of the CTO, Brian Anderson and Craig Burlingame, recently conducted an informal education session titled "Creating a Security Super Bowl Dynasty." In this presentation, they used the ways American football teams create consistent, sustainable success as an analogy for how security professionals can build a consistent, sustainable application and data security posture.

Overall, the successful execution of application and data security, like a championship-caliber football team, doesn’t depend on excellence in any single area. Rather, an organization must achieve success in all phases – defense, offense, special teams and coaching. In part one, we discussed defense. In part two, we focused on the “offensive side of the ball”. In this last installment, we’ll explain how lessons learned from superior special teams and coaching in football can be utilized to help an organization create best practices that establish a championship security posture.

Special teams: the right people in the right place watching the right activity

Special teams are composed of players who do a very specific job well. In security, this means having the right people deployed in the right part of your process to ensure success. Trying to fool your security system with “trick plays” is oftentimes a signature move for cyber attackers. They may effect an increase in DDoS traffic or something else designed to make you pay attention to “noise” while they execute a more targeted attack through an insider or compromised user, for example. They may also use the time created by the diversion to discover a vulnerability that they can exploit later. Championship security teams always need to be on guard for this type of attack scenario.

Internal teams whose job it is to focus on regulation compliance need to go beyond doing “just enough” to be in compliance and focus on a real security mindset. If you look at the largest data breaches in the recent past, you’ll find that virtually all of the affected organizations passed compliance audits. Getting beyond compliance is key to creating a championship security posture.

It is important that your special teams in security not give up “yardage” unnecessarily. Make sure your specialists are configuring your firewalls and database activity monitoring processes properly so they are not giving your opponents (attackers) anything easy to work with. Also, having the proper controls in place to effectively monitor and respond to a malicious or compromised internal user is an important function of special teams in security. Do not assume that all security threats are external. Having the capacity to alert, isolate and mitigate threats coming from inside the organization is equally important. A championship-level security team will have the capacity to automate these processes. If you do identify a vulnerability or a way into the application – through an external or internal actor – your team can train the system to automatically add a new firewall rule in response.

Build your weaknesses until they become your strong points

Automation is key to turning security weaknesses into strengths because it saves considerable time and enables players to focus on real security strategy rather than bogging down in details and developing alert fatigue. A championship security team can protect hundreds of applications and monitor the several thousand databases that support them with a very lean team of four or five people globally. This is not possible without automation. When a championship security team deploys something new, they ensure all the associated configurations and necessary provisioning are automated end-to-end. The feed of all the monitoring solutions they have in place enables them to dig deeper into specific activity and offers the insight required for team members to create new rules that protect the applications and the data. This in turn makes the systems smarter and cuts down on manual efforts. It is an ongoing cycle.
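The automated detect-and-respond loop described in the two sections above (monitoring feed in, new protective rule out, no manual step in between) can be shown end to end in a few dozen lines. The following is an added illustration, not code from Imperva or from the presentation: it parses constructed database activity monitoring (DAM) log lines, flags an account whose bulk reads outside business hours exceed a baseline, and emits the access rule an automation hook would push to the firewall or DAM policy. The log format, the 100,000-row threshold, the business-hours window and the `deny db-access` rule syntax are all assumptions chosen for the example.

```python
"""Added example (not Imperva's code): a minimal detect-and-respond loop over
constructed DAM log lines. Accounts whose off-hours bulk reads exceed an
assumed baseline are turned into a firewall/DAM deny rule automatically."""
from collections import defaultdict
from datetime import datetime

# Constructed sample DAM log lines (not real data):
# <timestamp> <db user> <source ip> <statement type> <rows returned>
SAMPLE_LOG = """\
2024-03-01T09:12:03Z alice 10.0.4.21 SELECT 12
2024-03-01T10:40:11Z alice 10.0.4.21 SELECT 40
2024-03-01T23:05:47Z bob 10.0.9.77 SELECT 48000
2024-03-01T23:06:02Z bob 10.0.9.77 SELECT 51000
2024-03-01T23:07:19Z bob 10.0.9.77 SELECT 47000
2024-03-01T14:20:00Z carol 10.0.4.33 UPDATE 1
"""

ROW_THRESHOLD = 100_000        # assumed per-user baseline for rows read off-hours
BUSINESS_HOURS = range(8, 19)  # assumption: 08:00-18:59 UTC is normal activity


def parse_line(line):
    """Split one constructed DAM log line into a dict with a parsed timestamp."""
    ts, user, ip, stmt, rows = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "user": user,
        "ip": ip,
        "stmt": stmt,
        "rows": int(rows),
    }


def find_suspicious_readers(log_text):
    """Return {user: (source_ip, total_rows)} for users whose off-hours SELECT
    volume exceeds ROW_THRESHOLD. In-hours reads and writes are ignored here."""
    totals = defaultdict(int)
    last_ip = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["stmt"] != "SELECT" or ev["ts"].hour in BUSINESS_HOURS:
            continue
        totals[ev["user"]] += ev["rows"]
        last_ip[ev["user"]] = ev["ip"]
    return {u: (last_ip[u], n) for u, n in totals.items() if n > ROW_THRESHOLD}


def build_response_rules(suspects):
    """Turn each finding into the rule text an automation hook would push.
    The 'deny db-access' syntax is hypothetical, standing in for whatever the
    firewall or DAM product actually accepts."""
    return [
        f"deny db-access from {ip} user {user} reason=offhours_bulk_read rows={rows}"
        for user, (ip, rows) in sorted(suspects.items())
    ]


if __name__ == "__main__":
    for rule in build_response_rules(find_suspicious_readers(SAMPLE_LOG)):
        print(rule)
```

In practice the rule would be pushed through the product's API rather than printed, and the threshold would be derived from observed per-user baselines rather than hard-coded; the point is that the detection logic and the resulting control are one pipeline, so the team reviews rules instead of chasing alerts.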

Coaching security teams: make the whole greater than the sum of the parts

No single player can do everything. Coaches need to ensure that the skill sets represented on the team enable it to function as a cohesive, productive unit. To create a championship team, everybody must “do their job” and come together to consistently protect the organization’s assets and data. The coach’s challenge is to find the right talent and create the right culture. Technology is changing all the time and every organization is trying to solve the same problems. How can you invest in your people and create a workplace culture that drives a championship mentality? Give your team the coaching and tools they need to put them in position to succeed. Pay attention to details and create a great game plan. Coaches need to be intimately familiar with all the threats that are out there. They must do the necessary research and partner with security vendors to stay current on new threats and challenges. They must understand the lifecycle management of incidents to facilitate fast mitigation and resolution. Coaches need to have a strategy to deal with even atypical incidents, like zero-day and supply chain attacks. Starting with the coaches, figuring out how things happen and learning from mistakes and oversights needs to be an ongoing process for everyone on the team. If you can check off these boxes, you can consistently win the game before it starts.