Defense Chain

[Figure: Defense Chain / Kill Spiral diagram]

Plan

Before you can begin to protect your network, you first must figure out some key things, like what exactly you wish to protect, and what you're trying to protect it from. In the Plan phase, you do things like:

  1. identify your assets
  2. create your security and incident response policies
  3. decide what types of protective controls you will need
    • firewalls
    • endpoint protection
    • network proxies
    • etc.
  4. plan how to deploy the protective controls
  5. plan how to monitor the entire system (because prevention always fails)

The planning phase is probably the most important piece of the Defense Chain, because everything else depends on it.

Build

During this phase, you:

  1. assemble teams
  2. learn skills
  3. create or acquire the technical tools

It's vitally important that you build teams and skills before you try to build the technical parts of the solutions. Not everyone needs to be an expert (though you certainly need a few of those to guide you), but everyone involved needs enough of a background to know what they're doing and why they're doing it.

It's also worth pointing out that the "Build" phase isn't something you just do one time and then forget about it. Rather, you should be constantly growing your teams' skills and experience. You also need to have someone looking over your controls to be sure they are operating efficiently, and to update and improve them as needed.

Monitor

This phase is probably where you spend the majority of your time. It's where you:

Detect

The detect phase is where you:

Respond

Once you have found evil, you need to exercise those incident response plans you developed in the Plan phase. Investigate, contain and remediate!

Report

The Report phase is about:

  1. gathering information about your successes and failures
  2. analyzing it to make recommendations for improvement
  3. communicating this to the right people

Typically, reporting is a follow-up to an incident response, but you would also do this for other reasons (e.g., to review a red team engagement or an auditor's findings).

Improve

After the successes, failures and recommendations have been documented and reported, you need to make sure you act on them. You need to constantly improve your skills, tools and procedures.

So many organizations skip this step. Although it might mean less work in the short term, it makes more work in the long term as they play catch-up with threats that have advanced beyond the organization's ability to protect itself.[1]


Relevant Note(s): Cyber Kill Chain


  1. http://detect-respond.blogspot.com/2014/10/the-defense-chain.html