Defense Chain

Plan

Before you can begin to protect your network, you first must figure out some key things, like what exactly you wish to protect, and what you're trying to protect it from. In the Plan phase, you do things like:

identifying your assets
creating your security and incident response policies
decide what types of protective controls you will need
- firewalls
- endpoint protection
- network proxies
- etc.
plan how to deploy the protective controls
plan how to monitor the entire system (because prevention always fails)

The planning phase is probably the most important piece of the Defense Chain, because everything else depends on it.

Build

During this phase, you:

assemble teams
learn skills
create or acquire the technical tools

It's vitally important that you build teams and skills before you try to build the technical parts of the solutions. Not everyone needs to be an expert, though you certainly need a few of those to guide you, but everyone involved needs to have enough of a background to know what they're doing and why they're doing it.

It's also worth pointing out that the "Build" phase isn't something you just do one time and then forget about it. Rather, you should be constantly growing your teams' skills and experience. You also need to have someone looking over your controls to be sure they are operating efficiently, and to update and improve them as needed.

Monitor

This phase is probably where you spend the majority of your time. It's where you:

actually operate the technical solutions
perform periodic reviews
drills to exercise your policies and incident response plans

Detect

The detect phase is where you:

check the output of your systems
validate the alerts
proactively hunting through the data

Respond

Once you have found evil, you need to exercise those incident response plans you developed in the Plan phase. Investigate, contain and remediate!

Report

The Report phase is about:

gathering information about your successes and failures
analyzing it to make recommendations for improvement
communicating this to the right people

Typically, reporting is a followup to an incident response, but you would also do this for other reasons (e.g., to review a red team engagement or an auditors' findings).

Improve

After the successes, failures and recommendations have been documented and reported, you need to make sure you act on them. You need to constantly improve your skills, tools and procedures.

So many organizations skip this step, and although it might make less work in the short term, it makes more work in the long term as they play keep-up with threats that have advanced beyond the organization's ability to protect themselves.^[1]

Relevant Note(s): Cyber Kill Chain

http://detect-respond.blogspot.com/2014/10/the-defense-chain.html ↩︎