Starting a security program can be challenging for some organizations, especially running a mature program across a large business. Resourcing, lack of organization, and not having a clear remediation strategy are key aspects to the failure of some programs, which can all result in severe breaches of businesses. I’ll walk through seven steps that will help ensure your program is a success and also give a quick overview of how Outpost24’s Managed Services can support your efforts.

1. Plan for success

There are many key areas to focus on when starting your security program journey, here are some of the things you should start with when planning your program:

Set your business goals

Ensure your business have set reachable goals for the security program, these should help drive decisions in the later parts of your program.

Governance and strategy

Leadership and accountability

Ensure you have leadership and accountability defined within your security program framework, obtaining executive sponsorship of this initiative will help drive success from the top down.

Ensure policies and standards are in place

You must define policies to follow as part of your security program, as this will ensure actions are judged against them. Try to align to industry standards such as CIS, ISO 27001 or NIST 2 (additional standards will be dictated at times on the industry you reside within).

Some key areas for governance come into play when defining remediation SLAs and your approach to accepting of reported vulnerabilities, whilst ensuring there is a suitable approval chain.

Define an attainable patching strategy

Ensure you patch your systems regularly, at least once a month, use automated solutions for patching to centralise the process and simplify system management. Ensure all software goes through acceptance criteria before being deployed to the business, making sure that patching processes are in place to ensure they remain patched.

It’s best to avoid allowing employees free reign to install software unless you have measures in place to monitor that they are keeping it up to date.

Good data in

Plan for how you want your data to come out of your program to report to your colleagues and management on the status and next remedial steps for

Asset inventory

Make sure you have clear scoping, start from your perimeter and work your way into the organization. Use your CMDB if you have one or look for the unknown through leveraging Attack Surface Management tools, such as Outpost24’s External Attack Surface Management (EASM) solution.

Contextual information and classifying assets

Adding business context to your data is the key to making it useful. This will reduce the time needed to understand your assets in more than one vertical to ensure the right stakeholders are involved in your day-to-day operations and remedial activities. It’s key to understand the severity of an asset to your business as this will enable the correct assessment of risk when reviewing reporting vulnerabilities and defending potential attack vectors.

2. Make the most of your data

Planning for good data out by ensuring good data goes into your program will allow for more accurate and meaningful reporting, which in turn should aid remediation efforts within the business.

Define meaningful KPIs and SLAs

Make sure your reporting tracks your business goals, and ensure your SLAs are attainable by your business, track KPIs such as mean time to remediate (MTTR), and compare your business units fairly by establishing an average risk score such as risk ratio (total vulnerabilities per asset). Your reporting should provide meaningful, actionable and clear information to provide a holistic view of your security program at a glance.

Prioritise your work clearly

Leveraging CVSS is still a common element of vulnerability management used widely across businesses today. However, a likelihood of exploitation approach has been more popular of late, ensuring the business is protecting their most valuable resource: time.

There are many scoring mechanisms out there today, whether that be CVSS, MITRE ATT&CK framework, Outpost24’ Farsight solution, or CISA KEV to name a few. All have their strengths in scoring the exploitation likelihood, impact and priority of an issue.

Enhance your data and decisions with Threat Intelligence

It’s not only useful understand the severity of a vulnerability, but also good to know how popular it is across the industry, how likely is it to be exploited and what industries and threat actors are exploiting it. This is where the Outpost24 Threat Intelligence platform comes in, allowing customers to view their CVEs across various verticals and looking deeper into who is interested in these CVEs.

3. Integrations are your friends

Removing the disconnect from your security program and operational teams is key to a successful program. You should try to consolidate your tools where possible to also provide a holistic view of your program.

Integrate with business processes

We all know that everyone dreads another tool to support their day-to-day activities, such as integrating with ITSM solutions (Jira, ServiceNow), or into your log aggregation tools (Splunk). Alternatively, you can get a little creative and use webhooks to integrate with just about anything that supports them. The world is your oyster!

Streamline scoping information

Scoping is crucial to ensuring you have the right visibility of your estate and reduces the risk of providing the business a false sense of security. The main issue for most businesses is keeping it up to date!

In my time at Outpost24 I have heard many times from customers ‘tell me what I don’t know.’ After the launch of our EASM platform, I was able to open customers’ eyes to what they didn’t know was out there with their names on it. The best part was, it was so simple to configure! And now with our recent CSC integration, the ability to pull information from a domain registrar to the EASM solution has made the seamlessness and management of the solution effortless for customers.

4. Don’t neglect security awareness training

You can put as many locks on your front door to protect your house, but it takes just one person to leave the door open to let someone in. This is why it’s crucial to ensure security awareness training is performed across the business to bring visibility of how simple day to day activities and objects can be a huge risk to the business. Focusing on the end user will help harden your security controls even more!

5. Put your program to the test

There’s nothing wrong with a little test once in a while, this is why simulated phishing attacks and physical penetration tests are still used in the industry today. By performing some of these tests within the business, it ensures that the business has the assurance and validation that their controls are working, whilst also making sure executives are aware of what is needed to stay safe.

Be ready for Audits

Make sure you keep track of your scanning activities, some audits will require evidence of this, or even the reports generated from your program. Some standards such as PCI DSS require evidence that you are performing internal scanning along with your PCI attestation assessments.

6. Make time to reflect

Reflecting on your security program regularly is a good thing, as it’s never going to be perfect first time. Periods of reflection and review ensure your program remains relevant for today’s industry but also the needs of the business. This is where collaboration is key across departments to ensure business goals and strategy set aligned with the program you’re running.

How can Outpost24’s Managed Services help?

If you need to reduce the burden of running your security program and would benefit from Outpost24’s expert advice, then our Managed Services are just for you. With their years of experience and knowledge across the Outpost24 tools, you can rest assured that you will be in safe hands!

At Outpost24 we offer various service types across our RBVM, ASM, AppSec, CloudSec, Compliance (PCI, CIS, etc) and DRP products, whilst providing customers with meaningful reporting that fits their needs we support our customers in the following ways:

Maintenance services

Don’t want to maintain another solution? We have you covered. From scope management to solution onboarding – the maintenance services allow customers to offload the running of the security program tools onto our Managed Services Team. Allowing them more time to focus on the more important remediation work.

Triaging services

For our EASM service, customers can receive support in triaging the output of their domain discoveries and ensuring they are alerted to anything that looks out of place. For our advanced service customers, they will even receive recommendations on what level of testing they should receive to ensure their assets are monitored and can be kept to a secure standard.

Reporting services

From receiving reports from the Outpost24 SaaS solution, to having in-depth reports created for your needs, the services team offer an array of reporting levels to fit your security program.

Expert analysis reports

Customer can receive reports that provide a deeper view, delving into key KPIs whilst also providing observations and recommendations via an executive summary from our experts. For those that only require a deeper dive and less of the executive summary, our detailed report will provide exactly what you’re looking for.

Dashboarding

Visualise your data in a PowerBi dashboard tailored for you published into your PowerBi workspace. This enables you to drill into your data in ways you may not within the SaaS solution, providing better flexibility with data and visuals built for you.

Forum sessions

Time with the experts is always precious, so customers can have focussed sessions on their remediation actions and ensuring those responsible are held accountable for fixing issues. This is also a great time to ask questions on detection and even some tips for remediation.

Alerting services

A new CVE is in the wild and Outpost24 have detection for it, your CISO is asking for updates, and you already have the alert in your inbox stating your scope has been checked and you are in the clear. Nirvana, right? With Alerting Services, the Managed Services Team will ensure they are alerting customers when they see data points that they should be made aware of, this includes areas outside of CVEs as well, including elements such as scanning infrastructure downtime and issues with scans.

Build a service that meets your needs

With our service components, we don’t limit customers to a monthly cycle, they can build a service that meets their needs and budget, ensuring flexibility during engagements and allowing for customers to get what they want, and not what their provider thinks they need. If you’re unsure, we’ll listen to your goals and objectives to provide recommendations for a project-led program with recurring touch points to ensure continuous improvements are happening.

Professional services

Want a kick start to your security program journey? With Outpost24’s Professional Services you have the ability to have the experts support your deployment and onboarding with our Expert Deployment offering. Or if you want some advice on your current setup, or even want some remote/On-Site training, Expert Consultancy Days are offered to ensure you get all you need to stay on track

Outpost24 also offer the ability to run a Cyber Security Assessment across some of its product offerings which enables you to get our expert’s eyes on your data and receive the observations and recommendations over a 4-week period.

Interested to see how Outpost24 Managed Services could help your specific organization? Get in touch for a free quote.