CISA Shields-Up: Quick Teardown

Contents

Overview
Quick Teardown
Guidance for All Organizations
Recommendations for Corporate Leaders and CISO's
Summary and What's Next

Overview

The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Agency (CISA) issued a "SHIELDS UP" advisory. In this blog, we will do a quick tear down outlining how to implement controls for important asset categories including productivity endpoints (Windows and MacOS laptops) and cloud infrastructure (Linux, Containers and Cloud Service Providers).

Quick Teardown

The intent of this quick teardown is to scope and assess how to map the Shields-up guidance to key controls and how to measure the effectiveness of these controls and summarize it for the corporate leaders and CISO’s.

We propose a segmented approach for proactive, reactive and protective controls to align with the guidance for all orgs and a summarization for corporate leaders and CISO’s.

Guidance for All Orgs:

Reduce the likelihood of a damaging cyber intrusion

We propose proactive audit controls such as CIS-based audting, telemetry-based visibility with tools such as osquery along side asset inventory and vulnerability detection.

Take steps to quickly detect a potential intrusion

Advanced reactive runtime detection tools play a key part of reactive security controls. This is where one has to consider looking beyond vendor provided security controls.

The nature of these threats is beyond the traditional research-driven prescriptive solutions offered by security vendors. It is likely that new toolkits and malicious software is being developed and released, which is not known to the vendor community yet for analysis and detection.

Advanced Yara-based scanning plus MITRE-based behavioral models can lay a sound foundation towards detecting new and hitherto unknown malicious behavior.

Ensure that the organization is prepared to respond if an intrusion occurs

Protective and contextual detection controls play an important role for investigating intrusions. Having a rich telemetry-based contextual security data lake is useful for threat investigation, forensics, compliance and audit. Access to historical visibility in a structured data lake plays a significant role towards supporting this guidance.

A telemetry rich, data lake-based model helps to have the right context and training for investigation and hunting and remediation.

Maximize the organization’s resilience to a destructive cyber incident

Invest in a security data lake for history, invest in purple teaming for collaborative testing to detect flaws upon restoration from backup.

Recommendations for Corporate Leaders and CISO’s:

• Invest in an analytics-powered CISO dashboard to gauge effectiveness of proactive, reactive and protective security measurements to assess your posture. 
• Lower reporting thresholds so that your executive team is more aware of potential incidents and has adequate response time
• Test your response plans and ensure senior management is prepared to execute

Summary and What’s Next

• Proactive controls help towards improving cyber hygiene and improve posture.
• Reactive control based on YARA is an important consideration for detecting new threats
• Protective controls geared towards remediation and response help improve the resiliency posture
• CISO Dashboards provide common place to interpret and visualize the current posture

In subsequent posts, we will provide a deeper dive on how-to implement controls to align with key parts of the advisory.