In our fifth TechXperience, Manuel Montealegre, Head of Cybersecurity, was the keynote speaker. He explained the NIST Framework as the framework of action to follow in cybersecurity matters and went into detail on the most relevant aspects to take into account when implementing it.
Who is Manuel Montealegre?
I am Manuel Montealegre. I am 49 years old. I studied computer engineering while already working as a young man. In one of my jobs, during my stay in England, I had the opportunity to study for a master's degree in IT management at the beginning of the year 2000.
I have more than 25 years of experience in the IT field, linked to cybersecurity for the last eight or nine years. My profile has developed in companies related to ICT project management, with services and projects... and from there, more and more, oriented to pre-sales and business development in cybersecurity "pure player" companies.
NIST Framework: Identify, Protect, Detect, Respond, Recover
The NIST Framework is a North American standard based on the 800 series framework, in which the different phases of cybersecurity, with their services and equipment, are laid out to cover the entire cycle. Covering it in its entirety is complicated; normally only the first four phases are included.
1. Identify: advisory services. CID and CITAD
In the identification part, we must identify what our assets are and carry out a risk analysis to know the level of cybersecurity we have, as well as the strategies, plans and policies that we are going to follow.
But how do we carry out this identification? By means of the ISO 27001 and ISO 22301 standards, the National Security Scheme, the General Data Protection Regulation at European level and, derived from all this, through the figure of the Data Protection Officer.
In this area, education and awareness must be taken into account. The weakest link is usually the user, through whom most attacks take place. Therefore, if we want a mature information security system, users must have a clear awareness of their role: they must know that they play a fundamental part in cybersecurity.
2. Protect: Security infrastructure
Today, within the NIST Framework, the perimeter is becoming more permeable and more diffuse. The most important thing to understand is that we must have strong policies that maintain this security. How?
First, we need to consider what happens when a person is away from the office: use a VPN for remote access and protect the network robustly with firewalls and IPS/IDS. Then ensure security at the endpoint with anti-spam and anti-virus systems that protect against malware by matching a hash or a signature against the anti-virus database.
Other protection aspects include:
- Identity: the ability to connect from anywhere with clear credentials that authenticate that connection and grant permissions to access information.
- Application security: the next-generation firewall at layer 7, WAFs... which cover the application security part.
- Data security: the DLP concept, to provide precisely that protection, preventing the information leakage that ultimately produces breaches and that the data protection officers end up suffering from.
- Industrial infrastructure: not only on the IT side but also on the OT and IoT side; it is very important.
- Zero Trust: very important. We need a restrictive permissions policy, and permission authorisation must evolve to progressively update access to information.
- Cloud: here the main cloud service providers are Azure, Google and AWS, which offer all kinds of IaaS and SaaS tools and infrastructures that also complicate the perimeter, and it has to be protected. Assets are no longer only on-premise but also in the cloud, and that means more headaches for us CISOs.
- Secure deployment and configuration (hardening): we cannot leave everything open. We must have a correct and adequate configuration that implements the company's security policies.
3. Detection and response
Protecting is important within the NIST Framework, but knowing how to detect a threat is even more important. There are a number of services such as SOC (Security Operations Centre) services, either in an "as a service" model or as the customer's own SOC, which, through a SIEM tool (a log correlator), give us information from all the sources we are collecting, so that we can see what the possible source of a threat is and how that threat is being produced.
What supports the threat intelligence part (threat intelligence for detection)? It involves inserting IOCs or IOAs, indicators of compromise and of attack, which we obtain from sources (intelligence feeds) in order to load a series of rules, IP addresses, malicious domains, etc. into our SIEM; when one of these rules is triggered, we are able to detect what is happening.
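As an added illustration of the two detection mechanisms mentioned above (hash lookups against an anti-virus database, and IOC rules loaded into a SIEM from an intelligence feed), not code from the talk or from any product: a miniature correlation step that turns a constructed feed of IP, domain and file-hash indicators into rules and runs them over constructed log lines. The feed values, log format and field names are all assumptions made for the example.

```python
# Added example (not from the talk): a miniature SIEM correlation step that turns
# IOCs from an intelligence feed into rules and runs them over log lines.
import re
# Constructed threat-intelligence feed: sample values, not real indicators.
IOC_FEED = {
    "ip": {"203.0.113.45", "198.51.100.7"},          # TEST-NET addresses
    "domain": {"c2.bad.example", "malicious.example"},
    "sha256": {"a" * 64},                               # placeholder hash
}

# Constructed log lines: firewall, web proxy and endpoint agent, key=value style.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z fw src=10.0.0.5 dst=203.0.113.45 action=allow",
    "2024-05-01T10:00:02Z proxy user=alice host=updates.vendor.example status=200",
    "2024-05-01T10:00:03Z proxy user=bob host=login.c2.bad.example status=200",
    "2024-05-01T10:00:04Z edr host=ws01 file=invoice.exe sha256=" + "a" * 64,
    "2024-05-01T10:00:05Z fw src=10.0.0.9 dst=192.0.2.10 action=allow",
]

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_fields(line):
    """Extract key=value pairs from one log line."""
    return dict(KV_RE.findall(line))

def domain_matches(host, bad_domain):
    """True for the indicator domain itself or any subdomain of it."""
    host = host.lower()
    return host == bad_domain or host.endswith("." + bad_domain)

def match_line(line, feed):
    """Run every IOC rule against one line; return (ioc_type, indicator, line) hits."""
    f = parse_fields(line)
    hits = []
    for key in ("src", "dst"):                       # IP indicators, either direction
        if f.get(key) in feed["ip"]:
            hits.append(("ip", f[key], line))
    host = f.get("host", "")
    for bad in feed["domain"]:                        # domain indicators, incl. subdomains
        if host and domain_matches(host, bad):
            hits.append(("domain", bad, line))
    digest = f.get("sha256", "").lower()
    if digest and digest in feed["sha256"]:           # file-hash indicators (AV-style lookup)
        hits.append(("sha256", digest, line))
    return hits

def scan_logs(lines, feed=IOC_FEED):
    """Correlate all lines against the feed; each hit is an alert for the SOC to triage."""
    return [hit for line in lines for hit in match_line(line, feed)]
```

Running `scan_logs(SAMPLE_LOGS)` yields three alerts (one IP, one subdomain of a listed domain, one file hash); the two benign lines produce none, which is the point of keeping indicator matching exact rather than fuzzy.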
- Vulnerability management (scanning): a vulnerability scan is performed and the client is informed, in an audit, of the status and prioritisation level, in order to mitigate and respond.
- DFIR: the response to critical incidents, when the threat is confirmed, there is an attack and information is lost.
- Threat Hunting: the part that helps the SOC team keep its use cases in continuous evolution, addressing the weaknesses we may have in our detection rules and improving them based on hypotheses we raise about new attacks.
- Deception: a service to trap attackers in order to protect our data, diverting them to other information that may even be contaminated.
- EDRaaS: an advanced service that evolves the traditional antivirus. There is a dedicated, intelligence-based response team with the capacity for containment until a response is achieved.
- Compliance: informing the institutions concerned when there is a security breach.
4. Test, adapt and prevent
This is where hackers come into play: the blue team, the red team and the purple team. This section helps companies protect their most critical information by preventing possible attacks through the reports produced by pentesting. On the other hand, vulnerability management is used to find weaknesses, exploit them and see their consequences, to know what our resilience is, and ends with a mitigation report.