If your organization cuts budget and resources and expects you to perform superhuman efforts to make ends meet, start planning an exit. Nobody deserves this treatment.
You may be told or say that you are the last line of defense between your organization and an attacker, but your health and mental health come first. Advocate for yourself and don't be afraid to say no
Your options are to curl up in a ball and hide - or rise and meet the challenge. You are going to have failures and troubled times. Don't burn out. If you're on the blue team, your job is important
Many people you see in the field have been through tough times. This is not our first downturn in tech - many of the downturns in tech happened before cybersecurity was even its own discipline
Informal CTI sharing does rhyme a lot with unauthorized information disclosure, so be mindful of what you choose to share
It costs zero dollars to spin up a [didn't catch the name of this] server, share it with 5 friends and then go. You can take your phishing indicators (ASM, types of pretext, malware samples) and push them there
These are informal relationships. There should be no expectation of an immediate response. You should reciprocate! You have access to data and even a "I'm not seeing anything" is useful. Informal CTI sharing groups are where I get my best threat intel
Build "phone a friend" relationships. Some of us may remember when Oracle Cloud may or may not have come under fire. Asking in informal sharing groups about what logs they were looking at helped to have a huge field of view despite only a few clients of my own
Are your analysts looking up URLs and attachments on VirusTotal? Those are API calls. Are your analysts looking for any other emails from the same sender as your suspected phish? That's an API call
Every automation I've designed follows the 80-20 rule. I get 80 percent of the work done with only 20 percent of the effort. Tackle small components of the overall task. Where do you spend the majority of the time on your tickets?
Fail fast in the process. If you try something and it doesn't work, take detailed notes on what you did and why it didn't work. Block out an estimate of time, bail out if you exceed double that estimate
I focus on small, easy-to-develop automations. I automate tiny pieces of the workflow that buy me back time; I don't try to build a fully automated system. Think of it as semi-automated
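The two "that's an API call" lookups above (URL reputation and "other mail from the same sender") as one small semi-automated triage helper. This is an added example, not the speaker's code; it assumes VirusTotal API v3's URL endpoint (GET /api/v3/urls/{id} with an x-apikey header) and stands in a constructed mailbox list for whatever mail API you have. No network call is made, so it runs offline.

```python
"""Small semi-automated phishing triage helpers (added example, not from the talk)."""
import base64

VT_BASE = "https://www.virustotal.com/api/v3"

def vt_url_id(url: str) -> str:
    """VirusTotal v3 identifies a URL by its unpadded base64url encoding."""
    return base64.urlsafe_b64encode(url.encode("utf-8")).decode("ascii").rstrip("=")

def vt_url_request(url: str, api_key: str) -> tuple[str, dict]:
    """Build (endpoint, headers) for an existing-URL report lookup; caller does the GET."""
    return f"{VT_BASE}/urls/{vt_url_id(url)}", {"x-apikey": api_key}

def verdict(report: dict, threshold: int = 3) -> tuple[str, int]:
    """Reduce last_analysis_stats to a triage verdict plus the flagged-engine count."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    bad = stats.get("malicious", 0) + stats.get("suspicious", 0)
    if bad >= threshold:
        return "malicious", bad
    return ("review", bad) if bad else ("clean", bad)

def same_sender(mailbox: list[dict], reported: dict) -> list[dict]:
    """Other messages from the reported sender (the second lookup in the talk)."""
    sender = reported["from"].lower()
    return [m for m in mailbox if m["from"].lower() == sender and m["id"] != reported["id"]]

# Constructed sample data: a reported phish, a few other messages, and a
# VirusTotal-shaped response (shape only; the numbers are made up).
MAILBOX = [
    {"id": 1, "from": "Billing@Example.invalid", "urls": ["http://example.com/"]},
    {"id": 2, "from": "billing@example.invalid", "urls": ["http://example.com/pay"]},
    {"id": 3, "from": "hr@corp.invalid", "urls": []},
    {"id": 4, "from": "billing@example.invalid", "urls": []},
]
SAMPLE_VT_RESPONSE = {"data": {"attributes": {"last_analysis_stats": {
    "malicious": 9, "suspicious": 1, "harmless": 60, "undetected": 20}}}}

def triage(reported: dict, mailbox: list[dict], vt_lookup) -> dict:
    """Run the two lookups an analyst does by hand; vt_lookup(url) -> report is injected
    so the real HTTP call (or a cached/offline stub) can be swapped in."""
    urls = {u: verdict(vt_lookup(u)) for u in reported["urls"]}
    related = same_sender(mailbox, reported)
    return {"urls": urls, "related_ids": [m["id"] for m in related],
            "escalate": any(v[0] == "malicious" for v in urls.values())}
```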
There's grunt work you don't want to do but that's valuable for gaining an understanding of how everything fits together in security, ex. validating firewall rules
Instead of FTEs, consider hiring interns. Pay them, obviously. You may not be able to convert them to FTEs due to your budget pressures, but you are doing interns a favor by giving them valuable experience
Say something along the lines of "I have this budget, I want to see if I can partner with you on this part of my security strategy." It really is a partnership, a two way street of feedback and continuous development
New products may be hungry for your logo power! You may be able to replace one of your existing vendors for a tiny fraction of the cost you're currently paying
Azure ARM templates already have security baked in, if you want. Pay-as-you-go services are great for budget consolidation/cuts. Using platform-native tools for security deployments may be able to move the cost into ops budgets
You can reuse certain tools in unconventional ways in order to get better coverage. Sysmon can do file integrity monitoring for specific files and you can track whether these changes are valid changes in your environment
How many people know that you can capture copies of deleted files using Sysmon? Like binary copies? This is an amazing capability for the low low price of free. Commercial EDR will give you a hash, but Sysmon will give you the file itself
Sysmon is the Clippy of Windows Event Logs. If your EDR budget is cut, try out Sysmon in order to get decent telemetry. Olaf Hartong has Sysmon configurations available on their GitHub
Wazuh gathers the data for you, but it does not do any blocking and it does not have the built in rules you'd get with a commercial EDR. You can deploy it immediately for the low low price of "free" in terms of licensing
If you get threat intel about an IP address and want to look back a few months to find it, it's trivial to do in Security Onion. It has a built-in ELK stack to ingest log sources from just about anywhere. Wazuh has an endpoint agent for mini-EDR (not comparable to commercial)
You start getting visibility and telemetry with Security Onion. It isn't going to block anything. I'm okay with that! I can have a multiple month running log of traffic with SO. You can skip config and just let it run and it will help you in an investigation
I'm a big fan of Security Onion. Your firewall logs are not sufficient for incident investigations, and it turns out SO is free! You don't need fancy hardware or appliances in order to feed SO, it works fine on legacy hardware
You are way better off picking the things you /can/ do well and affirming that you /cannot/ do certain things, ex. some kind of perfect "data loss prevention" program or technology
Don't write a charter that consumes all of your resourced hours. 80 to 85 percent allocation is good, you need that wiggle room to handle unexpected things
The point of a security program charter is to honestly evaluate what you can and cannot do with the resources you have. You are better off having adult conversations about what you /cannot/ do with your security program ahead of time, well ahead of any incidents
The whole point of this is to remove sunk cost bias from your assessment. Pet projects do not get a pass in this process; if you've been working on one for 9 months and it's inches from being done, you have to be willing to cut it if needed
Nobody ever wants to be in the position to make cuts to their program, but in order to do so you need to start with a zero-base review. Inventory and assign a cost to everything in your security program including human capital. Don't chase accuracy, ballpark figures are okay
A while back I used to get emails from the steel industry when I was an "influencer", it turns out that somebody's AI looking through social media posts had identified me as a top influencer in... wait for it... "log management". Well, these aren't the logs you're looking for...