Risk management is the process of identifying, assessing and controlling threats to an organization. It is also a way to increase the security maturity of an organization. Risk management allows you to think about security more strategically and answer the questions that come from your company board, such as:
- How many times was the organization attacked?
- Is there a threat to our company?
- How well-protected are corporate secrets and data?
Security Tools for Your Risk Management Toolbox
The information to support the answers to these questions comes from data extracted from different security tools and sources. Justifying the necessary resources to deploy these tools within your organization includes the financial cost and requires appointing sufficient staff, foreseeing maintenance costs and setting the correct priorities. Most importantly, it requires you to choose the right security tools for the job.
Risk management doesn’t always need to be complex or expensive. The security tools described below, which are open source-based or otherwise freely available, can help you navigate the various steps of a risk management process.
Preparation is an important key to dealing with security risks. This not only includes awareness and training for your staff, but also gaining an understanding of your environment and knowing what’s out there in your infrastructure. You can leverage free resources from agencies such as the European Union Agency for Network and Information Security (ENISA) and Europol, as well as materials from the national cybersecurity awareness initiatives in the U.S. and Europe.
Choosing the proper security training for your staff can be challenging and expensive, but you can get ahead just by attending community-driven training sessions and conferences.
Identify Your Assets
You cannot protect an asset if you don’t know it’s out there. A configuration management database (CMDB) can be used to keep track of your assets. Some open source solutions include:
Because a CMDB project can quickly grow into an unmanageable monster, it’s important to limit the scope when starting with a CMDB. Once you have a profound understanding of how it can affect your security posture, extend and enrich its data.
Many organizations still have different understandings of what a CMDB really is, which poses a risk to the success of implementation. Before you start a CMDB project, make sure everyone in your organization has a common understanding of what it is going to do and what use cases it will serve.
Taking a step back and looking at standard tooling can help you answer some of these questions. In most cases, a lot of the assets are network-connected, allowing you to use network discovery tools to figure out what’s out there. Tools such as Zabbix and Nagios allow you to discover the hosts connected to your network. A more lightweight option is to use the host discovery features of Nmap or arp-scan. Nmap uses a combination of Internet Control Message Protocol (ICMP) and Transmission Control Protocol (TCP) requests to scan for hosts, but it can only see hosts that are not filtered by a firewall.
Establishing a list of network hosts is a start. Security professionals should take the following steps to figure out what is running on these hosts:
- Use one central tool, such as OCS Inventory NG, an asset management and deployment solution.
- Use built-in tooling such as systeminfo or standard packages such as the Windows Management Instrumentation Command-line (WMIC), psinfo and the other information gathering tools from Sysinternals.
- Use PowerShell and compile your own scripts.
- Use the reconnaissance capabilities available in penetration testing frameworks built on PowerShell. The first thing intruders do after establishing a foothold in your infrastructure is map your assets. Why not use their tooling to your advantage? Note that these frameworks might require you to get approval from your management. The Powersploit framework with the PowerView module is a good starting point.
Regardless of which solution you prefer, automation is the key to success. It’s crucial to use automation to keep your asset directory updated.
Monitor Your Environment
The tools used to identify your assets can also be used to monitor their resources — in fact, that’s what both Zabbix and Nagios are designed to do. For security professionals, however, monitoring means more than simply keeping an eye on available system resources. You need the logs to correlate information from individual events and sources. Correlation most often means that you have to bring the logs together into one system.
- For Windows systems, you can use Windows Event Forwarding to forward logs to one central logger.
- Assets capable of forwarding syslog messages can send their logs to one central logger such as Rsyslog. Rsyslog, in turn, can deliver the logs to the ELK stack. You can then use Elasticsearch to analyze your log data and correlate the events.
We already used Nmap for identifying and inventorying our assets, but we can also use it to track vulnerabilities. Nmap comes with a scripting language and a ton of default scripts that allow you to check for vulnerabilities on network-exposed services. It also has different output options, including XML, that can make your life easier when it concerns automation. For example, you can use Nmap to list all the vulnerabilities on the local host with the command “nmap -Pn –script vuln localhost.”
A more integrated approach to vulnerability tracking is OpenVAS, a framework of services and tools that offer a comprehensive and powerful vulnerability scanning and management solution. The power of OpenVAS comes from the information in the vulnerability feed or network vulnerability tests (NVTs).
Stay Abreast of Threat Information
Next to being aware of the various vulnerabilities in your environment, you should also stay informed about the external threats that your organization faces. Although threat actors are most often out of your control, you should remain aware of what is going on in the threat landscape. Get involved in threat sharing groups and exchange information with your peers using a threat intelligence platform.
One of the best such solutions is the open source MISP threat intelligence platform. MISP is a community-driven project used by over 2,500 organizations with a focus on automation. It has been extended by the community and now includes support for:
- VMRay; and
- IBM X-Force.
Eventually, bad things will happen and you will have to deal with a security incident. This involves, among other things, collecting incident information and keeping track of what is going on.
TheHive Project is a scalable, open source security incident response platform designed to make life easier for security operations centers (SOCs) and security practitioners dealing with data breaches. TheHive allows you to analyze an observable derived from an investigation with external services such as:
- Google Safe Browsing;
- MaxMind; and
- Open Threat Exchange.
One big advantage of TheHive is that it also integrates with MISP. This means you can immediately verify information received from your threat intelligence feeds with indicators derived from a security incident investigation. Additionally, you can enrich the threat data by confirming a sighting of an indicator present in the platform and ruling out possible false positives or irrelevant data.
Where TheHive allows you do the analysis, Fast Incident Response (FIR) is an incident management platform that allows for easy creation, tracking and reporting of cybersecurity incidents. If you work on multiple security incidents at a time or have different people working on one incident, then an incident management platform such as FIR is a must.
Keeping track of your security objectives concerning governance and risk management can also be accomplished with a number of open or community-based tools. Eramba is one such application that helps professionals analyze, manage and report security governance. Similarly, SimpleRisk makes risk management accessible to all security practitioners.