Tactical Input
Today, security operations do not suffer from a "Big Data" problem but rather from a "Big Data Analysis" problem. Let's face it: there are multiple ways to store and process large amounts of data without any real emphasis on gaining insight from the information collected. Added to that is the daunting idea of a seemingly infinite list of systems from which one could collect logs. It is easy to get lost in the perils of data saturation.
There is no clear definition of tactical security input, but it could be related to tactical threat intelligence or to the tactical edge. Tactical threat intelligence is information about the indicators of compromise and the tactics, techniques, and procedures used by threat actors. The tactical edge is the platforms, sites, and personnel operating at lethal risk in a battlespace or crisis environment. Tactical security input could be the information or feedback provided by these sources to improve the security posture and decision making of an organization or a mission.
The tactical input should be as specific as possible: it should classify the likelihood of an attack on the specific resource and identify the factors contributing to that attack. This requires analysis of the specific resources and of their threats and risks. With tactical input at hand, you can base your prioritization on which part of the solution should be mitigated, resolved, or removed first.
The million-dollar question is: how much data do I need to make a decision?
Do I need to be 100% sure that I have coverage for my opinion and my standpoint? Actually not!
In the book "How to Measure Anything: Finding the Value of Intangibles in Business" (it also has a companion book focusing on cybersecurity, but I recommend that you read the first book with cybersecurity glasses on), it comes down to measuring enough to make a decision. Let me give an example: you have a domain controller that publishes LDAP directly to the internet. What is the probability that someone will find the Administrator password and attack you?
With today's tools, you will be attacked immediately. We don't need 100% coverage for our opinion to make a decision.
Tactical security input refers to the information and data used to support the development and implementation of tactical security plans and decisions. This can include information such as security risk assessments, security incident reports, security audit results, and threat intelligence. Tactical security input is typically used by decision-makers to evaluate the potential risks and vulnerabilities associated with the organization's systems and assets, and to develop and implement plans to mitigate these risks and protect against security threats. The goal of tactical security input is to provide relevant and timely information that supports effective decision-making and the successful execution of tactical security plans.
One example of an approach to this threat-driven analysis comes from Lockheed Martin:
From Microsoft, there are several solutions that provide tactical input for decision making:
One of the overarching solutions is Microsoft Defender Vulnerability Management:
Each device in the organization is scored based on three important factors, to help customers focus on the right things at the right time:
Threat: characteristics of the vulnerabilities and exploits on your organization's devices, and breach history. Based on these factors, the security recommendations show the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytics reports.
Breach likelihood: Your organization's security posture and resilience against threats.
Business value: Your organization's assets, critical processes, and intellectual properties.
The recommendations are part of what builds up Microsoft Secure Score (Microsoft Secure Score is the tactical approach for providing guidance on what is best to remediate from a tactical perspective): Microsoft Secure Score | Microsoft Docs
There is additional information, based on additional reporting features, that is available as a tactical tool, such as Microsoft Defender for Cloud (reaching out to several cloud solutions: pre-cloud, Azure, AWS and GCP).
As the security posture consists of several different perspectives, there are additional ways to get tactical input. An example is Microsoft Defender for Identity's security posture assessment:
And the Lateral Movement Path functionality in MDI
From a pure cloud perspective, the tool to use for detecting excessive permissions is Entra Permissions Management; it can be used to dig out which accounts have too high permissions.
For cloud-based solutions, the App governance page can be used to understand which apps have too high privileges (for OAuth-enabled apps in the tenant that use the Microsoft Graph API, together with relevant app metadata and usage data).
In addition to these out-of-the-box features, there are several projects that can be used to provide tactical input; one is the Microsoft Sentinel Visual Auditing Security Workbook. The Visual Auditing Security Workbook is a solution for providing tactical information on how Active Directory is being used. One example is the user authentication tab, showing which user is authenticating where and over which protocol.
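The authentication tab described above is, at its core, an aggregation of logon events by account, destination host and authentication package. The following Python is an added example, not part of the workbook or of this article, that computes the same three views over a handful of constructed records shaped like the fields of Windows Security event 4624 (Account, Computer, LogonType, AuthenticationPackageName, IpAddress); the host and account names are made up.

```python
"""Who authenticates where, and over which protocol (added example, constructed data)."""
from collections import Counter, defaultdict

# Constructed logon records mirroring the fields of Windows Security event 4624.
# None of these hosts, accounts or addresses are real; they exist only for the example.
EVENTS = [
    {"Account": "CORP\\alice", "Computer": "FS01", "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.1.20"},
    {"Account": "CORP\\alice", "Computer": "FS01", "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.1.20"},
    # Same user reaching the same share by IP address rather than hostname falls back to NTLM.
    {"Account": "CORP\\alice", "Computer": "FS01", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.1.20"},
    {"Account": "CORP\\bob", "Computer": "WS07", "LogonType": 2, "AuthenticationPackageName": "Kerberos", "IpAddress": "-"},
    {"Account": "CORP\\admin", "Computer": "DC01", "LogonType": 10, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.9.5"},
    # A service account touching many hosts over NTLM is the kind of pattern the tab makes visible.
    {"Account": "CORP\\svc_backup", "Computer": "FS01", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.2.2"},
    {"Account": "CORP\\svc_backup", "Computer": "FS02", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.2.2"},
    {"Account": "CORP\\svc_backup", "Computer": "DC01", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.2.2"},
    {"Account": "CORP\\svc_backup", "Computer": "WS07", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.2.2"},
]

# Standard 4624 logon type codes, for readable output.
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}


def authentication_matrix(events):
    """Count logons per (account, destination host, authentication package)."""
    matrix = Counter()
    for e in events:
        matrix[(e["Account"], e["Computer"], e["AuthenticationPackageName"])] += 1
    return matrix


def ntlm_share_by_account(events):
    """Fraction of each account's logons that used NTLM (rounded to two decimals)."""
    total, ntlm = Counter(), Counter()
    for e in events:
        total[e["Account"]] += 1
        if e["AuthenticationPackageName"] == "NTLM":
            ntlm[e["Account"]] += 1
    return {acct: round(ntlm[acct] / total[acct], 2) for acct in total}


def destinations_by_account(events):
    """Number of distinct hosts each account authenticated to; breadth is a posture signal."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e["Account"]].add(e["Computer"])
    return {acct: len(h) for acct, h in hosts.items()}


if __name__ == "__main__":
    for (acct, host, pkg), n in sorted(authentication_matrix(EVENTS).items()):
        print(f"{acct:20} -> {host:6} via {pkg:9} x{n}")
    print("NTLM share:", ntlm_share_by_account(EVENTS))
    print("Distinct destinations:", destinations_by_account(EVENTS))
```

Running the script prints the same matrix the workbook tab draws, plus two roll-ups a reviewer usually wants next: which accounts still lean on NTLM, and which accounts reach unusually many hosts.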
AD ACL Scanner, by Robin Granberg, is a great tool for handling over-delegation in Active Directory, producing information on who has permissions on which object in Active Directory.
Enterprise Auditing Reporting Service (EARS) is a tool by Kip Gumenberg that can be delivered to Microsoft customers with a Unified Contract. The tool collects the ACLs of objects in the enterprise. These are put together in Power BI reports to quantify the reach of different accounts and hence show the information security risks connected with each account.
For more information regarding the Enterprise Auditing Reporting Service, see the datasheet for the service: https://datasheet.azureedge.net/offerings-datasheets/7952/EN.pdf
CCO dashboards
The Continuous Cloud Optimization Insights (CCO Insights) project is a set of Power BI Desktop reports that enables monitoring, operations and infrastructure teams to quickly gain insights into their existing Azure platform footprint and resources, and into code contribution characteristics on Azure DevOps and GitHub.
The infrastructure dashboard provides a good overview of which resources are used and in which way.
An overview of which apps are being used in the enterprise can be built from the perspectives of Defender for Endpoint and the firewall logs:
In addition to the actual usage of apps around the enterprise, it is possible to get tactical features from Secure Score for SaaS applications.
One of the critical tasks when working with tactical security is to balance risks against the resources you have available for vulnerable devices. To help quantify the risk and the number of affected devices, we have the Vulnerable devices report.
Part of tactical security is to ensure that there are ways to improve security. One way to do this is to implement new code that contains fewer vulnerabilities, so that the inherent risk is lowered. This works until the solution reaches end of support. From a tactical perspective, end-of-support management is something that needs to exist in long-term planning. We have the Microsoft Defender Vulnerability Management end-of-support reporting capabilities that can help with these challenges and quantify the issue.
As mentioned above, there are plenty of tools that can provide tactical input to quantify the level of issues and also provide guidance on priority.
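To make the prioritization idea concrete, here is an added Python example (not Microsoft's scoring algorithm and not code from this article) that combines the three factors named earlier for Defender Vulnerability Management (threat, breach likelihood, business value) with an end-of-support flag, ranks a constructed device inventory, and then fits the ranked list to a fixed remediation capacity so the deferred risk is quantified rather than forgotten. The multiplicative formula, the end-of-support multiplier and all device names are assumptions made for the example.

```python
"""Remediation prioritisation over threat, breach likelihood, business value and end of support.

Added example with an assumed scoring formula; it is not Microsoft Defender
Vulnerability Management's actual scoring. Device records are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    threat: float             # 0..1: how actively the device's weaknesses are exploited in the wild
    breach_likelihood: float  # 0..1: posture, how likely an attempt against this device succeeds
    business_value: float     # 0..1: what the asset is worth to the business
    end_of_support: bool      # software no longer receives security fixes


# Constructed inventory for the example; none of these are real hosts.
DEVICES = [
    Device("fileserver-01", threat=0.9, breach_likelihood=0.7, business_value=0.8, end_of_support=False),
    Device("kiosk-lobby", threat=0.9, breach_likelihood=0.9, business_value=0.2, end_of_support=True),
    Device("hr-db", threat=0.3, breach_likelihood=0.4, business_value=1.0, end_of_support=False),
    Device("dev-vm-17", threat=0.6, breach_likelihood=0.8, business_value=0.2, end_of_support=False),
    Device("legacy-app", threat=0.5, breach_likelihood=0.6, business_value=0.7, end_of_support=True),
]

# Assumption: an end-of-support device cannot simply be patched, so its score is boosted
# to pull the replacement or isolation project forward in the plan.
EOS_MULTIPLIER = 1.5


def priority_score(d: Device) -> float:
    """Expected-loss style score: exposure (threat x likelihood) scaled by business impact."""
    score = d.threat * d.breach_likelihood * d.business_value
    if d.end_of_support:
        score *= EOS_MULTIPLIER
    return round(score, 3)


def rank_devices(devices):
    """Highest priority first."""
    return sorted(devices, key=priority_score, reverse=True)


def remediation_plan(devices, capacity):
    """Split the ranked list into this cycle's work and the quantified residual risk.

    Returns (this_cycle, deferred, residual_risk) where residual_risk is the sum of
    the scores that remain unaddressed after `capacity` devices are handled.
    """
    ranked = rank_devices(devices)
    this_cycle, deferred = ranked[:capacity], ranked[capacity:]
    residual_risk = round(sum(priority_score(d) for d in deferred), 3)
    return this_cycle, deferred, residual_risk


if __name__ == "__main__":
    for d in rank_devices(DEVICES):
        eos = " (end of support)" if d.end_of_support else ""
        print(f"{priority_score(d):.3f}  {d.name}{eos}")
    now, later, residual = remediation_plan(DEVICES, capacity=2)
    print("This cycle:", [d.name for d in now])
    print("Deferred:", [d.name for d in later], "residual risk:", residual)
```

Note how the kiosk, which has the highest threat and breach likelihood, still ranks below the file server and the legacy application once business value is factored in; that is exactly the trade-off the report above is meant to make visible, and the residual figure gives a number to bring to the resourcing discussion.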