Wednesday, January 24, 2018
Cybersecurity threats come at a rapid pace these days—or so it seems. That leaves security professionals with very little room for error and the need to eliminate uncertainty in the process.
Here’s where protocol becomes your best friend: a clear progression of steps to take in the face of an immediate threat. Better yet, Fuel volunteer Paul Carter asks, can that protocol be standardized across organizations? He believes so and, in response, developed the DDIVE Model, which stands for Detect, Design, Implement, Validate, Establish. A security-focused response to incidents that will ensure viable options are considered, implemented and documented, DDIVE is designed to be adaptable and repeatable.
Let’s take a closer look at the five stages:
Detect: Focused on identifying a security gap or vulnerability, this is the stage where organizations should continuously search for vulnerabilities or ways to improve their security posture.
Design: Once the vulnerability has been identified, the next step is to develop a solution to implement in response. The research that goes into this stage can take a great deal of time, so it’s important to double check this design before taking action. In other words, “measure twice, cut once.”
Implement: Now it’s time to put the solution in place. If you have a testing environment, this should first occur there.
Validate: This important stage verifies that the solution was effective. You should test that the vulnerability is now fixed.
Establish: Record your work. If no one documents the process, you are left at a disadvantage. Carter says this stage serves as a “reference just in case this particular issue comes up again as well as a tool that will help future personnel come up to speed about where the organization is in terms of security posture.”
While the DDIVE framework may seem intuitive, having this type of framework in place helps ensure that everyone is on the same page and thinking through things step-by-step. All too often we hear stories about organizations that waited for an incident to expose a network weakness or that failed to document a change or solution only to spend valuable time and money recreating a fix. The DDIVE model is designed to create an information base that ensures security operations are handled in an orderly fashion and documented for future use and training.
What’s the outcome once the model is in place? According to Carter, it will help organizations “maintain a security focus as well as continue to develop their knowledge and bolster their security database.”
And the first step, he suggests, is to develop a model to test within your own organization. Using the framework suggested by Carter can be a good starting point.
Further Reading
Check out these Fuel blogs for further reading:
- 3 Strategies for Faster Threat Detection and Response
- The Importance of Network Visibility in a Growing Threat Landscape
- Dive Back In to the Best Practices Booklet with These Popular Tips