The Vigilance function in cybersecurity teams

We usually talk a lot about protect, detect and respond, and much less about vigilance. Vigilance is an important function that can provide a lot of value to any company. It is essential for risk evaluation, and it can feed the rest of the cybersecurity team's processes.

The mission of the Vigilance function is to capture information about events that happen outside the company and that are relevant to its security. These events may or may not affect the company directly, but what they have in common is that they can help the company improve its security processes in the short or long term.

As I said at the beginning, the Vigilance process helps risk assessment to evaluate risks more accurately. For example, by knowing how the systems the company uses are actually being attacked, the probability of an attack can be better estimated and priorities adjusted. There are hundreds of vulnerabilities, but only some are actively exploited, because a public exploit exists or is trivial to develop. If the Vigilance process identifies that a vulnerability is being actively exploited, that fact is an input for the vulnerability patching process, which can then prioritize a vulnerability that was not a priority before.

The Vigilance process also generates information that can be an input for the secure development team. For example, it is important to know that cloud services offering free or trial plans are frequently abused to mine cryptocurrency. If the architecture team knows this because the Vigilance process has informed them, they can use it to push engineering teams to design and implement better defenses against this threat. The same information can be an input for the detect team to design specific alarms for this kind of activity.

The Vigilance process should focus on high-value information; otherwise it easily degenerates into a process that just delivers news that no one reads. The information gathered and distributed to other parts of the organization has to be actionable and have a clear objective.

Making the information provided by the Vigilance process useful is iterative: Vigilance forwards information, and the recipients provide feedback about how useful it was. With that feedback loop the Vigilance process learns which information is useful, and the rest of the organization receives better data.

The Vigilance process cannot be completely automated. There are solutions that can gather some information for you, but other kinds of information are difficult to automate. For example, it is useful to know when another company similar to ours has been hacked, and how. This information can be used to raise awareness within the company, to learn how and why our industry is a target, and to identify indicators of compromise that we can use internally to check for potential intrusions or attacks against us.

A good asset inventory or CMDB is a great tool for the Vigilance team. With it, it is much easier to filter out the information that cannot apply to us and keep what can. However, in case of doubt, it is better to forward the information to the relevant team and let them discard it if it is not useful.
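The two points above, using exploitation evidence to re-prioritize a vulnerability that a severity score alone would not flag, and using the inventory to filter a feed without dropping doubtful matches, can be put together in a small triage routine. The following is an added example and is not code from the original post; the inventory, the notices, the vendor and product names and the "actively exploited" list are all constructed sample data, and the identifiers are placeholders rather than real CVEs. The field names (`vendor`, `product`, `version`, `owner_team`, `internet_facing`) are an assumption about what a CMDB export might contain.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    vendor: str
    product: str
    version: str
    owner_team: str
    internet_facing: bool


@dataclass(frozen=True)
class Notice:
    vuln_id: str             # placeholder identifier, not a real CVE
    vendor: str
    product: str
    affected_versions: tuple  # exact version strings, kept simple on purpose
    cvss: float


# Constructed sample CMDB export (hypothetical vendors, products and teams).
INVENTORY = [
    Asset("vpn-gw-01", "acme", "vpnappliance", "9.1", "network", True),
    Asset("ci-runner-03", "fooware", "buildagent", "2.4", "platform", False),
    Asset("crm-web-02", "acme", "crmportal", "5.0", "appsec", True),
]

# Constructed sample of what an external vulnerability feed might deliver.
NOTICES = [
    Notice("vuln-0001", "acme", "vpnappliance", ("9.0", "9.1"), 7.2),
    Notice("vuln-0002", "fooware", "buildagent", ("2.4",), 9.8),
    Notice("vuln-0003", "barsoft", "mailrelay", ("1.0",), 9.0),
    Notice("vuln-0004", "acme", "crmportal", ("4.9",), 6.5),
]

# Constructed: what the Vigilance team has learned is exploited in the wild.
ACTIVELY_EXPLOITED = {"vuln-0001"}


def match_assets(notice, inventory):
    """Split the inventory into assets confirmed affected (product and version
    match) and assets that run the same product at a version not listed.
    The latter are still forwarded, so the owning team can confirm or discard."""
    confirmed, possible = [], []
    for asset in inventory:
        if (asset.vendor, asset.product) != (notice.vendor, notice.product):
            continue
        if asset.version in notice.affected_versions:
            confirmed.append(asset)
        else:
            possible.append(asset)
    return confirmed, possible


def priority(notice, confirmed, exploited):
    """Exploitation evidence outranks the raw severity score."""
    exposed = any(a.internet_facing for a in confirmed)
    if notice.vuln_id in exploited and confirmed:
        return "P1" if exposed else "P2"
    if confirmed and notice.cvss >= 9.0:
        return "P2"
    if confirmed or notice.vuln_id in exploited:
        return "P3"
    return "P4"  # product matches, version does not: ask the owner to confirm


def triage(notices, inventory, exploited):
    """Route each relevant notice to the teams that own matching assets.
    Returns {team: [(priority, vuln_id, [asset names], note)]} sorted by priority.
    Notices matching nothing in the inventory are dropped: they are news, not work."""
    routed = {}
    for notice in notices:
        confirmed, possible = match_assets(notice, inventory)
        if not confirmed and not possible:
            continue
        prio = priority(notice, confirmed, exploited)
        note = ("actively exploited" if notice.vuln_id in exploited
                else "no exploitation reported")
        for team in {a.owner_team for a in confirmed + possible}:
            names = [a.name for a in confirmed + possible if a.owner_team == team]
            routed.setdefault(team, []).append((prio, notice.vuln_id, names, note))
    for items in routed.values():
        items.sort()
    return routed


if __name__ == "__main__":
    for team, items in triage(NOTICES, INVENTORY, ACTIVELY_EXPLOITED).items():
        for prio, vuln_id, assets, note in items:
            print(f"{team:9} {prio} {vuln_id} {assets} ({note})")
```

Note the effect of the exploitation input: the VPN appliance notice scores 7.2, below the 9.8 of the build agent notice, yet it lands as P1 for the network team because it is exploited in the wild and the asset is internet facing; without that input it would be a P3. The mail relay notice never reaches anyone because nothing in the inventory runs that product, while the CRM portal notice, whose listed versions do not match the deployed one, is still forwarded at the lowest priority rather than silently discarded.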

If you have the necessary resources, I would say that at least one person should be assigned 100% to this process, and more depending on the size of your cybersecurity team, budget and resources. Independently of the size of the Vigilance team, the whole cybersecurity team, and if possible the whole company, should take part in the process by communicating any potentially relevant information to a specific, well-known channel, such as a dedicated email address.

In conclusion, if your company does not have a Vigilance function, you should consider creating one: it can provide a lot of valuable information that helps the cybersecurity team be more efficient and deliver value where and when it is really needed.
