so I built a service for customers to help in this space but I think it's always good to re-visit and also use different mediums for education/comms. so inspired by @HackingDave 's posts a second ago I'm going to try and write a high level blog on this!
I'm gonna thread this (soz dave u can mute this)
ok lets make this interactive rather than me just posting screenshots of a word document... so we parachute in.. cyber pew pews are all around us.. we are in the unknown.. where do we start? well when i was dropped off in an unknown location in wales once i reckon that might help!
but dan how is u being dropped off in the middle of nowhere useful to leading the cybers? well ... the first thing was that we need to work out where we are...
well let's use our friend visio to help us! (or draw io but lazy me) we know who we are and we know we are standing that's good :) let's try and discover a bit more!
so tweeps, what do we do first? network assessment? MFA deployment, throw in a SIEM? come on more tools are gonna help us right? they must the guy from ****trace said they could solve everything through AI
well let's see! we look around and shocking we aren't alone. there's some other people with us! yay frens! i wonder how many of us there are here? and what does everyone do?
so maybe we should talk to our people! great idea dan! let's go and find out a bit more about the business and what it does, what its mission vision goals and objectives are! to the CEO and ELT we go!!!
it still feels lonely here but now we are talking to our CEO/ELT and they start to explain more about the business, the challenges etc. let's schedule meetings with some of these key stakeholders!
oh wow cool we've got other people here.. good to work out the business landscape, we've got business understanding and stakeholder management to work on! great.
so not only do we want to talk to people we also are going to want to hoover up some goodies! get those org charts, read those annual reports! learn all the things so that you have some vague idea about the org's makeup and how it does business, also don't forget the $$$
ok so we've started to expand our knowledge for after all we must understand the business we are in and the landscape that makes that up. We can't do this in a waterfall and there's schedules to think about but we've made a start! we have also hopefully started to make some allies!
ok time to put the kettle back on! Don't worry we haven't forgotten our comrades in arms! the IT team!
wow ok so now we are talking! literally we are now gonna talk to all the people, we'll start with our IT management team and again we're gonna do stakeholder management, identify all the things! but we are also going to sit with all the people and learn some about them!
awesome so now we see a fairly traditional shape IT org (ops, apps and projects). we again arrange meetings, get coffee and we also want to baseline our people so get those job descriptions from HR and get the historical performance review forms. you will need these!
So again more people stuff! please please please don't think this bit isn't important! it's the most fucking important part!
just going to circle back - we've now had some more access/intel from the business so we've got a bigger list! great more nighttime reading for us!
great so we've gone from being in the dark to starting to get a handle on the business architecture and the department (from a ppl pov). don't forget to grab those risk registers etc. from the biz and also check legal/regulatory requirements as well!
so we now want to start thinking about service architecture and supply chains etc. so let's get the supplier registers etc. so let's get more intel (we've been given more docs from IT now as well!)
time for another tea (kermit travels on my journeys to keep me sane :)
now ur probably thinking. where's the cybers and security stuff? i haven't forgotten don't u worry but i'm also showing what a CIO view is coz a lot of orgs don't have a security team so this view should help more people!
now ur probably wondering how i'm doing this so fast! me too, i'm doing this all from my memory! in reality i've got shit loads of books, documents i've written, checklists and other tools that I use! but i wanna share so we're going freestyle and i may have done this b4 ;)
so again this is just using skillz of the soft nature so far, we just want to hoover up our understanding of the current state. so we talk, we get artefacts, we get reports, we get system dashboards etc. don't worry we are gonna pew pew soon! hoover up all the things!
now i am going to put the kettle on with kermy quickly! remember i know this isn't complete! but its high level and hopefully gives you an idea of the process I go through!
kettle on! fire any questions/comments/suggestions if u want :) ❤️
ok back! so we've been having lots of meetings, we've been collecting data and absorbing knowledge. now there's some more formal activities we are going to want to explore!
also lets talk about time, we've spoken to lots of people, collected a lot of intel and we need to read, understand and contextualise. so if you think this is done in a week you need to get real! Gartner sells CIO first 100 days type stuff for a reason! this stuff takes time!
now remember we need to understand the landscape from a range of perspectives! we can't protect what we don't know - hence why i'm going on about IT stuff a lot!
so we need to get a handle on the technology and security landscape. in reality this diagram is way too simple! but i'm threading i'm not writing a book :)
so from our initial work we've got a view on the world but we know its not complete or very detailed. Guess what's really important to know?
yeeeeess you got it the details! so we are going to want to run some MORE discovery services! now we are going to get a bit more of a security slant on ;)
ok so lets talk security of our technology! now again i'm dropping this stuff fast so i know there are gaps, but again trying to show the high level quick fire view!
so now let's run some of the services. we are gonna want to get some technical discovery going on, we want to validate our asset management and current in flight processes are giving us a good view. we also want to check our security policies, processes etc. but most importantly
we want to check our processes, practices and capabilities are complete, identify gaps but really we want to know is our security system effective! so we run a range of activities including a maturity assessment, but also technical audits/discovery etc.
now we want to get a good view on the world and we want that to be fairly complete. this gets hard to thread now coz we want to be gaining insights both tactical and strategic so this is why we run a range of activities! we wanna catch that low hanging fruit!
so this is why we mix up strategy, architecture and tactical activities. So on the tech front we might do an active directory audit, we might run some vuln scans, again all this is feeding back into our view. but also we can make tactical changes
so the net result of this is a lot of data from a lot of viewpoints to give us a view on the organisation. With this we can create heatmaps, create a risk register, produce a security programme, identify tactical and strategic objectives etc
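one bit of the technical discovery above that is easy to show in code is validating asset management: reconcile what the scanner actually saw against what the asset register says exists, then fold asset criticality and finding severity into the heatmap/risk register view. this is an added example, not tooling from the thread or the author's service; the CSV column names (hostname, owner, criticality, plugin, severity) and every host and finding in it are constructed for the example, and the scoring (criticality rank times severity rank) is one simple prioritisation choice, not a standard.

```python
"""Reconcile an asset register against vulnerability-scan output.

Added example, not part of the original thread. It assumes two CSV
exports exist (an asset register from the CMDB and a findings export
from a vulnerability scanner); the column names and every host below
are constructed for the example.
"""
import csv
import io
from collections import Counter

# Constructed asset register export (hypothetical CMDB columns).
ASSET_REGISTER_CSV = """hostname,owner,criticality
web01,apps,high
web02,apps,high
db01,ops,high
fs01,ops,medium
hr-laptop-07,hr,low
"""

# Constructed scanner export (hypothetical scanner columns).
SCAN_RESULTS_CSV = """hostname,plugin,severity
web01,TLS 1.0 enabled,medium
web01,Outdated web framework,high
db01,Default credentials,critical
fs01,SMBv1 enabled,high
legacy-print01,Unsupported OS,critical
dev-box-3,Anonymous FTP,medium
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
CRITICALITY_RANK = {"low": 1, "medium": 2, "high": 3}


def load_rows(csv_text):
    """Parse a CSV export into a list of dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(register_csv, scan_csv):
    """Compare the two host sets.

    'unregistered' = the scanner saw it but the register does not know it
    (shadow IT / stale CMDB); 'unscanned' = registered but never scanned
    (a coverage gap in the discovery process itself).
    """
    registered = {r["hostname"] for r in load_rows(register_csv)}
    scanned = {r["hostname"] for r in load_rows(scan_csv)}
    return {
        "unregistered": sorted(scanned - registered),
        "unscanned": sorted(registered - scanned),
    }


def heatmap(register_csv, scan_csv):
    """Count findings per (asset criticality, finding severity) cell.

    Hosts missing from the register land in the 'unknown' row so the gap
    is visible on the heatmap rather than silently dropped.
    """
    criticality = {r["hostname"]: r["criticality"] for r in load_rows(register_csv)}
    cells = Counter()
    for row in load_rows(scan_csv):
        crit = criticality.get(row["hostname"], "unknown")
        cells[(crit, row["severity"])] += 1
    return dict(cells)


def prioritise(register_csv, scan_csv):
    """Rank findings by criticality rank * severity rank, highest first.

    An unknown asset is treated as high criticality until someone owns it,
    so an unregistered box with a critical finding surfaces at the top.
    """
    criticality = {r["hostname"]: r["criticality"] for r in load_rows(register_csv)}
    ranked = []
    for row in load_rows(scan_csv):
        crit = criticality.get(row["hostname"], "high")
        score = CRITICALITY_RANK[crit] * SEVERITY_RANK[row["severity"]]
        ranked.append((score, row["hostname"], row["plugin"]))
    ranked.sort(reverse=True)
    return ranked


if __name__ == "__main__":
    print(reconcile(ASSET_REGISTER_CSV, SCAN_RESULTS_CSV))
    for cell, count in sorted(heatmap(ASSET_REGISTER_CSV, SCAN_RESULTS_CSV).items()):
        print(cell, count)
    for score, host, plugin in prioritise(ASSET_REGISTER_CSV, SCAN_RESULTS_CSV):
        print(score, host, plugin)
```

the point of the three views together: reconcile() tells you whether your asset management is actually working (the thread's "validate our asset management"), heatmap() is the raw material for the heatmap/risk register, and prioritise() is where the tactical low-hanging fruit falls out while the strategic programme is still being written.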
The net result of this is we have a baseline view of the current state, we can align to the business, we can leverage existing capabilities and we can put together a roadmap for change. all this starts with talking to people.
now i'm struggling with the medium here and the fact this is a complex process. if it wasn't complicated no one would get pwn3d. this all relies on having an accurate view on the world. there's a reason the frameworks start with identify.
so i'm going to pause this for the night, hopefully my quick fire powerpoint creations etc. give a small insight to this. when we abstract out you see something like this:
its too detailed to show everything and i tailor this all to suit the scenario but overall the high level approach takes this shape. It's just like a first 100 days affair, again it depends upon the focus/requirements.
but key things, identify, use frameworks, baseline where u r, don't just focus on policy and process - people are invaluable. remember this takes time. get the low hanging fruit. don't rush to decisions unless u really have to.
anyway hope that was of some use to peeps. this process takes 1 month to 3-4 months depending upon the org and a million other variables so my thread doesn't do this justice.
that was fun! haha way hard to do on twitter but am happy with giving it ago :)
Also it's worth checking out this thread I did a while ago!
You can follow @UK_Daniel_Card.