CyberFusion Center (CFC) Build, Design, Run | Attack Surface Reduction (ASR) Lead – Fortune 120

Upon assessing the client’s cyber capabilities, it was determined that their various cybersecurity programs were ineffective due to a lack of cohesion. As a solution, our firm recommended establishing a CyberFusion Center (CFC), which is Booz Allen Hamilton’s proprietary approach to establishing several cybersecurity functions within an organization and enhancing each function’s operations through data-sharing between the functions. As part of the resiliency effort, my responsibility was to design, build, and run the Attack Surface Reduction (ASR) function, which encompasses vulnerability management and asset visibility on both the external and internal networks.

Roles and Responsibilities:

  • Building and Designing the ASR Function – The ASR function was a new function in the client’s environment and, as such, building and designing the function required that I create a program plan for both the current and future state of the function’s development. Current and future state design work required:
    • Defining roles and responsibilities within the ASR function
    • Identifying the existing staff members within the organization that will staff the new ASR function
    • Establishing information flow and coordination between the ASR function and the other CFC functions (ex. co-ordination with the Cyberthreat Intelligence (CTI) team to receive and take action on emerging vulnerabilities)
    • Integrating the organization’s existing Vulnerability Management (VM) program into ASR operations
    • Defining milestones and goals for program progression and expansion

  • Computer Security Incident Response Team (CSIRT) Execution – As the ASR Lead, I was responsible for identifying emerging vulnerabilities that were critical in nature (ex. 0-days, Microsoft “Patch Tuesday”, etc.), determining their impact to the organization based on asset footprint, creating a remediation plan for addressing patching/mitigation, and ongoing co-ordination with the various teams in the organization to ensure proper mitigations were applied to the affected assets.
    • Ex. Windows ZeroLogon: identifying all domain controllers in the environment and which team(s) owned said domain controllers, creating a mandate to patch/mitigate within 5 days, holding daily meetings to track remediation progress and discuss any issue(s) in applying said mitigations, and creating a final report to the Director of Cybersecurity and CISO to confirm that mitigations were applied and, thus, that risk to the organization had been reduced.

  • Pentesting/Validation of Security Controls – I worked in co-ordination with the TDO team to validate the effectiveness of the existing security controls and their configuration(s) by attempting to bypass tool detection using various pentest methods. As bypass methods were detected, this information was fed back into the TDO function, which worked with the security tool owner(s) to improve detection logic and, in some instances, spoke with the vendor Technical Account Manager (TAM) to further discuss the tool’s limitations.

  • Security Control Gap Analysis – As gaps and misconfigurations in security tool coverage and visibility were identified in the organization, these observations were documented and business cases were created for additional tool onboarding and/or security tool tuning to enhance ASR function and capability.

  • Asset Management Database (CMDB) Discovery – As assets were discovered on the network that were not properly tagged/profiled in the asset management database (ServiceNow), the ASR team reached out to the appropriate asset owners and/or created cases to assign assets to new owners to ensure a point of contact could be established should the asset require remediation.
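The ZeroLogon tracking steps and the CMDB owner lookup described above, as an added example (not the author’s or the client’s tooling): it takes a constructed CMDB export and patch-status report, selects the assets matching the advisory’s footprint, groups remediation tasks by owner against the 5-day mandate, and separates assets with no CMDB owner for follow-up. All hostnames, owners, and dates are invented.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data: a ServiceNow-style CMDB export and the patch
# status reported back by platform teams. Hostnames and owners are invented.
CMDB = {
    "dc01.corp.example": {"owner": "Directory Services", "role": "domain_controller"},
    "dc02.corp.example": {"owner": "Directory Services", "role": "domain_controller"},
    "dc03.branch.example": {"owner": None, "role": "domain_controller"},  # not profiled
    "web01.corp.example": {"owner": "Web Platform", "role": "web_server"},
}
PATCHED = {"dc01.corp.example": True, "dc02.corp.example": False, "dc03.branch.example": False}
MANDATE_DAYS = 5  # remediation window from the mandate


def affected_assets(cmdb, affected_role):
    """Assets whose role matches the advisory's footprint (here: domain controllers)."""
    return {h: rec for h, rec in cmdb.items() if rec["role"] == affected_role}


def build_tracker(cmdb, patched, affected_role, mandate_issued, today):
    """Per-owner remediation tasks, plus hosts with no CMDB owner to chase separately."""
    deadline = mandate_issued + timedelta(days=MANDATE_DAYS)
    tasks, unowned = defaultdict(list), []
    for host, rec in affected_assets(cmdb, affected_role).items():
        done = patched.get(host, False)  # unknown status is treated as unpatched
        status = {"host": host, "patched": done, "overdue": (not done) and today > deadline}
        if rec["owner"] is None:
            unowned.append(host)  # CMDB gap: no point of contact for remediation
        else:
            tasks[rec["owner"]].append(status)
    return dict(tasks), unowned, deadline


def remediation_summary(tasks, unowned):
    """Figures for the close-out report: affected, remediated, outstanding, unowned."""
    rows = [s for owner_rows in tasks.values() for s in owner_rows]
    total, done = len(rows) + len(unowned), sum(1 for s in rows if s["patched"])
    return {"affected": total, "remediated": done, "outstanding": total - done, "unowned": len(unowned)}


def demo_report():
    """Run the tracker on the constructed data, two days past the 5-day deadline."""
    issued = date(2024, 1, 8)
    tasks, unowned, deadline = build_tracker(CMDB, PATCHED, "domain_controller", issued, issued + timedelta(days=7))
    return tasks, unowned, deadline, remediation_summary(tasks, unowned)


if __name__ == "__main__":
    for item in demo_report():
        print(item)
```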

  • Endpoint Hardening – Overseeing the deployment of additional tools in the environment such as Microsoft Defender and engaging with security engineering to alter Group Policy Objects (GPOs) to further secure the endpoints and servers in the environment.

  • 3rd Party Security Monitoring Program – Ownership and management of 3rd party security monitoring tools such as Shodan, BitSight, SecurityScorecard, and RiskRecon. As these 3rd party monitoring tools discovered security vulnerabilities/misconfigurations with the external infrastructure, the ASR team was responsible for taking ownership of the identified issues, prioritizing their remediation, and assigning remediation tasks to asset owners. A run book was created to define the scope and purpose of the 3rd Party Security Monitoring program to ensure new and existing resources in the organization were familiar with the process flow.