Trust that your security investment in people, process, and technology will protect your organization from the next cyberthreat, but verify through the establishment of a tabletop exercise capability as part of your overall security strategy.
This research is designed for:
- Chief Information Officer (CIO)
- Chief Information Security Officer (CISO)
- Security/IT Management
- Threat Intelligence
- Security Operations
- Security Incident Response
- Vulnerability Assessment/Penetration Testing
- Patch Management
This research will help you:
- Prepare before the battle by ensuring organizational preparedness through a comprehensive simulated attack.
- Validate threat plans through the operational readiness testing of core security teams.
- Evaluate collaboration effectiveness between teams addressing the increasing sophistication of cyberthreats.
- Streamline and optimize operational workflow between core security teams.
A tabletop exercise consists of various activities related to the following phases:
- Phase 1: Plan - Evaluate the need for a tabletop exercise
- Phase 2: Design - Determine the topics, scope, objectives, and participant roles and responsibilities.
- Phase 3: Develop - Create briefings, guides, reports, and exercise injects
- Phase 4: Conduct - Host the exercise in a conference or classroom setting.
- Phase 5: Evaluate - Document exercise findings, lessons learned, and next steps.
An effective tabletop exercise can be used to evaluate the following:
- Organizational Preparedness - Expose operational weak points and transition teams from a reactive approach towards a more proactive security program.
- Enhanced threat detection, prevention, analysis, and response - Enhance the collaboration and use of your security investment through the simulated evaluation of your threat collaboration environment.
- Improve threat visibility and information sharing - Promote both internal and external information sharing to enable good decision making.
- Reinforce accountability and responsibility - Establish a clear level of accountability throughout the security program incident response program, and ensure role responsibility for all tasks and processes involved in service delivery.
- Ensure return on security investment - Evaluate core staff on their use of process and technology to defend the organization.
- Identify opportunities for continuous improvement - Provide increased visibility into current performance levels, and accurately identify opportunities for continuous improvement with a holistic measurement program.
- 1. Establish communication processes and channels well in advance of a crisis. Don't wait until a state of panic. Collaborate and share information mutually with other organizations to stay ahead of incoming threats.
- 2. Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.
- 3. You might experience a negative return on security control investment. As technology in the industry evolves, threat actors will adopt new tools, tactics, and procedures. A tabletop exercise will help ensure teams are leveraging your security investment properly by measuring relevant situational awareness provided during the exercise, ensuring teams are staying on top of the rapidly evolving threat landscape.
- Threat management has become resource intensive, requiring continuous monitoring, collection, and analysis of massive volumes of security event data.
- Security incidents are inevitable, but how they are handled is critical.
- The increasing use of sophisticated malware is making it difficult for organizations to identify the true intent behind the attack campaign.
- The incident response is often handled in an ad hoc or ineffective manner.
- Many organizations are developing ad hoc intelligence capabilities that result in operational inefficiencies, the misalignment of resources, and the misuse of security technology investments.
- Tracked incidents are often classified into "out-of-the-box" responses that are not necessarily applicable to the organization. With so many classifications, tracking becomes inefficient and indigestible, allowing major incidents to fall through the cracks.
- It is difficult to communicate the value of a threat intelligence program when trying to secure organizational buy-in to gain the appropriate resourcing.
Establish and design a tabletop exercise capability to support and test the efficiency of the core prevention, detection, analysis, and response functions that consist of an organization's threat intelligence, security operations, vulnerability management, and incident response functions. This blueprint will walk through the steps of developing a scalable and systematic tabletop exercise relevant to your organization.