SECURITY BRUTALISM

Security Brutalism Runbook

V1.0

This runbook provides a high-level, simplified guide for security teams and executives to begin implementing a security brutalism approach.

This serves as a starting point and should be tailored to the individual organization's needs and context. It's important to continuously reassess along the way to identify and adjust anything that isn't effective. The key is to consistently prioritize fundamental security, working on the basics, striving for clarity, and focusing on what demonstrably reduces risk.

Framework for Deployment

  1. Risk-Driven Prioritization: Identify and rank the most critical assets and the threats they face. This will dictate the initial focus on core controls. Build a graph showing how these risks influence or impact one another. Connect the dots.
  2. Security Stack Rationalization: Review the current security tools and eliminate redundancies or overly complex solutions that don't directly address top risks.
  3. Policy Simplification and Communication: Rewrite security policies to be concise, clear, and easily understandable. Ensure widespread dissemination and training.
  4. Automation of Core Controls: Implement automation wherever possible to enforce fundamental security measures consistently (e.g., patch management, secure configuration management).
  5. Transparency Initiatives: Establish clear channels for communicating security risks, incidents, and the rationale behind security decisions to all stakeholders.
  6. Continuous Assessment and Adaptation: Regularly evaluate the effectiveness of core controls and adapt the strategy based on evolving threats and organizational needs.


Keep this in mind while you work through the runbook: Establish baselines. Look for anomalies. Have a plan.


Phase 1: Assessment and Prioritization

Timeframe: 2-4 weeks (will take longer for large, complex organizations *)

  1. Identify Critical Assets: List the organization's most valuable data, systems, and processes.
  2. Conduct Basic Threat Modeling: Run basic threat modeling on key assets to find possible risks.
  3. Core Control Mapping: Map existing security controls to the identified risks. Identify gaps in fundamental areas like access control, patching, incident response, and network segmentation.
  4. Prioritize Gaps: Based on risk and ease of implementation, prioritize the gaps in core controls that need immediate attention.

* To see an example of how Phase 1 could be adapted and implemented within a large and complex organization, check this methodology.

Phase 2: Simplification and Standardization

Timeframe: 1-3 weeks (could take longer for large, complex organizations)

  1. Policy Review: Review existing security policies for clarity, soimplicity, conciseness, and enforceability. Rewrite or simplify as needed.
  2. Technology Assessment: Evaluate the current security technology stack. Identify redundant, overly complex, or underutilized tools.
  3. Standardize Core Technologies: Aim to standardize on a smaller set of well-understood and effective security technologies for core functions (e.g., endpoint security, vulnerability scanners, monitoring and detection).
  4. Document Core Procedures: Document clear and simple procedures for implementing, focusing on automation when possible, and maintaining core security controls.

Phase 3: Implementation and Automation

Timeframe: 4-10 weeks (could take longer for large, complex organizations)

  1. Implement Prioritized Core Controls: Begin implementing the prioritized core security controls identified in Phase 1.
  2. Automate Enforcement: Identify opportunities to automate the enforcement of core security controls (e.g., automated patching, identity management assessments).
  3. Develop Clear Communication Channels: Establish clear channels for communicating security policies, risks, and incident information across the organization.
  4. Basic Security Awareness Training: Implement basic security awareness training focused on the "why" behind core security practices. Make sure you provide pragmatic information about risk and what could go wrong.

Phase 4: Transparency and Continuous Improvement

Timeframe: Ongoing

  1. Communicate Security Posture: Regularly communicate the organization's security posture and key risks in a clear and understandable manner to stakeholders.
  2. Incident Communication Plan: Develop a clear and transparent plan for communicating security incidents.
  3. Regular Review of Core Controls: Continuously monitor the effectiveness of implemented core controls and adapt as needed based on threat landscape and organizational changes.
  4. Feedback Mechanisms: Establish mechanisms for gathering feedback on the clarity and effectiveness of security policies and procedures.