Sunday, August 28, 2011

Common Challenges

When I work with Security Operations Center (SOC)/Incident Response (IR) clients that are in the SOC/IR building phase, I often see them encountering similar challenges. More often than not, the clients are frustrated and overwhelmed, as they desperately want to do the right thing. The good news, I reassure them, is that all organizations have the same fundamental challenges. I've worked with quite a few different organizations, and there is always a way through the maze. Clients often find it reassuring to know that they are not the only organization with the challenges they see before them. I am more than happy to help them through the fog. In fact, one client recently told me I should write a book about SOC/IR building. Maybe I will one day....

Give and Take

The cyber security community is a community built almost entirely on trust. This is especially true in the Security Operations Center (SOC)/Incident Response (IR) world. Relationships are built over time through give and take. In other words, an organization should expect to give to the community before expecting to take from the community. At the very least, an organization should attempt to truly understand the community and its nature before attempting to wedge in. It amazes me how many organizations attempt to take from the community with no history of, or intention of, giving anything back. The SOC/IR community is a close-knit one, and this type of behavior is often perceived as untrustworthy and/or exploitative. Needless to say, these types of organizations aren't very successful in making any headway in the community. Perhaps what amazes me even more is how surprised some of these organizations are by the lack of progress, despite being advised to the contrary. I believe the psychological term for this type of behavior is "cognitive dissonance".

Wednesday, August 10, 2011

Uber Data Source

This afternoon I gave my GFIRST talk entitled "Uber Data Source: Holy Grail or Final Fantasy?". The purpose of the talk was to get people in the audience thinking about the challenges of complex network instrumentation/data collection and data overload confronting many Incident Response Center (IRC)/Security Operations Center (SOC) organizations today. A number of people seemed to agree that the current model of collecting dozens of different formats of data in increasingly larger and larger volumes and varieties can't continue.

The community appears to be receptive to the idea that we need to consider moving towards a consolidated uber data source that allows us to successfully monitor our networks and investigate incidents/events. In addition, there are a number of vendors beginning to move in this direction, which is great to see.

My talk should be posted on the GFIRST conference website ( after the conclusion of the conference. I'd be interested in hearing thoughts and opinions regarding both the talk and the concept of the uber data source in general.

Chess Game

I'm at the GFIRST conference this week and have been bumping into a number of contacts and colleagues. The conference has been great so far. I had an interesting discussion this week with someone who is employed at a large government agency. We were discussing the pros and cons of federal employment. One of the items we discussed was how some of the best and brightest get frustrated and burn out in the federal sector due to the politics, bureaucracy, etc. He responded by telling me about how he succeeds by approaching the politics and bureaucracy like a giant game of chess, always contemplating his next move and trying to outwit the opponent. I see his point, and I admire his ability to survive and flourish within the "system". But deep down, this troubles me.

The best and the brightest folks, those we need monitoring and securing our most critical government assets, aren't interested in playing chess. They want to be put to work on analytically challenging and motivating tasks. The chess game frustrates them, burns them out, and causes the best and brightest to leave the federal sector. I think this is extremely unfortunate, and I can only hope that one day those at the top of the political pyramid will realize this and change things for the better. Until then, I see this as a major challenge for the federal sector.

In the great game of politics and bureaucracy, it's unfortunately the American people who lose.