Tuesday, February 11, 2014

The Scarcest Resource

As with any profession, security operations is subject to constraints and limitations. Traditionally, there have been several factors that have posed challenges to enterprise security operations. These include:
  • Data
  • Processing Power
  • Storage
  • Technology
  • Process
  • Analysts
Let's examine these constraints one by one.

Data: In the early days of security operations, it was difficult for enterprises to collect the data necessary for security operations, incident response, and network forensics for a variety of reasons. As we all know, this is no longer the case. In fact, we find ourselves in quite the opposite situation nowadays. The velocity, volume, and variety of data collected in the enterprise's data repository of choice are all higher than ever.

Processing Power: Two decades ago, we had to worry about having too many firewall rules or too many mail filters because of processing power. Per Moore's law, which states that processing power doubles approximately every two years, today's processors are about 1024 times more powerful than those of two decades ago. The shackles of processing power limitations have been lifted.

Storage: Although storage can be made much more plentiful than was possible years ago, it is still relatively expensive. As such, it is a resource to be used wisely. Lots of storage is a necessity for data retention, but using it wisely (giving preference to data of higher value) can lower cost for the same retention or increase retention for the same cost.

Technology: Whereas years ago, security professionals needed to cobble together network forensics tools with duct tape, chewing gum, and band-aids, it is now possible to purchase commercial tools for many security operations and incident response needs. Does technology address every need that an organization might have? No. Is today's technology perfect? Of course not. But, it is far better than it used to be.

Process: It was once the case that incident response was a new field where it was difficult to find guidance and formalized processes. This is no longer the case. The incident handling life cycle and incident response process are both formalized, and many enterprises have a rigorous and formal incident response process to follow both during the course of normal security operations and during a breach response.

Analysts: Unfortunately, the number of analysts working within an organization's security operations and incident response function has not kept pace with the growing demands of the function. There are several reasons why this is the case, but the difficulty in finding qualified professionals and persistent budget limitations are two of the biggest reasons.

If we look across people, process, and technology, it seems that people -- the analysts -- are the scarcest resource. This should come as no surprise to those of us working day to day in the security operations and incident response field. Given the scarcity of our human resources, don't we owe it to ourselves and our organizations to choose process and technology that streamline workflow, reduce inefficiencies, and optimize the analyst's cycles?

No comments:

Post a Comment