When an organization decides to build, mature, or improve its security operations function, that decision sets a building or maturing process in motion. That process involves many important questions and a long list of tasks to complete, but the questions and tasks are a means to an end; the outcome of the process is what we’re ultimately interested in. In my experience, some organizations end the process with a mature capability, while other organizations struggle to achieve maturity. Why is this? I’d like to take a look at some potential reasons in this post. At a high level, security operations should be approached more like a business function and less like a laboratory exercise.
Self-Awareness: Acknowledging that capabilities need to improve is often half the battle. Self-awareness comes with a dose of humility that allows us to learn from others who have come before us. There are a lot of lessons learned that can be leveraged, but the listener needs to be receptive to the input. There is no shame in acknowledging the need to improve. Quite the contrary: it is to be applauded.
Vision: In my experience, when it comes time to build or mature the security operations program, the natural tendency of an organization is to immediately begin deploying technologies. It’s important to remember that a clear and concise leadership vision is an essential prerequisite to any action. Before we can begin building capabilities, we need to understand what goal we are building toward. Ultimately, a successful security operations program involves carefully leveraging people, process, and technology toward a focused vision.
People: Once a vision has been articulated, it needs talented people to carry it out. People form the foundation of a security operations program, and the right people are critical to its success. It’s important to take adequate time to recruit and retain the appropriate staff. It may be the case that an organization needs to bring in a trusted partner for the staffing process, and that is okay. I have seen instances where poor staffing choices have been made, and they work against the vision, no matter how grand it is.
Process: Like any business function, a good process is critical to a successful security operations program. The process should be written at multiple levels, and it should guide the organization’s staff as they go about their daily tasks. At the strategic level, the process should address goals, priorities, and high-level workflow. At the operational and tactical levels, it should include more depth and context, providing specific instruction for categories of incidents and families of analysis, investigation, and response actions. Aside from guiding the team, a detailed process also demonstrates to executives, partners, customers, and other stakeholders that the organization takes a formal approach to security.
Technology: Obviously, technology is the third component of the people, process, and technology triad. Technology should enable and empower people to execute the process and make the vision a reality, rather than work against that endeavor. When purchasing technology, it’s important to identify technology that addresses operational needs, namely gaps in the execution of the process that technology can help close. Before technology is acquired, it should be matched to an operational need and integrated into the operational workflow. I’ve seen many instances where numerous different technologies were procured without thinking strategically about where the different pieces fit operationally, and the result made creating a streamlined and efficient workflow difficult.
Workflow: In most cases, resources are scarce in a security operations environment, and human resources are usually the scarcest. Because of this, it’s important to develop alerting content designed to identify strategic risks to the organization. That content should generate fewer alerts of higher quality and fidelity, so that each one is actionable. Quality is far more important than quantity here, and the signal-to-noise ratio needs to be high enough to allow timely detection. All alerts should be sent to a unified work queue that analysts can focus on, and each alert should be reviewed, vetted, analyzed, investigated, and responded to appropriately. In my experience, there is no point in generating 100,000 alerts each day if you can realistically only handle several hundred of them properly on a given day. The risk of missing an intrusion or breach because it was lost in the noise is simply too high. A useful sanity check before any new rule goes into production is to compare its expected daily alert volume against the number of alerts the team can actually triage in a day.
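As an added illustration of this point (example code written for this page, not the author’s or any product’s), the script below runs two detection rules over a handful of constructed authentication log lines: a naive rule that fires on every failed login, and a tuned rule that fires once per source address when that address fails against several distinct accounts in a short window, the password-spraying pattern. It then compares each rule’s projected daily volume with a simple analyst-capacity estimate. The log format, the addresses and usernames, the thresholds, the 10-minute sample span, and the 20 minutes per alert planning figure are all assumptions chosen for the example.

```python
"""Fewer, higher-fidelity alerts: a noisy rule beside a tuned one, checked
against analyst capacity. Added example; all data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical CSV format:
# timestamp,src_ip,user,result). One source (203.0.113.7) sprays a password
# across many accounts and finally gets in; the other entries are ordinary
# users mistyping their own passwords.
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z,10.0.0.5,alice,FAIL
2024-03-01T09:00:09Z,10.0.0.5,alice,FAIL
2024-03-01T09:00:15Z,10.0.0.5,alice,SUCCESS
2024-03-01T09:02:00Z,203.0.113.7,alice,FAIL
2024-03-01T09:02:03Z,203.0.113.7,bob,FAIL
2024-03-01T09:02:06Z,203.0.113.7,carol,FAIL
2024-03-01T09:02:09Z,203.0.113.7,dave,FAIL
2024-03-01T09:02:12Z,203.0.113.7,erin,FAIL
2024-03-01T09:02:15Z,203.0.113.7,frank,FAIL
2024-03-01T09:02:18Z,203.0.113.7,grace,FAIL
2024-03-01T09:02:21Z,203.0.113.7,heidi,SUCCESS
2024-03-01T09:10:00Z,10.0.0.9,carol,FAIL
2024-03-01T09:10:20Z,10.0.0.9,carol,SUCCESS
"""
SAMPLE_MINUTES = 10  # wall-clock span the sample represents (assumption)


def parse_logs(text):
    """Turn the CSV lines into dicts with a real datetime, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, src, user, result = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "src": src, "user": user, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def noisy_rule(events):
    """One alert per failed login: high volume, low fidelity."""
    return [{"rule": "failed_login", "src": e["src"], "user": e["user"], "ts": e["ts"]}
            for e in events if e["result"] == "FAIL"]


def spray_rule(events, window=timedelta(minutes=10), min_users=5):
    """One alert per source that fails against >= min_users distinct accounts
    inside `window`. A success from the same source during or shortly after
    the spray raises severity, since it suggests an account was compromised."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        for i, first in enumerate(fails):
            in_window = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            users = {e["user"] for e in in_window}
            if len(users) < min_users:
                continue
            end = in_window[-1]["ts"]
            hit = any(e["result"] == "SUCCESS" and first["ts"] <= e["ts"] <= end + window
                      for e in evs)
            alerts.append({"rule": "password_spray", "src": src, "first_seen": first["ts"],
                           "users": sorted(users),
                           "severity": "critical" if hit else "high"})
            break  # one alert per source, not one per failed attempt
    return alerts


def project_daily(alert_count, sample_minutes):
    """Scale a sample's alert count to a 24-hour day."""
    return alert_count * 24 * 60 // sample_minutes


def daily_triage_capacity(analysts_per_shift, shifts=3, shift_minutes=480,
                          minutes_per_alert=20):
    """Alerts a 24/7 team can review, vet and investigate properly per day.
    The 20 minutes per alert is an assumed planning figure, not a benchmark."""
    return analysts_per_shift * shifts * shift_minutes // minutes_per_alert


def within_capacity(projected_alerts, capacity):
    """The check to run before a new rule goes into production."""
    return projected_alerts <= capacity


EVENTS = parse_logs(SAMPLE_LOGS)

if __name__ == "__main__":
    capacity = daily_triage_capacity(analysts_per_shift=3)
    for name, rule in (("noisy", noisy_rule), ("tuned", spray_rule)):
        alerts = rule(EVENTS)
        daily = project_daily(len(alerts), SAMPLE_MINUTES)
        print(f"{name}: {len(alerts)} alerts in sample, ~{daily}/day, "
              f"capacity {capacity}/day, fits={within_capacity(daily, capacity)}")
    for a in spray_rule(EVENTS):
        print(a)
```

On the constructed sample, the naive rule produces ten alerts (one per failure, most of them legitimate users), which projects to well above what a three-per-shift team can triage, while the tuned rule produces a single critical alert naming the spraying source and the accounts it tried. The same three analysts per shift fit comfortably under the tuned rule’s projected volume; the capacity arithmetic is deliberately crude, but it is exactly the comparison worth making before a rule is turned on.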
Communication: During execution of the incident response process, and during the course of daily security operations as well, communication is key. Beyond the metrics and other important information that need to be communicated to leadership regularly, communication serves another important purpose. Relationships with upstream providers, peer organizations, professional associations, partners, customers, legal, privacy, and other stakeholders are incredibly important. Having those relationships in place ahead of time helps ensure that when crunch time comes, the appropriate channels exist to disseminate, receive, and act upon information in a timely manner.
Information Sharing: The knowledge of 100 organizations will always be greater than that of just one. Sharing information allows us to broaden our perspective and view the challenges of security operations through a much larger lens. Techniques, methodologies, and Indicators of Compromise (IOCs) are all valuable information that can be shared between organizations. Those who give the most generally receive the most, and building street cred for your organization is important. Sometimes, being remembered can mean the difference between getting timely intelligence and not getting it.
Building or maturing a security operations program is a serious endeavor and a time-consuming undertaking. Because of this, it warrants a strategic business approach. Taking this approach may require additional resources initially, but in the end, the forethought will be reflected in the quality of the program it produces. With the sophistication of the modern attacker and the constantly evolving threat landscape, don’t we owe it to ourselves to approach security operations like we would any other important business function?