Vice President and Country Manager – Canada
Optiv Security
Any dispassionate view of today’s security landscape will inevitably lead to a single conclusion: there is a widespread need for organizations to modernize their security operations. All of the common issues we see today in cybersecurity — too few people, too many security tools, too little insight into where attacks are likely to come from and how they will be carried out — can be greatly ameliorated by modernizing operations.
Modernizing operations creates the structure to eliminate distractions caused by chasing compliance mandates and the latest “shiny technology objects,” so security organizations can stay focused on the ultimate prize: reducing enterprise risk.
So, how does one get started on modernizing operations? The first thing to understand that modernization is a function of the heart, not of technology — it’s a cultural change, manifested in an optimal balance of people, process and technology. And, it should be organized atop what I call the Seven Pillars of Security Operations Modernization:
- Pillar I: Culture and People — The cyber security skills shortage makes this pillar critical to any security organization. Security leaders need to ask themselves: “Do we have the right people and what happens if they walk out the door tomorrow? If so, how are we going to retain them in a market with negative unemployment, high salaries and massive technology companies courting them? How do we maintain our capabilities and ensure we have the right culture to truly reduce adversary opportunity day-in and day-out?” Answering these questions is critical for setting the “people” foundation for a strong security program.
- Pillar II: Automation and Orchestration — The greatest value of automation is as a capability amplifier; an “Iron Man suit” that greatly increases the capabilities of staff members. Automation and orchestration can also provide opportunities for relieving staff of mundane tasks so they can focus on higher-level issues, and promoting integration across various staff functions. “Throwing more bodies at the problem” is no longer an option, which makes automation and orchestration an absolute requirement for modern operations. Ultimately, automation and orchestration provide improved quality of life and quality of work, while enabling the foundation of machine learning, when implemented properly.
- Pillar III: Analytics — Next-generation security analytics use cases drown the noise of day-to-day SOC operations and can help to shine a light on the dreaded outliers. Analytics begin with a basic understanding of available datasets and common false negatives present in existing technologies in the environment and, ultimately, they dramatically reduce the amount of time spent chasing down dead leads, while creating opportunities for driving more value out of security infrastructure by making far better use of the data generated by security tools.
- Pillar IV: Collaboration and Process — Collaboration, not only between internal personnel and across functional areas of the business, but also with partners and other third parties, serves as a force multiplier that makes operations more effective at detecting, analyzing and remediating threats, while also enabling security operations to align more effectively with overarching business goals. Are your documented processes a reflection of your real-world capabilities and functioning as a “user manual” for operating your perfectly tuned security machine?
- Pillar V: Threat Intelligence — There is an enormous amount of threat intelligence available today, both from security tool vendors and other outside sources. Being able to understand and operationalize this intelligence is key to staying current with modern threats.
- Pillar VI: Advanced Controls — Do you have the right security technologies and controls in place to reduce risk? The only way to understand this is to evaluate the entire security technology stack, understand how configurations compare to industry best practices, and then to test, evaluate and rationalize infrastructure so you have the right tools in place with the right configurations. Implementing the right controls often costs nothing – moving away from a legacy 8-character password schemes to more robust, future-proof passwords being a prime example — and is a much better investment of time and effort than any pursuit of the latest “shiny technology objects” or compliance initiatives.
- Pillar VII: Metrics — Measuring the effectiveness of a security program and real-world ROI is a notoriously difficult undertaking. The best security program is often transparent to the business and while communicating wins, efficacy and actualization of spend is a challenge, it is possible and practical.
History shows us that modern attackers always defeat antiquated defenders. And yet, many organizations today are making this exact mistake: attempting to fend off sophisticated threat actors with operations that were designed for a previous era, when there were plenty of people to hire and breaches were more of a nuisance than a career-limiting event. Security strategy for this previous era was based on an “outside-in” approach, where external threats and regulations dictated security tool procurement, operations and spend. This is the approach that has led to today’s “too many tools, too few people” operational quagmire.
By modernizing operations, you can transition to an “inside-out” approach to security, where your own business requirements and enterprise risk model dictate security strategy, operations and spend. By adopting this approach, and the Seven Pillars of Security Operations Modernization, you will go a long way toward hardening your environment and causing the attackers to look elsewhere for victims.