By Mark Maxey
There is a widespread need for organizations to modernize their security operations. Why? Because all the common issues we see today in cybersecurity — too few people, too many security tools, too little insight into where attacks are likely to come from and how they will be carried out — can be alleviated by modernizing operations.
Modernizing operations creates the structure to eliminate distractions caused by chasing compliance mandates and the latest “shiny technology objects” so that security organizations can stay focused on the ultimate prize: reducing enterprise risk.
So, how does one get started on modernizing operations? The first thing to understand is that modernization is a function of the heart, not of technology; it’s a cultural change, manifested in an optimal balance of people, process and technology.
Do we have the right people on board?
If so, how are we going to retain them in a market with negative unemployment, high salaries and massive technology companies courting them?
What happens if they walk out the door tomorrow?
How do we maintain our capabilities and ensure that we have the right culture to truly reduce adversary opportunity day in and day out?
Collaboration — not only between internal personnel and across functional areas of the business, but also with partners and other third parties — serves as a force multiplier. It makes operations more effective at detecting, analyzing and remediating threats, while also enabling security operations to align more effectively with overarching business goals.
Are your documented processes a reflection of your real-world capabilities and functioning as a “user manual” for operating your perfectly tuned security machine? If not, it’s time to make “process” an area of greater focus.
When it comes to technology, there are four areas that I believe are critical to effectively modernizing security operations:
Automation and Orchestration — “Throwing more bodies at the problem” is no longer a viable option for organizations (due, in large part, to the aforementioned cybersecurity skills shortage). This is why automation and orchestration are so important. These technologies can:
- Greatly increase the capabilities of staff members
- Relieve staff of mundane tasks, so they can focus on higher-level issues and on promoting integration across various staff functions
- Improve quality of life and quality of work
Analytics — Next-generation security analytics use-cases drown out the noise of day-to-day SOC operations and can help shine a light on the dreaded outliers. Analytics begins with a basic understanding of available datasets and common false negatives present in existing technologies in the environment. Done right, analytics can dramatically reduce the amount of time spent chasing down dead leads, while creating opportunities for driving more value out of security infrastructure by making far better use of the data generated by security tools.
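As an added illustration of the "shine a light on the outliers" idea (this is example code written for this page, not Optiv's tooling or anything the author describes), the block below takes a few constructed authentication log lines, builds a per-user baseline of failed logins, and flags users who sit far outside that baseline. It uses the median and median absolute deviation rather than mean and standard deviation, because a single heavy hitter would otherwise inflate the baseline and hide itself. The log format, user names and threshold are assumptions.

```python
"""Baseline-and-outlier analytic over constructed auth log lines.
Illustrative code added for this page; the key=value log format,
user names and the 3.5 robust z-score threshold are assumptions."""
import re
import statistics
from collections import Counter

# Constructed sample events (assumed format, not real data): a handful of
# users with a normal spread of failures, and one user well outside it.
SAMPLE_LOGS = """\
2024-03-01T08:01:12Z auth host=vpn01 user=alice result=failure
2024-03-01T08:01:40Z auth host=vpn01 user=alice result=failure
2024-03-01T08:02:05Z auth host=vpn01 user=alice result=success
2024-03-01T08:03:02Z auth host=vpn01 user=bob result=failure
2024-03-01T08:03:30Z auth host=vpn01 user=bob result=success
2024-03-01T08:04:11Z auth host=vpn02 user=carol result=failure
2024-03-01T08:04:50Z auth host=vpn02 user=carol result=failure
2024-03-01T08:05:09Z auth host=vpn02 user=carol result=success
2024-03-01T08:06:44Z auth host=vpn01 user=dave result=failure
2024-03-01T08:07:13Z auth host=vpn02 user=erin result=failure
2024-03-01T08:07:29Z auth host=vpn02 user=erin result=failure
2024-03-01T08:07:58Z auth host=vpn02 user=erin result=failure
2024-03-01T08:08:10Z auth host=vpn02 user=erin result=success
2024-03-01T08:09:01Z auth host=vpn01 user=mallory result=failure
2024-03-01T08:09:04Z auth host=vpn01 user=mallory result=failure
2024-03-01T08:09:07Z auth host=vpn01 user=mallory result=failure
2024-03-01T08:09:10Z auth host=vpn01 user=mallory result=failure
2024-03-01T08:09:13Z auth host=vpn01 user=mallory result=failure
2024-03-01T08:09:16Z auth host=vpn01 user=mallory result=failure
2024-03-01T08:09:19Z auth host=vpn01 user=mallory result=failure
2024-03-01T08:09:22Z auth host=vpn01 user=mallory result=failure
2024-03-01T08:09:25Z auth host=vpn01 user=mallory result=failure
2024-03-01T08:09:28Z auth host=vpn01 user=mallory result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth host=(?P<host>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Parse log lines into dicts; lines that do not match are skipped, not counted."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failures_per_user(events):
    """Per-user count of failed authentications: the quantity we baseline."""
    return Counter(e["user"] for e in events if e["result"] == "failure")


def robust_outliers(counts, threshold=3.5):
    """Return {user: robust z-score} for users far above the population median.

    Median absolute deviation (MAD) is used instead of standard deviation so
    that one extreme user does not stretch the baseline and mask itself.
    """
    values = list(counts.values())
    if len(values) < 3:
        return {}  # too few users to call anything an outlier
    median = statistics.median(values)
    mad = statistics.median([abs(v - median) for v in values])
    if mad == 0:
        # Degenerate baseline (most users have identical counts): fall back to
        # a unit deviation so a materially larger count still surfaces.
        mad = 1.0
    scores = {u: 0.6745 * (v - median) / mad for u, v in counts.items()}
    return {u: round(s, 2) for u, s in scores.items() if s > threshold}


if __name__ == "__main__":
    counts = failures_per_user(parse_events(SAMPLE_LOGS))
    for user, score in sorted(robust_outliers(counts).items()):
        print(f"outlier: user={user} failures={counts[user]} robust_z={score}")
```

Running it prints only mallory; erin, with three failures against a median of two, scores well under the threshold and never becomes a lead to chase. The same pattern (pick the dataset, baseline the normal population robustly, surface what sits outside it) carries over to other event types once you know which fields your existing tools actually record.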
Threat Intelligence — There is an enormous amount of threat intelligence available today, both from security tool vendors and other outside sources. Being able to understand and operationalize this intelligence is key to staying current with modern threats.
Advanced Controls — To understand if you have the right security technologies and controls in place to reduce risk, you must:
- Evaluate the entire security technology stack
- Understand how configurations compare to industry best practices
- Test, evaluate and rationalize infrastructure, so you have the right tools in place with the right configurations
Implementing the right controls often costs nothing (future-proofing passwords, for example) and is a much better investment of time and effort than any pursuit of the latest “shiny technology objects” or compliance initiatives.
Too Many Tools, Too Few People
Many organizations today are attempting to fend off sophisticated threat actors with operations that were designed for a previous era, when there were plenty of people to hire and breaches were more of a nuisance than a career-limiting event. Security strategies for this previous era were based on an “outside-in” approach, where external threats and regulations dictated security tool procurement, operations and spend. This is the approach that has led to today’s “too many tools, too few people” operational quagmire.
By modernizing operations, you can transition to an “inside-out” approach to security, where your own business requirements and enterprise risk model dictate security strategy, operations and spend. Using this model, you can effectively combat today’s advanced threats, regardless of how bad the cybersecurity skills shortage gets or how sophisticated attackers become.
And, as an added bonus, measuring the effectiveness of your security program and communicating wins, efficacy and actualization of spend for executives and board members becomes not only possible, but practical — giving security teams a long-awaited seat at the business table.
About Mark Maxey
Mark Maxey is VP, Next Gen Security Operations, Optiv. He is a security practitioner with nearly two decades of deep expertise spanning multiple disciplines, including adversary emulation, threat intelligence, cyber operations and analytics.