Creating a High Performance Security Operation

Now is the time to start a journey of security transformation that adapts to changing threats and opportunities, to create a high performing security operation.

Organizations are faced with daunting and very real cyber threats as attackers using sophisticated methods are becoming increasingly commonplace. Not only have the existing defensive security methods, standards and technologies failed to keep pace with the tactics used by the “bad guys,” but security operations often lack the communications and behavior-management skills to influence security attitudes across the extended community of networked staff, customers and suppliers.

As many as two million new malware programs appeared last year, a number that is likely to increase exponentially this year, yet available remediation tools have been shown to have decreasing effectiveness against the onslaught of increasingly sophisticated attacks. Combine this situation with the poor coordination that seems to prevail among security architects, security operations staff and incident response teams, and it is no surprise that coordinated groups of attackers are capable of compromising virtually any target. The offense has put the defense squarely on its heels.

To address the threats, enterprises need to shift the focus of their security operations from a small group of individuals with a set of tactical objectives, to a virtual organization that provides strategic value and has the ability to improve outcomes for the organization, its customers and employees.

There are three primary characteristics that will influence this transformation. The first is using smarter resourcing models that can apply specialized skills, processes and technologies to the problems of security incidents and a complex enterprise infrastructure. The second is extracting greater value from existing investments and selectively using new technology affordably. Finally, the third is making sense of internal and external data and intelligence to learn and act where it matters most.

As a means to this end, organizations should develop a maturity model that will allow them to plot their progress across different factors – including such elements as security policy, tracking and responding to incidents, security monitoring, malware detection & remediation, and intrusion detection – in order to reach an understanding of where they are, where they want to be, and how their capabilities can be transformed to help achieve these goals.

While the particular strategic goals may vary from one organization to another, these essentials remain the same:

1. See More. Advanced analytics enable security professionals to see what’s coming over the horizon and optimize courses of action to respond most effectively. As cyber attacks grow more sophisticated and are initiated by ever more motivated adversaries, the pressure mounts on organizations to recognize and respond to attacks on the first day of release – not after the damage is done. Analytics-driven security that uses the science of statistics, data mining and other techniques can help enterprises decipher patterns and behaviors that can deter attackers before they cause irreversible harm. Analytics-based models look beyond standardized rules that ignore the uniqueness or mutability of events, and can be used to integrate vast amounts of information and project future states. Security operations that leverage analytics can deliver enriched and actionable intelligence to decrease errors and improve decision-making; integrated and abstracted information to drive decisions that support both pre and post-incident actions; and privacy-enhancing mechanisms to limit the collection and retention of personally identifiable information.

2. Do More. A security operation can respond more rapidly by integrating process automation with human workflows. Automation, when smartly applied, can help reduce manpower needs. Yet it remains one of the principal holdouts in the security discipline, a vestige, perhaps, of the security professional’s innate sense that automated responses do more harm than good. While an attack that causes damage would need human intervention to determine collateral damage and limit loss, automation can support steps along the way with technologies that reduce the number of errors made by humans sifting through hundreds, if not thousands, of events per hour. Automation can be a critical factor in maintaining operational stability amid new threats that are becoming more frequent and sophisticated, rapid technological change, and ad hoc requests for changes and reconfigurations. Furthermore, it can reduce both the number of steps in the workflow of a response and the “noise” of unimportant events presented to operators, in addition to aligning the different stakeholders in the decision-making process in terms of budget, acquisition, policy, operations and compliance.

3. Surge to Meet Demand. Immediate access to virtual assets provides a security operation with the computing resources, processes and personnel required to allow it to rapidly surge to meet an imminent threat and then shrink back to steady-state levels once the crisis has passed. With virtualization, organizations are not limited to staff available only in their immediate area; meanwhile sourcing of infrastructure and applications on demand offers multiple potential benefits both in terms of cost reduction and the ability to leverage highly skilled resources on a pay-as-you-go model. This elasticity can be applied to hardware, bandwidth requirements and security software. Through virtualization, an organization can rapidly pull together a virtual “cyber range” with in-house security personnel collaborating with a university on reverse-engineering malicious software, simulate a cyber attack, or share critical intelligence with appropriate government agencies.
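The first two essentials above, analytics that look beyond one-size-fits-all rules and automation that strips noise from what operators see, can be made concrete in a few lines. The following Python sketch is an added illustration and is not code from the column or from Accenture: it triages constructed hourly failed-login counts for two hosts, first with a static threshold rule and then with a per-host statistical baseline (mean plus k standard deviations of that host's own history), collapses repeated identical alerts inside a time window so an operator sees each once, and keys user identifiers through an HMAC so stored alerts carry a stable pseudonym rather than the raw name. All host names, counts, the `STATIC_THRESHOLD` value and the `PSEUDONYM_KEY` are assumptions made for the example.

```python
"""Static rule vs. per-host baseline, alert de-noising, and pseudonymous retention.

Added example; all data below is constructed, not real telemetry.
"""
import hashlib
import hmac
import statistics
from dataclasses import dataclass

# Constructed history: hourly failed-login counts over the previous 12 hours.
# "build-srv" is normally noisy (CI jobs retry credentials); "hr-ws" is normally quiet.
HISTORY = {
    "build-srv": [110, 125, 118, 130, 121, 115, 127, 119, 122, 128, 117, 124],
    "hr-ws": [2, 1, 3, 2, 1, 2, 3, 2, 1, 2, 2, 3],
}
# Constructed observations for the current hour.
CURRENT_HOUR = {"build-srv": 126, "hr-ws": 14}

STATIC_THRESHOLD = 100  # assumed one-size-fits-all rule: alert on >100 failures/hour
PSEUDONYM_KEY = b"example-key-rotate-in-production"  # assumed; a real key lives in a KMS


@dataclass(frozen=True)
class Alert:
    host: str
    method: str
    count: int


def static_rule(current=CURRENT_HOUR):
    """Fixed threshold: fires on the noisy host, misses the quiet host's spike."""
    return [Alert(h, "static", c) for h, c in current.items() if c > STATIC_THRESHOLD]


def baseline_rule(history=HISTORY, current=CURRENT_HOUR, k=3.0):
    """Per-host baseline: alert when count exceeds mean + k*stddev of that host's history."""
    alerts = []
    for host, count in current.items():
        hist = history[host]
        mean = statistics.mean(hist)
        sd = statistics.pstdev(hist) or 1.0  # constant history would give zero width
        if count > mean + k * sd:
            alerts.append(Alert(host, "baseline", count))
    return alerts


def suppress_repeats(events, window_minutes=60):
    """Collapse repeated (host, signature) events within a window into one alert
    carrying an occurrence count, so the operator sees the event once, not N times."""
    condensed = []
    open_group = {}  # (host, signature) -> index into condensed
    for minute, host, signature in sorted(events):
        key = (host, signature)
        idx = open_group.get(key)
        if idx is not None and minute - condensed[idx]["first"] < window_minutes:
            condensed[idx]["occurrences"] += 1
        else:
            open_group[key] = len(condensed)
            condensed.append({"host": host, "signature": signature,
                              "first": minute, "occurrences": 1})
    return condensed


def pseudonymize(identifier, key=PSEUDONYM_KEY):
    """Keyed hash of an identifier: stable for correlation, not reversible without the key,
    so retained alerts need not store the raw user name."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


if __name__ == "__main__":
    print("static  :", [(a.host, a.count) for a in static_rule()])
    print("baseline:", [(a.host, a.count) for a in baseline_rule()])
    # Constructed raw alert stream: (minute, host, signature)
    raw = [(0, "hr-ws", "brute-force"), (5, "hr-ws", "brute-force"),
           (12, "hr-ws", "brute-force"), (30, "db-01", "port-scan"),
           (90, "hr-ws", "brute-force")]
    for a in suppress_repeats(raw):
        print("alert   :", a)
    print("user    :", pseudonymize("j.doe"))
```

The static rule flags the build server every hour and never notices the workstation, while the baseline flags only the workstation whose count is far outside its own normal range; that difference is the "uniqueness or mutability of events" the column refers to. The suppression step is the kind of narrow, reversible automation that reduces operator load without taking a containment action on its own.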

Organizations that never thought they would be targeted are suddenly finding their intellectual property, key strategies and/or sensitive data at risk, as yesterday’s isolated hackers have been supplanted by coordinated groups. With the stakes higher than ever before, now is the time to get started on a journey of security transformation that adapts to changing threats and opportunities, to create a high performing security operation.

Dr. Alastair MacWillson is the global managing director of Accenture’s global security practice. Prior to joining Accenture in 2002, Dr. MacWillson was the global leader of the technology consulting practice in PricewaterhouseCoopers. Dr. MacWillson has acted as an adviser to a number of governments on technology strategy, critical infrastructure protection, cyber security and counter terrorism, and has sat on related committees for the US and UK governments, the European Commission and the United Nations. Dr. MacWillson has a B.Sc. in Physics, postgraduate diplomas in Computer Science and Digital Imaging, a Ph.D. in Theoretical Physics, and a D.Phil. in Cryptographic Integrity.