
Taking Mature Security Operations to the Masses

All Organizations Deserve a Mature Security Operations Function

In one of my recent SecurityWeek columns, I discussed how the days of mature security operations being restricted to an elite few organizations are over, or at least they should be.  I also noted that the time had come to bring security to the masses, including even those organizations without large enterprise-sized budgets.  But how exactly can that be accomplished?  In this piece, I would like to explore that question further.

Let’s take a look at the essential functions required to bring a mature security operations and incident response capability to the masses via a unified security operations platform.  You’ll notice that I used the word “functions”, rather than “technologies”, “products”, or something analogous.  In the era of the cloud, the game is more about delivering functionality and less about delivering specific point products.  Buyers, rightfully so, are looking for strategic solutions to real operational problems, rather than more tactical point products.

Centralized investigative platform: At the core of any security organization is its workflow.  Its efficiency and effectiveness are directly correlated with the quality of alerting, the prioritization of the work queue, the speed of investigation, the accuracy of analysis, the timeliness of response, and the seamlessness of case management.

Intelligence: Properly assessing and prioritizing risk is fundamental to security.  And fundamental to properly assessing and prioritizing risk is understanding the threat landscape.  But just knowing the threat isn’t enough.  Organizations need to be able to take intelligence about threats and vulnerabilities and easily apply it directly to the operational environment.

Visibility, prevention, detection, and response: Prevention, whether on the endpoint or the network, is always preferred, but only sometimes realistic.  Detection and response across the endpoint and network work alongside and augment prevention to help us round out our risk mitigation approach.  It is also worth mentioning the importance of visibility.  If you can’t see it, you can’t detect it.

Malicious code analysis: While not all intrusions involve malicious code, many do.  As such, the ability to understand the malware being used against an organization and feed that knowledge back into the overall security operations function is extremely important.

Log collection and event correlation: Any organization’s security ecosystem is going to be complex.  Any realistic security operations platform needs to support collection, investigation, analysis, and correlation across a wide variety of data sources.

Orchestration and automation: I don’t know too many organizations that tell me they have too many people and not enough work.  If a security operations platform does not provide the ability to automate repetitive, time-consuming tasks that are prone to human error, it will not facilitate bringing security to the masses.

Email threat prevention: Why do attackers leverage email so prevalently as an attack vector?  Because it works.  Until that simple fact changes, organizations need integrated email threat prevention as part of any viable security solution.

Analytics: Sometimes I think that analytics is the most overused and misunderstood buzzword around.  Analytics is more than just machine learning, User and Entity Behavior Analytics (UEBA), or other specific types of approaches.  Analytics is about understanding and modeling attacker behavior, and subsequently leveraging a wide variety of analytical techniques and approaches to identify that behavior.  That is the only way in which the masses can apply and benefit from analytics.

Metrics and reporting: No one loves metrics and reporting, but they are critical to compliance requirements, as well as to communicating the value of a security organization.  No security organization wants metrics and reporting to be the greatest challenge they need to overcome on a given day.

Cloud: Lots of people are talking about cloud these days, but only some of them are thinking about cloud as an opportunity, rather than a liability, for security.  As infrastructure moves to the cloud, it’s important to think about moving security infrastructure there as well, both for cost reasons and to provide visibility into cloud environments.  We simply cannot assume that we will regain lost visibility any other way.

At first glance, this security operations platform idea may sound like an overly complex undertaking with lots of expensive moving parts.  But, in reality, it is difficult to reach security maturity without each of these components integrated and working together in support of a robust security operations function.

Of course, for all but the largest of organizations, it is difficult to acquire even some of these capabilities a la carte, let alone leverage them appropriately as part of a holistic risk-based approach to security.  This leads those organizations to look to Security-as-a-Service providers to help them get to where they need to be.  There is wide variation among the different SECaaS providers, and organizations should most definitely push any potential vendors hard on the above points.

In the end, a winning SECaaS will provide the above capabilities in a manner that is:

Affordable: First and foremost, any serious SECaaS provider should bring its customers an end-to-end security operations capability at a price point that suits the midsize and small enterprise market.  Otherwise, they are not really helping to bring security to the masses.

Easy to implement: If it takes 6-12 months and lots of custom work to implement a SECaaS provider’s solution, they’re doing it wrong.  That’s certainly not going to help the masses very much.

Programmatic: The right platform is necessary for a successful security operations function, but it is not the security operations function itself.  That can only come from the right mix of people, process, and technology.  If an organization is not able to leverage the SECaaS platform to run security operations themselves, they should look to a trusted partner to run it for them.  And by this I don’t mean simply checking all the right boxes and producing pretty reports each week -- I mean really understanding the organization, its risk prioritization strategy, and working tirelessly to identify any suspicious or malicious activity putting the organization at risk.

I am not an elitist.  I believe that all organizations deserve a mature security operations function.  The security operations platform and Security-as-a-Service approaches offer tremendous potential to the vast majority of organizations.  As with any buying decision of course, organizations should push their vendors to ensure that they truly understand the actual capabilities of any proposed solution.  Only then will a mature security posture truly come to the masses.

Joshua Goldfarb (Twitter: @ananalytical) is CTO – Emerging Technologies at FireEye and has over a decade of experience building, operating, and running Security Operations Centers (SOCs). Before joining nPulse Technologies, which was acquired by FireEye, as its Chief Security Officer (CSO), he worked as an independent consultant, where he consulted for and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Goldfarb served as the Chief of Analysis for US-CERT, where he built from the ground up and subsequently ran the network, physical media, and malware analysis/forensics capabilities. Goldfarb holds both a B.A. in Physics and an M.Eng. in Operations Research and Information Engineering from Cornell University.