Back in 2015 I wrote an article, right here in SecurityWeek, about process parity. It was a riff on the old adage “garbage in, garbage out”. It seems that the article from nearly 5 years ago continues to age well, but rather than be excited about that, I’m a little disappointed. Allow me to explain.
If you know me, or have worked with me at all, you’ll know I’m a process nerd. I get it, that’s not necessarily ‘cool’ in cyber security, but it’s what my brain gravitates to. Remember that slide that everyone had at one point in their presentations (guilty…) that said “People, Process, Technology”? I still have it, if only to remind people that we’re still not getting process right.
Technology has advanced tremendously. Nobody is going to dispute that. But we’ve now got entire market segments that are tools built to – wait for it – integrate and operationalize other tools. I feel like that’s a failure somewhere along the line if you’ve designed tech that doesn’t work well with other tech. Maybe it’s just me.
People still don’t scale, and now we’re short on talent to hire. Listen, even if you could hire an infinite number of security professionals, they don’t solve the problem we actually have. The problem we are increasingly seeing in cyber security is the space between systems. If you’ve got 10 different screens where alerts are being generated and screaming at you – there isn’t a meaningful way to make sense of those screens without integrated technology. Humans simply can’t do the job, and process optimization is literally the only way you’ll find the real baddie in all that noise.
So now we’re back to process. Process, or in some cases its cousin “integration”, is a necessary thing you can’t survive without. In a world where data is measured in PETAbytes, you have zero hope of finding the needle in a stack of hay 10 miles high.
So it’s mid-2020, and we’re still talking about process parity where the expectations of output and the reality of input are wildly mismatched. Let’s talk through a specific example or two…
In a recent conversation with a new customer’s security team we started talking security requirements. The customer’s team indicated they were dissatisfied with their technology, because “it wasn’t producing results”. My ears always perk up when someone blames the tech for lack of results, so off we went. The reality was some consultant told them to “log everything” and then feed it into a SIEM and that SIEM would find all the badness. So the tech wasn’t doing its job, or so the customer believed, and they were looking for alternatives.
Well, my first questions were around what they were logging, how often it was reviewed, and how well their logging was optimized for the “things they were trying to find”. As you can imagine I received a bunch of blank stares, even over a Teams meeting. It’s crazy to me how many people still see their SIEM as some magic box that takes lead and turns it into gold. That’s not how any of this works.
So after the discussion of log input into their system, I started asking questions on data enrichment, triage process, workflow, and automated response. More blank stares. I could see that technology likely wasn’t the problem here.
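To make the point concrete, here is an added example that is not from the article or its author: a small Python script that contrasts the “log everything” view (raw event volume per host, which answers no question) with a detection written for one specific question, followed by the enrichment and triage steps the customer had no answer for. The SSH log lines, the asset criticality table and the list of known admin sources are all constructed sample data, and the function names (`parse`, `detect_bruteforce_success`, `enrich_and_triage`, `run`) are hypothetical.

```python
"""Added example (not from the article): raw log volume versus a purpose-built
detection with enrichment and triage. All data below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a syslog-like shape (not real traffic).
SAMPLE_LOG = """\
2020-06-01T10:00:01Z web01 sshd: Failed password for admin from 203.0.113.7
2020-06-01T10:00:02Z web01 sshd: Failed password for admin from 203.0.113.7
2020-06-01T10:00:03Z web01 sshd: Failed password for admin from 203.0.113.7
2020-06-01T10:00:04Z web01 sshd: Failed password for admin from 203.0.113.7
2020-06-01T10:00:05Z web01 sshd: Failed password for admin from 203.0.113.7
2020-06-01T10:00:09Z web01 sshd: Accepted password for admin from 203.0.113.7
2020-06-01T10:05:00Z db01 sshd: Accepted publickey for dba from 10.0.0.5
2020-06-01T10:06:00Z db01 sshd: Failed password for root from 198.51.100.9
2020-06-01T10:07:00Z db01 sshd: Failed password for root from 198.51.100.9
2020-06-01T10:30:00Z jump01 sshd: Accepted password for ops from 10.0.0.9
"""

# Constructed enrichment data: the context a SIEM does not have by itself.
ASSET_CRITICALITY = {"web01": "medium", "db01": "high", "jump01": "high"}
KNOWN_ADMIN_SOURCES = {"10.0.0.5", "10.0.0.9"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) "
    r"(?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(log_text):
    """Turn raw lines into structured events; lines we don't understand are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def count_everything(events):
    """The 'log everything' view: event volume per host, with no question asked."""
    counts = defaultdict(int)
    for ev in events:
        counts[ev["host"]] += 1
    return dict(counts)


def detect_bruteforce_success(events, threshold=5, window=timedelta(minutes=2)):
    """Detection tuned to one question: did a burst of failed logins for a
    (host, user, source) triple precede a success from that same source?"""
    failures = defaultdict(list)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["user"], ev["src"])
        if ev["outcome"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "src": ev["src"], "failures": len(recent),
                             "at": ev["ts"]})
    return findings


def enrich_and_triage(findings):
    """Attach asset and source context, then assign a priority an analyst can act on."""
    for f in findings:
        f["criticality"] = ASSET_CRITICALITY.get(f["host"], "unknown")
        f["known_source"] = f["src"] in KNOWN_ADMIN_SOURCES
        score = {"high": 3, "medium": 2, "low": 1}.get(f["criticality"], 2)
        if not f["known_source"]:
            score += 2  # unfamiliar source raises the priority
        f["priority"] = "P1" if score >= 4 else "P2"
    return sorted(findings, key=lambda f: f["priority"])


def run(log_text=SAMPLE_LOG):
    """Both views side by side: raw volume, and triaged findings."""
    events = parse(log_text)
    return {"volume": count_everything(events),
            "triaged": enrich_and_triage(detect_bruteforce_success(events))}


if __name__ == "__main__":
    result = run()
    print("volume per host:", result["volume"])
    for f in result["triaged"]:
        print(f"{f['priority']} {f['host']} user={f['user']} src={f['src']} "
              f"failures={f['failures']} criticality={f['criticality']}")
```

The volume view tells you that `web01` produced the most lines, which is not a finding. The detection answers a question someone actually asked, the enrichment adds the criticality and known-source context the log line never contained, and the triage step turns the result into a prioritized item that can enter a workflow. Every one of those stages is process, not a product feature.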
Another example deals with vulnerability scanning and management. To summarize that one, it’s not productive to scan repeatedly and wave your arms when the post-scan process involves spreadsheets, email, and hopes. Process is required, and if you want results it’s strong, refined, and optimized process that’s required.
So security is still suffering from an elephant in the doggy door. We’re shoving ugly things into systems and expecting magic out the other side. We’re expecting that data turns into automated action with no human interaction – that’s just not realistic. I’ve said it before, I have seen the movie of how that world looks, and I don’t like how it ends.
Let’s get real, we need process optimization, more so today than when I wrote that article back in 2015. I think we continue to be sold magic boxes (albeit now they’re virtual) and snake oil that’s going to solve our people problem. We’re told we don’t need to focus on process if we only buy this latest widget. I promise you, if you’re not allocating time to develop strong operational process – integrations and workflows – you’re never going to solve the problem you’re trying to solve.