An Important Security Lesson Taken from the Printing Press

It’s Time to Bring the Capability to Achieve a Mature Security Posture Through a Robust Security Operations Function to the Masses

The printing press was invented around the year 1440 by Johannes Gutenberg.  Before the printing press, books were produced by hand, and thus were extremely expensive.  After the invention of the printing press, it became possible to mass produce books, thus reducing their cost considerably.  In other words, books were no longer something that only an elite few could afford.  The power of the written word could make its way to the common person as well.

What does this have to do with security?  Let’s dive in to find out.

It has always surprised me that given all we know about the negative consequences of poor security, so few organizations achieve the security maturity that they should.  In my experience, there is no function within security where this is felt more acutely than the security operations and incident response function.  That we find ourselves in this situation may not surprise you.  But why, at least in my view, this is the case might indeed surprise you. 

Based on my own past operational experience, as well as my continuous interaction with those in operational positions today, I don’t think that lack of awareness is the main issue.  Granted, there will always be people and organizations who just cannot understand the need to mitigate risk by strategically leveraging a variety of different approaches, among them security operations and incident response.  While I do encounter this situation in some cases, I most often encounter a different situation entirely.

There are many people and organizations that understand the need to perform security operations and incident response perfectly well.  They know that they need visibility across their enterprise and cloud environments.  They know that they need to prioritize risks and threats.  They know that they need to write incisive, targeted, high fidelity alerting to identify behaviors matching the very risks and threats they are concerned about.  They know they need to manage, prioritize, and enrich their work queue with the right context at the right time.  They know that they ultimately need to make educated, informed decisions about what type of action may or may not be required in a given instance.  They know that they need response capabilities across their enterprise and cloud environments.

If they know all this, you ask, why don’t they take action where action is required?  Unfortunately, the answer is quite simple.  Money.  Although many organizations with fewer than 10,000 employees face many of the same risks and threats that larger organizations face, they seldom have anywhere near the budget to address those risks and threats.  But why does budget alone present such an obstacle to maturing an organization’s security posture?  Let’s look a bit deeper. 

To better understand why budget can be such a challenge, let’s take a look at even a partial list (in no particular order) of what is required to build a mature security operations and incident response function above and beyond just meeting compliance requirements:

● Processes and procedures

● Trained people

● Intelligence

● Visibility on the network

● Visibility on a wide variety of endpoints

● Visibility in the cloud

● Application level visibility

● Security Information and Event Management (SIEM)

● Case management (ticketing)

● High fidelity, low noise alerting

● Supporting evidence/data to enrich alerting

● Investigative and forensics capabilities

● Analytics

● Metrics

● Reporting

● Response capability 

I could go on and on here, but this list isn’t meant to be complete by any means.  Rather, it is meant to illustrate two main points:

● A mature security posture with a robust security operations and incident response function requires both a diverse ecosystem of people, process, and technology, as well as an understanding of how to use that ecosystem properly.

● A mature security posture with a robust security operations and incident response function takes a considerable investment in both time and money that most organizations simply cannot afford. 

Given this, it should come as no surprise that a mature security posture has eluded all but the most elite organizations.  Well, if you ask me, enough is enough.  It’s time that security operations went the way of the printing press.  It’s time to bring the capability to achieve a mature security posture through a robust security operations function to the masses.

What the overwhelming majority of non-elite organizations need is a totally different type of thinking and a totally different type of solution from their security vendors.  The cloud, with its cost advantages, opens up entirely new possibilities here.  Imagine an end-to-end platform enumerating the capabilities listed above — “security operations in a box”, if you will.  All of these capabilities need to be delivered through the low cost mediums of cloud and software virtual images.  But that in and of itself is not enough.  Any worthwhile solution also needs to be attainable for a reasonable monthly fee, with no large upfront equipment costs.

To some readers actively looking for better options, this type of solution may sound like it can only exist in the distant future.  To those readers, I would say that we are not as far away from the security operations version of the printing press as you might think.  The cost of being security operations literate may come down faster than you might expect.  It’s about time.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
