Some time ago, I met with an organization that had asked to speak with me because of my experience in the security operations realm. After a few minutes, it became apparent that the organization had many of the same challenges I often see in organizations that have immature security operations functions.
These challenges include, but are not limited to, incomplete logging, lack of visibility into network traffic and endpoints, no communicated leadership vision, no formal process, alert fatigue, low signal-to-noise-ratio, no unified work queue of events, incomplete staffing, inadequate training, and other challenges. That didn’t surprise me in the least, as these are common challenges. What did surprise me was the direction in which the organization wanted to take the conversation.
The organization began asking me about machine learning and other sophisticated data mining techniques, insisting “we already have data, but we need to know what to do with that data”. Long term, yes, absolutely — “digging” or “hunting” (through a variety of techniques, whether manual or automated) is an important part of a mature security operations function. But lacking a mature security operations function, does it make sense to jump ahead to machine learning without first visiting the foundational components of security operations? I don’t think so, and I’ll explain why.
I’ve noticed over the course of my career that people sometimes want to boil the ocean. In other words, rather than proceed step by step through the process of building and maturing a security operations function, they want to move immediately into very advanced topics. This is more than just impractical and nearly impossible — it can actually harm an organization by impeding the necessary step-by-step progression that ultimately leads to a mature security operations function.
In my experience, there is a hierarchy of needs — almost like Maslow’s hierarchy of needs, but for security operations. Before looking to address higher order needs, foundational needs need to be met. That hierarchy looks something like this:
Awareness: The first step to a mature security operations function is the understanding that you need one. You would probably be surprised at the number of organizations I’ve met with that think they have a mature security program but have never heard of the concept of security operations. It’s shocking.
Vision: Leadership vision and the communication of that vision are an essential foundation for a successful security operations function. A mature security operations function cannot be reached without a strategic direction.
Process: A formal incident response process from the strategic level down to the tactical level is critical. This instructs and informs the security team, and serves to show executives, partners, customers, and other stakeholders that the organization takes a formal approach to security.
Instrumentation: Proper network and endpoint instrumentation provides us the data and visibility we need to understand what’s going on within our organization. It’s important to include newer endpoints such as smartphones, tablets, and thin clients as well, as they present big visibility challenges to most modern organizations.
Content: Content development (the process by which a reliable, high fidelity work queue with a high signal-to-noise ratio is created) allows us to leverage our network and endpoint data to produce reliable, high fidelity, actionable alerting.
Unified Work Queue: Sending our actionable alerts to a unified work queue allows us to focus our security operations resources and provide an orderly workflow in an often-chaotic environment.
Staffing: Talented people are needed alongside process and technology to make a successful security operations program.
Training: The team needs to be trained not only on the technology, but also the process, as well as the strategic vision and philosophy of the organization.
Operations: Smooth operations require adequate staffing, good communication, proper shift handover, and a large amount of coordination.
Intelligence: The knowledge of 100 organizations will always be greater than the knowledge of just one. As such, integrating actionable intelligence is an important need that arises when the organization has almost reached maturity.
Information Sharing: Organizations with mature security operations functions will often share intelligence, techniques, and process with one another. Achieving this level is a tremendous accomplishment and usually comes after a significant amount of time has been invested in maturing the security operations function.
This hierarchy is high level and only scratches the surface, but you can see that a mature security operations function doesn’t build itself. It’s important to note the interdependence of each of the steps, and how each step can only efficiently be realized after the preceding step has been completed. Each of these steps is its own complex undertaking, and I’ve written in additional depth on many of these topics in the past.
If an organization works its way up the hierarchy of needs, I would argue that at that point, the incorporation of sophisticated data mining techniques would be warranted as a next step in maturity. Before that point though, I’m not sure it is productive to discuss or pursue that angle.
Data mining will produce results that need to be investigated further, which requires a strong foundation and a complete hierarchy of needs. Before the security operations function is mature, it’s not clear to me that the organization would know how to make sense of the output from data mining techniques. Put another way, investing resources in data mining before the security operations function is mature puts the organization at great risk. Why? Because there are many risks and priorities that take precedence and require more immediate attention that will remain unaddressed. Instead, I recommend a step-by-step progression through the hierarchy of needs to mature the security operations function before moving on to more advanced topics.
Boiling the ocean has never done anyone any good in my experience. First things first.
