
Taking Mature Security Operations to the Masses

All Organizations Deserve a Mature Security Operations Function


In one of my recent SecurityWeek columns, I discussed how the days of mature security operations being restricted to an elite few organizations are over, or at least they should be. I also noted that the time had come to bring security to the masses, including even those organizations without large enterprise-sized budgets. But how exactly can that be accomplished? In this piece, I would like to explore that question further.

Let’s take a look at the essential functions required to bring a mature security operations and incident response capability to the masses via a unified security operations platform.  You’ll notice that I used the word “functions”, rather than “technologies”, “products”, or something analogous.  In the era of the cloud, the game is more about delivering functionality and less about delivering specific point products.  Buyers, rightfully so, are looking for strategic solutions to real operational problems, rather than more tactical point products.

Centralized investigative platform: At the core of any security organization is its workflow. Its efficiency and effectiveness are directly correlated with the quality of alerting, the prioritization of the work queue, the speed of investigation, the accuracy of analysis, the timeliness of response, and the seamlessness of case management.

Intelligence: Properly assessing and prioritizing risk is fundamental to security.  And fundamental to properly assessing and prioritizing risk is understanding the threat landscape.  But just knowing the threat isn’t enough.  Organizations need to be able to take intelligence about threats and vulnerabilities and easily apply it directly to the operational environment.

Visibility, prevention, detection, and response: Prevention, whether on the endpoint or the network, is always preferred, but only sometimes realistic.  Detection and response across the endpoint and network work alongside and augment prevention to help us round out our risk mitigation approach.  It is also worth mentioning the importance of visibility.  If you can’t see it, you can’t detect it.

Malicious code analysis: While not all intrusions involve malicious code, many do. As such, the ability to understand the malware being used against an organization and feed that knowledge back into the overall security operations function is extremely important.

Log collection and event correlation: Any security organization’s security ecosystem is going to be complex.  Any realistic security operations platform needs to support collection, investigation, analysis, and correlation across a wide variety of data sources.

Orchestration and automation: I don’t know too many organizations that tell me they have too many people and not enough work. If a security operations platform does not provide the ability to automate repetitive, time-consuming tasks that are prone to human error, it will not facilitate bringing security to the masses.

Email threat prevention: Why do attackers leverage email so prevalently as an attack vector? Because it works. Until that simple fact changes, organizations need integrated email threat prevention as part of any viable security solution.

Analytics: Sometimes I think that analytics is the most overused and misunderstood buzzword around.  Analytics is more than just machine learning, User and Entity Behavior Analytics (UEBA), or other specific types of approaches.  Analytics is about understanding and modeling attacker behavior, and subsequently leveraging a wide variety of analytical techniques and approaches to identify that behavior.  That is the only way in which the masses can apply and benefit from analytics.

Metrics and reporting: No one loves metrics and reporting, but they are critical to compliance requirements, as well as to communicating the value of a security organization.  No security organization wants metrics and reporting to be the greatest challenge they need to overcome on a given day.

Cloud: Lots of people are talking about cloud these days, but only some of them are thinking about cloud as an opportunity, rather than a liability, for security. As infrastructure moves to the cloud, it’s important to think about moving security infrastructure there as well, both for cost reasons and to provide visibility into cloud environments. We simply cannot assume that we will regain lost visibility any other way.

At first glance, this security operations platform idea may sound like an overly complex undertaking with lots of expensive moving parts.  But, in reality, it is difficult to reach security maturity without each of these components integrated and working together in support of a robust security operations function.

Of course, for all but the largest of organizations, it is difficult to acquire even some of these capabilities à la carte, let alone leverage them appropriately as part of a holistic risk-based approach to security. This leads those organizations to look to Security-as-a-Service (SECaaS) providers to help them get to where they need to be. There is wide variation among the different SECaaS providers, and organizations should most definitely push any potential vendors hard on the above points.

In the end, a winning SECaaS will provide the above capabilities in a manner that is:

Affordable: First and foremost, any serious SECaaS provider should bring its customers an end-to-end security operations capability at a price point that suits the midsize and small enterprise market.  Otherwise, they are not really helping to bring security to the masses.

Easy to implement: If it takes 6-12 months and lots of custom work to implement a SECaaS provider’s solution, they’re doing it wrong.  That’s certainly not going to help the masses very much.

Programmatic: The right platform is necessary for a successful security operations function, but it is not the security operations function itself.  That can only come from the right mix of people, process, and technology.  If an organization is not able to leverage the SECaaS platform to run security operations themselves, they should look to a trusted partner to run it for them.  And by this I don’t mean simply checking all the right boxes and producing pretty reports each week — I mean really understanding the organization, its risk prioritization strategy, and working tirelessly to identify any suspicious or malicious activity putting the organization at risk.

I am not an elitist. I believe that all organizations deserve a mature security operations function. The security operations platform and Security-as-a-Service approaches offer tremendous potential to the vast majority of organizations. As with any buying decision, of course, organizations should push their vendors to ensure that they truly understand the actual capabilities of any proposed solution. Only then will a mature security posture truly come to the masses.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
