The structure of today’s enterprise organization security operations must evolve to compete with the growing threat landscape and sophistication of adversaries.
Most modern enterprises have invested heavily in technology and people focused on reacting to the array of daily attempts by various actors to breach an organization’s perimeter. The vast majority of security operations centers are built around technologies dependent upon known indicators. These technologies focus on consuming and correlating various data sources against these indicators to raise attention to the staff manning these centers. It has become a highly consumer-driven operation in which operators react to the attention of security focused systems with a specific or defined course of action. This environment leads to a mode of operation based on a high degree of reaction leaving proactive actions to the various vendors whose technologies support the enterprise’s security posture.
One way for organizations to begin this evolution is to start investing in security operations staff focused more on proactively gaining intelligence of threats, behaviors and risk that are not prone to being detected by traditional means, or could be detected ahead of the threat identified by these traditional means. This evolution requires organizations to begin properly staffing threat intelligence analysts. Many forward-leaning organizations, specifically in the financial and government sectors have already begun integrating this function and role into their organizations, but far too many have not evolved.
Incorporating such personnel allows an organization to become much more proactive in assessing its risk. This involves looking beyond the perimeter to changes in Internet infrastructure, performing constant assessment of perimeter security controls as represented outside of the organization and identifying potential risks that third party vendors, suppliers and partners may introduce. This requires not being solely reliant on technology aggregating results but rather actively hunting for threats to an organization’s peers, changes in Internet exposed topology and resources and communications that may be telling of a compromise or loss of data.
These analysts augment the current security operations center by creating intelligence-based findings that expose valuable context to seemingly benign transactions from within their organization as well as outside the perimeter. They become responsible for tracking threats impacting other organizations and peers and proactively provide information back into the security operations center to take countermeasures ahead of the threat, should the threat or actors turn their focus to the organization.
Instead of waiting for a system to raise a red flag for attention, these individuals are actively pursing potential avenues of compromise and making the overall security operations center better prepared. It’s not simply ingesting a threat intelligence feed from a specific vendor, but the concept of taking in and understanding as many sources possible (open and proprietary) to stay ahead of this ever-evolving threat landscape.
Call to Action for Security Operations Teams
• Invest in people, technology, and policy towards more proactive methods of identifying and understanding threat behavior and countering threats
• Build a cyber threat intelligence function into the organizations security operations roles
• Enable analysts to gather intelligence and hunt for clues that exist outside or beyond the enterprise perimeter leading to detecting threats ahead of traditional means
• Consider the entire cyber ecosystem to include threats that may be leveraging third-party networks (vendor, supplier, and partners)
• Establish security countermeasures as an integral part of the organization’s security operations and active defense