Security Operations Centers (SOC) provide businesses with the ability to see what’s going on in order to respond accordingly. SOC teams rely on the ability to learn skills and processes on-the-fly to meet expectations from stakeholders across the business and combat an ever-evolving persistent cyber threat. One of the critical contributors to any SOC’s success is skill availability. While technical experts and vendors have done great work building cybersecurity solutions, a SOC is nothing without the right people.
The majority of SOCs today struggle to justify their value to the business. Cybersecurity represents a vague and fairly intangible field of work that cannot be quantified through profit margins, and in the absence of a compromise or breach, businesses are prone to undervaluing a SOC’s criticality. This business reality, coupled with the inherent challenge of safeguarding a business’s physical and logical assets, makes running a SOC an incredibly daunting task. So it should come as no surprise that the most challenging and critical roles for a SOC to staff are its leaders.
SOC leadership (director, manager, shift leads, senior analysts, etc.) must be able to understand the larger cybersecurity picture, translate security into the language of the business, and hold some degree of deep technical knowledge matured over a long cybersecurity career. The wrong leadership in a SOC can lead to over-promising and under-delivering, which effectively defeats a SOC from within, especially if it has yet to develop a track record of success. Throughout my career, I have witnessed SOC leadership either succeed or fail based on how they navigate three very common pitfalls found within a SOC.
Here are the three most common pitfalls SOC leaders should avoid:
1. Negative Reinforcement
The SOC leadership team has a responsibility to ensure they are providing the appropriate level of training and mentoring to the younger and less experienced security analysts. They must be sensitive and actively aware of when they reward, discipline, or punish any individual on the team. For a SOC that is ever-evolving, discipline and punishment tend to reduce the free thinking that successful SOCs depend on. Disciplining or punishing a security analyst who took liberties with data to improve their work efficiency could decrease the likelihood that they will innovate or improve upon operational processes in the future, even if what they did represents a positive step forward in operational maturity. It is imperative that a SOC’s leadership team be cognizant of how they apply positive and negative reinforcement, so as not to steer an individual away from innovating on security tools and processes that may result in better operational practices. Instead, they should explore methods that provide constructive reinforcement and help analysts learn how to make better decisions.
2. Muddled Communication
A very simple and quick win for any SOC leader is to apply simple communication practices to their daily activities. For instance, if a leader is making a decision on behalf of a security analyst, then it is very important that the leader communicates their intent and thought process to the security analyst. Little things like data normalization and timestamp assumptions can make a world of difference. Maintaining a transparent level of communication with your team will help them understand their role in the larger picture and enable them to better position themselves for success. Time is extremely valuable in a SOC, and less abstraction from the data is critical to understanding the intricacies of complex systems and improving response times.
3. Unrealistic Expectations
The phrase “real-time detection” has become commonplace marketing lingo for cybersecurity tools, but it has also created a new paradigm that puts the quality and accuracy of analysis at risk. While systems and tools may provide real-time detection and analysis over data, human interpretation operates at a slower speed. Most SOC leaders today believe that if an analyst receives an alert and is presented with some degree of data, they will then be able to make a rapid decision on whether or not a breach has occurred, and to what extent. This places immense pressure on the SOC team, and the mandate for a quick and final decision is not grounded in the needs of the situation at hand but rather in the unrealistic expectation placed on the team. It is logically unreasonable to expect to detect and ascertain all of the pertinent details of a potential compromise in any manner that resembles real-time or near real-time. Even if a security analyst is able to determine that malware has been installed and C2 communication is present, they still don’t know how the attacker got in, what other machines they are interacting with, the nature of the attacker (structured or unstructured), or if the attack is ongoing. The average statistics on real-world cyber attacks illustrate that attackers will often persist within a network for up to a year before executing the attack. As a SOC leader, it is critical that you consider the sheer volume of planning and preparation that the attacker is bringing to the table, and that you respond calmly and ensure analysis quality, efficiency, and consistency across the team.
In today’s hyper-connected digital world, information technology reigns absolute. A long-standing and critical strategy for businesses is to safeguard their intellectual property, financial information, and reputation. Yet in just about every vertical market, large scale cybersecurity breaches continue to mount, security spending is down, and data trends point to an alarming increase and acceleration in enterprise breaches over the next few years. Simply put, businesses are struggling to find the right cybersecurity approach in today’s hyper-connected digital world.
Most businesses look at cybersecurity as an IT challenge for IT to solve, but it is more than just an IT challenge; it is a business imperative for continuous adaptation to their cybersecurity reality. State-sponsored and determined threat adversaries, cheaper and more accessible resources, and new innovative technologies represent a set of constants for businesses, each containing dynamic variables that increase a business’s exposure to cyberattack. To sufficiently protect competitive advantage and shareholder value, businesses must adapt their approach to cybersecurity to keep pace. Those of us who have been in the game long enough will recognize this as a painful truth. If you look back just six or more years, you’ll find a fundamental change in the approach businesses take today to cybersecurity breaches. Where the focus used to be on preventative strategies, businesses today view cybersecurity breaches as inevitable and instead focus their resources on managing and mitigating the impact of cyberattacks.
Another major change over the years can be seen in the sheer volume of media exposure for cybersecurity. News outlets across the world are standing by and ready to report on the latest and greatest enterprise cybersecurity breach or controversial revelation (evidenced by the latest and already trending NSA leak that was published on the German website Der Spiegel). This heightened attention on cybersecurity has also provided businesses with a powerful marketing strategy to elevate their value propositions by championing their own cybersecurity prowess. As an individual who has been practicing cybersecurity for over a decade now, I would be remiss if I didn’t acknowledge that this attention has also helped drive better cybersecurity practices, regulations, and technologies. But at the end of the day, the reality is that cybersecurity is just not something that gets a lot of executive attention.
This creates a bottom-up approach for cybersecurity teams that are trying to get their business to take cybersecurity seriously. These teams face a minefield of corporate politics that significantly reduces any likelihood of security success. This is compounded for larger enterprises, as cybersecurity teams require stakeholder cooperation and collaboration from across the business in order to be successful, and these stakeholders do not always see eye to eye on the business’s cybersecurity issues and goals. But whether the business is small or large, stakeholder disparity will ultimately stagnate progress and force the cybersecurity prerogative into the background, driving attention back to the more pressing issues found in daily operations, until there is a cybersecurity attack. Then the cybersecurity prerogative returns in force, with emergency responses and an overabundance of resources exclusively dedicated to damage control.
This reactive approach is business reality and it is all too common.
The CIOs and CSO/CISOs of today have the grand responsibility of challenging this reality by underscoring the criticality of safeguarding the data and information systems inside their business. They must communicate that an effective and robust cybersecurity program can better position their business, partners, customers, investors, and other stakeholders for success. CIOs and CSO/CISOs must lead the charge across their business by assigning accountability, assessing the information security risks within their IT environments, defining their digital crown jewels, and devising a strategy that measures both security progress and success. Businesses that take a sustained approach to cybersecurity also take better advantage of the latest innovative technologies in mobile, social media, and cloud, which help a business maintain its competitive edge and drive growth.
At CyberSheath, we specialize in supporting strong security leadership by equipping them with a comprehensive approach that continually links cybersecurity back to the business strategy, ensures security investments are maximized, and elevates the security posture of their business, better positioning them for success.
A trend that I have picked up on in conversations with CIOs, CISOs and other leaders responsible for securing the enterprise is the huge gap between what they need and what many vendors are marketing. Security leaders in the trenches need solutions to optimize and integrate existing tool investments, manage security capabilities in a coordinated way, and a means of engaging in business conversations about the security they deliver. Vendors seem focused on marketing the future and selling more capability into already resource-strapped security teams that can’t even effectively use the tools they already own due to an under-investment in people and process.
Instead of buying more “stuff” to manage, I’d suggest finding a way to measure and manage what you already own. What does that look like?
Focus on the things you have control over, for example, privileged accounts. Instead of academic discussions around data classification (you know that with all the re-organizations and M&A activity you are never going to get there), put your energy into identifying, reducing and then managing your privileged accounts. You own and control your privileged accounts, and they are exploited in 100% of the attacks you are most worried about, so before you buy that next-generation firewall, make sure you’ve taken care of the fundamentals.
Another opportunity to seize today in lieu of investing in the unknown future is vulnerability management. Your effectiveness at vulnerability management has a direct impact on nearly every other part of the security organization you manage. No process for patch management: expect to spend more on incident response. Scanning only a portion of your environment: expect more alerts for your Security Operations Center team to manage. There is a direct correlation between resources consumed in other areas of security and your investment in vulnerability management. It’s another example of managing what you already own before you try to ingest another tool without adding any engineers or process.
I’m not suggesting that CIOs and CISOs shouldn’t be trying to “see around corners” and prepare for the future, but the amount of hype about what’s next is taking the focus away from managing today.
The last week or so marks what I would describe as an unprecedented shift in the impact of cyber attacks with the Sony breach. I run from the constant fear, uncertainty, and doubt (FUD) that gets circulated and recirculated by vendors and media outlets, but I see this attack, and more specifically its impact, as different for several reasons. The Sony attack is also a call to action for the government of the United States to get its act together on cybersecurity and DO something to help American businesses large and small better defend themselves.
So what was different about the Sony attack?
Scope and impact. The scope of the attack as we know it so far is different from anything I can remember seeing before. Instead of a massive attack targeting specific information like large volumes of credit card or social security numbers, this attack stole intellectual property and HR records and caused disruption to “the network”. That’s malice and the intent to do measurable harm to a specific company rather than to gain financially, on a scale and scope we have never seen before.
The impacts of this attack were swift and far-reaching. Intellectual property in the form of five or more movies from Sony Pictures was stolen and is being shared illegally around the web. Salaries, home addresses and other Human Resources related data of 6,000 Sony Pictures employees were stolen and shared and posted in one form or another across the web. Finally, the company was reportedly shut down and held hostage to ransom demands that left many computers unresponsive.
All of these details, in both scope and impact, represent an unprecedented attack on a US-based company (Sony Pictures Studios is located in Culver City, CA). Our government has fiddled while Rome burns, and it’s time that the government step in and partner with industry to find a way to stop the bleeding. I’ve had the pleasure to be part of a measurably productive government/industry partnership in cybersecurity with the Defense Industrial Base (DIB) program, and I testified before the House Armed Services Committee (HASC) Subcommittee on Emerging Threats and Capabilities extolling the incredible value of the DIB program and how it could and should be meaningfully expanded. So I know we have the talent, both in government and industry, to address (not solve) this issue.
We have all the right people to deal with this in a meaningful way that can improve the current situation. I’m the last person to ever ask the government to lead anything but in this case, I really do think it’s their job and I know firsthand that they have a template for doing it.
When I was a CISO for a global defense company, I realized that a company of any significant size or complexity could never “do” security for themselves. Why can’t big companies go it alone? Partly because of specific resources and expertise that are not resident in-house, and partly because of all the things that compete with delivering security, namely projects, politics, personalities, egos and all the other fun stuff that comes with being in a big company. Political correctness and all of the other impediments of a big company naturally get in the way of delivering actual security. Executives have pet projects that compete with core mission requirements, and day-to-day security falls behind.
Couple that with an executive audience that didn’t grow up with the threat and therefore can’t understand it, at least not in a way they can quantify like other business issues, and you have a recipe for excess spending on underperforming solutions. This article makes the point. It’s not the sexiest breach to be reported, but I’d argue it’s the kind that most likely applies to the majority of companies. Said another way, this was work that probably could and should have been done by internal resources, but there are no villains in the story. Security and IT were probably overworked and delivering IT projects rather than actually delivering security.
I don’t think this is going to change anytime soon which is why I think deliverables-based engagements with trusted partners are here to stay.
Due diligence and fiduciary responsibility for corporate executives is now widely acknowledged to include exercising sound judgment and effective controls in the domain of cybersecurity. There’s no escaping the responsibility to protect corporate information and infrastructure, and eventually the law will catch up with this reality. Until it does, here’s what you should be doing right now to exercise due care in managing cybersecurity risk.
1 – Be pragmatic, there are more risks than you can possibly address. If you try to do everything you will end up doing nothing.
2 – Get a baseline of the controls you currently have in place and how effective they are, and compare yourself with NIST 800-53 or the Consensus Audit Guidelines. (HINT: Remember step 1 and don’t overthink this; your assessment shouldn’t be a six-month exercise.)
3 – Do something! Prioritize your risks and address ONLY the things that can show measurable improvement, i.e. reduced risk. If you’re stuck in analysis paralysis, just start with the Consensus Audit Guidelines and address the ones that you’ve found to be vulnerabilities in your baseline.
4 – Document and tell your story using words and numbers that matter. Telling the board that SQL injection vulnerabilities have been reduced because you implemented a Web Application Firewall is why security often doesn’t get “a seat at the table”. Talk in terms of compliance and risk; they get that.
5 – Stop buying tools and adding complexity until you’ve mastered the ones you already own and have laid in the process (documented) to use them effectively and in an integrated fashion.
As Einstein said, “Everything should be made as simple as possible, but not simpler.” Apply this approach in exercising due care with respect to cybersecurity.
I’ve spent the week here at RSA talking with current and future customers, and a great question I get from customers looking for a trusted security partner is “So what exactly is it you do?” It seems like a simple question, but what it usually implies is some level of “consultant fatigue”: CISOs have had enough assessments, reports and outsiders telling them what their problems are. They want solutions and partners who do real work. Here’s what CyberSheath does to add value... guaranteed.
What We Do
We integrate your compliance activities with security activities and measurably reduce your risk.
How We Do It
Set a security strategy, select standards, implement controls, measure effectiveness.
What Results Look Like
A recent engagement for a customer led us to design and deploy an incident response and management plan. This particular security control happens to be Critical Control 18: Incident Response and Management from the CSIS: 20 Critical Security Controls list. Implementing all 20 controls would have been ideal but we are realists not idealists. The customer had suffered a significant attack where the APT had been embedded for over two years and the lack of process to contain and expel attackers directly contributed to massive amounts of data loss.
What We Did
Documented written incident response procedures that included specific roles and responsibilities for both management and technical personnel during each phase of an incident.
Documented and implemented organization-wide service level objectives (SLOs) related to mitigation of an incident.
The customer now has a documented, repeatable and measurable incident response and management plan for cyber-attacks and mitigates attacks on average in less than 2 hours once discovered.
Our focus is on implementing real results that make you more secure, we guarantee it.
The Keynote sessions here at RSA 2013 kicked off yesterday and Art Coviello, RSA Executive Chairman, focused on the importance of big data and the opportunities that it presents security teams from an intelligence perspective. He’s right, the opportunities are tremendous and customers are anxious to better leverage “big data” but documented and repeatable process along with baseline implementation of critical controls are prerequisites for taking advantage of “big data”.
The actionable intelligence that can be gained from big data is only useful if it causes an organization to take the RIGHT actions in the correct sequence with measurable outcomes. Conceptually leveraging big data makes perfect sense but the implementation will yield more of the same firefighting that bogs down security organizations today if it’s not part of a documented strategy with measurable outcomes enabled by rigorous process and a thorough understanding of the controls you currently have in place.
The actionable intelligence that big data can provide could very well enable an organization to quickly and efficiently mitigate an attack by correlating unstructured data in a context that directs a SOC analyst to take appropriate action. Attack mitigated, the good guys win, right? Maybe not... are we really still just addressing the symptoms and not the root cause? The attack is the result of a vulnerability that was exploited, and resources are being expended on incident response because resources were not expended on preventative maintenance. Perhaps if the control to prevent the attack in the first place had been documented, implemented and measured, the attack would never have happened.
I realize that implementing critical controls won’t stop every attack but there is such a great opportunity to do some fundamental and meaningful work around implementing critical controls to stop attacks that get overlooked.
It’s just good hygiene. Would you rather brush your teeth, floss and get regular dental examinations, or be really good at getting fillings?
Day 1 at RSA wrapped up yesterday evening when the vendor expo opened and conference attendees had an opportunity to visit vendors and check out the latest and greatest products. The vendors are primarily products vendors which reminded me how important it is for a CISO to have a services partner to help cut through the FUD and deliver value.
CISOs are inundated with point solutions, some of them excellent, but many of them duplicative of existing investments. I’ve found that in selecting products the process/project often ends with “100% deployment”, leaving security organizations unable to measure the return on their investment. A simplified view of the process goes something like this:
- Identify a need
- Hold a “bake-off” and select a product
- Set deployment objectives (entire enterprise, all Windows desktops, etc…)
- Achieve deployment objectives
- Declare victory with reports showing deployment saturation metrics
It’s a missed opportunity for security to instead align with the business and demonstrate quantifiable value by defining the project in the context of the business problem that is being solved. Security organizations can get myopic in viewing risk and laser-focused on point solutions that address specific security requirements missing the opportunity to tell the story of the business issue they are addressing as a part of the bigger picture.
100% deployment isn’t the goal, that’s just your day job. Enabling the business to engage customers, capture sales and recognize revenue is the goal. When you are in the trenches every day it’s difficult, sometimes impossible, to address the bigger picture but in my experience, the organizations that do are the most effective.
All checked in @RSA 2013 here in San Francisco!
It’s interesting to me the difference in perspective in attending one of these industry conferences as the CEO of a security services company rather than as a CISO. When you are a CISO for a Fortune 500 company, EVERY vendor wants your time, and you can be sure you will meet for as long as you want with whomever you want. As the CEO of a services company, you’re competing for time with all of the big vendors and had better have something important to say as you vie for the precious time of oversubscribed CISOs.
It’s a great reminder for me of how important the work we do is. C level executives are inundated with competing demands on their time and what they need most is someone to solve real-world problems for them. They need a vendor, individual, product or service that literally takes something off of their plate so that they can move on to other priorities. Adding value in the security space is about delivering real-world pragmatic solutions that improve security posture.
Do you need that kind of a partner for your company? Let’s talk; I’ll be here all week, firstname.lastname@example.org.
Siobhan Gorman of the Wall Street Journal wrote yesterday that “Fortune 500 companies in a range of industries back a system of voluntary cybersecurity standards”. The topic of cybersecurity standards being voluntary or mandatory often sparks lively debate, but unfortunately, it’s the wrong discussion.
As a knowledge-based economy, intellectual property is the lifeblood of many businesses in America today and ultimately protecting it, collectively, is a matter of national security. The government has an appropriate role, indeed a responsibility, to regulate how that is done and they have done a tremendous amount of good work in defining recommended controls with the National Institute of Standards and Technology Special Publication 800-53. So I write this as a believer that the government has an important role to play in defining and implementing cybersecurity standards given the national security implications.
Compliance to standards and regulations like PCI DSS, HIPAA and others, voluntary or not, should be outcomes of an effective security program and not separate objectives divorced from day to day operations. When viewed in a vacuum, compliance to standards can be bureaucratic, costly and not materially effective in reducing actual risk. Fortunately, there is an efficient and effective way to deal with compliance and that’s the discussion we should be having.
The work being done in security operations centers and IT delivery organizations to secure a company’s assets and information should be documented, measurable and process-driven. If your security program meets these criteria then the outcomes and effectiveness of your efforts can be easily measured against compliance to standards, often in an automated fashion. If your security program isn’t documented, can’t be consistently measured for effectiveness, and is not process-driven then compliance to standards is a paperwork exercise that adds little or no value. Security programs like this often struggle to demonstrate their relevance to the underlying business, as well, because the business isn’t sure what they should be getting for their security dollar.
If compliance to prescribed standards is a drain on your resources and you can’t see the value, that could be a red flag that your overall security program isn’t meeting its objectives. Seize the opportunity to develop a strategy for your security organization, set success criteria, define metrics and articulate your value to the business. If you’re doing that, compliance will be easy.