Moving From ‘the log dustbin’ to Effective Security Operations

Guest Blog Post by Bryan Littlefair, CEO of Cambridge Cyber Advisers and former Global CISO of Vodafone and Aviva

If you work in cyber security, you are already aware that we are currently operating in unprecedented times.  Threat and risk levels for organisations across the globe are constantly rising, as is the number of successful attacks.  This is compounded by organisations struggling to attract skilled resources while budgets for security are in decline.  The net effect is that security operations teams are being asked to do more with less!

Security operations is a numbers game, with potentially billions of security log events flowing into the central data lakes daily.  A good analogy is that security operations is like the human brain.  Our brains rely on information from our senses to understand what is happening around us, just as a security operations centre relies on a distributed suite of technologies and processes to inform it about the current status of security.

An operations capability without its supporting technologies would be like a human brain without sight, sound, smell and touch… it would be significantly harder to understand what is happening around us.

But not all operations centres and functions are equal.  The technology within a Security Operations Centre is not something that you can just deploy and reap the rewards from straight away.  Some security operations centres just collect and store logs – the log dustbins…

On the flip side, effective security operations centres need tuning to your individual environment and, more importantly, they need skilled analysts to understand the output and take appropriate action.

In this blog we are going to look at what differentiates great security operations teams from good ones.  What key components tip the balance in security operations' favour and therefore reduce the risk exposure for your organisation?

Security operations exist to protect the organisation proactively and effectively from attack and compromise, from both outside and within the organisation.  The more mature operations functions have defined the outcomes they are going to deliver for the business and then track their performance in achieving them.

The three principal outcomes are:

  1. Speed and Simplification – Business-aligned security operations that produce actionable, context-based output that can be trusted to achieve maximum risk reduction.
  2. Visibility and Control – Holistic coverage with design- and operationally-effective controls that protect existing environments and pre-protect new environments prior to go-live.
  3. Automation and Impact – A reduced volume and impact of security incidents and issues through effective security baselining across the business and automating security controls and response.

Speed and Simplification

In security, speed is everything.  Attacks can happen with the click of a mouse and spread across an organisation in minutes.  Alternatively, attackers may want to go long and slow, studying your organisation and, once they have compromised your network, simply watching what is going on for months while planning their attack very carefully.  Our operations capability must therefore be able to detect both the ‘smash and grab’ attacks and the carefully planned data compromises.

For an attack against your organisation to succeed, the attacker must first find a way into your systems.  This can be via a vulnerability or misconfiguration, by ‘hacking the human’ and socially engineering an internal staff member, or by compromising a trusted third party and accessing your systems via them.  Our focus must therefore be on proactively identifying the potential risk and threat vectors and planning our security countermeasures around them: a threat-led approach!

Visibility and Control

The number one mantra for security operations is “you cannot secure what you do not know about.”

Long gone are the days when all a company’s physical and information assets resided in the company’s data centres; that horse bolted a long time ago.  Now the norm is for organisations to co-exist in a hybrid world of data residing on-prem and within different cloud-based service providers and third parties.  But one thing remains constant: you are still accountable for the security of it, wherever it resides.

Security operations needs to be both reactive and agile in the face of changing business dynamics, such as all employees working from home during the pandemic, and holistic in nature, extending control and coverage into third parties and cloud service providers.  Your services and solutions need to traverse organisational and geographic boundaries and operate as an effective extension of your on-prem capabilities wherever and whenever they are required.

Automation and Impact

I have yet to meet a CISO who thinks they have all the resources, in terms of people and budget, that they require.  There is always more to be done, which requires more people and resource.  This is compounded by the fact that you must segment your security expertise to support the part of the business doing waterfall delivery and the other part doing Agile and DevOps.  So, every security leader needs to optimise their valuable resource to ensure that risks do not go unidentified or unmanaged.

Automation plays a valuable role within resource optimisation.  Many of the tasks performed by the security function can be at least partially automated, removing part of the manual process and codifying your security policy and approaches into automated workflow and decision making, which can reap huge rewards in terms of operational efficiency.  This enables your security expertise to focus on areas which require human logic and decision making, rather than those that do not.

By adopting automated workflow, you can move rapidly towards real-time risk analysis, as compliance checks are performed continuously on systems, applications and infrastructure rather than waiting for a manual check to be performed maybe once or twice a year.  We are used to this way of working with some of our systems, but it has not been ubiquitously deployed across the security team’s workload.
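To make the idea of codified policy and continuous compliance checks concrete, here is a small added illustration in Python. It is not code from the original post or from the author's organisation; the asset inventory, the baseline thresholds (patch SLAs per criticality, permitted TLS versions, MFA on privileged access) and the scoring weights are constructed assumptions chosen to show the pattern. The point it demonstrates is that once the baseline is expressed as code, the same checks can run on every change rather than once or twice a year, and the output carries enough business context (criticality, where the asset is hosted) to be prioritised rather than dumped into the log dustbin.

```python
"""Added illustration: a security baseline expressed as code, run continuously
over an asset inventory and producing prioritised, context-rich findings.
All inventory records, thresholds and weights below are constructed assumptions."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Asset:
    name: str
    environment: str      # "on-prem", "cloud" or "third-party"
    criticality: str      # business criticality: "high", "medium" or "low"
    last_patched: date
    tls_min_version: str  # lowest TLS version the service will negotiate
    admin_port_exposed: bool
    mfa_enforced: bool    # MFA required for privileged access


# Codified baseline (assumed thresholds): stricter patch SLA for more critical assets,
# only modern TLS permitted, no externally reachable admin interfaces, MFA everywhere.
PATCH_SLA_DAYS = {"high": 14, "medium": 30, "low": 90}
TLS_ALLOWED = {"1.2", "1.3"}


def check_asset(asset: Asset, today: date) -> list[tuple[str, str]]:
    """Evaluate one asset against the baseline; returns (control id, detail) pairs."""
    findings = []
    patch_age = (today - asset.last_patched).days
    sla = PATCH_SLA_DAYS[asset.criticality]
    if patch_age > sla:
        findings.append(("patch-sla", f"last patched {patch_age} days ago, SLA is {sla} days"))
    if asset.tls_min_version not in TLS_ALLOWED:
        findings.append(("weak-tls", f"minimum TLS version is {asset.tls_min_version}"))
    if asset.admin_port_exposed:
        findings.append(("admin-exposed", "administrative port reachable from outside"))
    if not asset.mfa_enforced:
        findings.append(("no-mfa", "MFA not enforced for privileged access"))
    return findings


def prioritise(asset: Asset, findings: list[tuple[str, str]]) -> int:
    """Contextual score: the same control gap matters more on a critical asset
    hosted outside the data centre, where visibility and control are weakest."""
    weight = {"high": 3, "medium": 2, "low": 1}[asset.criticality]
    exposure = 2 if asset.environment in ("cloud", "third-party") else 1
    return len(findings) * weight * exposure


def run_baseline(inventory: list[Asset], today: date) -> list[dict]:
    """Run every check over every asset; compliant assets produce no noise at all."""
    report = []
    for asset in inventory:
        findings = check_asset(asset, today)
        if findings:
            report.append({"asset": asset.name, "score": prioritise(asset, findings),
                           "findings": findings})
    report.sort(key=lambda row: row["score"], reverse=True)
    return report


# Constructed sample inventory: one badly drifted cloud service, one third-party
# portal with a single gap, and one compliant on-prem server.
SAMPLE_INVENTORY = [
    Asset("payments-api", "cloud", "high", date(2024, 4, 1), "1.0", True, False),
    Asset("hr-portal", "third-party", "medium", date(2024, 5, 20), "1.2", False, False),
    Asset("file-server", "on-prem", "low", date(2024, 5, 1), "1.3", False, True),
]
SAMPLE_TODAY = date(2024, 6, 1)  # fixed "today" so the run is reproducible


if __name__ == "__main__":
    for row in run_baseline(SAMPLE_INVENTORY, SAMPLE_TODAY):
        print(f"{row['asset']} (score {row['score']})")
        for control, detail in row["findings"]:
            print(f"  {control}: {detail}")
```

Scheduling `run_baseline` on every deployment or configuration change, rather than on a calendar, is what turns the once-a-year audit into the continuous compliance the paragraph above describes; the score is what lets a small team act on the first row first.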

Watch The Webinar

Want to hear directly from me on this topic? Join our webinar, where I review strategies for effective security operations that can lessen the manual burden on SOC teams and improve response time, while optimising current resources.

On Demand Webinar: Achieving Maximum Efficiencies and Outcomes Across Security Operations