The Future of SecOps: Behind the 8 Ball

Posted under: Research and Analysis

As the velocity of technology infrastructure changes continues to increase, it’s putting a lot of stress on security operations (SecOps). This has forced security folks to face the reality that operations has never really been our forte. Sure, that’s a bit harsh, but delusion has never been a means to address significant problems. The case is pretty strong that most organizations are pretty bad at security operations. How many high-profile breaches could have been avoided if one of many alerts had been acted upon? How many attacks were made possible by not having properly patched servers or infrastructure? Moreover, how many successful compromises resulted from human error?

If your answer to any of those questions is greater than zero, then there is plenty of room for improvement. Yet there is no cavalry off in the distance to magically address operational issues. If anything, SecOps is going to get harder for the following five reasons:

  • Adversary innovation: Your adversaries are innovating and finding ways to compromise devices using both old and new tactics. They follow the path of least resistance to achieve their mission with focus and persistence.
  • Infrastructure complexity and velocity: With the advent of SaaS and public cloud, the technology infrastructure is getting more complicated and changes happen a lot faster than ever before. Data ends up in environments you don’t control and can’t really monitor, yet you have to protect it.
  • More devices, more places: It seems every employee nowadays has multiple devices that need to connect to sensitive stuff and they want to access corporate systems from wherever they are. What could possibly go wrong with that? Compounding the issue is IoT and other embedded devices connecting to the networks and dramatically increasing where you can be attacked. Maintaining visibility and an understanding of your attack surface and security posture continues to get harder.
  • Hunters hunt: For a long time security folks could be blissfully unaware of the stuff they didn’t find. If the monitor missed it, what could they do besides clean up the mess afterwards? Now organizations are proactively looking for signs of active adversaries, and these hunters are good at what they do. That means in addition to all of those alerts you get, you also have to handle the stuff that the hunters find.
  • Skills gap: We’ve been talking about the significant security skills gap for a long time. And it’s not getting any better. There just aren’t enough security people to meet the demand, and the problem gets more acute with each passing day.

But the news isn’t all negative. By understanding the attacks that may be coming at you through more effective use of threat intelligence, you can benefit from the misfortune of others. In other words, you don’t have to wait until you experience an attack and then set your monitoring environment to look for it. Additionally, enhanced security analytics makes it easier to wade through all of the noise to find patterns of attacks and pinpoint anomalous behavior indicative of malicious activity.

The integration of threat intelligence and security analytics provides Security Decision Support. It is a key lever in scaling and improving the effectiveness of a security team. We’ll be fleshing out these ideas in much greater detail in a companion blog series.

But even with more actionable and prioritized alerts, someone still has to do something. You know, security operations. In a lot of cases, this is where everything falls apart. To illuminate the situation, the security teams involved in two of the highest profile breaches of the last few years (Target and Equifax) were alerted to adversary activity more than once before it was apparent there was a breach. They just didn’t execute on a strategy to stop the attack before it became a catastrophe.

To be clear, it’s easy to be critical of organizations after they’ve suffered a massive breach. That’s not our point. We bring that up as a reminder of a concept we’ve been talking about for more than a decade: Respond Faster and Better. That’s what it’s all about. We, as an industry, have to figure out how to more effectively operationalize world class security practices, quickly and effectively. And yes, we understand this is very easy to say, but very hard to do.

So why is this so hard? Let’s examine what security operations tends to do with its time. For those of you with backgrounds in manufacturing, you’ll probably remember time and motion studies aiming to improve the productivity of factory workers. Now security is far from a factory floor, but the objectives are the same. Can SecOps be streamlined by figuring out what takes up a lot of time and optimizing it?

We believe the answer is a resounding yes. A lot of security operational tasks involve updates, policy changes, compliance reporting, and other fairly tedious and rote tasks. Certainly there are periods of more intense activity, when triaging a new attack or trying to figure out an effective workaround to an attack. But there is plenty of time spent with things that are distinctly unsexy.

This reality also causes unmet expectations for people entering the security field. Most entering the industry have dreams of being a l33t haXor or a threat hunter. Very few wake up excited to tackle a list of firewall changes or reimage endpoints after the CEO clicked on one of those links. Again.

And even if you could find people who got excited about security operations, they are still human. Which basically means they make errors. But when you need every update and every change to be done right lest you open a hole in your environment large enough to drive a truck through, perfection needs to be the goal and people are not perfect, no matter how hard they work.

Behind the 8 Ball

Basically, SecOps is behind the 8 ball – by definition. The deck is stacked against us. The attack surface is growing, the adversaries are getting better, and all you have is your ingenuity, a metric crap ton of alerts and too few humans to get things done. Yeah, definitely sounds like Mission Impossible.

So what? Do we give up? Just pack it in and take a job at the local coffee shop? To be honest, some days that sounds pretty good. Everybody loves coffee. But for folks that are passionate about security (like us), it’s the wrong answer. We don’t need to run. But we do need to think differently. We have to architect our technology stacks in a smarter, more secure fashion. We have to embrace automation, as opposed to being fearful of it.

We’re entering a different world. One where security is largely built into the technology stacks that run our infrastructure. Where we plan our operational functions and document them in clear runbooks. Where those runbooks are implemented in the infrastructure without the need for manual intervention.

This approach allows your security team to do what they are good at. They can understand the applications and design proper controls, evolve policies and runbooks, and handle the inevitable exceptions that happen in a dynamic environment. Adding value, as opposed to just doing stuff. This is the Future of Security Operations and in this blog series we’ll dig into what that looks like and how we believe you can get there.

To manage expectations: stepping into this future will require fundamental changes to how you do things, as well as embracing processes that will likely make you uncomfortable. As it should, since every significant step forward involves discomfort.

Before we jump in, we first need to thank IBM Resilient for agreeing to license this content at the end of the project. It’s support from forward-thinking companies that allows us to publish our wacky ideas for the industry and sometimes even see them come to fruition.

– Mike Rothman

This is a Security Bloggers Network syndicated blog post. Read the original at: Securosis Blog 2017-11-09.