Modernizing Your SecOps for Stability, Resilience and Growth

by Dan Lamorena on June 25, 2020

Matt Eberhart recently hosted a webinar with Peter Schawacker, Principal at Blinktag Solutions, and Chris Calvert, VP Strategy/Founder Respond Software on how SOCs can react to the changing times we are all facing. Here are some of the highlights.

Matt: With the events of the first half of the year, we have undergone a lot of change in our lives and in cybersecurity. In the last three months, phishing has seen a 5x increase with more remote workers and digital transformation. How has the SOC changed in 2020?

Peter: Everything has changed. The intensity of the work of the SOC has increased. The time it takes to handle a task is taking longer. The problems are more difficult. Blending home and work and the extension of hours is leading to increased stress.

Stress is the new normal.

Chris: Cybersecurity professionals live in stressful environments. We may be considered stress/adrenaline junkies. We are trying to capture people committing criminal activities. I used to put new analysts in front of executives and make them uncomfortable to help them acclimatize to stress. But there is a breaking point.

Sponsorships Available

Matt: What can we do to reduce stress loads?

Chris: We can reduce the cognitive burden on people using data science, so they can make the really important decisions and automate the less important ones. Tools can make decision-making easier, automate elements and reduce analyst stress.

Matt: We should enable math and data science to help them put the puzzle together to determine if a human should investigate further. If you were prioritizing security programs for an organization, what would you recommend?

Chris: One, how do we take care of people. How do we make them resilient? Can they get self-care? Is there a separation from work? My challenge is to prepare myself and my team to make sure they can handle this effectively. How do we work together to improve business processes (map steps, manage micro-decisions), and mitigate stress?

Matt: Peter, how have you traditionally organized your teams, and what has changed?

Peter: I’m a Level 1 cynic. I don’t believe it’s an effective construct. You’re pitting the least capable people and forcing them to make the most difficult decisions. They are the ones pitted against your adversaries. You need to automate this and it’s why I’ve invested in the Respond Analyst. The strategy is to get rid of the continuously low-level stress around false positives and real incidents. You need to eliminate the stress and provide some relief. The adrenaline junkies can’t live like that all the time. They need to get that hit a few times today.

Matt: Remote work is here to stay, however collaboration is a key element of any SOC. People lean on each other for the expertise and deal with the ups and downs of the job. How do SOCs collaborate now?

Chris: It is a collaborative job. They need to be sharing information, whiteboarding. We need to have conversations about what is happening. We need to fill the whiteboard and put people in front of it virtually.

Peter: I find myself running war rooms or conference calls around incident response. The collaboration allows people to work at a very high level. You can’t go from crisis to crisis or you will burn out. Many organizations may struggle to patch, manage security controls, etc., but when the pressure is on, it pushes people to act. Good SecOps teams need to embrace principles from Agile. If you do intrusion analysis the way you respond to an incident, you can be prepared when you really have one.

Matt: What has drawn you to cybersecurity?

Chris: We have a passion for finding bad guys. The job is the mission. That’s why we’re here. We care about the outcome. We need to keep the digital world up and running.

Matt: What advice do you have for those trying to break into security?

Chris: You put a finger on the keyboard and you keep right on going. Pick a new tool or topic. You put a sensor out. You read the news. You need to get accustomed to learning because we have to constantly learn in this industry. The criminal is agile. We need to adapt and constantly learn as well.

Peter: Know yourself and your temperament. Some can’t handle stress or constant learning. If you want hobbies or want to quit working at 5 pm, find another job. We’re up against people who are criminals and spies and want to do you harm. They are evil people who would kill you if they could. This is not fun. It’s serious business, and if you don’t want to take it seriously, I don’t think you should do it.

Matt: You need to be driven by helping and protecting other people and need a strong sense of right and wrong. Development/technical skills are very important. You need to be and remain super inquisitive.

Matt: We are hearing more about sharing constantly changing threat intelligence and how do you use data science to facilitate finding adversaries?

Chris: Threat intelligence is basically worthless. One percent of incidents in our data set are using threat intelligence to indicate something is a known-bad. Data science can tell us what’s working and what’s not working. How do we optimize our sensors? How do we measure our sensors/security controls and improve them? Deming/Six Sigma has been about people. We need to do Six Sigma / scientific management on technology, like sensors and SIEM, and use data science to improve those. What is working? Do more of that. What isn’t? Let’s stop wasting time.

Peter: What is the good signal, and what is wasting our time? In the past the telemetries were garbage. The endpoint world got pretty good at detecting stuff using ML/AI and the work of data scientists. Understanding the value of given data sets would be swell. It’s hard to recruit data scientists, so I am going to invest in software that incorporates AI/ML/applied data science. It’s easier and just makes sense.

Matt: Applied data scientists – database administrators of the past are going to be the practical data scientists in the future. To apply data you have to move it around put it in a place that is workable.