May 17, 2022
Paul-Arthur Jonville
"The future of SecOps - A new approach to security" is part of a three-article series published by Mindflow that looks at what comes next in the cybersecurity world.
When talking about your Security Operations structure, you invariably end up speaking about the lack of talent. Indeed, in the cybersecurity field, talent is scarce.
Making the people working in cybersecurity more effective cannot be achieved solely by recruiting new personnel. As we said, there is a structural deficit in the workforce in this field.
On top of this, we also showed that threats are growing exponentially. 2020 and 2021 were a preview of what is coming next. Look at ransomware: 2022 will be as tough a year as the previous ones, if not worse.
And the targets attackers aim at are multiplying too: IoT, remote work, BYOD, and cloud migration are dramatically expanding companies' attack surface.
Facing this increasingly dangerous environment pushes security operations teams (SecOps) to do more and to acquire new tools to counter new threats, all while already being outnumbered.
There are some ways to empower SecOps without relying on increasing the number of humans:
Adopt a new SecOps approach focused on consistency and scalability
Change your SOC structure to enhance productivity and effectiveness
The sharing of responsibility in the cloud is an opportunity
Tomorrow's SecOps need to be built around knowledge sharing
A new approach to SecOps
First, you need to think about the right approach to cybersecurity: talent alone isn't solving the problem. You need to think smart and look at scalability and consistency rather than mere headcount.
Indeed, trying to solve this equation by hiring more and more people isn't the right approach. You're overlooking the root cause of the issues. The main problem isn't entirely about talent but rather about how you concretely deal with threats and alerts.
Your de facto approach to cybersecurity needs to change. Inspiration can be found in other disciplines of the software world. One among others is the Site Reliability Engineering (SRE) approach. It's a software engineering approach to operations problems, based on standardization and automation: it uses software and automation to handle tasks otherwise done by operations teams, often manually.
This is about scalability and consistency: SecOps would develop solutions to detection issues with the help of automation, standardize them, and implement them at scale.
A SecOps structure to empower humans
To answer tomorrow's threats, SecOps has to evolve to favor processes that scale. Humans need to be increasingly empowered by automation, upskilled to address more complicated problems, and augmented with technologies that help them accomplish more.
To accompany this metamorphosis, new structures need to be created. Start with the Security Operations Center (SOC). Its old tiering system needs to change. As of today, a SOC is structured as follows:
Tier 1: monitor and triage
Tier 2: contain and remediate
Tier 3: forensics and intelligence
The SOC tiering structure needs, at the very least, to be challenged. It needs to evolve towards a skill-based team, where individual people bring their expertise. These skillsets would be aligned with corresponding use cases.
Exclusively dedicating an analyst to tier 1 work needs to stop. It inevitably leads to exhaustion and stress, and ultimately to high turnover. A SOC organized as a team would have the advantage of reinforcing learning throughout the whole detection and response path. It would also widen the scope of the work and increase its rewards by letting analysts handle each use case from start to finish. Furthermore, working this way facilitates upskilling within SecOps teams and gives analysts more precise career goals.
Moreover, there is a crucial need to consider quality of life at and outside work. Two characteristics SecOps teams share across the industry are exhaustion and stress. Analysts working under the sword of Damocles or drowning in tasks aren't productive and are prone to errors. To increase the productivity of a SOC, one needs to consider a healthy balance between work and life. Solutions could be found in more rotation between tasks, improving the quality of the workspace, salaries, career prospects, etc. The goal is to meet some of their needs in order to ease the burden.
Furthermore, such gains in productivity and effectiveness cannot be achieved without automation. It simplifies tedious tasks such as ingesting logs across tools and managing detection processes or workflows. Moreover, automation scales across the enterprise and beyond. Such automation improves analysts' capacities. You have to enhance humans, not replace them.
You need to take the best of cloud migration
The cloud undeniably increases your attack surface. SecOps teams are cornered between extinguishing fires, trying to increase coverage, and keeping up with evolving data sources and technology.
Automation and orchestration are the answer to this exponential asset growth and multiplicity of tools.
Cloud migration ensures a more secure environment by default or, at least, a shared responsibility. As you move applications, data, containers, and workloads to the cloud, security teams keep some responsibilities, and cloud providers take on others. Shared responsibility models differ from one cloud provider to another.
For example, two typical responsibilities devolved to cloud providers are centralizing and protecting networking and physical hosts. This also eases the burden of maintaining all the software used for that purpose. The same goes for compliance and other administrative tasks.
Consequently, responsibility-sharing helps security operations reallocate time to other use cases.
Thanks to automation and the cloud, the SOC should evolve and focus on threats and challenges that necessitate human action.
Tomorrow, security needs to be built around knowledge sharing
Security is a global matter. I'm stating the obvious, I know, but still, you have to remind yourself that security doesn't come as a priority to most of the people out there.
To them, security is often an esoteric matter handled by a few people in a dark room where nobody else goes.
Security as a domain cannot be siloed in some dark place of your company anymore. It needs to infuse into the broader company and reach out to everyone there. Whether you're on a public or private cloud, multi-cloud, or on-premises, the first threat will always come from the inside.
You can have every tool you can afford and enforce rules and policies directly on your colleagues' devices. The fact is that they're the primary vector of knowledge in your company. They know secrets, they have access to them, and they're your first line against attackers.
No security architecture can prosper without taking this reality into account. Therefore, you need to work hand-in-hand with everyone. Make yourself known, publicize your objectives and why you matter in the company, and incentivize good behaviors. Long story short, evangelize people and make them want to be on your side.
On the other hand, security-wise, complexity is still an obstacle to sharing among the teams themselves, across time and space. We've talked about technical debt; this is what we mean by breaking down the barriers to enable sharing. Here, no-code comes into play. Before anything else, it is a more accessible communication medium, which is what people need in order to evolve.
Teams adopting it make their work easier to communicate, and thus more likely to be emulated. Finally, you're bolstering creativity while shaking off the sclerosis that comes from technical debt.
As a whole, you're looking to make SecOps a collaborative space, open to the world, where communication is favored. You're looking to increase quality at work by empowering your teams through automation, without compromising on consistency and scalability.