Over the last 20 years I’ve seen security operations morph, grow, and evolve. Starting as an industry with black box origins and evolving into a white box opportunity, we’re left wanting more in 2023. The mix of evolving technology, a shifting threat landscape, and increased industry knowledge has left security operation centers struggling with ongoing pressure to either include or delete. Do you include more cybersecurity telemetry into your security operations for better coverage? Do you delete some of your cybersecurity telemetry for the purposes of clarity and reduction of grey noise for better outcomes?
The question is: are you a security operations inclusionist or deletionist?
Whichever camp you’re in, in a post-Covid world there are evolving cyber security operations considerations that can’t be dismissed for years to come, and these are important trends to watch so that your security operations program integrates best practices for maximum operational longevity. These new security operations insights include five revelations and one note of caution.
Revelation #1: 50 Shades of Correlations
For as long as cybersecurity has been evolving, correlation of high volumes of information has been a requirement of effective security operations. The velocity of information – and information format change – has made it difficult for correlations to run with a high degree of confidence. The result is that our industry has accepted a level of ambiguity in correlating search results. This ambiguity has put added pressure on overloaded security analyst teams as they sort through growing piles of alerts to decide what matters. If you aren’t using machine learning or other data-science assistance for investigations, your dependence on legacy correlation techniques won’t provide the quality outcomes you’re hoping for.
When it comes to categorizing correlations and security activities, each will fall into one of three buckets. In the first bucket are things that are known but not particularly troublesome, such as an elevated number of failed logins on perimeter devices. It’s nice to have situational awareness of these events, but they tell you that your technology is doing its job and blocking bad authentication attempts. The second bucket includes things that are truly suspicious, such as repeated failed login attempts, which sometimes indicate a brute force attack. If we then see a successful authentication and access from the same source, we need to perform a serious investigation. The third bucket contains sophisticated or nation state-sponsored activity that evades detection and works at the edges, out of sight. These attackers know how commercial security tools work, and they know how to avoid detection. Here, detection requires similarly sophisticated and similarly tuned techniques, often optimized through machine learning.
To be successful, none of this categorization should require advanced security correlations in need of constant tuning. An efficient security operation means letting your security technology work, investigating with the correct context, and applying machine learning intelligently to discover and describe evasion tactics.
Conclusion: Clarity of alerts is more important than the number of alerts.
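The first two buckets above can be expressed as a simple rule over authentication events: a burst of failures from one source is situational awareness, and a burst followed by a success from that source is the case that needs a serious investigation. The following Python is an added illustration, not code from the original post; the log format, the failure threshold and the time window are assumed, and the third bucket (evasive activity) is deliberately not modelled because no fixed rule captures it.

```python
"""Bucket authentication events: bucket 1 = repeated failures only (known
noise), bucket 2 = repeated failures then a success from the same source
(suspicious), 0 = nothing notable. Bucket 3 (evasion) is not a rule."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry): time user source result
SAMPLE_LOG = """\
2023-03-01T10:00:01 alice 203.0.113.5 FAIL
2023-03-01T10:00:03 alice 203.0.113.5 FAIL
2023-03-01T10:00:04 alice 203.0.113.5 FAIL
2023-03-01T10:00:12 alice 203.0.113.5 SUCCESS
2023-03-01T10:05:00 bob 198.51.100.7 FAIL
2023-03-01T10:05:02 bob 198.51.100.7 FAIL
2023-03-01T10:05:05 bob 198.51.100.7 FAIL
2023-03-01T10:30:00 carol 192.0.2.9 SUCCESS
"""

FAIL_THRESHOLD = 3            # assumed: failures that count as "repeated"
WINDOW = timedelta(minutes=10)  # assumed: sliding window for the burst


def parse(log_text):
    """Turn the constructed log format into sorted (time, user, src, result)."""
    events = []
    for line in log_text.splitlines():
        ts, user, src, result = line.split()
        events.append((datetime.fromisoformat(ts), user, src, result))
    return sorted(events)


def bucket_sources(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source: bucket}; the bucket is the highest level reached."""
    recent_fails = defaultdict(list)   # src -> failure times inside the window
    buckets = {}
    for ts, _user, src, result in parse(log_text):
        recent = [t for t in recent_fails[src] if ts - t <= window]
        if result == "FAIL":
            recent.append(ts)
        recent_fails[src] = recent
        burst = len(recent) >= threshold
        if result == "SUCCESS" and burst:
            buckets[src] = 2          # brute force that then got in
        elif burst:
            buckets[src] = max(buckets.get(src, 0), 1)   # noise, but known
        else:
            buckets.setdefault(src, 0)
    return buckets
```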
Revelation #2: Intelligent Threat Intelligence
Threat intelligence has a very short shelf life. From the moment an indicator of attack (IOA) or tactic, technique, or procedure (TTP) is used, the bad actor associated with that IOA or TTP begins to change their techniques to evade future detection. Unfortunately, because of the time needed to collect and distribute it, most threat intelligence readily available to cybersecurity professionals already has an expired shelf life. Threat intelligence typically comes from open-source resources that are between 24 hours and one week old. While this information sharing still has merits, much of its value can be lost on an already busy cybersecurity workforce. In contrast, some of the best sources of threat intelligence come from organizations that are currently engaged in the practice of attack simulation and red teaming. These organizations are in the business of discovering vulnerabilities and security weaknesses in infrastructure and applications before attackers have developed means, or opportunity, to exploit them. These vulnerabilities and security weaknesses may be previously known or unknown, but in either case, a team with this level of expertise can use this research to develop IOAs and TTPs to quickly upgrade and inform your security operations.
To be clear, this does not mean a security operation needs an expensive research and development team constantly discovering new and novel attack patterns. It means that being attack savvy can help you to be a better defender. Whether done in-house, or with the assistance of a reliable partner, this advanced insight combined with active operational integration makes security better together.
Conclusion: Being able to perform adequate electronic battlefield assessment is a requirement.
Revelation #3: Integrate for Triangulation
Unfortunately, the state of asset telemetry in the cybersecurity industry is in sad shape because of incompatibility, inconsistency, and a lack of interoperability. Efforts such as OCSF, and the older STIX and TAXII formats, are meant to create some type of common data standard, but until this is more fully realized, there’s value in the idea that many technologies, monitoring for different outcomes, can create a triangulation effect. By leveraging all available cybersecurity technologies in an integrated way, a security operation can create a system of checks and balances useful for confirming an investigation, or simply ensuring that fewer events are lost in technology gaps. For example, if there are three integrated core security technologies, and two report an event while one does not, then even before a detailed analysis there’s a higher likelihood that something is worth investigating. Triangulation, as a practice, can save time for an already overburdened team and serve to reveal confirmation bias.
Conclusion: Integrate boundary security technologies to create a system of checks and balances.
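The two-of-three example above can be run as a check over alerts from integrated tools: group alerts by host, count how many distinct tools fired within a short window, and record which tool stayed silent as a possible coverage gap. The Python below is an added example, not from the original post; the tool names, the window and the sample alerts are assumed.

```python
"""Triangulate alerts from three integrated tools on the same host: when at
least two fire within a window, report the agreeing tools and the silent one."""
from collections import defaultdict
from datetime import datetime, timedelta

TOOLS = {"edr", "firewall", "proxy"}   # assumed set of integrated tools
WINDOW = timedelta(minutes=15)          # assumed corroboration window

# Constructed alerts (tool, host, time); not real telemetry
ALERTS = [
    ("edr",      "ws-12", "2023-03-01T09:00:00"),
    ("proxy",    "ws-12", "2023-03-01T09:04:00"),
    ("firewall", "ws-07", "2023-03-01T11:00:00"),
    ("edr",      "ws-07", "2023-03-01T11:01:00"),
    ("proxy",    "ws-07", "2023-03-01T11:02:00"),
    ("firewall", "ws-31", "2023-03-01T13:00:00"),
    ("edr",      "ws-31", "2023-03-01T16:00:00"),   # too late to corroborate
]


def triangulate(alerts, tools=TOOLS, window=WINDOW, min_agree=2):
    """Return {host: (agreeing_tools, silent_tools)} for every host where at
    least min_agree distinct tools alerted within `window` of each other."""
    by_host = defaultdict(list)
    for tool, host, ts in alerts:
        by_host[host].append((datetime.fromisoformat(ts), tool))
    findings = {}
    for host, evs in by_host.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            # tools that fired in the window starting at this alert
            seen = {tool for t, tool in evs[i:] if t - t0 <= window}
            if len(seen) >= min_agree:
                findings[host] = (seen, tools - seen)   # silent tool = gap
                break
    return findings
```

A silent tool for a corroborated host is not proof of a detection gap, but it is the place to start when checking why one integration did not see what the others did.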
Revelation #4: Boxed into a Corner
As an industry, we’ve come a long way from our black box origins to empowering the end user with white box options. Unfortunately, we’re seeing a resurgence of closed system, black box solutions coming to market. This creates a challenge for cybersecurity teams as they figure out which of those black box solutions will allow for flexibility in data ingested, extensibility in deployment, and technology data that can be integrated.
In the evolved security operations model, two things must be absolutely protected: coordination and communication. How hard is it to coordinate with partners? How (near) perfect is the information and communication received? In evolving security operations and the MSSP industry, if the technology presented is a single point of failure, is hard to coordinate, or can’t communicate effectively, you may have boxed your security operations program into a corner in the event of an incident.
Conclusion: Security solutions should be flexible and accommodate a changing cyber environment.
Revelation #5: Knowing (Your Outcomes) is Half the Battle
Managing a security operations function is hard work, and frustration often starts with the lack of outcome definition. People often outsource their security operations because they’re hard to understand, measure, and ultimately improve. All of this makes it hard to justify security decisions, which in turn makes it hard to sleep at night.
The road to improvement starts with knowing your desired outcomes, the checkpoints along your path to improvement. If you don’t know how to set your own reasonable outcomes, an experienced cybersecurity provider with broader and deeper experience can help to provide this clarity. The road to security is unending. Setting appropriate and reachable goals is key to both achieving and demonstrating progress.
Conclusion: Aim small, miss small.
A Caution: The Automation Panacea
The cybersecurity industry has been taught that security orchestration, automation, and response (SOAR) is a solution to alert fatigue and a way to extend the capabilities of a cyber security analyst. In 2023, W.L.W. Borowiecki is still right: “If you automate a process [data] that has errors, all you’ve done is automate the generation of those errors.” The problem with SOAR, and the reason we struggle with it, is that cybersecurity has been using it as a crutch to compensate for inefficient or broken processes. Before you apply automation, ask yourself: what are you automating, and why? If you build better alerts or better processes, do you still need automation? Automation with data fidelity, applied in harmony with coordination, can work. This requires that security operation hygiene be enforced, data fidelity enacted, processes optimized, and outcomes defined.
Conclusion and nota bene: Automation applied to efficient operations magnifies the efficiency, but automation applied to inefficient operations only magnifies that inefficiency.
Back to the question – are you an inclusionist or deletionist? Maybe an evolutionist is most fitting.
The cybersecurity industry is, and will remain, constantly changing. Including vast amounts of new data, or deleting swaths to create more focus, is not the right answer. Instead, the best path is somewhere in between. It starts with including the things that are important and deleting the things that are a distraction, and finding this balance takes experience: experience using security tooling, experience with complementary security capabilities, familiarity with the cybersecurity technology industry, and knowledge of the specific, sometimes simple, outcomes that make cybersecurity easier. Most importantly, it’s knowing how to stay strong when our industry tells you that you need more, you need different, or you need to do what all the other companies are doing.
Looking for help to build an effective security operation? Download this checklist of best practices to define what an effective security operation looks like – whether you're building your own or evaluating a potential partner.
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.