It's telling how a devastating information security failure can bring about a sudden change in priorities. Nobody was surprised that in the aftermath of Target's compromise, the retailer created a CISO role with a budgeted security operations team. Similarly, after the Sony Pictures hack, the entertainment company opened requisitions for key IT security positions.
But adding headcount alone is not sufficient (nor scalable) as an à la carte information security investment due to the effect of specialization. We live in an age of increasingly specialized niches, which in turn has created a highly segmented security environment, making the generalist—the person who used to be part of every aspect of security—a thing of the past.
Today, for example, a mid-size enterprise with a decent security posture would likely have dedicated resources for auditing, scanning, patching, documentation, vulnerability analysis, etc. These create silos, silos create bureaucracy, and bureaucracy begets gaps that tend to thwart effective communication within the security department.
Revisiting the Target scenario, as the attackers uploaded exfiltration malware to move stolen credit card numbers, one or more of Target’s security tools spotted them, and generated alerts. However, those alerts were but a few of the hundreds of alerts generated by various security tools. The company’s Bangalore security team first had to sort through all the other alerts to validate this particular event, and then ostensibly, once validated as worthy of triage, the Bangalore SOC team flagged the security team in Minneapolis, who most likely were fighting other, more palatable problems.
After all, there’s no telling which alert is truly the “big one.” And for a “generalist” SOC team who cut their teeth protecting servers and laptops, POS malware might be the sort of thing that ends up looking benign until it’s too late (or worse, it could fall into the SEP field – somebody else’s problem). So the attack persisted and the rest is history.
If the lack of an integrated (albeit specialized) security team is one problem, another piece of the puzzle is signal-to-noise ratio. SIEMs were supposed to be the saving grace of SOC teams, corralling and correlating data from distributed data sources and extending IT purview to the entirety of an enterprise’s infrastructure.
I’m not the first to posit that security has become a big data problem; real-time security monitoring has always been a challenge, given that the number of alerts generated grows exponentially as a company’s IT footprint grows. The sheer quantity of these alerts leads to many false positives, which are mostly ignored or simply “clicked away” as humans cannot cope with the volume.
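The correlation job a SIEM is supposed to do, and the reason volume alone drowns the one alert that matters, is easier to see in code than in prose. The following is an added example, not code from the original post or from any vendor's SIEM: a toy correlation engine that groups alerts from several sources by host within a time window, scores the resulting incidents, and surfaces only those above a triage threshold. The alerts, source names, signatures and weights are constructed for illustration. Three individually low-severity alerts on one host from three different tools outrank a lone high-volume detection elsewhere.

```python
"""Toy alert correlation: group alerts by host within a time window, then score.

Added example with constructed data; not the original post's code or any
real SIEM's logic. Severity scale, window and source bonus are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Alert(NamedTuple):
    ts: str         # ISO-8601 timestamp
    source: str     # tool that raised the alert (av, ids, edr, ...)
    host: str       # affected asset
    signature: str  # detection name
    severity: int   # 1 (low) .. 5 (critical), per-tool severity before correlation


# Constructed sample telemetry (hypothetical hosts and signatures, not real data).
SAMPLE_ALERTS: List[Alert] = [
    Alert("2024-01-01T10:00:00", "av",  "pos-017",   "heuristic.generic",     1),
    Alert("2024-01-01T10:02:00", "ids", "pos-017",   "ftp.outbound.large",    2),
    Alert("2024-01-01T10:03:00", "edr", "pos-017",   "new.service.installed", 2),
    Alert("2024-01-01T10:00:30", "av",  "laptop-42", "heuristic.generic",     1),
    Alert("2024-01-01T11:30:00", "ids", "laptop-42", "ftp.outbound.large",    2),  # 90 min later: separate incident
    Alert("2024-01-01T10:05:00", "av",  "srv-db-01", "heuristic.generic",     1),
]

WINDOW = timedelta(minutes=15)  # max gap between consecutive alerts in one incident (assumed)
SOURCE_BONUS = 2                # extra score per additional independent tool agreeing (assumed)


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def build_incident(host: str, alerts: List[Alert]) -> Dict:
    """Score one incident: sum of severities plus a bonus for corroborating sources."""
    sources = {a.source for a in alerts}
    score = sum(a.severity for a in alerts) + SOURCE_BONUS * (len(sources) - 1)
    return {
        "host": host,
        "alerts": len(alerts),
        "sources": sorted(sources),
        "signatures": [a.signature for a in alerts],
        "score": score,
    }


def correlate(alerts: List[Alert], window: timedelta = WINDOW) -> List[Dict]:
    """Group alerts per host into time-windowed incidents, highest score first."""
    by_host: Dict[str, List[Alert]] = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)

    incidents: List[Dict] = []
    for host, host_alerts in by_host.items():
        host_alerts.sort(key=lambda a: _parse(a.ts))
        current: List[Alert] = []
        for a in host_alerts:
            # Start a new incident when the gap to the previous alert exceeds the window.
            if current and _parse(a.ts) - _parse(current[-1].ts) > window:
                incidents.append(build_incident(host, current))
                current = []
            current.append(a)
        if current:
            incidents.append(build_incident(host, current))

    incidents.sort(key=lambda i: i["score"], reverse=True)
    return incidents


def triage_queue(alerts: List[Alert], threshold: int = 4) -> List[Dict]:
    """Only incidents at or above the threshold reach an analyst; the rest is noise."""
    return [i for i in correlate(alerts) if i["score"] >= threshold]


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(f"{inc['host']:10} score={inc['score']:2} sources={inc['sources']} {inc['signatures']}")
    print("triage queue:", [i["host"] for i in triage_queue(SAMPLE_ALERTS)])
```

With the constructed data, six raw alerts collapse into four incidents and only one reaches the queue: the POS host where antivirus, IDS and EDR each raised something unremarkable on its own. The single-tool alerts on the laptop and database server score below the threshold. The design point is that corroboration across independent sources, not per-tool severity, is what separates signal from noise; a real deployment would tune the window and weights against its own false-positive history.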
As compute environments become more distributed, application environments become networked, and system and analytics environments become shared over the cloud, security, access control, compression, encryption and compliance introduce big data challenges that cannot be solved with higher headcounts and better automation.
Do you agree that the current security operations model has outlived its usefulness? Let’s chat in the comments about how to replace it.