
Operations

3/13/2015
12:00 PM
Tal Klein
Has Security Ops Outlived Its Purpose?

CISOs will need more than higher headcounts and better automation tools to solve today's security problems.

It's telling how a devastating information security failure can bring about a sudden change in priorities. Nobody was surprised that, in the aftermath of Target's compromise, the retailer created a CISO role with a budgeted security operations team. Similarly, after the Sony Pictures hack, the entertainment company opened requisitions for key IT security positions.

But adding headcount alone is neither sufficient nor scalable as an à la carte information security investment, because of the effect of specialization. We live in an age of increasingly specialized niches, which in turn has created a highly segmented security environment, making the generalist, the person who used to be part of every aspect of security, a thing of the past.

Today, for example, a mid-size enterprise with a decent security posture would likely have dedicated resources for auditing, scanning, patching, documentation, vulnerability analysis, and so on. These create silos, silos create bureaucracy, and bureaucracy begets gaps, which tend to thwart effective communication within the security department.

Revisiting the Target scenario: as the attackers uploaded exfiltration malware to move stolen credit card numbers, one or more of Target's security tools spotted them and generated alerts. However, those alerts were only a few of the hundreds generated by various security tools. The company's Bangalore security team first had to sort through all the other alerts to validate this particular event, and then, ostensibly, once it was validated as worthy of triage, the Bangalore SOC team flagged the security team in Minneapolis, who most likely were fighting other, more familiar problems.

After all, there's no telling which alert is truly the "big one." And for a "generalist" SOC team that cut its teeth protecting servers and laptops, POS malware might be the sort of thing that looks benign until it's too late (or worse, it could fall into the SEP field: somebody else's problem). So the attack persisted, and the rest is history.

If the lack of an integrated (albeit specialized) security team is one problem, another piece of the puzzle is signal-to-noise ratio. SIEMs were supposed to be the saving grace of SOC teams, corralling and correlating data from distributed data sources and extending IT purview to the entirety of an enterprise’s infrastructure.

I'm not the first to posit that security has become a big data problem. Real-time security monitoring has always been a challenge, because the number of alerts grows far faster than the headcount available to read them as a company's IT footprint grows. The sheer quantity of alerts buries the true positives among many false ones, and the whole stream ends up mostly ignored or simply "clicked away" because humans cannot cope with the volume.
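The correlation that a SIEM is supposed to perform, as an added example that is not from the article or from any product it names: the alerts, hosts, tool names, 30-minute window and scoring weights below are all constructed assumptions for illustration. It goes one step beyond the paragraph by showing the two mechanics that actually change the signal-to-noise ratio: suppressing repeats of the same signature on the same host, and then scoring an incident higher when several independent tools fire on one host in a short window, so that three medium alerts on a single POS terminal outrank three hundred low-severity antivirus hits on laptops.

```python
"""Correlate raw alerts from several tools into ranked incidents.

Added example; the alerts below are constructed, not from any real
SIEM, and the window and scoring weights are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SEVERITY = {"low": 1, "medium": 2, "high": 3}
WINDOW = timedelta(minutes=30)  # assumed correlation window


@dataclass
class Alert:
    ts: datetime
    host: str
    source: str      # which tool raised it (av, ids, proxy, edr)
    signature: str
    severity: str


@dataclass
class Incident:
    host: str
    first: datetime
    last: datetime
    alerts: list = field(default_factory=list)

    @property
    def sources(self):
        return sorted({a.source for a in self.alerts})

    def score(self):
        # Assumed scoring: the strongest single alert, plus a bonus for every
        # additional independent tool that fired on the same host in the window.
        best = max(SEVERITY[a.severity] for a in self.alerts)
        return best + 2 * (len(self.sources) - 1)


def dedupe(alerts):
    """Keep one alert per (host, source, signature) while it keeps firing
    within WINDOW; a signature that goes quiet for longer re-alerts."""
    kept, last_seen = [], {}
    for a in sorted(alerts, key=lambda a: a.ts):
        key = (a.host, a.source, a.signature)
        prev = last_seen.get(key)
        if prev is None or a.ts - prev > WINDOW:
            kept.append(a)
        last_seen[key] = a.ts
    return kept


def correlate(alerts):
    """Group deduplicated alerts per host into incidents separated by WINDOW,
    highest score first."""
    by_host = defaultdict(list)
    for a in dedupe(alerts):           # already sorted by timestamp
        by_host[a.host].append(a)
    incidents = []
    for host, items in by_host.items():
        current = None
        for a in items:
            if current is None or a.ts - current.last > WINDOW:
                current = Incident(host, a.ts, a.ts)
                incidents.append(current)
            current.alerts.append(a)
            current.last = a.ts
    return sorted(incidents, key=lambda i: i.score(), reverse=True)


def sample_alerts():
    """Constructed day of alerts: lots of AV noise, one multi-tool event."""
    t0 = datetime(2013, 11, 30, 8, 0)
    alerts = []
    # 300 low-severity AV hits, the same signature cycling over 30 laptops
    for i in range(300):
        alerts.append(Alert(t0 + timedelta(minutes=i), f"laptop-{i % 30:02d}",
                            "av", "PUA.Toolbar.Generic", "low"))
    # five one-off medium IDS hits on web servers
    for i in range(5):
        alerts.append(Alert(t0 + timedelta(hours=i), f"web-{i}", "ids",
                            "ET SCAN Nikto", "medium"))
    # the event that matters: three tools fire on one POS host within 20 minutes
    pos = t0 + timedelta(hours=6)
    alerts.append(Alert(pos, "pos-0412", "av", "Malware.Binary", "medium"))
    alerts.append(Alert(pos + timedelta(minutes=5), "pos-0412", "edr",
                        "new service installed", "medium"))
    alerts.append(Alert(pos + timedelta(minutes=18), "pos-0412", "proxy",
                        "outbound FTP to new external host", "medium"))
    return alerts


def triage(alerts, top=3):
    """Return (raw alert count, incident count, top-N (host, sources, score))."""
    incidents = correlate(alerts)
    return (len(alerts), len(incidents),
            [(i.host, i.sources, i.score()) for i in incidents[:top]])


if __name__ == "__main__":
    raw, n, top3 = triage(sample_alerts())
    print(f"{raw} raw alerts -> {n} incidents; top: {top3}")
```

On the constructed input, 308 raw alerts collapse to 36 incidents, and the POS host with three independent sources lands at the top with a score of 6 even though no single alert on it was rated above medium. The scoring weights are the assumption a real deployment has to tune; the point that survives tuning is that breadth across tools is the signal, and per-tool severity alone is not.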

As compute environments become more distributed, application environments become networked, and system and analytics environments become shared over the cloud, the work of security, access control, compression, encryption and compliance turns into a big data problem that cannot be solved with higher headcounts and better automation alone.

Do you agree that the current security operations model has outlived its usefulness? Let’s chat in the comments about how to replace it.

Tal Klein is Vice President of Strategy at Lakeside Software. Previously, he was vice president of marketing and strategy at Adallom, a leading Cloud Access Security Broker. He was also senior director of products at Bromium, where he led product marketing and strategy ...
Comments
Paladium,
User Rank: Moderator
3/17/2015 | 4:27:53 PM
Re: Never complain without a solution!
Let me add this final comment. Fund SecOps properly and it won't fail as falsely implied in the original article. As I stated in my original response, when every single company breached over the past two years doubles its SecOps funding, ask yourself why. The obvious answer is a great big slap upside the head and a resounding "Oh...". Also note how many of those breached companies did not have a real, honest-to-goodness capable SOC. Just more evidence to make my point. Use your Googlefoo to find the answer. It will shock you.
bhanstiu,
User Rank: Strategist
3/17/2015 | 3:34:29 PM
Re: Never complain without a solution!
It's a pipe dream right now :) Maybe someday something like it will become the standard (the 'cloud' is moving in that direction), which will then become the primary target, become more and more vulnerable, until a newer model becomes the standard, lather rinse repeat. Crime is not going away. It has always been part of the human condition, and will remain so as long as we are human.
TalKlein,
User Rank: Author
3/17/2015 | 3:24:25 PM
Re: Never complain without a solution!
FWIW, many of the people who "disagree" with the article are more upset with the fact that I didn't posit a magic bullet that solves for the problem statement. Rather than attempt to solve the problem by "fixing the SOC" I believe we need to solve for the SOC itself - whatever we come up with cannot possibly look like a SOC because a centralized model isn't working. I sympathize with many of the commenters because they may perceive the article as an attack on their livelihood, but my intent was to catalyze some thinking to challenge the increasingly ineffective status quo. 
TalKlein,
User Rank: Author
3/17/2015 | 3:20:13 PM
Re: Not even fully deployed with most organizations
The heading and the article are aligned, though the first may be more bombastic than the latter. Ultimately what I'm saying is that the current SOC approach is provably failing. While another commenter seemed to be upset that I pointed out the problem without offering a solution, I think the first part of solving the problem is admitting that it exists.
Marilyn Cohodas,
User Rank: Strategist
3/17/2015 | 11:03:49 AM
Re: Never complain without a solution!
Is this your vision, @bhanstiu? Or is it something that is actually happening in your company, or elsewhere?
bhanstiu,
User Rank: Strategist
3/17/2015 | 10:59:46 AM
Re: Never complain without a solution!
Thanks for the reply. I do not think the answer is more people and more tools. It is getting a functional team together that is dedicated, secure in their jobs and skillsets, and an organizational understanding that security is not a black hole expense; it is insurance for the future, and although costly today, it will mean profitability (and continued gainful employment) tomorrow.

The current road most businesses are sticking with is a very 1990's model of the network (thousands of endpoints, physically dispersed, with important data stored on each of them), which has proven to be very vulnerable in a great many ways, too many for ANY team to be able to manage. A new network model needs to be implemented, namely getting out of "watch all the things for something out of the ordinary" and instead watching your data, how it moves, and where it's trying to go. If you know where your data lives, in a physically secure location, and the only way anyone gets to see the data is within those physical boundaries (the data center), then all you have to do is watch for data trying to leak out of the data center, rather than watching each and every distributed endpoint for nefarious activity. Virtualization, where no one ever removes data from the datacenter without a process to monitor that activity, much like a change control process, will dramatically change the threat landscape. It won't be so easy to take data, and it won't require so many eyes looking at so many things.
Marilyn Cohodas,
User Rank: Strategist
3/17/2015 | 8:59:52 AM
Re: Never complain without a solution!
Pick two: Inexpensive, Quality, Fast implementation. You can't have all three.

Great point @bhanstiu. Sounds like what you are saying is that the problem is not that security ops has outlived its purpose. Rather, that SecOps doesn't have the attention/resources that it needs to succeed. Here's my question: do you think the solution is more tools and people? Or is there a bigger, more fundamental issue that needs to be addressed?
bhanstiu,
User Rank: Strategist
3/16/2015 | 5:40:47 PM
Re: Never complain without a solution!
This sums up the problem far more accurately than the article. Avoiding the reality that security operations is an expense that most boardrooms ignore until it is too late provides no impetus for the boardrooms to change the profit-driven behavior of ignoring ugly expenses in the name of short-term gains (and lucrative bonuses).

Any organization with a desire to remain profitable and viable into the future would do well to stop blaming "incompetent staff", and start accepting the blame for not doing what it should have done 5 years ago: invest in security teams, properly train staff, and provide funds for the right tools (i.e. quit making your admins force square pegs into round holes to save a dollar).

Pick two: Inexpensive, Quality, Fast implementation. You can't have all three, no matter how much you demand it from your staff, nor how loudly you proclaim your desires. It's what is known as IMPOSSIBLE. So is defending your 10,000 node network with 10 people, no training, and old tools which were never meant to protect the environment.
Andrew Froehlich,
User Rank: Apprentice
3/16/2015 | 4:29:26 PM
Re: The model will need to become distributed
I like the idea of a distributed security model because of the fact that it creates more accountability for each individual security unit. When all of IT security is under a single umbrella, it's easy for the SOC managers to simply shrug their shoulders and say that they were focused on something else security related. With a distributed approach, it breaks out responsibilities into manageable segments and each group will then control accountability for said segment.
Paladium,
User Rank: Moderator
3/16/2015 | 11:09:46 AM
Never complain without a solution!
I really wish these articles actually proposed solutions instead of throwing darts. Never, ever complain without a solution!

If its time has come and gone as your headline suggests, what do you propose to replace SecOps with? Let me guess, some third-party security firm, right? If yes, then this is really about organizations unwilling to properly invest in SecOps and third-party security firms trying to generate more revenue, and nothing to do with the existing SecOps staff or their abilities.

Let me assure you that this is not SecOps' fault by a long shot. We continue to do everything we can to shoulder the security burden despite limited staff, outdated or incomplete security technologies, and ZERO training $$$. As others have said, every single breach over the past two years has resulted in a major reinvestment in cyber security. Why is that? To a degree it is reactionary, but at the end of the day it's because the organizations FAILED TO FUND SecOps properly in the first place. There is NO escaping that brutal fact.

Let me go old school for a moment. Do you have life insurance to protect your family in the unfortunate event that you croak? Do you have enough insurance to take care of them for several years, or maybe for the rest of their lives? Did YOU invest enough? If you were to pass away and don't have enough life insurance, who suffers the consequences? Your family does. So if you care enough about your family, then you will invest properly in that insurance policy. Bottom line!

Now to bring it home. If a company cares enough about its customers, its future, its investors, then maybe it should invest properly in its SECURITY. It's not complicated at all. Old school...

As the saying goes, "You get what you pay for..."