
6/18/2021 10:00 AM
4 Habits of Highly Effective Security Operators

These good habits can make all the difference in advancing careers for cybersecurity operators who spend their days putting out fires large and small.

For many of us, a habit is all too often construed as an undesirable behavior that we are trying to disrupt. Smoking cigarettes, biting your fingernails, drinking too many Diet Cokes — these are the types of behaviors that often leap to mind when someone is asked to consider their own personal habits.


However, just as we are subject to habits we might find unhealthy, we can also promote those that engender greater productivity and efficiency. Through repetition, commitment, and a constant drive to learn and improve, we can intentionally stimulate constructive habits that can transform both our personal and professional lives. For cybersecurity operators who spend their days putting out fires large and small, these habits can make all the difference in advancing your career.

To get a better understanding of how we as cybersecurity professionals can cultivate and embed positive habits into our daily work lives, I recently sat down with two industry veterans who have put these habits into practice: SANS instructor Jorge Orchilles, CTO of SCYTHE and co-creator of the C2 Matrix project, and Evgeniy Kharam, VP, Cybersecurity Solution Architecture at Herjavec Group, and from that conversation, have compiled this top four list of good security habits.

Habit #1: Operationalize Existing Frameworks into Your Daily Routine
According to researchers at Duke University, habits account for about 40% of our behaviors on any given day. I would argue that number is considerably higher when it comes to the daily life of a cybersecurity professional. Perhaps the most challenging aspect is the simple fact that no day in the security operations center (SOC) is ever the same.

With so much uncertainty present in our daily schedule, it becomes all the more imperative that we not only leverage existing frameworks and learn from others in the industry who are facing similar challenges, but also operationalize these frameworks into our everyday routine. One resource that Jorge urges security operators to embrace is MITRE ATT&CK, the globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

As Jorge points out, "MITRE provides a common language that we can all understand. It allows the cyber threat intelligence team to understand how adversaries work and share that information with incident responders and the security operations center."

Image credit: Michael Traitov via Adobe Stock

Habit #2: Leverage Internal Security Signals First
Anyone who has spent time in the enterprise trenches can relate to the saying, "Swimming in data, drowning in wisdom." Modern security teams are no exception. Organizations have dozens of intelligence sources that feed their security operations center, and this surfeit of data all too often leads to an inability to take decisive action.

As Jorge observes, "You have all this data already inside that we need to do a better job of leveraging, and internal signals are a natural place to start." Evgeniy also emphasizes the key role that internal data can play, adding that "there's so much information available internally that security teams can use for threat intelligence — for instance, they can use the data from DNS and from their firewalls to better understand what's happening inside the network."

Habit #3: Cultivate a Proactive Threat Hunting Posture
The top-performing cybersecurity teams understand they can't just wait until they are under attack. Rather, they must dedicate a portion of their time to proactively hunting for new and evolving threats before an alert is sounded.

In terms of developing solid threat hunting capabilities, Evgeniy and Jorge offer some tips based on their own experience. Says Evgeniy, "You need to allocate a set amount of time each day to do threat hunting. The idea of doing this activity on a continuous basis is what really makes it an effective habit."

Jorge, meanwhile, suggests turning to resources such as the free Threat Hunter Playbook developed by Roberto Rodriguez as a way to codify this practice into a daily habit. What are the top things most likely to attack you? See if you can create a playbook for that and go hunting. If you're a SOC analyst, work with your manager and see if you can get at least an hour a day to do this, Jorge suggests.

Habit #4: Make Threat Intelligence Actionable
As we all know, there's no shortage of threat intelligence to work with in the modern SOC. The real challenge for cybersecurity operators is learning how to prioritize the intelligence that matters most and make it actionable. Turning this into a habit requires a combination of machine automation and human supervision.

To facilitate this habit, Evgeniy underscores the importance of automation. "Humans are simply not capable of looking at so many different locations. We need tools to help automate and aggregate the information so we can correlate it across different areas and sources."
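As an added illustration of Habits #2 and #4 (this is example code written for this page, not code from the article, from SCYTHE, Herjavec Group or Lumu), the script below does the kind of internal-signal correlation Evgeniy describes: it joins DNS resolver records with firewall deny records by internal host, so that a host which looked up a domain and was then repeatedly blocked from reaching the answered address surfaces as one aggregated, prioritized finding instead of a pile of separate log lines. The log formats, hosts, domains and addresses are constructed assumptions (RFC 5737 test ranges and the `.test` TLD); the ATT&CK tag attached to each finding (T1071.004, Application Layer Protocol: DNS) is the example's own mapping, included to show how Habit #1's common language can be carried into daily output.

```python
"""Correlate two internal signals (DNS resolver log + firewall log) into
prioritized findings. Example code for this page; formats are assumptions."""
from datetime import datetime, timedelta

# Constructed sample logs (not from any real environment).
# DNS format: <utc-ts> <client-ip> query <rrtype> <qname> <answer-ip>
DNS_LOG = """\
2021-06-18T09:00:01Z 10.0.1.15 query A updates.example-vendor.test 203.0.113.10
2021-06-18T09:00:05Z 10.0.1.22 query A cdn.example.test 198.51.100.7
2021-06-18T09:01:10Z 10.0.1.15 query A a9f3c1e2b7d4.dyn-host.test 192.0.2.44
2021-06-18T09:01:12Z 10.0.1.15 query A a9f3c1e2b7d4.dyn-host.test 192.0.2.44
2021-06-18T09:02:30Z 10.0.1.40 query A mail.example.test 198.51.100.25
"""

# Firewall format: <utc-ts> <ALLOW|DENY> <src-ip> <dst-ip> <dst-port>
FW_LOG = """\
2021-06-18T09:00:02Z ALLOW 10.0.1.15 203.0.113.10 443
2021-06-18T09:01:11Z DENY 10.0.1.15 192.0.2.44 8443
2021-06-18T09:01:13Z DENY 10.0.1.15 192.0.2.44 8443
2021-06-18T09:01:14Z DENY 10.0.1.15 192.0.2.44 8443
2021-06-18T09:02:31Z ALLOW 10.0.1.40 198.51.100.25 443
"""

# ATT&CK technique used as the finding's label (example's own mapping).
ATTACK_TECHNIQUE = "T1071.004"


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_dns(text):
    """Parse resolver lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, _, _, qname, answer = parts
        events.append({"ts": parse_ts(ts), "client": client,
                       "qname": qname, "answer": answer})
    return events


def parse_firewall(text):
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, action, src, dst, port = parts
        events.append({"ts": parse_ts(ts), "action": action,
                       "src": src, "dst": dst, "port": int(port)})
    return events


def correlate(dns_events, fw_events, window=timedelta(seconds=60)):
    """For each firewall DENY, find the DNS answer the same host received for
    the blocked destination within `window` before the deny, and aggregate the
    denies per (host, domain). Returns findings sorted by deny count, highest first."""
    findings = {}
    for fw in fw_events:
        if fw["action"] != "DENY":
            continue
        matches = [d for d in dns_events
                   if d["client"] == fw["src"] and d["answer"] == fw["dst"]
                   and timedelta(0) <= fw["ts"] - d["ts"] <= window]
        if not matches:
            continue  # deny with no preceding lookup: not this finding type
        lookup = max(matches, key=lambda m: m["ts"])  # most recent lookup before the deny
        key = (fw["src"], lookup["qname"])
        finding = findings.setdefault(key, {
            "host": fw["src"], "domain": lookup["qname"], "dst": fw["dst"],
            "ports": set(), "denies": 0, "technique": ATTACK_TECHNIQUE})
        finding["ports"].add(fw["port"])
        finding["denies"] += 1
    return sorted(findings.values(), key=lambda f: -f["denies"])


def run():
    """Parse the constructed logs and return the prioritized findings."""
    return correlate(parse_dns(DNS_LOG), parse_firewall(FW_LOG))


if __name__ == "__main__":
    for f in run():
        print(f"[{f['technique']}] {f['host']} resolved {f['domain']} -> {f['dst']}; "
              f"{f['denies']} denied connection(s) on port(s) {sorted(f['ports'])}")
```

In this constructed data only one host is surfaced, and the three separate deny lines collapse into a single finding that names the domain the host looked up just before being blocked, which is the context an analyst needs to decide whether to hunt further. Swapping the two parsers for the format of a real resolver and firewall is the only change needed to run the same correlation over production data.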

Of course, what works for one individual or team might not work for you. The unifying theme is that by investing the time upfront to objectively deconstruct how you spend your time, you can cultivate smarter and more beneficial habits that will help you become both a more effective and valued member of your security team.

Ricardo Villadiego is the founder and CEO of Lumu, a cybersecurity company focused on helping organizations measure compromise in real time. Prior to Lumu, Ricardo founded Easy Solutions, a leading provider of fraud prevention solutions that was acquired by Cyxtera in 2017 as ...