Dark Reading is part of the Informa Tech Division of Informa PLC

6/18/2021
10:00 AM
4 Habits of Highly Effective Security Operators

These good habits can make all the difference in advancing careers for cybersecurity operators who spend their days putting out fires large and small.

For many of us, a habit is all too often construed as an undesirable behavior that we are trying to disrupt. Smoking cigarettes, biting your fingernails, drinking too many Diet Cokes — these are the types of behaviors that often leap to mind when someone is asked to consider their own personal habits.

However, just as we are subject to habits we might find unhealthy, we can also promote those that engender greater productivity and efficiency. Through repetition, commitment, and a constant drive to learn and improve, we can intentionally stimulate constructive habits that can transform both our personal and professional lives. For cybersecurity operators who spend their days putting out fires large and small, these habits can make all the difference in advancing your career.

To get a better understanding of how we as cybersecurity professionals can cultivate and embed positive habits into our daily work lives, I recently sat down with two industry veterans who have put these habits into practice: SANS instructor Jorge Orchilles, CTO of SCYTHE and co-creator of the C2 Matrix project, and Evgeniy Kharam, VP of Cybersecurity Solution Architecture at Herjavec Group. From that conversation I have compiled this list of four good security habits.

Habit #1: Operationalize Existing Frameworks into Your Daily Routine
According to researchers at Duke University, habits account for about 40% of our behaviors on any given day, though I would argue that number is considerably higher when it comes to the daily life of a cybersecurity professional. Perhaps the most challenging aspect is the simple fact that no day in the security operations center (SOC) is ever the same.

With so much uncertainty in our daily schedule, it becomes all the more imperative that we not only leverage existing frameworks and learn from others in the industry who face similar challenges, but also operationalize those frameworks into our everyday routine. One resource Jorge urges security operators to embrace is MITRE ATT&CK, the globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

As Jorge points out, "MITRE provides a common language that we can all understand; it allows the cyber threat intelligence team to understand how adversaries work and share that information with incident responders and the security operations center."

Credit: Michael Traitov via Adobe Stock

Habit #2: Leverage Internal Security Signals First
Anyone who has spent time in the enterprise trenches can relate to the saying, "Swimming in data, drowning in wisdom," and modern security teams are no exception. Organizations have dozens of intelligence sources feeding their security operations center, and this surfeit of data all too often leads to an inability to take decisive action.

As Jorge observes, "You have all this data already inside that we need to do a better job of leveraging, and internal signals are a natural place to start." Evgeniy also emphasizes the key role internal data can play, adding that "there's so much information available internally that security teams can use for threat intelligence — for instance, they can use the data from DNS and from their firewalls to better understand what's happening inside the network."

Habit #3: Cultivate a Proactive Threat Hunting Posture
The top-performing cybersecurity teams understand they can't just wait until they are under attack. Rather, they must dedicate a portion of their time to proactively hunting for new and evolving threats before an alert is sounded.

In terms of developing solid threat hunting capabilities, Evgeniy and Jorge offer some tips based on their own experience. Says Evgeniy, "You need to allocate a set amount of time each day to do threat hunting. The idea of doing this activity on a continuous basis is what really makes it an effective habit."

Jorge meanwhile suggests turning to resources such as the free Threat Hunter Playbook developed by Roberto Rodriguez as a way to codify this practice into a daily habit. What are the top things most likely to attack you? See if you can create a playbook for that and go hunting. If you're a SOC analyst, work with your manager and see if you can get at least an hour a day to do this, Jorge suggests.

Habit #4: Make Threat Intelligence Actionable
As we all know, there's no shortage of threat intelligence to work with in the modern SOC. The real challenge for cybersecurity operators is learning how to prioritize the intelligence that matters most and make it actionable. Turning this into a habit requires a combination of machine automation and human supervision.

To facilitate this habit, Evgeniy underscores the importance of automation. "Humans are simply not capable of looking at so many different locations. We need tools to help automate and aggregate the information so we can correlate it across different areas and sources."
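To make Habits #2 and #4 concrete (and to show the kind of repeatable hunt analytic Habit #3 asks you to run every day), here is an added example written for this page; it is not code from the article, from Lumu, SCYTHE or the Threat Hunter Playbook. It parses constructed DNS-resolver and firewall log lines, derives internal signals from them (DGA-like names, NXDOMAIN bursts, outbound connections with no preceding resolution), merges two overlapping constructed indicator feeds into one table, and correlates the two so each finding carries a score, the feeds that reported it and a MITRE ATT&CK technique ID for the common-language mapping Habit #1 describes. The log formats, hosts, domains, thresholds and feed contents are all assumptions made for the demo; the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges stand in for external addresses.

```python
"""Turn internal DNS and firewall telemetry into prioritized findings.

Added example for this page, not the article's or any vendor's code.
Every log line, host, domain, threshold and feed entry is constructed.
"""
import ipaddress
import math
from collections import Counter, defaultdict

# Constructed resolver log: "<ts> <client> <qname> <rcode> <answer>" ("-" = no answer)
DNS_LOG = """\
1623999600 10.0.0.5 www.example.com NOERROR 93.184.216.34
1623999601 10.0.0.5 updates.vendor.example NOERROR 198.51.100.10
1623999602 10.0.0.7 kq3x9zv2lw8d.biz NXDOMAIN -
1623999603 10.0.0.7 p8mz4r1tq7vb.biz NXDOMAIN -
1623999604 10.0.0.7 zt5w2hq9d3xk.biz NOERROR 203.0.113.77
1623999605 10.0.0.9 mail.example.com NOERROR 93.184.216.40
1623999606 10.0.0.9 bad-actor.example NOERROR 203.0.113.99
"""
# Constructed firewall log: "<ts> <src> <dst> <dport> <action>"
FW_LOG = """\
1623999600 10.0.0.5 93.184.216.34 443 allow
1623999605 10.0.0.7 203.0.113.77 443 allow
1623999607 10.0.0.9 203.0.113.99 8443 allow
1623999610 10.0.0.11 203.0.113.5 443 allow
1623999611 10.0.0.11 10.0.0.1 53 allow
"""
# Two constructed, overlapping feeds: (indicator, confidence 0-100, ATT&CK technique)
FEEDS = {
    "feed-a": [("bad-actor.example", 60, "T1071.001"), ("203.0.113.5", 40, "T1071.001")],
    "feed-b": [("bad-actor.example", 90, "T1071.001")],
}
DNS_FIELDS = ("ts", "client", "qname", "rcode", "answer")
FW_FIELDS = ("ts", "src", "dst", "dport", "action")
# Assumed internal address space; anything else is treated as "outside".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_log(text, fields):
    """Split whitespace-delimited lines into dicts (real pipelines parse the native format)."""
    return [dict(zip(fields, line.split())) for line in text.splitlines() if line.strip()]


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def aggregate_feeds(feeds):
    """Habit #4: merge feeds into one table, keeping the highest confidence per
    indicator and remembering every source that reported it."""
    merged = {}
    for source, entries in feeds.items():
        for indicator, confidence, technique in entries:
            entry = merged.setdefault(indicator, {"confidence": 0, "technique": technique, "sources": set()})
            entry["confidence"] = max(entry["confidence"], confidence)
            entry["sources"].add(source)
    return merged


def shannon_entropy(s):
    counts, n = Counter(s), len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(qname):
    """DGA heuristic: long second-level label, high entropy, few vowels.
    Thresholds are demo values; baseline them against your own resolver data."""
    labels = qname.split(".")
    label = labels[-2] if len(labels) >= 2 else qname
    if len(label) < 10:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) > 3.3 and vowel_ratio < 0.25


def hunt(dns_records, fw_records, iocs):
    """Habit #2: derive signals from internal logs, then correlate with the feed table."""
    findings = []

    def add(host, indicator, reason, score, technique=None, sources=()):
        findings.append({"host": host, "indicator": indicator, "reason": reason,
                         "score": score, "technique": technique, "sources": sorted(sources)})

    resolved_by = defaultdict(set)  # client -> IPs it actually received in answers
    nxdomain = Counter()
    for r in dns_records:
        if r["answer"] != "-":
            resolved_by[r["client"]].add(r["answer"])
        if r["rcode"] == "NXDOMAIN":
            nxdomain[r["client"]] += 1
        if r["qname"] in iocs:
            ioc = iocs[r["qname"]]
            add(r["client"], r["qname"], "DNS query for feed indicator",
                ioc["confidence"], ioc["technique"], ioc["sources"])
        elif looks_generated(r["qname"]):
            add(r["client"], r["qname"], "DGA-like domain", 50, "T1568.002")
    for client, n in nxdomain.items():
        if n >= 2:  # demo threshold: hosts sweeping generated names until one resolves
            add(client, f"{n} NXDOMAIN", "NXDOMAIN burst (DGA sweep)", 40, "T1568.002")
    for r in fw_records:
        if r["action"] != "allow" or is_internal(r["dst"]):
            continue
        if r["dst"] in iocs:
            ioc = iocs[r["dst"]]
            add(r["src"], r["dst"], "outbound connection to feed indicator",
                ioc["confidence"], ioc["technique"], ioc["sources"])
        if r["dst"] not in resolved_by[r["src"]]:
            add(r["src"], r["dst"], "outbound connection with no preceding DNS answer", 30)
    return sorted(findings, key=lambda f: (-f["score"], f["host"], f["indicator"]))


def run_demo():
    return hunt(parse_log(DNS_LOG, DNS_FIELDS), parse_log(FW_LOG, FW_FIELDS), aggregate_feeds(FEEDS))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['score']:>3} {f['host']:<10} {f['indicator']:<22} {f['reason']} "
              f"{f['technique'] or ''} {','.join(f['sources'])}")
```

The ordering is the point: the host that queried a domain two feeds agree on sorts above the host chasing DGA-like names, which sorts above a lone direct-to-IP connection, so an analyst with an hour a day starts at the top. Swapping the constructed strings for a resolver export and a firewall export, and the FEEDS dict for your real feeds, is the "operationalize" step; the thresholds in looks_generated and the NXDOMAIN count are the knobs you tune against your own baseline rather than values to trust as-is.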

Of course, what works for one individual or team might not work for you. The unifying theme is that by investing the time upfront to objectively deconstruct how you spend your time, you can cultivate smarter and more beneficial habits that will help you become both a more effective and valued member of your security team.

Ricardo Villadiego is the founder and CEO of Lumu, a cybersecurity company focused on helping organizations measure compromise in real time. Prior to Lumu, Ricardo founded Easy Solutions, a leading provider of fraud prevention solutions that was acquired by Cyxtera in 2017 as ...