theDocumentId => 1341269 4 Habits of Highly Effective Security Operators

Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/18/2021
10:00 AM
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

4 Habits of Highly Effective Security Operators

These good habits can make all the difference in advancing careers for cybersecurity operators who spend their days putting out fires large and small.

For many of us, a habit is all too often construed as an undesirable behavior that we are trying to disrupt. Smoking cigarettes, biting your fingernails, drinking too many Diet Cokes — these are the types of behaviors that often leap to mind when someone is asked to consider their own personal habits.

Related Content:

As Threat Hunting Matures, Malware Labs Emerge

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: 11 Cybersecurity Vendors to Watch in 2021

However, just as we are subject to habits we might find unhealthy, we can also promote those that engender greater productivity and efficiency. Through repetition, commitment, and a constant drive to learn and improve, we can intentionally stimulate constructive habits that can transform both our personal and professional lives. For cybersecurity operators who spend their days putting out fires large and small, these habits can make all the difference in advancing your career.

To get a better understanding of how we as cybersecurity professionals can cultivate and embed positive habits into our daily work lives, I recently sat down with two industry veterans who have put these habits into practice: SANS instructor Jorge Orchilles, CTO of SCYTHE and co-creator of the C2 Matrix project, and Evgeniy Kharam, VP, Cybersecurity Solution Architecture at Herjavec Group, and from that conversation, have compiled this top four list of good security habits.

Habit #1: Operationalize Existing Frameworks into Your Daily Routine
According to researchers at Duke University, habits account for about 40% of our behaviors on any given day. Though I would argue that number is considerably higher when it comes to the daily life of a cybersecurity professional. Perhaps the most challenging aspect is the simple fact that no day in the security operations center (SOC) is ever the same. 

With so much uncertainty present in our daily schedule, it becomes all the more imperative that we not only leverage existing frameworks and learn from others in the industry who are facing similar challenges but also operationalize these frameworks into our everyday routine. One resource that Jorge urges security operators to embrace is MITRE ATT&CK, the globally  accessible knowledge base of adversary tactics and techniques based on real-world observations.

As Jorge points out, "MITRE provides a common language that we can all understand allows the cyber threat intelligence team to understand how adversaries work, share that information with incident responders and the security operations center."

Credit: Michael Traitov via Adobe Stock
Credit: Michael Traitov via Adobe Stock

Habit #2: Leverage Internal Security Signals First
Anyone who has spent time in the enterprise trenches can relate to the saying, "Swimming in data, drowning in wisdom." And modern security teams are no exception. Organizations have dozens of intelligence sources that feed their security operations center and this surfeit of data all too often leads to an inability to take decisive action.

As Jorge observes, "You have all this data already inside that we need to do a better job of leveraging and internal signals are a natural place to start." Evgeniy also emphasizes the key role that internal data can provide adding that "there's so much information available internally that security teams can use for threat intelligence — for instance, they can use the data from DNS and from their firewalls to better understand what's happening inside the network." 

Habit #3: Cultivate a Proactive Threat Hunting Posture
The top performing cybersecurity teams understand they can't just wait until they are under attack. Rather, they must dedicate a portion of their time to proactively hunting out new and evolving threats before an alert is sounded. 

In terms of developing solid threat hunting capabilities, Evgeniy and Jorge offer some tips based on their own experience. Says Evgeniy, "You need to allocate a set amount of time each day to do threat hunting. The idea of doing this activity on a continuous basis is what really makes it an effective habit."

Jorge meanwhile suggests turning to books, such as the free Threat Hunter playbook developed by Roberto Rodriguez as a way to codify this practice into a daily habit. What are the top things most likely to attack you? See if you can create a playbook for that and go hunting. If you're a SOC analyst, work with your manager and see if you can get at least an hour a day to do this, Jorge suggests.

Habit #4: Make Threat Intelligence Actionable
As we all know, there's no shortage of threat intelligence to work with in the modern SOC. The real challenge for cybersecurity operators is learning how to prioritize the intelligence that matters most and making it actionable. Enabling this into a habit requires a combination of machine automation and human supervision.

To facilitate this habit, Evgeniy underscores the importance of automation. "Humans are simply not capable of looking at so many different locations. We need tools to help automate and aggregate the information so we can correlate it across different areas and sources."

Of course, what works for one individual or team might not work for you. The unifying theme is that by investing the time upfront to objectively deconstruct how you spend your time, you can cultivate smarter and more beneficial habits that will help you become both a more effective and valued member of your security team.

Ricardo Villadiego is the founder and CEO of Lumu, a cybersecurity company focused on helping organizations measure compromise in real-time. Prior to LUMU, Ricardo founded Easy Solutions, a leading provider of fraud prevention solutions that was acquired by Cyxtera in 2017 as ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32794
PUBLISHED: 2021-07-26
ArchiSteamFarm is a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Due to a bug in ASF code `POST /Api/ASF` ASF API endpoint responsible for updating global ASF config incorrectly removed `IPCPassword` from the resulting config when the caller did no...
CVE-2021-36563
PUBLISHED: 2021-07-26
The CheckMK management web console (versions 1.5.0 to 2.0.0) does not sanitise user input in various parameters of the WATO module. This allows an attacker to open a backdoor on the device with HTML content and interpreted by the browser (such as JavaScript or other client-side scripts), the XSS pay...
CVE-2021-37392
PUBLISHED: 2021-07-26
In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on page. When the API functions are enabled, the attacker can use API to update user nickname with XSS payload and achieve stored XSS. Users who view the articles published by the injected use...
CVE-2021-37393
PUBLISHED: 2021-07-26
In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on page. Attacker can use "update password" function to inject XSS payloads into nickname variable, and achieve stored XSS. Users who view the articles published by the injected user...
CVE-2021-37394
PUBLISHED: 2021-07-26
In RPCMS v1.8 and below, attackers can interact with API and change variable "role" to "admin" to achieve admin user registration.