Over the last few blog entries, I outlined some of the dimensions that security operations need to think about during 2013 and beyond. In some respects, this is the tip of the iceberg – there is only so much you can cover in a blog. However, I think there are some important items to put on the radar.
First, Business Context is becoming a big priority for security. Companies can no longer simply chase vulnerabilities and events around the infrastructure. There has to be a layer on top of the monitoring and analysis processes that is cognizant of the business impact. This is not just about prioritizing events but about understanding what it means for the business when specific systems are involved. Escalation of a security incident can be triggered by the nature of the events, the magnitude of the threat, or the data or business process impacted. The only way to truly add this dimension to the “tuning” of security monitoring is through Business Context.
Second, we need to continue to recognize that security incident handling must evolve in parallel with the threat landscape. Quarantining a virus-infected system is one thing; responding to an international data breach with significant regulatory and potentially catastrophic business implications is a totally different animal. Companies can begin by streamlining the security event-to-investigation transition to bolster the foundation. Folding in Breach and Crisis Management takes the process to the next level.
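To make the two points above concrete (business-context tuning of monitoring, and escalation from event to investigation to breach response), here is a small triage routine. It is an added example, not code from the original post: the asset inventory, the alerts, the field names and the scoring thresholds are all constructed for illustration. The alerts carry only the technical severity a monitoring tool would emit; the asset records supply the owner, business process, data classification and regulatory status, and the escalation tier is decided from the nature of the event, its magnitude and the data impacted.

```python
"""Add business context to raw security alerts before deciding escalation.

Added example, not code from the original post. Asset and alert records
are constructed sample data; field names and thresholds are assumptions.
"""

# Constructed asset inventory: the business facts monitoring tools lack.
# criticality: 1 (nice to have) .. 5 (revenue/regulatory critical)
ASSETS = {
    "web-01":     {"owner": "Marketing", "process": "public website",
                   "criticality": 2, "data_class": "public", "regulated": False},
    "db-pay-01":  {"owner": "Finance",   "process": "card payments",
                   "criticality": 5, "data_class": "PCI",    "regulated": True},
    "hr-file-01": {"owner": "HR",        "process": "employee records",
                   "criticality": 4, "data_class": "PII",    "regulated": True},
}

# Used when an alert names a host the inventory does not know about.
UNKNOWN_ASSET = {"owner": "unassigned", "process": "unknown",
                 "criticality": 3, "data_class": "unknown", "regulated": False}

# Constructed alerts as a monitoring tool would emit them: technical
# severity (1..3) and event count, but nothing about business impact.
ALERTS = [
    {"id": 1, "asset": "web-01",     "rule": "malware quarantined",           "severity": 3, "count": 1},
    {"id": 2, "asset": "db-pay-01",  "rule": "outbound transfer, unknown host", "severity": 3, "count": 40},
    {"id": 3, "asset": "hr-file-01", "rule": "failed logins",                 "severity": 1, "count": 500},
    {"id": 4, "asset": "unknown-99", "rule": "port scan",                     "severity": 2, "count": 1},
]


def magnitude(count):
    """Map the event count to a magnitude factor: single, burst, sustained."""
    if count < 10:
        return 1
    if count < 100:
        return 2
    return 3


def score(alert, ctx):
    """Business priority = technical severity x asset criticality x magnitude."""
    return alert["severity"] * ctx["criticality"] * magnitude(alert["count"])


def escalation(alert, ctx, known):
    """Pick the handling tier from threat nature, magnitude and data impacted."""
    s = score(alert, ctx)
    if ctx["regulated"] and s >= 20:
        return "breach_response"   # regulated data at real risk: crisis process
    if s >= 10 or not known:
        return "investigate"       # worth an analyst; an unknown asset is itself a gap
    return "monitor"               # leave to routine handling


def triage(alerts, assets):
    """Enrich each alert with business context; return them highest priority first."""
    out = []
    for alert in alerts:
        known = alert["asset"] in assets
        ctx = assets.get(alert["asset"], UNKNOWN_ASSET)
        out.append({
            **alert,
            "owner": ctx["owner"],
            "process": ctx["process"],
            "data_class": ctx["data_class"],
            "score": score(alert, ctx),
            "escalation": escalation(alert, ctx, known),
        })
    # sorted() is stable, so alerts with equal scores keep their original order
    return sorted(out, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for a in triage(ALERTS, ASSETS):
        print(f'{a["score"]:>3} {a["escalation"]:<16} {a["asset"]:<11} '
              f'{a["process"]:<17} {a["data_class"]:<7} -> {a["owner"]}: {a["rule"]}')
```

Run on the sample data, the ordering changes from what severity alone would give: the two severity-3 alerts are no longer tied, the payment database exfiltration pattern goes straight to the breach process with Finance as the contact, the low-severity but sustained login failures against the HR file server are pulled up to an investigation, and the alert on a host missing from the inventory is not quietly dropped to "monitor" because the missing context is itself something to chase.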
Finally, there are many related processes that should be evaluated regularly to minimize attack vectors. Processes that educate or involve the company's end users are key points of defense. There is only so much that technology will do; the ‘flesh and blood’ of the company must be engaged. One way to improve this within your company is to run some type of threat assessment or brainstorming session on a regular basis to highlight possible attack vectors. Key business contacts can prove to be valuable assets when thinking outside the box about possible internal and external threat scenarios.
The need for a next generation security operations mindset is evident across the industry. Technologies will continue to improve, but we need to keep the pressure up on how we view security processes. The attackers are constantly evaluating their methods and improvising new techniques. The defenders must think in those same fluid terms. I started this blog series using the analogy of the appearance of the catapult and trebuchet on the horizon outside a castle. In some respects, this analogy holds water, but in reality the threats we need to prepare against are not obvious hulking pieces of machinery being dragged across the battlefield but electrons and shadowy figures that we only catch in fleeting glances. The next generation of security operations will need to dispel the shadows. In the end, it isn’t just arming our lookouts with telescopes; we need to give them searchlights as well.
To follow my entire blog series on this topic, check out: