Some time ago, I met with an organization that was interested in speaking with me because of my experience in the security operations realm. After a few minutes, it became apparent that the organization had many of the same challenges I often see in organizations that have immature security operations functions. These challenges include, but are not limited to, incomplete logging, lack of visibility into network traffic and endpoints, no communicated leadership vision, no formal process, no unified work queue of events, incomplete staffing, inadequate training, and other challenges. That didn’t surprise me in the least, as these are common challenges. What did surprise me was the direction in which the organization wanted to take the conversation.
The organization began asking me about machine learning and other sophisticated data mining techniques, insisting that “we already have data, but we need to know what to do with that data”. Long term, yes, absolutely — “digging” (through a variety of techniques, whether manual or automated) is an important part of a mature security operations function. But lacking a mature security operations function, does it make sense to jump ahead to machine learning without first visiting the foundational components of security operations? I don’t think so, and I’ll explain why.
I’ve noticed over the course of my career that people sometimes want to boil the ocean. In other words, rather than proceed step by step through the process of building and maturing a security operations function, they want to move immediately into very advanced topics. This is more than just impractical and nearly impossible — in my experience, it prevents the step by step progression that ultimately leads to a mature security operations function.
In my experience, there is a hierarchy of needs — almost like Maslow’s hierarchy of needs, but for security operations. That hierarchy looks something like this:
Awareness: The first step to a mature security operations function is understanding that you need one.
Vision: Leadership vision and the communication of that vision are an essential foundation for a successful security operations function.
Process: A formal incident response process from the strategic level down to the tactical level is critical. This instructs and informs the security team, and serves to show executives, partners, customers, and other stakeholders that the organization takes a formal approach to security.
Instrumentation: Proper network and endpoint instrumentation provides us the data we need to understand what’s going on within our organization.
Content: Content development (the process by which a reliable, high fidelity work queue is created) allows us to leverage our network and endpoint data to produce reliable, high fidelity, actionable alerting.
Unified Work Queue: Sending our actionable alerts to a unified work queue allows us to focus our security operations resources and provide an orderly workflow in an often chaotic environment.
Staffing: Talented people are needed alongside process and technology to make a successful security operations program.
Training: The team needs to be trained not only on the technology, but also the process, as well as the strategic vision and philosophy of the organization.
Operations: Smooth operations require adequate staffing, good communication, proper shift handover, and a large amount of coordination.
Intelligence: The knowledge of 100 organization will always be greater than the knowledge of just one. As such, integrating actionable intelligence is an important need that arises when the organization has almost reached maturity.
Information Sharing: Organizations with mature security operations functions will often share intelligence, techniques, and process with one another. Achieving this level is a tremendous accomplishment and usually comes after a significant amount of time has been invested in maturing the security operations function.
This hierarchy is very high level and really only scratches the surface of course, but you can see that a mature security operations function doesn’t build itself. If an organization works its way up the hierarchy of needs, I would argue that at that point, the incorporation of sophisticated data mining techniques would be warranted as a next step in maturity. Before that point though, I’m not sure it is productive to discuss or pursue that angle. Data mining will produce results that need to be investigated further, which requires a strong foundation and a complete hierarchy of needs. Before the security operations function is mature, it’s not clear to me that the organization would know how to make sense of the output from data mining techniques. Put another way, investing resources in data mining before the security operations function is mature puts the organization at great risk. Why? Because there are many risks and priorities that take precedent and require more immediate attention. Instead, I recommend a step by step progression to mature the security operations function before moving on to more advanced topics.
Boiling the ocean has never done anyone any good in my experience. First things first.