An Important Security Lesson Taken from the Printing Press

It’s Time to Bring the Capability to Achieve a Mature Security Posture Through a Robust Security Operations Function to the Masses

The printing press was invented around the year 1440 by Johannes Gutenberg.  Before the printing press, books were produced by hand, and thus were extremely expensive.  After the invention of the printing press, it became possible to mass produce books, thus reducing their cost considerably.  In other words, books were no longer something that only an elite few could afford.  The power of the written word could make its way to the common person as well.

What does this have to do with security?  Let’s dive in to find out.

It has always surprised me that given all we know about the negative consequences of poor security, so few organizations achieve the security maturity that they should.  In my experience, there is no function within security where this is felt more acutely than the security operations and incident response function.  That we find ourselves in this situation may not surprise you.  But why, at least in my view, this is the case might indeed surprise you. 

Based on my own past operational experience, as well as my continuous interaction with those in operational positions today, I don’t think that lack of awareness is the main issue.  Granted, there will always be people and organizations who just cannot understand the need to mitigate risk by strategically leveraging a variety of different approaches, among them security operations and incident response.  While I do encounter this situation in some cases, I most often encounter a different situation entirely.

There are many people and organizations that understand the need to perform security operations and incident response perfectly well.  They know that they need visibility across their enterprise and cloud environments.  They know that they need to prioritize risks and threats.  They know that they need to write incisive, targeted, high fidelity alerting to identify behaviors matching the very risks and threats they are concerned about.  They know they need to manage, prioritize, and enrich their work queue with the right context at the right time.  They know that they ultimately need to make educated, informed decisions about what type of action may or may not be required in a given instance.  They know that they need response capabilities across their enterprise and cloud environments.

If they know all this, you ask, why don’t they take action where action is required?  Unfortunately, the answer is quite simple.  Money.  Although many organizations with fewer than 10,000 employees face many of the same risks and threats that larger organizations face, they seldom have anywhere near the budget to address those risks and threats.  But why does budget alone present such an obstacle to maturing an organization’s security posture?  Let’s look a bit deeper. 

To better understand why budget can be such a challenge, let’s take a look at even a partial list (in no particular order) of what is required to build a mature security operations and incident response function above and beyond just meeting compliance requirements:

● Processes and procedures

● Trained people

● Intelligence

● Visibility on the network

● Visibility on a wide variety of endpoints

● Visibility in the cloud

● Application level visibility

● Security Information and Event Management (SIEM)

● Case management (ticketing)

● High fidelity, low noise alerting

● Supporting evidence/data to enrich alerting

● Investigative and forensics capabilities

● Analytics

● Metrics

● Reporting

● Response capability 

I could go on and on here, but this list isn’t meant to be complete by any means.  Rather, it is meant to illustrate two main points:

● A mature security posture with a robust security operations and incident response function requires both a diverse ecosystem of people, process, and technology, as well as an understanding of how to use that ecosystem properly.

● A mature security posture with a robust security operations and incident response function takes a considerable investment in both time and money that most organizations simply cannot afford. 

Given this, it should come as no surprise that a mature security posture has eluded all but the most elite organizations.  Well, if you ask me, enough is enough.  It’s time that security operations went the way of the printing press.  It’s time to bring the capability to achieve a mature security posture through a robust security operations function to the masses.

What the overwhelming majority of non-elite organizations need is a totally different type of thinking and a totally different type of solution from their security vendors.  The cloud, with its cost advantages, opens up entirely new possibilities here.  Imagine an end-to-end platform that delivers the capabilities listed above -- “security operations in a box”, if you will.  All of these capabilities need to be delivered through the low-cost media of cloud services and software virtual images.  But that in and of itself is not enough.  Any worthwhile solution also needs to be attainable for a reasonable monthly fee, with no large upfront equipment costs.

To some readers actively looking for better options, this type of solution may sound like it can only exist in the distant future.  To those readers, I would say that we are not as far away from the security operations version of the printing press as you might think.  The cost of being security operations literate may come down faster than you might expect.  It’s about time.

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently Co-Founder and Chief Product Officer at IDRRA. Prior to joining IDRRA, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.