What Do I Want To Know?

It’s early to have this conversation. Truly, I understand that.

But, I came back from RSA Vendor-a-palazooa in San Francisco wondering if any of the companies had a real connection with their marketing hype. If you’ve been to one of these events, you know that words loose meaning pretty quickly on the show floor.

So, here I am with more tools and data than insight. That is the hangover many of us are familiar with in the industry. It goes something like this. In some year past, we had a problem that scared everyone. We thought to ourselves, if only there was a way to protect ourselves against that threat. So, we bought a tool.

There are a lot of threats.

Unfortunately, there are now a lot of tools. And not just tools, but data – if we just had enough human talent to wade through all of the data, we could get more talent to respond to what we found!

OK, so we all know this. In fact, if you’ve had a view of the market from the perspective of a CISO or CIO, you probably feel a hangover coming on.

So, what to do?

When I first started my position at the lab, I asked myself this. Having spent time in the MDR space of a small niche SOC, and the large institutional space of governmental organizations, I see the same strategic and tactical shortcomings. I think of it as calibrating your risks.

Calibrating your Risks is first, and foremost, a conversation with the risk owners. Do they see and understand the risk that they are accepting? Do they have areas where they have over or under compensated for the types of threats their business is exposed to?

In my experience, it’s very common for humans to become accustom to the patterns or tempo of thought that produces a desired outcome. Even if that outcome isn’t the most desired, it is often easier to still do the same thing rather than change and risk future losses – or rewards.

Thus the idea of Calibration. Specifically, calibrating risk. The concern is that as a leader, I may be blind to a risk or may be overreacting to risk that I don’t understand. These mis-calibrations can cause me to miss opportunities to increase efficiency, drive out costs or improve efficacy. But, how do I as a leader pick up on the signals of change?

OK, so you know this, right? You’re looking for signals that drive change in your organization? You’re talking with your team about your intentions and helping them align their tactical plans to the big picture, right?

Like calibration, signaling your intent is an important part of the journey any leader.

So, again, what are the signals here? How do I calibrate all of the tools, strategies, tactics and data that the team generates?

For my team, I came up with a quick three quick strategic initiatives that will drive our tactical projects for the next year.

Normalize the operational tempo of the SOC

I think this maybe true of every SOC I’ve seen. The playbooks, operating procedures, even the threat and what has been gratuitously called the ‘threat landscape’ changes constantly; but the basics remain the same. Are we doing the fundamental work of the SOC? Do we have enough tempo to hear when things deviate? This drives at the core of the signal to noise problem I mentioned earlier. My primary interest here is in getting past the Tier 1 noise to, as one of my analysts says “automate the silly”. In fact, we are re-orienting Tier 1 activities this year to focus less on managing the queue to automating the tier 1 tasks to categorize and enrich the types of searches the team does.

Calibrate to the Threat

The team went through our tools and mapped them to controls. Initially, the exercise was simply to understand which controls would be affected should we change out tool sets. It was a basic requirements exercise and produced some great insights. Among them was the amount of duplication or lack of coverage for critical controls. To better understand this in context, we are now mapping this to the MITRE ATT&CK framework. The key is to ask, given the threats we are likely to experience, how could we identify, contain, respond and recover from a given threat. This insight also gives us a roadmap into what playbooks to build out and hopefully automate.

Measure the Results

Lastly, we need to focus on measuring the results of our efforts. Key performance metrics in security is always somewhat elusive in that the measurement is contextual, and can be hard for people outside the field to understand. Our first take on this is somewhat simpler. We want to get data analysis and reporting in to the hands of both our analysts and clients. This means all data, all the time. Every product has to provide normalized performance data that we can store, analyze and share. For our analysts, that means that we are adding new skill sets for data engineering to their plate. This feels like more of a recognition and acknowledgement of the skills on the team than a net new requirement; but in that, we provide a more structured and outcome based focus for our efforts.

So what does this all mean?

As I said, it’s early. This is strategic intent over tactical substance. But, it sets the stage for what’s next.

My question to you is “what do you want to know” about your SOC or Security Operation?

Comment on LinkedIn


Leave a Reply