Unlocking the potential of security operations [Q&A]
The use of security operations centers has become commonplace in larger organizations. But how can businesses unlock their full potential to protect their systems?
We spoke to Matt Walmsley, head of EMEA marketing at network detection and response specialist Vectra AI, to find out.
BN: Why has security operations become so key to defending business systems?
MW: It makes security teams able to identify the things that help them become more threat aware, so understanding not only the threats that are out there, but the things that are happening inside their organizations. This helps improve their agility and their ability to respond consistently in a much smaller time frame. And, as we know, particularly these days if you can respond very quickly but in a highly effective way you have a much better outcome.
So by helping organizations mature their security operations to be more threat aware and improve their agility payback, they can use people with higher efficiency, and they get a much better chance of reducing the ability for a threat actor to be active inside their organization for extended times.
BN: So it helps avoid alert overload and getting overwhelmed by too much information?
MW: The large amount of information security operations teams have to deal with is one of the barriers to success. How do you find the really salient signals and focus on those? Technology has a part to play, we'll do things like prioritizing and scoring by indexes, find out who else is involved in the attack and put the right context around it. But we're also dealing with detecting things beyond your defensive control. It's no longer a simple world. We're not talking about signature matches to malware, there are also the methods they used to get in, perhaps using legitimate tools and services. Context is absolutely critical. Is this benign, or is it an attacker?
Helping security teams to stand back and understand the threats inside their organization probably starts with trying to attenuate the volume, to give you fewer, better signals. But you also help them with the need to have contextual understanding to understand their business, do they have the processes in place to make sure they do things that help the security team actually understand the business and what's going on?
There's also understanding the attack surface. Most security teams don't have a robust, complete picture of the attack surface, the systems, data and people that are protected, even in very large mature enterprises.
BN: How much is doing this going to rely on automation?
MW: The detection part, which is where the technology is, is already highly automated. So this is not a case of we build something that adds a lot of services. What we're focusing on is the output from the platform detections in context, how do I then feed that in and operationalize it and use it? That means maybe changing our incident response processes and workflows, maybe looking for opportunities to integrate and automate some of the workflows that happen after detecting, after I've done my investigations. So, things like changing policies on my firewall, isolating devices on my network. We're not necessarily removing humans from the decision making but we're looking for the opportunities to take an enforcement action or change a policy. There's no point having the world's best tech finding lots of stuff if you're not able to put that information to use.
BN: Does this help to understand things like unauthorized access internally?
MW: It's important to understand the organization's operating context and the internal attack surface as well. So, again, it's not a piece of technology that does all that, but showing how we can improve the security operation team's ability to have that knowledge and awareness, so that when something nefarious does surface you're able to understand it and take quick and decisive action.
BN: What about the human angle? Some research last week said that a high percentage of first time security operations center staff end up leaving their jobs after about 18 months.
MW: What do you do in that junior analyst role? You sit there all day long, in general, just triaging alerts. That can take thirty minutes to an hour for each, it may turn out to be harmless but you only know that after you've looked at it. If we can put capabilities in instead of just using a human filter, take some of that burden off them, that would give them higher quality insights. They can then make better decisions or maybe start to do some of the investigation, which is using higher level capabilities and makes for a more fulfilling job.
Given the skills gap in the industry, if you're a junior analyst you're not particularly expensive and the opportunities to move and change jobs are many. If you can give them more interesting work that matters to the business, let them go off and do some investigation, understand and use these technologies and processes to support them, you get a more mature security operation. One that actually helps you get more out of your staff, and maybe can help with retention and motivation.
Effective technology can also help with recruiting as you can bring people in that don't have a cybersecurity specialist education. They can come in and have action based learning and not feel they're just doing a crummy job at the bottom of the tree, but rather getting into a worthwhile profession.