Improve SecOps by making collaboration easier


There’s one word that we’ve consistently been hearing from information security pundits year after year: Collaboration.

More often than not, they were talking about collaboration between governments, law enforcement agencies, and businesses, but collaboration is also crucial within an enterprise, especially when you take into consideration the rising sophistication of threats.


Barbara Kay, senior director of strategic solutions at Intel Security

In fact, according to a recent Intel Security survey, many security decision-makers believe that improving collaboration between their threat management and incident response personnel will help them overcome the cybersecurity skills shortage, as well as make the company more prepared for handling attacks.

“Essentially, when you have different teams working on incident detection and response, as well as the inevitable surge in ad hoc personnel, the right collaborative technologies can significantly improve the effectiveness and accuracy of the human factor,” they believe.

Collaboration challenges

But ensuring smooth collaboration and sharing between SOC (Security Operations Center) analysts, incident responders, and endpoint and network administrators has its own challenges.

One problem that has to be overcome is the use of manual, ad hoc processes.

“Each incident is managed differently depending on the individuals involved. There is tribal knowledge about what to do and how to do it, so getting processes written down is critical to enabling them to be accelerated through any sort of workflow or process orchestration or helpdesk integration,” Barbara Kay, senior director of strategic solutions at Intel Security, told Help Net Security.

“A written-down and approved process helps people know where they can contribute best, and which data they need to receive and hand off in which form. It also enables more accountability, which facilitates trust between these different contributors.”

Another problem that must be solved is how to enable consistent, real-time access to the information these employees need. “It’s not easy. The data lives in different places and formats, and it can change and lose value very quickly,” she says.

How important is threat intelligence?

For SOC analysts, threat management is the most important activity, and it requires RELEVANT threat intelligence – from third parties, from local threats, and from inside the organization. This type of threat intelligence can enrich processes for prioritizing alerts and determining where to spend resources during investigation and response.

“Instrumenting your environment to collect and apply external and internal threat intelligence is one activity that will continue to pay off,” Kay points out. “The type of threat intelligence that you can collect will change over time, so using standards to consume and share threat intelligence will help you stay abreast of emerging threats and contribute to your industry ecosystem about threat details you find.”
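The two paragraphs above describe enriching alerts with external and internal threat intelligence and using it to prioritise work, while noting that intelligence "can change and lose value very quickly". The following is an added example, not code from the article or from Intel Security: it enriches a constructed alert queue against two constructed indicator sets (external feed and internal sightings), ages out stale indicators with an assumed 90-day freshness window, and scores alerts so that internally confirmed indicators weigh more than third-party ones. All indicator values, confidences, weights and dates are made up for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed indicator sets (hypothetical values, not real IoCs).
# "last_seen" lets us age out intelligence that has lost its value.
EXTERNAL_FEED = {
    "203.0.113.45": {"source": "external", "confidence": 80,
                     "last_seen": date(2019, 3, 1), "tags": ["c2"]},
    "malware.example": {"source": "external", "confidence": 60,
                        "last_seen": date(2018, 6, 1), "tags": ["phishing"]},
}
INTERNAL_SIGHTINGS = {
    "198.51.100.7": {"source": "internal", "confidence": 95,
                     "last_seen": date(2019, 3, 10), "tags": ["prior-incident"]},
}

@dataclass
class Alert:
    alert_id: str
    host: str
    indicator: str      # IP or domain the detection tool flagged
    severity: int       # base severity 1-5 assigned by the detection tool
    matches: list = field(default_factory=list)  # intel entries that matched

def fresh(entry, today, max_age=timedelta(days=90)):
    """Assumed policy: indicators not seen within max_age are ignored."""
    return today - entry["last_seen"] <= max_age

def enrich(alert, feeds, today):
    """Attach every fresh indicator entry that matches the alert."""
    for feed in feeds:
        entry = feed.get(alert.indicator)
        if entry and fresh(entry, today):
            alert.matches.append(entry)
    return alert

def priority(alert):
    """Score = tool severity plus confidence of each match; internal
    sightings are weighted higher (assumed 1.5x) than third-party intel."""
    score = alert.severity * 10.0
    for m in alert.matches:
        weight = 1.5 if m["source"] == "internal" else 1.0
        score += m["confidence"] * weight
    return score

def prioritize(alerts, feeds, today):
    """Enrich all alerts and return them highest-priority first."""
    enriched = [enrich(a, feeds, today) for a in alerts]
    return sorted(enriched, key=priority, reverse=True)

def make_sample_alerts():
    # Constructed alerts; fresh objects each call so enrichment is not
    # applied twice to the same alert.
    return [
        Alert("A1", "ws-01", "203.0.113.45", severity=2),
        Alert("A2", "srv-02", "198.51.100.7", severity=1),
        Alert("A3", "ws-03", "malware.example", severity=3),  # stale intel
        Alert("A4", "ws-04", "10.0.0.5", severity=4),         # no intel
    ]

def triage_queue(today=date(2019, 3, 15)):
    """Return (alert_id, score) pairs in the order an analyst should work."""
    ranked = prioritize(make_sample_alerts(),
                        [EXTERNAL_FEED, INTERNAL_SIGHTINGS], today)
    return [(a.alert_id, priority(a)) for a in ranked]

if __name__ == "__main__":
    for alert_id, score in triage_queue():
        print(alert_id, score)
```

Note how the low-severity alert A2 rises to the top because it matches an indicator the organisation has already seen in a prior incident, while A3 falls below an unmatched alert because its only intelligence match is stale. The weights and freshness window are assumptions to be tuned per environment; the point is that the prioritisation logic is written down and reproducible rather than living as tribal knowledge.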

Flexibility and openness to support integration of new capabilities, new analytics, and new types of collaboration will also help companies adapt to change and maintain organizational effectiveness.

“Standards will help here, too, but also ask your potential vendors about application programming interfaces so you can connect your building blocks. You may be surprised how many independent software vendors are more excited about shiny features than operational effectiveness,” she adds.

SOCs in large organizations

“It’s common for large SecOps teams to have been built through mergers and acquisitions or rapid company expansion with different buying centers driving different tool purchases, usually without paying much attention to integration, manageability, or visibility,” Kay notes. In these cases, the SOC usually ends up juggling silos of people, data, and processes.

A CISO – whether newly appointed or not – who inherits this patchwork will simply have to streamline operations by finding a way to help these teams, systems, and tools work together with higher accuracy, higher speed, and better transparency.

This usually involves setting up a centralized and collaborative system that will fit the teams’ needs.