Evolution of security operations from reactionary survival mode to forced sophistication

The most security-sensitive companies approach their job and their day with the default assumption that they have been hacked, and they set out to prove that important components of their environment are safe. Less security-sensitive companies approach each day with the assumption that they are clean, and start looking for breaches. Or, at least, that’s Paul Farrell’s experiences have taught him.

The challenges security operations teams face

Farrell is the CEO of Nehemiah Security, a company that offers software solutions, human expertise, and practical training to enterprises and government organizations looking to protect their data and network assets.

And with the massive wave of digital transformation and business connectedness, fending off cyber threat presents quite the challenge.

“For the first time, companies have to not only secure themselves, but also ensure that their partners, and their partner’s partners are secure as well,” he notes.

The pursuit of advanced threats, and the lust over today’s newest, most innovative technologies and solutions is also a challenge, because it distracts organizations from enacting basic security practices.

“Standard blocking and tackling actions – such as admin rights management, identity management, patching, software version management, non-business application removal, enforcement of network protocols, network segmentation, and so on – have been neglected. The most fancy security solution can’t be useful if the company doesn’t implement basic cyber hygiene,” he points out.

CISOs are also worried about many other things: their jobs, the gap that exists between how they communicate and how the rest of the business leaders communicate, their users being targeted by phishing attacks and social engineering (and anti-phishing and social engineering training not working), mobile and cloud security, and other new technologies that can completely change the IT and security landscape.

The future of security operations

The evolution of security operations has moved from reactionary survival mode to forced sophistication, and this is due to a few factors:

• Adversaries are evolving. They are becoming more sophisticated, more economically motivated, and their attacks more targeted.
• Technology has evolved from simple syslog maintenance, firewall management, and so on, and now it must manage integrations and orchestration.
• Regulations and compliance have asserted themselves into the cyber realm. With the increased spend and increased risk, businesses are starting to apply typical frameworks onto cyber metrics and quantification. The impact and risk of cyber threats is now being quantified at the Board and C-level through indicators like expected business loss and loss of reputation.
• Business is changing. Today, security operations are forced to walk side by side with IT and the business to enable and support both.

But changes due to that last factor are slow, and security operations still have to become more integrated with every facet of the business.

Also, at the moment, security questions often sound something like, “Is this malicious?” But Farrell predicts that in the near future, language will shift, and the question will become “Has it become malicious?”

“Malware evolution has enabled exploits to ‘live off the land’ inside the target environment, and has allowed attackers to use applications and other resources within that environment for their malicious goals,” he explains.

“’Snapshot security’ takes one look at an event or file and deems it good or bad. Morphing or malicious behaviour after that point goes unevaluated. Security operations therefore must add capabilities to continuously scan and monitor activity, endpoints, and other assets, and be constantly looking for anomalies.”

He also believes that AI will drive much of the automation that is necessary to accomplish anything in the data-intensive world of security. “AI can play a leading support role when it comes to detection and notification, but humans will still be required to activate and react,” he adds.

Finally, he notes, if there is one thing that they have learned from their clients, it’s that security testing must be frequent and never-ending. For example, the number one computer network defense team at the US Department of Defense includes a red team whose sole function is to test access to DOD facilities and systems.