Emerging trends in security operations management
- Published: Friday, 26 February 2021 08:15
Looking back over more than 12 months of pandemic lockdowns in various parts of the World and looking forward to the 'next normals', Spencer Lichtenstein considers the impacts on security operations management and the future trends in this area that we are likely to see.
It's tempting to say that the 2020 pandemic will shape the future of security operations through 2021 and beyond. The truth is that the security operations centre / center (SOC) was itself evolving already; the COVID factor has simply accelerated the need for change. One area the SOC did feel the impact of was the rapid move to remote working: who would have thought at the start of 2020 that many in-house SOCs would have to pivot to being managed remotely?
The phrase 'new normal' has been used and abused, but operations certainly are going to have to come to terms with some 'next normals'. For example, the work-from-home model will not disappear but it's likely to become a larger part of what you might think of as a hybrid work dynamic. Added to changes in operations and business models and the economic impact that the pandemic leaves behind, security operations leaders are going to need to make some adjustments in order to continue to operate effectively.
Dialling down the network noise
Reducing all-day access to the corporate network and VPNs is a good place to start. It sounds somewhat counter-intuitive, but actually makes a lot of sense in the context of reducing the attack surface.
By way of example, if a worker needs to access a corporate HR system to submit a document, instead of sitting on the VPN all day so they can access the server for the two or three things they need to, they could instead be sent to an Internet-based portal. Their identity would then be verified for this specific action using, say, a simple smartphone push notification or OTP. Access is granted and then the user is logged out straight after. This shifts traditional network access to a more ‘zero-trust’ mentality, where remote workers are asked to verify their identity each time they want to access corporate assets – improving security without being too invasive.
Pushing some of these assets onto the Internet and giving them dedicated security controls has the added security benefit of reducing 'noise' on the corporate network. This presents an improved opportunity for analysts to spot abnormal activities that indicate compromise because there’s less activity for cybercriminals to hide amongst. This should be an easy sell, as rethinking access to the corporate network delivers not only in terms of security, but in resource usage and, therefore, lowers costs.
Achieving 20/20 cloud vision
Although the cloud is hardly a new normal, let alone the next one, it's fair to assume that business leaders will be accelerating cloud initiatives. All these new apps and infrastructure can be problematical from a security operations perspective, but they don't have to be. The key is visibility; or, rather, the right visibility.
Simply put, that means getting the right data out of your 'as-a-service' applications. If thousands of users have adopted Zoom, for example, are you getting as much data back from Zoom as possible? Is that data coming into a central location within the SOC, where it can be mashed together with your own on-premises data and used to paint a clear picture of what is happening? A granular understanding of everything is essential: be that on your traditional network, or newer cloud resources.
Endpoints are going to become a huge piece of the puzzle when it comes to building next-normal levels of visibility. Employees working at home are potentially using devices for both personal and work activities, switching between multiple work and personal devices, and could be distracted from their normal ‘good’ security practices. To deal with this scenario, security operations teams need to ensure that the incident detection and response on these endpoints is up to scratch, and put in place measures to control access from non-corporate devices. They should also look at ways to understand what sensitive data is coming from personal devices such as smartphones or tablets.
Alongside ingesting data from all these new endpoints, different data types should be combined to improve the overall picture of threats; this might involve, for example, merging behavioural analysis with other threat-related data, such as vetted threat intelligence and intel from threat hunters.
Skilled security analysts are not about to become extinct, however, using machines to ease the load can make them more efficient in the new hybrid working environment. Machine learning (ML) is already perfectly capable of understanding the data it is fed and reporting anomalies without any human intervention. So, for example, an automated ML approach could spot that a user who hasn't worked in the early hours of the morning during the previous 60 days is now doing so. That's an anomaly worth flagging up.
This is the kind of valuable insight that ML can provide to the security team without them having to do anything but feed it data. Along similar lines, automated workflow processes should be embraced to help handle some of the day-to-day tasks such as incident reporting.
Focus on what’s really important
The next normals of security operations will require security analysts to be able to focus on what's truly important. Their time should be spent looking at the unusual; anomalies and incidents that are challenging, unique or that require an experienced, human, analytical mind to be dealt with effectively.
Analysts shouldn’t be tied up dealing with an employee clicking on phishing links – that can be handled pretty seamlessly by an automated workflow. It’s essential that security leaders take the time now to plan for the new challenges the SOC will face in the coming months and years. In doing so, they will be able to embrace the changes that lie ahead, and avoid creating a hamstrung SOC team who face an ever-increasing volume of incidents.
Spencer Lichtenstein is Product Strategist at RSA Security.