Key Strategies for Developing and Enhancing Enterprise Security Operations
April 27th, 2018
Workforce Development: Building the Team
Attracting and retaining talent is imperative for building a capable and effective Security Operations Center (SOC). However, top cyber talent remains in high demand and low supply due to natural structural imbalances as schools work feverishly to pump out the next generation of cyber security professionals and expand current ranks. Nonetheless, there are a number of strategies hiring managers can employ in order to identify and recruit talent in even the most challenging of environments:
- Updated Job Descriptions – Although often overlooked, this is the first thing that prospective candidates will see regarding any open roles or possibly the company as a whole. As such, it’s beneficial to double check the job descriptions to ensure they clearly articulate the role, appeal to the target candidate demographic, and succinctly detail many of the benefits and finer points of the role.
- Partner with Local and National Institutions of Higher Education – Partnering with local, regional and national academic institutions can yield significant benefits and increase a company’s ability to recruit and train talent. Additionally, it provides a direct link to university leadership, educators and top prospects. Although partnering often requires a time and financial commitment, it affords the opportunity to have a hand in crafting curricular standards, program focus areas and educational scenarios to ensure they are rooted in real-world subject matter and impart the skills necessary for on-the-job success. Consequently, this provides a direct feeder for pipeline development and talent acquisition. It’s generally a mutually beneficial arrangement providing a direct avenue for engagement, collaboration and access to top talent. Leveraging these external institutions and resources to gain access to early-stage talent should yield significant benefit to the program over the long term. Additionally, I recommend evaluating options for utilizing internship programs to pursue strategic sourcing interests in key areas of SOC operations where collegiate candidates may have an advantage over the private sector in terms of availability or compensation ranges (e.g., Tier 1 analysts, data analytics, data science, etc.).
- Community Engagement & Outreach – Depending on the area or region, take advantage of the myriad communities of interest around cyber security and related fields. Many of the associations, communities and relevant events often offer an excellent opportunity to network with local partners, identify sources of talent and garner a better understanding of the regional and local landscape.
- Public / Private Partnership – There is a wealth of programs and public/private initiatives worth exploring or taking advantage of. For instance, the Cyber Security Information Sharing and Collaboration Program (CISCP) is subsidized by the government and provides advanced notification/analysis of pertinent cyber threats free of charge. Additionally, for those meeting critical infrastructure designations there are several programs available to augment and support key components of any SOC program, including advisory support, formal program assessments, vulnerability scanning services and penetration testing on demand. If needed, these services can help fill critical program gaps and augment the existing workforce. These examples are just a sample of what is available; countless other programs and similar communities of interest are worth considering (e.g., ISACs, the Department of Homeland Security Cyber Advisor program, the Automated Indicator Sharing program, etc.).
- Vendor Support / Staff Augmentation / Managed Services – Depending on the need, there’s a wide range of possibilities with respect to vendor support, staff augmentation or managed services options that may help to fill program gap areas or critical needs. There are various options for augmenting SOC operations on a near-term or long-term basis, as warranted. In many cases, existing vendors with specialized knowledge and expertise may be a natural fit for providing expanded support in the form of professional services hours, staff augmentation or direct product support. Additionally, technical staffing firms and specialized third parties can be retained to help source and deliver the expertise needed based on the local or regional market. Depending on need, an extended contract with an accredited Managed Security Services (MSS) provider or an internal/external staff augmentation model may make sense. Indeed, many small and large organizations leverage MSS to balance and augment significant areas of their respective portfolios, as it can be considerably advantageous from a resourcing and strategic outsourcing standpoint. For example, MSS providers are often employed to support front-line security event monitoring, cursory analysis and/or immediate incident escalation activities for a range of organizations, from small to large. Depending on the need, they can be used to fill an existing internal talent gap, extend monitoring hours and coverage, expand collective capabilities or fuse threat intelligence into the process.
In order to build an efficient and effective cyber security program, it’s essential to develop and cultivate a deep bench of cyber practitioners capable of detecting, analyzing and responding to a diverse range of ongoing and emerging threats. Furthermore, care should be taken to select candidates based on requisite skills while keeping a keen eye on maintaining a positive and cooperative holistic team culture.
Cross-functional Training and Collaboration: Musical Chairs
In order to cultivate a highly capable cyber fighting force and foster an open, collaborative team fabric, it’s important that the various components of the team work well together and have a firm understanding of what each element does. The first step toward achieving a highly integrated and high-functioning cyber team is to structurally facilitate regular and ongoing collaboration through temporary and long-term exchange mechanisms. There are myriad approaches that may work depending on the organization, but many of the more viable options include job exchange programs, shadowing, physical co-location and workflow convergence, or temporary details within other areas of the program.
Additionally, carving out scheduled time between members of complementary teams with a mutual interest in cyber security or related fields can be mutually beneficial and yield dividends in coordinated work efforts. Some of these associated elements may be affiliated with other divergent areas of the business but share a common goal or relevant business objective. These opportunities for partnership can help to advance the enterprise cyber security mission while enhancing enterprise participation from multiple functional areas and key stakeholders across the business. Legal, IT, Governance, Fraud, Risk, Compliance, Audit, HR, Corporate Communications as well as many other departments may have a vested interest in supporting mutual initiatives while forging strong internal alliances and advancing collective interests.
Process Framework: Enabling Effective Detection, Response & Prevention
Developing a comprehensive process framework for key cyber security activities (e.g., threat detection, incident response, intelligence, etc.) is imperative for weaving together a holistic and integrated threat management program. Furthermore, it can help to underpin the central role of the security program and cement key touchpoints within the business, creating a systematic and sustained level of interoperability and integration. As such, it can be beneficial to include input from key stakeholders across the business when designing and developing the overarching workflows and defined swim lanes. Not only is this essential for bridge building, but it helps to foster partnerships and forge alliances within the business. Additionally, it brings to bear invaluable insights and third party perspective regarding internal activities and joint ventures. These key stakeholders and advisors should be welcome to join process working groups, steering committees or other relevant groups supporting enterprise processes and procedures.
In order to take stock of the diverse and varied processes that the department may be exposed to, it’s often helpful to display the inner workings in a holistic and consistent manner. As such, drawing and mapping the various workflows into a cohesive illustration with their interconnections (inputs, outputs, artifacts, touchpoints, etc.) provides a comprehensive overview of the collective framework. There are several key documents that can help to support the framework from a security operations perspective; these include Standard Operating Procedures (SOP), relevant policies/guidelines, Incident Response Plans (IRP), playbook libraries and/or associated documented procedures. In concert with internal and external collaboration, these can help form the bedrock for any security program or SOC.
Business Alignment and Strategic Thinking: Work Smarter, Not Harder
Cyber security is a technology-centric tradecraft that has continued to mature and retrench as an industry in order to better support the primary business and its core functions. As it stands currently, alignment with the core business is generally considered essential to bolster the standing of SOC operations within the company and further integrate security operations into supporting business lines. Furthermore, it helps to fuse the SOC within the broader business construct and advance an integrated approach to enterprise cyber security effectiveness. A healthy dialogue between the SOC and relevant business groups and respective key stakeholders helps to advance cross-party collaboration enabling the business to better operate in a security-conscious manner through open coordination, risk awareness, training/education and corporate risk management functions. Although in many cases leadership may reserve a veto for any high-risk endeavors, the SOC should strive to provide thoughtful guidance and flexible security solutions for primary constituencies in order to enable and empower key customers. To put it in other words – the security team should no longer be referred to as the ‘No’ group, and should work closely with relevant business stakeholders to formulate and implement thoughtful, effective and relatively flexible enterprise solutions.
In addition to providing an effective framework for mapping phases of the attack process, the Cyber Kill Chain provides a viable framework for mapping and benchmarking security controls, giving valuable insight into the overall organizational security posture. After conducting an internal review of available controls, infrastructure and system protection measures, each relevant item can be appended to the appropriate phase of the kill chain. Once all mechanisms have been inventoried and assigned, the list can be reviewed and analyzed on a regular basis in order to identify gap areas and make adjustments where necessary to optimize SOC operations, enhance tool efficacy and bolster enterprise visibility.
These strategies will help ensure that you are taking a strategic approach to SOC development and optimization by focusing on key elements of the organization: People, Process and Technology. Adopting and leveraging these core tenets of SOC operations should help to advance the program within the organization at large and bolster its standing within relevant communities of interest. Additionally, it will help to enhance collective capabilities with regard to threat detection, incident response and intrusion analysis at an enterprise level.
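The control-to-kill-chain gap review described above, as an added example that is not code from the article: the inventory of controls is constructed for illustration, and the script reports each phase that lacks a preventive or detective control.

```python
"""Kill-chain control coverage check (added example, not from the article).
Maps a constructed inventory of controls to Cyber Kill Chain phases and
reports phases with no preventive or detective control (the gap review)."""
from collections import defaultdict

# The seven Cyber Kill Chain phases, in attack order.
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]
FUNCTIONS = ("prevent", "detect")  # control functions wanted per phase

SAMPLE_INVENTORY = [  # constructed sample: (control, phase, function)
    ("Email attachment sandbox", "delivery", "detect"),
    ("Web proxy URL filtering", "delivery", "prevent"),
    ("Endpoint exploit mitigation", "exploitation", "prevent"),
    ("EDR process telemetry", "installation", "detect"),
    ("Application allow-listing", "installation", "prevent"),
    ("Egress DNS/HTTP logging", "command_and_control", "detect"),
    ("DLP on outbound email", "actions_on_objectives", "prevent"),
]

def build_matrix(inventory):
    """Map each phase to the set of control functions that cover it."""
    matrix = defaultdict(set)
    for control, phase, function in inventory:
        if phase not in KILL_CHAIN:
            raise ValueError(f"{control}: unknown phase {phase!r}")
        if function not in FUNCTIONS:
            raise ValueError(f"{control}: unknown function {function!r}")
        matrix[phase].add(function)
    return matrix

def find_gaps(inventory):
    """Return {phase: [missing functions]} for phases lacking coverage.
    Weaponization happens on the attacker's side, so a gap there is normal;
    gaps in other phases are candidates for tooling or visibility work."""
    matrix = build_matrix(inventory)
    gaps = {}
    for phase in KILL_CHAIN:
        missing = [f for f in FUNCTIONS if f not in matrix[phase]]
        if missing:
            gaps[phase] = missing
    return gaps

if __name__ == "__main__":
    for phase, missing in find_gaps(SAMPLE_INVENTORY).items():
        print(f"{phase:24} missing: {', '.join(missing)}")
```

Rerunning the check after each inventory review gives a repeatable record of which phases gained or lost coverage between cycles.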