The New Modus Operandi for Security Operations
31 January 2014

The security profession has never been winning the war on cyber crime. However, for many years it has been able to keep pace with it and provide a reasonable level of defense that allowed most of us to sleep soundly. Unfortunately, times have changed and security teams have been pushed back. The emerging modus operandi will be to focus on security operations: monitoring, detection and response to inevitable compromise. In 2012, 93% of large organisations had a security breach, as did 83% of small organisations. Early detection, damage limitation and rapid response will be key in 2014 and for some time beyond. No commercial enterprise will be immune from cyber crime and intrusion in 2014. Compromising corporate networks has become easier because of the way companies do business these days, and this is compounded by the sophistication and stealth of emerging malware. Moving forward, the primary goal of security will be the ability to detect early and respond fast.

Organisations can apply good security practice to help minimise the risk of becoming another corporate breach statistic, but it cannot completely prevent it. It is analogous to the common cold in humans. We may take vitamins and try to avoid talking directly to people with a cold, but at some point we will catch one. Often we will take some cold remedy, rest and recover to work another day. The same is true for business: there will be a security breach [catch a cold], issues will be remediated [take the remedy], possibly some downtime [rest], then normal service restored [back to work]. The key factors in this process from now on will be the speed and efficiency of the identification and response process.

Investment to implement the above-mentioned process must focus on acquiring the right skills and the professional training to build and maintain a robust operational and security incident response team. The organisations that will gain a competitive edge in 2014 will be those businesses that can effectively monitor, quickly detect and rapidly respond to intrusions while maintaining uptime and business continuity. The end-to-end process must become a business-as-usual (BAU) exercise with the efficiency of making the coffee. Planning to defend has long been the priority of cyber security, but the balance is tipping. The news of a large corporate website being offline for a day is currently good food for the media, and inevitably this affects public perception of an organisation. The ability of an organisation to identify, react and rapidly recover needs to be a priority, at least from a brand and reputation perspective.

So, it all sounds straightforward. Times are changing and focus is needed on monitoring, identifying and responding to all forms of intrusion. But it is not so straightforward: there is a problem, a skills shortage. Most intrusions go undetected for months because the focus has traditionally been on defense. Security monitoring and detailed analysis are dependent on experienced security people who know what to look for and are well practised in the response process. Every organisation is different, so security tools and third-party services can rarely substitute for skilled internal operational analysis and response teams, because internal staff understand normal network behaviour and internal business processes. The security skills shortage is compounded as more security people are needed by large organisations, and smaller businesses now realise the need for security professionals and therefore compete for the available talent.

Staff must be equipped, qualified and, if necessary, certified to undertake specific security operational tasks: monitoring, analysis and incident response activities. It is no longer good enough for an organisation to rely on best efforts and general security skills to monitor, identify and respond to security intrusions. The stakes are too high and the adversaries too clever for an enterprise to operate without the dedicated skills and experience needed to develop and build a robust security operations, analysis and response team.

Fortunately, the challenges highlighted come with a gold-plated business driver to present to the board. The 2012 proposal for the 'EU General Data Protection Regulation' legislation, to be enforced in 2016, increases the 500,000 GBP maximum fine to 100,000,000 Euro or 5% of worldwide turnover. That's not a misprint: it is one hundred million Euro. The regulation essentially requires that, once discovered, a data breach must be disclosed within 72 hours irrespective of size. The new legislation will put the emphasis on businesses to explain how a breach happened and how the response plan and its execution were deemed to be adequate.

Businesses are still using an operational security model developed 20 years ago, one that relies on security tools to detect an attack as it happens. This model is not appropriate today. Legislation will soon enforce this change in behaviour whether we like it or not.

12-13-2014 Decision by Parliament, 1st reading-single reading
25-01-2012 Legislative proposal

varlogsecurity blog
The place where I share my personal opinion and observations on the world of IT security.

© 2013
