There are real issues in the security operations space but buying more tools won’t help
This 2021 survey from TrendMicro (“Security Operations on the Backfoot: How poor tooling is taking its toll on security analysts” – October 2021) paints a slightly frightening picture of the state of security operations in large firms: 29 monitoring solutions in place on average… analysts stressed out, unhappy, drowning in alerts, spending 27% of their time dealing with false positives and ending up ignoring or turning off alerts…
All of this is to be taken with a reasonable dose of caution, coming as it does from a tech vendor active in that space, but it also matches the anecdotal evidence we see in the field regularly. As always with such reports, the conclusion of the survey is that you need to buy more tools to solve all the problems highlighted (those sold by the people who commissioned the survey, of course). Nobody in the cybersecurity tech industry seems to see the irony in that type of report. Still, it puts into perspective some real issues in the security operations space.
The tool proliferation problem is real and ancient, and it has been aggravated by the COVID crisis, which accentuated short-term and tactical tendencies and triggered countless knee-jerk reactions around cyber security that have only created more technical debt in that space. Security operational processes are intrinsically inefficient because they have almost always been reverse-engineered around the capabilities of specific tools, selected on a whim, under pressure, just to close down audit observations, or because the CISO "used them elsewhere". Nothing is joined up because there was never any overarching vision beyond the immediate need (to close an audit point, to react to an incident). So operational tasks mushroom in all directions and become overlapping, repetitive and poorly managed.
Meanwhile, analysts are burning out at the receiving end of those excessively manual processes, and end up leaving the cybersecurity industry to get out of boring jobs where they spend their day cutting and pasting data into Excel spreadsheets to produce useless reports designed to put ticks in compliance boxes. The whole thing becomes attritional and simply alienates talent at all levels. At the heart of the problem lies the constant confusion between tool and process, conveniently put there by the tech industry. To take just a few examples, the acronyms DLP (Data Loss Prevention) and IAM (Identity and Access Management) do not, by themselves, refer to tools or sets of tools; they are literally descriptions of processes.
Any DLP implementation project, for example, must start with an analysis phase: identifying the key stakeholders, the sensitive data to protect, the way it is currently exchanged, the way it is currently tagged or labelled (or not), the objectives and constraints of the stakeholders around the protection of that data, and the internal or external threats likely to steal or leak it. Only then can you engineer DLP (as a process) so that it works across the firm. That process design must also cover the handling of anomalies and alerts, and the granting of temporary or permanent exceptions, which will themselves probably be subject to some form of approval workflow (or to interfacing the DLP process with pre-existing processes in that space).
It is only once you have gone through that phase of analysis and process design that you should start looking for tools to enable your DLP initiative to succeed. Starting the other way round, i.e. starting with tool selection and defining the process around the capabilities of the selected tool, is bound to create friction with pre-existing practices and with the expectations or capabilities of stakeholders, leading to poor deployment, poor acceptance or both. As CISOs, I am sure we have all done it under pressure at some stage of our careers (I know I have), but it remains a mistake, and probably one of the most costly a CISO can make, because it creates distrust with stakeholders and, over time, with senior management, who cannot help but see escalating financial demands from CISOs in return for poor execution and continuing breaches.
The solution to the broader security operations problem lies in the decluttering of the cyber security estates, through the re-engineering and the smart automation of operational processes. I like the suggestion from Greg Day (VP & CSO, EMEA, Palo Alto Networks):
“For every one new solution, remove two legacy solutions”
But once again, to achieve this, you have to start from the process end of your practice: the one new solution you add has to be added from a perspective of process re-alignment and simplification, and the two you remove have to be removed from the same perspective.
Nor should we forget that processes are enacted by people, who are creatures of habit and have to be trained and led along the path of change, not just expected to go with the flow. In all cases, the process has to come first, then people, then technology. The cyber security industry, listening to the sirens of tech vendors, has been doing it the other way round for the best part of the last 20 years. Now the accumulated burden is becoming too much to carry in the face of unrelenting threats.
Things need to change but buying more tools won’t help unless they truly have estate decluttering and smart process automation at their heart.