

Get more secure!
The Security Operations function is now, more than ever, critical to the survival of a growing business. As soon as a business enters the public eye, it becomes a target. I have seen this in my career as businesses I have been a part of have been acquired by larger, more established and well-known companies. Suddenly security tightens: VPNs are set up, anti-phishing alerts get sent, mandatory training takes over half your life every quarter; all because you now work for a well-known company. (Perhaps the best security would be to fire your marketing department, but that probably wouldn’t be a very popular move.)
ITSM tools have long been ensuring stability in organisations that are now wholly reliant on IT services. The solution of choice, ServiceNow®, has been enabling workflows to streamline that stability, and now offers the solution to respond when a potential security threat is identified ‘before they impact the business.’ After you’ve integrated ServiceNow® with all those threat intelligence tools, what next?
Are they still incidents?
At some point, someone thought it would be a good idea to write down security-esque issues that were happening. IT logs them as incidents, but we should probably have ‘Security Incidents’. I used to work in an organisation that would simply add a ‘Security’ flag to the record, and it would disappear into the ‘Security Ops’ bucket for them to do whatever it is they do with that kind of thing.
The reality was that, after some helpful discussions with them, it turned out just how on top of their data they were. They would reclassify the records as they understood the cause of what was happening, address any potential vulnerabilities and plug the holes that had been discovered. Having been led to believe that the incident process in this particular organisation was ‘very mature’ and ‘textbook ITIL’, I saw a process that didn’t do any song and dance, but actually got on with its task.
Well done, SecOps.
What is considered a successful security operation?
‘Successful’ can often mean ‘nothing’s happening; let’s stay alert so that nothing keeps happening’. The issue with this negative reporting (checking that nothing is still happening: “Did nothing happen? Yes!”) is that it is impossible to quantify. Just as a properly successful incident operation should be full of problem records (rather than Problem Management being a glorified Major Incident Management add-on), a successful security operation is, in fact, a proactive one. It’s time to augment the use case for SecOps.
The vulnerability management suite is already a step in the right direction. It identifies actual things within the organisation that are exposed because of weaknesses in the software or firmware they are running. These can be servers in a datacenter, or laptops in the office.
Out-of-the-box, ServiceNow® provides some excellent dashboards that measure volumes of security incidents and vulnerabilities. This gets you off to a great start so you’re not waiting for something else to happen. The downside is that a privileged sub-section of your operation suddenly gains visibility into problems nobody else could see before, and the data behind those dashboards now has to hold up to scrutiny.
If the data is not as tightly maintained as is now required, you’re simply not going to achieve the security you’re hoping for. If silos still exist, your organisation is inherently vulnerable. Security Operations needs to bleed into all the surrounding processes to make an enterprise genuinely secure. That will lead to greater awareness of potential vulnerabilities, which will drive up the need for quality in your data. Without warning, your great initiative to get more secure has exposed gaps in data integrity in established processes (and it should!). The best thing to do is embrace the need for better, more accurate data and allow every moving part within your organisation to benefit from what can now be achieved.
The next step, once you’ve settled into this updated view of security, is to get the number of vulnerable items as low as possible. You do that by reviewing and changing your analytics.1 What you will realise is that the analytics that actually keep security tight are not, necessarily, Security Operations’ responsibility. They fall on the owners of the hardware, software or cloud infrastructure, who have to ensure everything is up to date. Patching is down to the owners of what needs patching, right?
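To make the last three paragraphs concrete (the dashboards that only count volumes, the data-integrity gaps they expose, and the analytics that push ownership of patching back onto the owners), here is an added example that is not code from the original article and not ServiceNow’s own API or schema. The vulnerable-item records are constructed inline, and the field names, the remediation targets per severity and the helper functions are this example’s own assumptions, loosely modelled on the idea of a vulnerable-item table rather than on any real one.

```python
"""Proactive vulnerability analytics over vulnerable-item records.

Added example, not code from the article or from ServiceNow. Records are
constructed inline; field names (ci, assignment_group, severity, opened,
closed, state) and the SLA_DAYS targets are assumptions for illustration.
"""
from collections import Counter, defaultdict
from datetime import date
from statistics import mean

# Assumed remediation target in days per severity (not an official SLA).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed sample records; an empty string marks missing data.
VULNERABLE_ITEMS = [
    {"id": "VIT1", "ci": "web01", "assignment_group": "Web Ops", "severity": "critical",
     "opened": date(2023, 1, 2), "closed": date(2023, 1, 6), "state": "closed"},
    {"id": "VIT2", "ci": "web02", "assignment_group": "Web Ops", "severity": "critical",
     "opened": date(2023, 1, 2), "closed": None, "state": "open"},
    {"id": "VIT3", "ci": "db01", "assignment_group": "DBA", "severity": "high",
     "opened": date(2023, 1, 10), "closed": date(2023, 2, 20), "state": "closed"},
    {"id": "VIT4", "ci": "lap-0042", "assignment_group": "", "severity": "medium",
     "opened": date(2023, 2, 1), "closed": None, "state": "open"},
    {"id": "VIT5", "ci": "", "assignment_group": "", "severity": "low",
     "opened": date(2023, 2, 1), "closed": None, "state": "open"},
]


def open_items(items):
    """Items that still need remediating."""
    return [i for i in items if i["state"] != "closed"]


def open_by_owner(items):
    """Open items per owning group: the 'whose patching is this?' view,
    rather than the out-of-the-box 'how many are there?' volume."""
    return Counter(i["assignment_group"] or "<unassigned>" for i in open_items(items))


def data_gaps(items):
    """Records nobody can action because the CI or the owner is missing.
    These are the data-integrity gaps the security initiative exposes."""
    return [i["id"] for i in items if not i["ci"] or not i["assignment_group"]]


def overdue(items, today):
    """Open items that have outlived the remediation target for their severity."""
    return [i["id"] for i in open_items(items)
            if (today - i["opened"]).days > SLA_DAYS[i["severity"]]]


def mean_days_to_remediate(items):
    """Mean opened-to-closed age of closed items, grouped by severity."""
    ages = defaultdict(list)
    for i in items:
        if i["state"] == "closed" and i["closed"] is not None:
            ages[i["severity"]].append((i["closed"] - i["opened"]).days)
    return {sev: mean(days) for sev, days in ages.items()}


def report(items, today):
    """The four measures a proactive SecOps dashboard would carry."""
    return {
        "open_by_owner": dict(open_by_owner(items)),
        "data_gaps": data_gaps(items),
        "overdue": overdue(items, today),
        "mttr_days": mean_days_to_remediate(items),
    }


if __name__ == "__main__":
    for name, value in report(VULNERABLE_ITEMS, date(2023, 3, 1)).items():
        print(f"{name}: {value}")
```

The point of the per-owner and data-gap views is that they are actionable outside Security Operations: the owning group gets a number it can drive down, and an `<unassigned>` bucket is a data-quality problem for the CMDB owners before it is a security problem for anyone else.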
The standard ITIL/ITSM controls that make this more onerous are good for stability, but are arguably the real risk to security. That is the argument for a holistic view: to ensure the enterprise is not put at risk because of bad planning or procrastination.
Should you just skip to the end and focus on data quality?
By no means!
By which I mean that the massive downfall in every organisation is to waste valuable time and effort making data super clean, without really knowing why, and failing to take appropriate action before then. The journey of Security Operations means that, quite rightly, you are responding ‘before the impact to the business’. And while that is going on, you can begin to identify the data that really matters and get ahead of the issue before it arises.
Performance Analytics will bring these two divergent disciplines back into that desirable holistic view. Implementing this view properly will mean you get secure, maintain stability, and drive performance simultaneously.
It is possible. Just make sure you’re talking to the right people.2
~
1 This is something you should be doing at least every quarter.
2 DXC