Doing Much More With Much Less – a Security Operations Journey (Part One)

Industry Perspectives 2020-11-19

"Do more with less." This is as simple and clear as any request can get. However, the implementation in security operations is anything but… or is it? How exactly can this be accomplished in practical terms that have a net positive impact on the overall security posture of the organization and not cause issues?

When looking at organizations that have consistently and successfully been able to "do more with less" such as manufacturing, the leading approach is to focus on automation, developing core essential capabilities, exploiting them with repeatable processes that are adaptable, and reducing human interaction to only the tasks that cannot yet be automated.

"Automation", "essential capabilities", "repeatable processes that are adaptable" and "minimizing human interactions" – sounds simple enough, doesn’t it? Ok, where do we start?

The first point to realize is that not all security operations events are of the same importance today, and that while some are not important today, they can become critically so in the future. As a result, there needs to be a way to actively review everything that has ever happened, multiple times a day, every single day.

Everyone knows this, but how do you accomplish such a daunting task efficiently?

Any organization can hire an army of expensive and highly qualified people to review logs and assess the priority of each event, but that isn’t "doing more with less" – in fact, it’s actually "doing much less with much more." This bottom up approach does not bound the problem into something that can be human scaled and, as a result, events slip by unacknowledged and unactioned because of sheer volume.

A simpler and more efficient way to do this is to automate as much of this task as possible by applying actionable intelligence filters. Actionable intelligence filters are analyzed findings from different sources that can be used to create codable logic. The better the quality of the intelligence, the better its ability to clearly steer the focus of the logic.

This logic is applied to events, and as more and higher quality intelligence filters are applied, the scope of events reduces down to the most relevant ones for today.

Because this logic is automated, it can be run regularly throughout the day, as updated intelligence is made available, creating a clearly adaptable process that is always relevant to the environment even as threats evolve on a minute by minute basis.

The first step in leveraging intelligence and making it actionable in an environment is determining which intelligence findings are applicable to the environment and which ones need to be actioned.

This is a quantifiable exercise that is bounded and limited in scope – there are only a finite number of intelligence reports published every day. This human-scale problem does not require a doctorate level IT security expert to analyze. Rather, a trained front-line analyst can review the contents of the threat intelligence reports and quickly assess which ones are applicable to the environment and if there already exists a capability to identify and protect the organization from this threat.

For example, the security analyst would assess if this threat report describes a real or theoretical threat and if it has an active exploit or not. If it is theoretical and without any active exploit, then "do nothing and keep monitoring for any changes in the future" is a perfectly valid response. There is no need to issue an emergency patch and no need to take down production systems.

Alternatively, if a threat has an active exploit (say one that leverages malware) and it targets systems that are present in the environment, then the question becomes, "Does a malware signature already exist and is it deployed in the environment?" If there is a signature and it is deployed, then "do nothing" or "verify that the protection capability is active with the latest update on all targeted systems and update systems that have fallen behind" are valid responses for this threat intelligence finding.

Sometimes threats are entirely new or protections are not currently available, and they will not be for some time or may never be available due to a number of technical or operational factors. In this type of situation, searching for activity related to a threat finding may generate a massive number of false positives and the resulting data set would not be usable, or actioning the findings to all discovered events could itself cause disruptive issues in the environment. In these special cases, basic automation of the technical information contained in a threat report may only provide part of the answer.

This is where attribution and understanding the motives of an attacker makes a big difference – specifically: Who is the source of this threat? What are they typically after? And why?

Threat intelligence reports that include this information are worth their weight in gold because they provide additional contextual information that can be used to refine the search for the tell-tale signs of a threat, even when dissimulated within mountains of events.

For example, knowing that a threat is originating from a specific threat actor (say a financial threat group) and that the intent of this threat actor is typically to steal login credentials used for financial systems means that the scope of the investigation can be focused and include correlation with authentication logs of financial systems typically targeted. Organizations can also enact a review of financial transactions over the associated period of time to ensure nothing out of the ordinary occurred. This triangulation on a threat from multiple angles is only possible when full context is provided for each threat.
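The triage questions and the actor-context scoping described above can be written as codable logic that is re-run over stored events whenever intelligence is updated. This is an added example, not code from the article; the `Report` fields, the action names, the "not-applicable" outcome and all sample data are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Report:                          # hypothetical shape of one triaged intel report
    name: str
    active_exploit: bool               # real, exploited threat vs. theoretical
    platforms: set                     # platforms the threat targets
    signature_deployed: bool           # protection exists and is rolled out
    indicators: set                    # e.g. source addresses named in the report
    actor_targets: frozenset = frozenset()  # asset roles the attributed actor goes after

def triage(report, inventory):
    """Answer the analyst's questions in order and return the resulting action."""
    if not report.active_exploit:
        return "monitor"               # theoretical: keep watching for changes
    if not any(p in report.platforms for p, _ in inventory.values()):
        return "not-applicable"        # assumption: nothing targeted is present
    if report.signature_deployed:
        return "verify-protection"     # confirm coverage, update stragglers
    return "hunt"                      # no protection yet: search stored events

def hunt(report, events, inventory):
    """Filter stored events by indicator, then narrow using the actor's motive."""
    hits = [e for e in events if e["src"] in report.indicators]
    if report.actor_targets:           # attribution available: keep auth events on targeted roles
        hits = [e for e in hits if e["type"] == "auth"
                and inventory.get(e["host"], (None, None))[1] in report.actor_targets]
    return hits

# Constructed sample data: host -> (platform, role), plus a small event store.
INVENTORY = {"web01": ("linux", "web"), "pay01": ("windows", "finance"),
             "hr01": ("windows", "hr")}
EVENTS = [
    {"host": "web01", "type": "http", "src": "198.51.100.7"},
    {"host": "pay01", "type": "auth", "src": "198.51.100.7"},
    {"host": "hr01", "type": "auth", "src": "198.51.100.7"},
    {"host": "pay01", "type": "auth", "src": "192.0.2.10"},
]
REPORTS = [
    Report("theoretical-flaw", False, {"linux"}, False, set()),
    Report("known-malware", True, {"windows"}, True, {"192.0.2.10"}),
    Report("credential-theft", True, {"windows"}, False, {"198.51.100.7"},
           frozenset({"finance"})),
]

def run(reports=REPORTS, events=EVENTS, inventory=INVENTORY):
    """Re-run on each intel update: {report name: (action, matching events)}."""
    actions = {r.name: triage(r, inventory) for r in reports}
    return {r.name: (actions[r.name],
                     hunt(r, events, inventory) if actions[r.name] == "hunt" else [])
            for r in reports}
```

Without the actor context the third report matches three stored events; with it, only the authentication event on the finance host remains for the analyst.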

Another way to use this intelligence is to keep track of which threat actor has attacked the organization in the past and what they were after. Any new threat intelligence reports that indicate behaviors from this threat actor become a high priority and can be reported back to the Board of Directors to help them better understand the stresses and strains being exerted on the organization, and identify critical areas that may need additional investment to adequately protect.

This is just a starting point. In Part Two, we will discuss actual examples of clever and innovative approaches to scaling security operations to do much more with much less.

Bottom line: Organizations are always being challenged to provide better value while becoming more efficient. The key to achieving this is to be smarter about all we do, automating as much as possible and focusing the uniqueness of human capital on the activities that benefit from it the most.