Steve Schlarman

Security Operations Management: The White Hatfields and the McCriminals

Blog Post created by Steve Schlarman on Jan 6, 2014

Over the holidays between frantic last minute shopping, eggnog and family get-togethers, I caught up on some of my Netflix queue and watched the TV mini-series “Hatfields and McCoys”. I am not sure of its complete historical accuracy but the series was a deep inspection on how a conflict can spiral into complete and utter insanity very quickly. By the end, I felt sorry for all of the characters – there were no winners in the feud. There were only people who threw away their lives (or parts of their lives) based on the fundamental disagreement of two men – each making a decision based on his own principles. The resulting conflict was of devastating proportions.


Last year at this time, I opened 2013 with a blog series on “Next Generation Security Operations”. I highlighted some of the major issues we saw in 2012 with the rising sophistication of the adversaries, the increase of malware and the resulting serious data breaches. I spoke of the need for “Telescopes for the Lookouts” on the castle wall, the evolving security incident response needs, all of the adjacent security processes that should be part of the picture and the need to fuse proactive and reactive measures together for a more coordinated approach to the security defense cycle. I sure wish I could start this year off with a different story but the feud rages on between the “White Hat-fields and the McCriminals”.


The White Hat-fields have, over the years, deployed many different technologies that either protect or monitor systems against security threats. All of these systems generate system logs tracking security events. The incident response team, whose responsibility it is to monitor these events and respond to security threats, then tracks these individual incidents and investigates. Incidents can vary wildly from an individual infected machine to a major data breach. Through diligence and the tenacity of a Kentucky coon hound, the White Hat-fields track down each incident, determine its cause and resolve the issue. The McCriminals have the same tenacity in finding new ways to craft attacks, new avenues to exploit and new targets to assault. I won’t go into the details – there is much already said about this – and any research into the latest malware attacks highlights this. Just like the Hatfield/McCoy feud, the conflict storms on.


2013 was a year of tough questions for security. Between the Snowden controversies and the massive data breaches reported over the year, the debate on what is necessary to maintain security came to the forefront of ordinary people's conversations. I have heard in the past that computer crime was a victimless crime. But that notion is woefully wrong. Those who, with great angst and anxiety, watch their bank and credit card statements because of a hack are victims. The countless security people who spent time away from their families wrestling against attacks are victims. When one looks at the financial and personal costs associated with these data breaches to real people – not just the financial institutions – it is not a victimless crime anymore.


There is a growing sentiment in security that the White Hat-fields need to rethink how they go about this feud. I cite our latest SBIC (Security Business Innovation Council) report – “Transforming Information Security: Future-Proofing Processes” – as simple evidence. When have you seen a paper on improving IT security include the word “Business” in 3 of the 5 main points? Not one of the main points includes "firewall", "Intrusion Detection" or even the word "Technology".

  • Shift focus from technical assets to critical business processes
  • Institute business estimates of Cybersecurity risks
  • Establish a Business-centric Risk Assessment process
  • Set a course for evidence-based controls assurance
  • Develop informed data-collection methods

This report, and many others like it, represents a tipping point in the world of technical security.  The clarity with which security must understand the business today is beyond paramount importance.  It is part of survival.


My next series of blogs will talk about changes we need to undertake within Security Operations to arm the White Hat-fields with something other than tenacity.  As the McCriminals prepare for this coming year, so must the White Hat-fields. The feud continues.