Steve Schlarman

Security Operations Management: Ninjas and Windows

Blog Post created by Steve Schlarman Employee on Jan 23, 2014

Describing to a lay person how a “hack” happens is not an easy discussion. Like many of you, I have fielded over the years multitudes of inquiries from friends and family when something big hits the news. Since I am the “security guy”, I have to explain how a big company could be hacked and so many personal records stolen. At some point in the conversation – after phishing, malware, software vulnerabilities and exploits have glazed over their eyes – I turn on the “analogy” machine and simply talk about ninjas breaking into castles through an open window, absconding with the crown jewels and the night guard noticing the broken lock on the treasury’s door. Then I tell them “update your virus software, don’t click on ANYTHING in an email, unplug your router, forget the Internet and go back to pen, paper, manual checkbooks and weekly visits to the bank to take out ONLY the money you will need for that week.” Seriously though, the news events are no joking matter. Like I said in my first blog in this series, these hacks are not victimless crimes.


It is hard to explain today’s threats and the bad guys to the lay person, even a tech-savvy one. Even IT people have trouble grasping some of the security issues that are challenging today’s security organizations.

1)   The flood of events and alerts security teams must look at is tremendous. In addition to perimeter and signature-based security systems, to protect against today’s advanced threats you need network and host visibility. Add all of that up and the security team has to deal with millions of events to try to find the alerts that actually mean something. Too much data is flowing at them, creating noise that hides real attacks.

2)   Alerts start piling up and the incident response team, since they don’t yet know the business impact of these alerts, ends up firefighting incident after incident. The latest alert gets the most attention, but it might not represent a true threat.

3)   The old ‘incident response team’ is not going to cut it against today’s adversary. A successful strategy to defend against today’s threats requires more than just ad-hoc analysts putting out fires.  Companies need skilled resources such as Level 1 and Level 2 analysts, threat analysts and security response managers working in a defined framework.

Because of the flood of alerts, the lack of context and the constant firefighting, the security team faces a tremendous challenge in understanding the business risk. Without the proper context around these alerts and incidents, the security team can end up chasing the wrong issues or missing the big ones simply because they are struggling to keep up. The organization is then at greater risk because the team cannot prioritize security threats.


So the people on the front line of this battle have a lot on their shoulders. Not only is there a tremendous technical challenge, they also have to satisfy some critical people within the organization. First, the CISO wants to know whether this process is performing the way it should be and if there are any major disasters brewing. Next, other Risk and Compliance functions want to know where IT security risks fall into the big picture and if there are any possible compliance issues. And finally, the business wants assurance that the most precious assets are protected.


Where to start?


This is such a recurring theme that I feel that I should just post one statement and then link every blog I write to it but I will say it again.   It has to start with understanding assets.   The more a security team understands the assets involved in a possible threat event, the more appropriate the response will be. Too often the security operations teams are disconnected from processes that identify critical business assets such as business continuity impact analyses and core compliance initiatives.  Those lists of mission critical systems and repositories of regulatory or confidential data have to get into the hands of the people looking at that flood of security alerts.


This asset understanding is only one dimension, though, of solving the priority problem. Business context (what the asset means in business terms) must be coupled with threat intelligence (what the possible attack means) to determine the priority and focus security resources on the right issues. This is what will turn an alert from ‘failed logins’ into ‘automated attack on production database storing customer information’, or ‘malware on a laptop’ into ‘malware on a system admin’s laptop that can be used to launch leapfrog attacks against critical systems’. The priority of a security alert depends on multiple factors, and these dimensions must be quickly given to the security analyst to triage the alert properly.
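The two paragraphs above (get the critical-asset lists into the analysts’ hands, then couple that business context with threat context to set priority) can be shown as a small triage routine. The following is an added example, not RSA Archer code and not the module’s scoring method: the asset inventory, the base threat weights, the thresholds (one failed login per second counts as automated; score bands for P1–P4) and the sample alerts are all constructed for illustration. It enriches each raw alert with what the asset means and what the alert type can mean, multiplies the two into a score, and re-orders the queue by that score rather than by arrival time.

```python
"""Alert triage enrichment: business context x threat context -> priority.

Hypothetical example. The inventory, weights, thresholds and alerts below
are constructed; a real deployment would feed ASSETS from BIA / compliance
scoping and BASE_THREAT from a threat-intelligence source.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed asset inventory: the business-context dimension.
ASSETS: Dict[str, dict] = {
    "db-prod-01":  {"role": "database", "criticality": 5, "tags": {"production", "customer-pii"}},
    "wiki-dev-02": {"role": "wiki",     "criticality": 1, "tags": {"development"}},
    "lt-admin-07": {"role": "laptop",   "criticality": 4, "tags": {"endpoint", "privileged-user"}},
    "lt-sales-19": {"role": "laptop",   "criticality": 2, "tags": {"endpoint"}},
}
UNKNOWN_ASSET = {"role": "unknown host", "criticality": 1, "tags": set()}

# Constructed threat dimension: base severity of what an alert type can mean.
BASE_THREAT: Dict[str, int] = {"failed_login": 1, "malware_detected": 3}


@dataclass
class Alert:
    alert_type: str
    host: str
    count: int = 1           # events aggregated into this alert
    window_s: int = 60       # aggregation window in seconds
    source_ip: Optional[str] = None


def describe(alert: Alert, asset: dict, automated: bool, pivot: bool) -> str:
    """Rewrite the raw alert name in business terms."""
    role, tags = asset["role"], asset["tags"]
    if automated:
        env = "production " if "production" in tags else ""
        data = " storing customer information" if "customer-pii" in tags else ""
        return f"automated attack on {env}{role}{data}"
    if pivot:
        return f"malware on a system admin's {role} that can be used to pivot to critical systems"
    return f"{alert.alert_type.replace('_', ' ')} on {alert.host}"


def triage(alert: Alert) -> dict:
    """Enrich one alert with asset and threat context and assign a priority."""
    asset = ASSETS.get(alert.host, UNKNOWN_ASSET)
    tags = asset["tags"]
    threat = BASE_THREAT.get(alert.alert_type, 1)

    # Behavioural signal from the alert itself: one failure per second or faster
    # is machine-driven, not a user mistyping a password (hypothetical threshold).
    automated = alert.alert_type == "failed_login" and alert.count / alert.window_s >= 1.0
    if automated:
        threat += 2

    # Pivot risk: malware on a privileged user's endpoint can reach critical systems.
    pivot = alert.alert_type == "malware_detected" and "privileged-user" in tags
    if pivot:
        threat += 2

    score = asset["criticality"] * threat
    priority = "P1" if score >= 15 else "P2" if score >= 8 else "P3" if score >= 4 else "P4"
    return {"host": alert.host, "score": score, "priority": priority,
            "title": describe(alert, asset, automated, pivot)}


def rank(alerts: List[Alert]) -> List[dict]:
    """Order the queue by business risk instead of by arrival time."""
    return sorted((triage(a) for a in alerts), key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    # Constructed sample alerts, listed in arrival order.
    queue = [
        Alert("failed_login", "wiki-dev-02", count=3),
        Alert("malware_detected", "lt-sales-19"),
        Alert("failed_login", "db-prod-01", count=300, source_ip="198.51.100.7"),
        Alert("malware_detected", "lt-admin-07"),
    ]
    for r in rank(queue):
        print(f"{r['priority']} score={r['score']:>2} {r['host']}: {r['title']}")
```

Run as-is, the newest alert (malware on the admin laptop) and the brute-force attempt against the customer database rise to the top, while the three failed logins on a development wiki drop to the bottom; without the asset inventory all four would have scored on threat alone, and the wiki noise would have competed with the database attack for attention.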


No matter how hard a company tries, some ninja is going to get into some window and head straight toward the crown jewels.  The trick is to know when that ninja has crossed that window ledge, where the crown jewels are located and how soon that treasury door will be breached.  Take a look at how our new Security Operations Management module for RSA Archer tackles these, and more, challenges.