Source: www.securityweek.com – Author: Joshua Goldfarb
Not that long ago, say 15-20 years ago, security operations as a practice was a lot simpler. Not because it was easy to defend the enterprise, identify and investigate intrusions, or respond to and mitigate those intrusions. Those things, along with many others, were always a challenge and remain so today. Rather, 15-20 years ago, those in security operations at least had a fighting chance to be successful.
What do I mean by this? Let’s examine this idea in more depth. Back then, the enterprise infrastructure was relatively well-known and well-defined. There were most often a number of data centers, along with an enterprise network inside a fairly well-understood perimeter. Over the last two decades, however, that model began to evolve and change.
What resulted was something far more complex, far less well-defined, and far less well understood. The current state of hybrid and multi-cloud infrastructure that most organizations have in place creates a number of challenges for security organizations, and most notably for those in security operations. While there are many angles we could explore, let’s delve further into 10 ways that modern infrastructures make security operations much harder.
- Asset management: Asset management is critical to the success of the security operations function. In order to defend assets, I first and foremost need to know about them and be able to manage them: apply policies and controls to them, and identify each asset and where it lives when necessary. With the move to hybrid and multi-cloud, asset management is much more difficult than it used to be. Security teams need proper asset management across all environments, along with the ability to map the differently named fields in different data sources (a CMDB hostname, a cloud instance ID, an IP in a flow log) back to the assets they correspond to.
- Visibility: No security team can protect what they can’t see. Proper security operations requires proper visibility. I need to have eyes into the different environments, the traffic transiting those environments, and as noted above, the assets within that environment. Without that, which is unfortunately a state many hybrid and multi-cloud enterprises find themselves in, I can’t begin to hope to run security operations well.
- Telemetry: Visibility enables another key component of security operations – telemetry collection. Without the proper logging, eventing, and alerting, I can’t detect, investigate, analyze, respond to, and mitigate security incidents. Security operations simply cannot operate without telemetry, and the hybrid and multi-cloud world has made telemetry collection much more difficult than it used to be.
- Security policy: Good security operations requires implementing security policy uniformly, universally, effectively, and efficiently. If I iterate properly, take lessons learned, and work to continuously improve my security, I’ll need a way to easily implement those lessons learned and improvements across all of my environments. Hybrid and multi-cloud environments have complicated this significantly, making security operations that much harder.
- Preventive controls: Preventive controls that are driven, honed, and improved by risk, institutional knowledge, and lessons learned help secure the enterprise. The security operations team relies on preventive controls as a part of its overall approach to defending the enterprise. Modern infrastructures make this job harder for the security operations team, as the ability to efficiently and effectively implement preventive controls is often severely impeded.
- Detective controls: Security operations teams generally spend a good deal of time and energy on continuous security monitoring, which is based largely on detective controls that have been put in place. It is what flows naturally out of the requisite visibility and appropriate telemetry collection described above. Unfortunately, the complexity of modern environments hurts the security operations team’s ability to properly implement the detective controls they would like to. This is a significant challenge for security operations in modern times.
- Investigation: When there is a security incident or issue, the security operations team will need to investigate. This requires the ability to run sophisticated analytics and queries. Unfortunately, this capability is not a given in the complexity of modern environments. Security operations teams often lack the requisite investigative capability, which hinders their ability to properly investigate security incidents and issues.
- Response: If a security incident is serious enough, there will need to be a formal incident response. This will involve significant planning, coordination with a variety of stakeholders, regular communications, structured reporting, ongoing analysis, and a post-incident evaluation once the response is wrapped up. All of these steps are complicated by hybrid and multi-cloud environments, if not made impossible altogether. The security operations team will not be able to properly engage in incident response if they are lacking the above capabilities, and having a complex environment is not an excuse.
- Remediation: Regardless of how serious or routine, when a security issue has been identified, it will need to be remediated. This remediation requires, first and foremost, being able to see and detect the issue. Beyond that, it also requires reach into the environment or environments where the issue exists with an ability to remediate the issue in that environment. This reach has become significantly more complex in recent years, and it is something that hampers the security operations team’s ability to remediate security issues.
- Lessons learned: At first, you might question what the move to hybrid and multi-cloud environments has to do with effectively taking lessons learned. Sadly, it has everything to do with it. Lessons learned need to be based on facts, data, and truth – not conjecture. All of the above points are required in order for that to happen, and that is no simple feat in today’s modern environments. It is one of the many things that makes security operations so much harder than it used to be.
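The asset-management, visibility and telemetry points above come down to one practical problem: each environment exports its inventory with its own field names and identifiers, and the security operations team has to map them onto one view and then check that view against what telemetry actually shows. The following is an added example, not code from the article or from F5; the three inventory exports and the flow-log IP list are constructed sample data with made-up field names and hosts, and the mapping rules in normalize() are assumptions about what such exports look like.

```python
"""Reconcile asset records from several inventories into one view, then
compare that view against observed telemetry.

Constructed example (not from the article): three sources describe
overlapping assets using different field names and native identifiers."""

# Constructed sample exports. Field names deliberately differ per source.
CMDB = [  # on-prem configuration management database
    {"hostname": "web01.corp.example", "ip": "10.1.2.3", "owner": "platform"},
    {"hostname": "db01.corp.example", "ip": "10.1.2.10", "owner": "data"},
]
CLOUD_A = [  # instance listing from one cloud provider (hypothetical shape)
    {"instance_id": "i-0abc", "private_ip": "10.50.0.7",
     "tags": {"Name": "web01.corp.example", "team": "platform"}},
    {"instance_id": "i-0def", "private_ip": "10.50.0.9",
     "tags": {"Name": "batch-worker"}},
]
CLOUD_B = [  # VM listing from a second provider (hypothetical shape)
    {"vm_name": "api-gw-2", "nic_ip": "10.60.1.4",
     "resource_group": "prod-api", "tags": {}},
]
# Constructed telemetry: source IPs seen in flow logs over some window.
FLOW_LOG_SRC_IPS = ["10.1.2.3", "10.50.0.9", "10.60.1.4", "10.70.9.9"]


def normalize(source, record):
    """Map one raw record from a named source onto a common schema."""
    if source == "cmdb":
        return {"name": record["hostname"], "ip": record["ip"],
                "owner": record.get("owner"), "native_id": record["hostname"]}
    if source == "cloud_a":
        tags = record.get("tags", {})
        return {"name": tags.get("Name", record["instance_id"]),
                "ip": record["private_ip"], "owner": tags.get("team"),
                "native_id": record["instance_id"]}
    if source == "cloud_b":
        return {"name": record["vm_name"], "ip": record["nic_ip"],
                "owner": record.get("tags", {}).get("owner"),
                "native_id": record["vm_name"]}
    raise ValueError(f"unknown source {source!r}")


def build_inventory(sources=None):
    """Merge all sources into one record per asset, keyed by lowercase name.

    Each merged record keeps every IP seen for the asset, which sources
    know about it (with the identifier each source uses), and the first
    owner any source reported."""
    if sources is None:
        sources = {"cmdb": CMDB, "cloud_a": CLOUD_A, "cloud_b": CLOUD_B}
    inventory = {}
    for source, records in sources.items():
        for raw in records:
            rec = normalize(source, raw)
            key = rec["name"].lower()
            entry = inventory.setdefault(
                key, {"name": rec["name"], "ips": set(), "sources": {}, "owner": None})
            entry["ips"].add(rec["ip"])
            entry["sources"][source] = rec["native_id"]
            if entry["owner"] is None and rec["owner"]:
                entry["owner"] = rec["owner"]
    return inventory


def unmanaged_ips(observed_ips, inventory):
    """IPs present in telemetry but absent from every inventory: the
    visibility gap the article describes."""
    known = {ip for entry in inventory.values() for ip in entry["ips"]}
    return sorted(ip for ip in set(observed_ips) if ip not in known)


def assets_without_owner(inventory):
    """Assets no source attributes to a team; policy cannot be applied
    to an asset nobody owns."""
    return sorted(e["name"] for e in inventory.values() if not e["owner"])


if __name__ == "__main__":
    inv = build_inventory()
    for name, entry in sorted(inv.items()):
        print(f"{entry['name']:22} ips={sorted(entry['ips'])} "
              f"sources={entry['sources']} owner={entry['owner']}")
    print("unmanaged IPs in flow logs:", unmanaged_ips(FLOW_LOG_SRC_IPS, inv))
    print("assets without an owner:", assets_without_owner(inv))
```

The join key here is the asset name, which works only when the teams tagging cloud resources use the same naming convention as the CMDB; in practice a second pass keyed on IP or on a shared agent ID is usually needed, and any asset that appears in only one source, or with an IP the other sources disagree about, deserves a ticket rather than silent merging.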
It is true that the move to hybrid and multi-cloud environments has made security operations harder, rather than easier. That being said, there are steps that enterprises can take to ensure that they can run security operations properly, even with today’s complex environments. As a first step, enterprises should ensure that they have effective distributed cloud management and security policies, procedures, and technologies. This provides the necessary baseline capability and gives security operations teams back much of what they have lost across the 10 points enumerated above. These points are critical for security operations, and they are things that enterprises cannot afford to have lost. The time has come to get them back.
Joshua Goldfarb (Twitter: @ananalytical) is currently Field CISO at F5. Previously, Josh served as VP, CTO – Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
Original Post URL: https://www.securityweek.com/reclaiming-control-how-enterprises-can-fix-broken-security-operations/
Category & Tags: Security Infrastructure, Security Operations, SOC