Operations Shady RAT, Operation Aurora, Operation Night Dragon sounds like names out of a WikiLeaks memo or even more a Hollywood action blockbuster. Sadly not, these are the three names that have done the rounds in the last 2 – 3 years where information security defenses of organizations were not only breached but data assets were stolen for sure. No organisation will state the extent of data lost or disclose the monetary value of the losses but if years of research, design innovation and sensitive personal data has been compromised, which I am sure it has been then the loss has a far greater impact than dollars and cents. Add to this, attacks on RSA, Lockheed Martin, Sony, PBS the list goes on and on.
Traditionally these exploits were called hacks, virus outbreaks, malware compromise, root kit exploitation, zero day attacks these days new terms like Advanced Persistent Threat or (APT) have been coined by security pundits. I think they should all be called LO or “Lazy Ops”. Now why is it that servers are not patched, or applications are running with default passwords, why is it that servers once installed never get visited or checked for current vulnerabilities? Why is it that even after spending millions of dollars on technology equipment at all layers of the stack from network through to the end point we still hear about these attacks, exploits and data leaks now more than ever. Its because security operations requires good trained security professionals using a range of fit for purpose and fit for use tools to undertake the required tasks of securing the environment. Technology or the lack of should never be used as an excuse for not patching a server or reviewing the logs of that all important mission critical server and/or application because a skilled hacker or a persistent adversary is only as good as your weakest server or end user computer.
Architects can design the most secure and industry leading solution that money can buy and requirements can specify, but if an equally robust and thought leading security operations capability does not exist within an organisation it is all worth nothing as the custodians of the end capability are required equally capable if not better than the architects and designers putting the security capability in place. There is a perception that for technical staff to get promoted and recognised they need to move away from engineering, into design and oh yes the epitome of technical success architect. Enterprise Architect, Consulting Architect and the likes, nothing wrong with that, but that leaves a very limited and a handful of skilled operatives to drive and make an impact where is matters most, within security operations and if the trend continues organisations will experience the likes of Shady RAT, Aurora and Night Dragon only more often and possibly with greater impacts.
The security technology and supporting toolsets have come a long way in the last few years and the implementation of latest technology and tools goes a long way to assist in the development and establishment of a successful security operations centre.
Tools in their various flavours assist in capability enhancement of well trained security operations staff to detect, respond and manage security operations but technology alone is not the savior or the silver bullet that will protect organisations from exploits and threats. Technology can, will and does improve the undertaking of security operations but effectiveness comes through the people operating it and the processes that have been established to run it. No security operations team will be successful if it does not have the support of its technology and business executives who are ultimately accountable for the risk of compromise if it eventuates. Historically security purists have not won may friends by issuing blanket NO and NOT POSSIBLE because SECURITY SAYS SO attitude and creating an atmosphere of fear, uncertainty and doubt.
Like every thing else in business, information security is a risk based domain and security operations an extension of an organisations operational risk framework. An effective security operations centre or security operations framework should include the classic 4 quadrants of Prevent, Detect, Respond and Investigate. I will discuss the makeup of what these contain and what a potential security operations model could look like in a follow up article, but in the interim think about security operations as a process heavy, knowledge intensive operating domain which requires rich intellectual capital to be effective and successful.
More articles from this author:
Opinion: Enterprise Security Architecture as a discipline – the three viewpoints.