Security Operations: the Final Frontier

Operation Shady RAT, Operation Aurora, Operation Night Dragon: these sound like names out of a WikiLeaks memo, or more likely a Hollywood action blockbuster. Sadly not. These are three of the names that have done the rounds in the last two to three years, cases where the information security defences of organisations were not only breached but data assets were stolen. No organisation will state the extent of the data lost or disclose the monetary value of the losses, but if years of research, design innovation and sensitive personal data have been compromised, which I am sure they have, then the loss has a far greater impact than dollars and cents. Add to this the attacks on RSA, Lockheed Martin, Sony and PBS, and the list goes on and on.

Traditionally these exploits were called hacks, virus outbreaks, malware compromises, rootkit exploitation or zero-day attacks; these days new terms like Advanced Persistent Threat (APT) have been coined by security pundits. I think they should all be called LO, or "Lazy Ops". Why is it that servers are not patched, or that applications are running with default passwords? Why is it that servers, once installed, never get visited again or checked for current vulnerabilities? Why is it that even after spending millions of dollars on technology at every layer of the stack, from the network through to the end point, we still hear about these attacks, exploits and data leaks now more than ever? It is because security operations requires well-trained security professionals using a range of fit-for-purpose and fit-for-use tools to undertake the tasks of securing the environment. Technology, or the lack of it, should never be used as an excuse for not patching a server or not reviewing the logs of that all-important mission-critical server or application, because a skilled hacker or a persistent adversary only needs to be as good as your weakest server or end-user computer.

Architects can design the most secure and industry-leading solution that money can buy and requirements can specify, but if an equally robust and forward-thinking security operations capability does not exist within the organisation, it is all worth nothing: the custodians of the end capability need to be at least as capable as the architects and designers who put the security capability in place. There is a perception that for technical staff to get promoted and recognised they need to move away from engineering, into design and, yes, the epitome of technical success, architecture: Enterprise Architect, Consulting Architect and the like. Nothing wrong with that, but it leaves only a handful of skilled operators to drive and make an impact where it matters most, within security operations, and if the trend continues organisations will experience the likes of Shady RAT, Aurora and Night Dragon more often and possibly with greater impact.

Security technology and its supporting toolsets have come a long way in the last few years, and implementing the latest technology and tools goes a long way towards establishing a successful security operations centre. Tools in their various flavours enhance the capability of well-trained security operations staff to detect, respond and manage, but technology alone is not the saviour or the silver bullet that will protect organisations from exploits and threats. Technology can, will and does improve the undertaking of security operations, but effectiveness comes through the people operating it and the processes established to run it. No security operations team will be successful without the support of its technology and business executives, who are ultimately accountable for the risk of compromise if it eventuates. Historically, security purists have not won many friends by issuing a blanket NO or NOT POSSIBLE, BECAUSE SECURITY SAYS SO, and creating an atmosphere of fear, uncertainty and doubt.

Like everything else in business, information security is a risk-based domain, and security operations is an extension of an organisation's operational risk framework. An effective security operations centre, or security operations framework, should include the classic four quadrants of Prevent, Detect, Respond and Investigate. I will discuss what these contain and what a potential security operations model could look like in a follow-up article, but in the interim think of security operations as a process-heavy, knowledge-intensive operating domain that requires rich intellectual capital to be effective and successful.

By Puneet Kukreja