In a tale seemingly as old as time, security teams have been continuously under siege. Be it novel attack paths, lethal adversaries, new technologies — such as public cloud, containerization, Kubernetes, and serverless computing — or stringent regulatory requirements, teams have faced quite the burden. To help shoulder the load, the industry has established frameworks and pushed out amazing tech, from SIEMs to CNAPPs and XDRs to CASBs. These processes and technologies have helped to keep attackers at bay and people protected, but have created a new problem of far too much data.
To face off against this data-driven world, CISOs and security teams will need to embrace the data and look outside of traditional security personas to adopt a new model of working: security data operations, or simply (and catchier) SecDataOps.
SecDataOps is a term used to describe the process of integrating data into the entire security life cycle, whether for risk management, incident response, or cyber-threat intelligence production. Quantitative data about your environment, assets, business domain, and adversaries must be used. This also means security teams have to adopt strong data analysis, engineering and science processes from data collection and storage to dissemination and archiving. The goal of SecDataOps is to ensure that data is always finely curated and accessible, and that security decisions are made with high-fidelity data.
Joint Task Force
SecDataOps need not be a formalized reporting structure all at once but instead can be a joint task force and an additional horizontal responsibility in a security program. Occasionally, SecDataOps may bleed into enterprise architecture, enterprise IT, and other teams as needed. Instead of forcing all your security engineers to become data engineers, consider first bringing in big data consultants and other experts to help take stock of how data moves in the organization, where it's stored, how much it costs, all the way down to schema and formats.
Once the governance and management of raw data available to a team directly from security tools or from environments (e.g., cloud APIs, configuration management databases, existing data lakes) is complete, metrics need to be defined. Service-level agreements (SLAs) are typically formal agreements, but they are also a great way to hold your burgeoning SecDataOps practice to high quality standards.
Strong SLAs define the purpose of setting the SLA (the why), the promise and specific metric (the what and how), and any specific requirements (the when), if applicable. Creating these SLAs from the start, aligned both to the overall SecDataOps program and to specific datasets, data feeds, or projects, will be important to achieve cohesion and long-term SecDataOps success.
Only once a strong baseline is set can specialized projects or process overhauls be carried out. This same contextual approach can be applied to cloud security posture management remediation or as enrichment for real-time investigatory requirements, such as pulling ownership and asset data into a security alert investigation.
Who leads a SecDataOps team is an important choice and may need to change as the team matures. When it exists as an additional responsibility or joint task force, it may make sense to have the CISO run the function regardless of their level of hands-on technical acumen; this holds the cross-functional team together. The results of SecDataOps will have a strong business emphasis, as the goal is to rapidly detect, pinpoint, and address various risks.
Harnessing data and building generative adversarial networks and massive business-intelligence dashboards to quantify cyber-risk is the exciting part of SecDataOps. But large parts of the work will be formative and the outcome for protecting the business is still the primary goal. Do not fear bringing in outside talent to build out the data piece of the equation. Having a team that is ready to cross-train and learn from one another will be vastly more successful than throwing security engineers to the data wolves.
This security data problem is not going away. Starting off is simply an information-gathering operation: meet with your teams, understand how they harness data and what data they wish they had, and start from there. Do not get lost dreaming of what cool machine-learning algorithms you can deploy when sometimes the best outcome is well-governed data. SecDataOps is the way we win this data war and defeat our adversaries.