Back in 2015 I wrote an article, right here in SecurityWeek, about process parity. It was a riff off the old adage “garbage in, garbage out”. Evidently the article from nearly 5 years ago continues to age well, but rather than be excited about that, I'm a little disappointed. Allow me to explain.
If you know me, or have worked with me at all, you'll know I'm a process nerd. I get it, that's not necessarily ‘cool’ in cyber security, but it's what my brain gravitates to. Remember that slide that everyone had at one point in their presentations (guilty…) that said “People, Process, Technology”? I still have it, if only to remind people that we're still not getting process right.
Technology has advanced tremendously. Nobody is going to dispute that. But we now have entire market segments that are tools built to – wait for it – integrate and operationalize other tools. I feel like that's a failure somewhere along the line if you've designed tech that doesn't work well with other tech. Maybe it's just me.
People still don't scale, and now we're short on talent to hire. Listen, even if you could hire an infinite number of security professionals, they don't solve the problem we actually have. The problem we're increasingly seeing in cyber security is the space between systems. If you've got 10 different screens where alerts are being generated and screaming at you – there isn't a meaningful way to make sense of those screens without integrated technology. Humans simply can't do the job, and process optimization is really the only way you'll find the real baddie in all that noise.
So now we're back to process. Process, or in some cases its cousin “integration”, is a necessary thing you can't survive without. In a world where data is measured in PETAbytes, you've got zero hope of finding the needle in a haystack 10 miles high.
So it's mid-2020, and we're still talking about process parity, where the expectations of output and the reality of input are wildly mismatched. Let's talk through a specific example or two…
In a recent conversation with a new customer's security team we started talking security requirements. The customer's team indicated they were disappointed with their technology, because “it wasn't producing results”. My ears always perk up when someone blames the tech for lack of results, so off we went. The reality was some consultant told them to “log everything” and then feed it into a SIEM, and that SIEM would find all the badness. So the tech wasn't doing its job, or so the customer believed, and they were looking for alternatives.
Well, my first questions were around what they were logging, how often it was reviewed, and how well optimized their logging was for the “things they were looking for”. As you can imagine I got a bunch of blank stares, even over a Teams meeting. It's crazy to me how many people still see their SIEM as some magic box that takes lead and turns it into gold. That's not how any of this works.
So after the discussion of log input into their system, I started asking questions about data enrichment, triage process, workflow, and automated response. More blank stares. I could see that technology likely wasn't the problem here.
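To make the enrichment, triage and workflow questions above concrete, here is a small added example (my own illustration, not the customer's setup or any SIEM product's code) that takes a constructed "log everything" feed, enriches each event with asset criticality and source origin, scores it against what the team is actually hunting for, and routes it; the hostnames, addresses and thresholds are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample events standing in for a raw "log everything" feed (not from the article).
RAW_EVENTS = [
    {"host": "ws-042", "event": "auth_success", "user": "alice", "src_ip": "10.1.5.20"},
    {"host": "ws-042", "event": "auth_failure", "user": "bob", "src_ip": "10.1.5.33"},
    {"host": "ws-042", "event": "auth_success", "user": "bob", "src_ip": "10.1.5.33"},
    {"host": "db-01", "event": "auth_failure", "user": "svc_backup", "src_ip": "203.0.113.9"},
    {"host": "db-01", "event": "auth_success", "user": "svc_backup", "src_ip": "203.0.113.9"},
]
# Enrichment source: a constructed asset inventory with business criticality 1..5.
ASSET_CRITICALITY = {"ws-042": 1, "db-01": 5}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def enrich(event: dict) -> dict:  # attach context the raw line lacks: asset criticality, source origin
    return {**event, "criticality": ASSET_CRITICALITY.get(event["host"], 1),
            "external_src": not is_internal(event["src_ip"])}

def triage_score(event: dict, failures_before: int) -> int:
    """Weight what we are actually hunting for, scaled by how much the asset matters."""
    score = 2 if event["event"] == "auth_failure" else 0
    if event["event"] == "auth_success" and failures_before > 0:
        score += 4  # a success following failures from the same user/source
    if event["external_src"]:
        score += 3
    return score * event["criticality"]

def route(score: int) -> str:  # workflow step: decide who, if anyone, has to look at this
    return "page_oncall" if score >= 20 else "analyst_queue" if score >= 4 else "archive"

def run_pipeline(events: list) -> list:
    failures = Counter()  # prior auth failures per (user, src_ip), tracked in arrival order
    out = []
    for raw in events:
        e = enrich(raw)
        key = (e["user"], e["src_ip"])
        s = triage_score(e, failures[key])
        if e["event"] == "auth_failure":
            failures[key] += 1
        out.append({**e, "score": s, "route": route(s)})
    return out

def route_counts(events: list) -> dict:  # how much of the feed actually needs a human
    return dict(Counter(r["route"] for r in run_pipeline(events)))
```

Of the five raw events, only two page anyone and one lands in an analyst queue; the rest are archived, which is the difference between a tuned process and a box that is handed everything and expected to find the badness on its own.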
Another example deals with vulnerability scanning and management. To summarize that one, it's not productive to scan continuously and wave your arms when the post-scan process involves spreadsheets, email, and hopes. Process is required, and if you want results it's robust, refined, and optimized process that's required.
So security is still suffering from an elephant in the doggy door. We're shoving ugly things into systems and expecting magic out the other side. We're expecting that data becomes automated action with no human interaction – that's just not realistic. I've said it before: I've seen the movie of how that world looks, and I don't like how it ends.
Let's get real, we need process optimization. Today more than when I wrote that article back in 2015. I think we continue to be sold magic boxes (albeit now they're virtual) and snake oil that's going to solve our people problem. We're told we don't need to focus on process if we only buy this latest widget. I promise you, if you're not allocating time to develop robust operational process – integrations and workflows – you're never going to solve the problem you're trying to solve.