It's no secret that I view security operations as not a security function. While this may be controversial, I aim to challenge the conventional wisdom of security operations within modern organisations. There are numerous misconceptions about security from individuals who fail to grasp its origins and evolution. Understanding where "security" comes from and its historical context is crucial to appreciating its relevance today. The word "security" originates from the Latin "securitas," which derives from "securus." "Securus" combines "se-" (without) and "cura" (care or concern), translating to "without care" or "free from care," indicating a state free from danger or anxiety. Over time, "securitas" evolved into "security" in English, retaining the essence of safety and protection.
Delving deeper, we find that "care" and "concern" are rooted in emotions. Consider locking your door at night, feeling secure until a news report mentions burglars breaking windows to enter homes. That lock provides protection but not true security: security is a perception relative to perceived threats and the protections we have. Human emotions influence this perception and can change when threat actors alter their tactics. The protections that once gave you a sense of security no longer offer the same level of protection relative to the adaptive state of threats; they are carried out by other humans, after all.
To dive deeper into this topic, exploring philosophical articles and research on the psychology of security is valuable. Understanding these concepts is crucial because they directly influence our language when communicating with those who trust us to protect their organisations. In Bruce Schneier's 2008 paper, “The Psychology of Security Part 1,” he discusses the relationship between the reality and psychology of security. He explains how security is built upon personal perceptions of risk. This idea highlights that security is about both protection and how individuals perceive and react to potential threats and the protections in place.
For a more profound exploration, Monique Wonderly’s 2019 article, “On the Affect of Security,” delves into how human emotions influence security. This level of thinking is not typically covered in conventional security courses, but it is essential. In business, we interact with humans with the same attributes that shape perceptions of risk and the sense of security relative to threats.
So, how can we measure security? More bluntly, how can we measure feelings? Psychologists often debate this because measuring feelings is subjective and relative, influenced by many variables. This makes it nearly impossible to measure security accurately in a way that is universally useful. Instead, we can measure protection, specifically, how well we are protected against relative threats.
In practice, we see this in the dashboards of the security solutions used in organisations. These dashboards provide metrics such as the number of blocked threats, stopped intrusions, quarantined files, and sandboxed elements. These measurable indicators tell us how much protection we are currently applying and give us an idea of the threats that have been mitigated relative to our protective measures. By focusing on these tangible metrics, we can better assess our security posture and make informed decisions to enhance our defences. This approach provides a more transparent, more actionable understanding of our security effectiveness (or Protection effectiveness) than trying to quantify the subjective feeling of security.
What Is Security Operations?
Now that we've covered the basics, let's delve deeper into the philosophy behind organisational issues. At a high level, poor governance (Not the cyber nonsense) is the root cause, while tactically, it's the lack of quality control and commitment to the integrity of IT systems.
Consider this: poor programming practices lead to glaring weaknesses, and subpar system implementations result in misconfigurations, thus increasing exposure to threats. In security operations, we monitor for threats that exploit these weaknesses. However, we should also monitor for misconfigurations, process failures, bottlenecks, and poor implementations. Separate from the immediate security concerns, we inherently reduce our exposure to threats if we promote a focus on quality, because higher-quality systems and platforms have fewer vulnerabilities and a higher standard of integrity.
One approach I always advocate for analysts is this: when reviewing alerts and incidents, ask, “Given what you see and have analysed, what do you recommend to the asset owners to reduce or eliminate this vulnerability from the organisation?” This shifts the discussion to root cause analysis, addressing the core issues, such as poor processes or insufficiently trained staff, rather than just fixing surface-level problems.
Stripping it back, security operations should fundamentally identify weaknesses in poor-quality systems. With this understanding, we can improve the organisation's security posture by helping various teams appreciate the importance of building robust, high-quality systems. Ironically, many security operations centres suffer from poor quality and fail to deliver on their promises. This is particularly true for many MSSPs, where quality is judged by outcomes. The key is to assess how much the organisation benefits from a process or system relative to the exposure and vulnerabilities it introduces. Reducing the latter puts us in a much stronger position. This focus will leave detection and response as the last resort (still important), not the main line of defence.
When you examine alerts, consider what they reveal about your environment and how you can improve it. Many miss the mark by viewing security operations as merely blocking threats and protecting the organisation. Instead, it's about understanding how the organisation can protect itself through better operational practices.
In essence, security operations are about protecting assets against threats relative to the organisation. The focus is on identifying operational bottlenecks from a technical perspective, aiding the technical arm of the business in operating in a way that minimises threat exposure. Focusing on protection encompasses the reactive and proactive steps taken within security operations.
The SOC is not security work in the literal sense; it is the protection of assets in its rawest form. Vagueness is the enemy of progress: our current language is used in a very abstract and vague sense, and such language can diminish trust and erode communication effectiveness. Protection is our focus. We can measure performance against a relative threat through security controls, and protection through better processes leads to higher-quality infrastructure and outcomes.
Ideas For Detecting Poor Quality
1. Collection of Alerts Indicating Exposed Data
I. Indicator: Misconfiguration.
II. Action: Ensure proper configuration management to prevent data exposure. (What processes brought this system into the environment?)
2. Systems Running Out-of-Date Software or Services
I. Indicator: Process bottlenecks or unsuitable processes.
II. Action: Implement or refine update and patch management processes.
3. Unauthorised Access Attempts or Suspicious Login Patterns
I. Indicator: Potential security breaches or weak access controls.
II. Action: Enhance access control mechanisms and conduct regular audits.
4. Unusual Network Traffic Patterns
I. Indicator: Malware infections or data exfiltration attempts.
II. Action: Use advanced network monitoring and anomaly detection tools.
5. Elevated Application Error Rates
I. Indicator: Potential software bugs or performance issues.
II. Action: Conduct thorough testing and performance tuning of applications.
6. Inconsistent or Incomplete Logging
I. Indicator: Hindered effective monitoring and incident response.
II. Action: Standardise logging practices to ensure comprehensive data capture.
7. Configuration Drift
I. Indicator: Systems deviating from established security baselines.
II. Action: Implement continuous configuration monitoring and management.
8. Ineffective or Failing Backup Processes
I. Indicator: Compromised data recovery efforts.
II. Action: Regularly test backup and recovery procedures.
9. Insider Threats or Anomalous Behaviour from Privileged Accounts
I. Indicator: Potential misuse or insider attacks.
II. Action: Strengthen access controls and monitor privileged accounts closely. (JIT, PAM)
10. Misconfigured or Outdated Security Controls
I. Indicator: Vulnerable firewalls, IDS/IPS, EDR, etc.
II. Action: Regularly review and update security control configurations.
11. Weak Encryption Practices
I. Indicator: Exposure of sensitive data (e.g., cleartext PAN/Credentials).
II. Action: Enforce strong encryption standards for all sensitive data.
12. Vulnerabilities in Third-Party Integrations or Services
I. Indicator: Potential exploitation by attackers.
II. Action: Conduct rigorous third-party security assessments and monitoring.
13. Performance Bottlenecks or Resource Constraints
I. Indicator: System reliability and process issues.
II. Action: Optimise resource allocation and address performance issues promptly. (Measure processes for performance)
14. Gaps in User Training and Awareness
I. Indicator: Increased probability of successful phishing or social engineering attacks.
II. Action: Implement comprehensive and ongoing security awareness training.
15. Anomalies in Endpoint Behaviour
I. Indicator: Potential compromise or misuse.
II. Action: Utilise EDR, golden images, and better endpoint policies and control.
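As an added illustration of the list above and of the root-cause question asked of analysts earlier (example code written for this page, not part of the original article): a small Python script that turns constructed host observations into the quality indicators named in the list, groups them by asset owner for the recommendation conversation, and reports a measurable protection figure instead of a threat count. All host names, owners, and baseline values are assumptions.

```python
from collections import defaultdict

# Constructed baseline and inventory (not real systems): what a correctly
# built host should look like versus what monitoring tooling observed.
BASELINE = {"openssh": "9.6", "tls_min_version": "1.2",
            "log_forwarding": True, "public_bucket": False}
HOSTS = [
    {"name": "web-01", "owner": "platform", "openssh": "9.6",
     "tls_min_version": "1.2", "log_forwarding": True, "public_bucket": False},
    {"name": "web-02", "owner": "platform", "openssh": "8.9",
     "tls_min_version": "1.2", "log_forwarding": False, "public_bucket": False},
    {"name": "data-01", "owner": "analytics", "openssh": "9.6",
     "tls_min_version": "1.0", "log_forwarding": True, "public_bucket": True},
]
# Each baseline key maps to the quality indicator and root-cause action
# (wording taken from the list above) rather than to a threat label.
RULES = {
    "openssh": ("Out-of-date software", "Refine patch management processes"),
    "tls_min_version": ("Configuration drift", "Continuous configuration monitoring"),
    "log_forwarding": ("Incomplete logging", "Standardise logging practices"),
    "public_bucket": ("Misconfiguration", "Review configuration management process"),
}

def version_tuple(v):
    return tuple(int(x) for x in v.split("."))

def is_deviation(key, observed, expected):
    # Versions compare numerically (older than baseline); other keys must match.
    if key in ("openssh", "tls_min_version"):
        return version_tuple(observed) < version_tuple(expected)
    return observed != expected

def assess(hosts, baseline=BASELINE):
    # Turn raw observations into findings addressed to an asset owner.
    findings = []
    for h in hosts:
        for key, expected in baseline.items():
            if is_deviation(key, h[key], expected):
                indicator, action = RULES[key]
                findings.append({"host": h["name"], "owner": h["owner"],
                                 "indicator": indicator, "action": action})
    return findings

def owner_report(findings):
    # Count indicators per owner: the root-cause view, not a threat count.
    report = defaultdict(lambda: defaultdict(int))
    for f in findings:
        report[f["owner"]][f["indicator"]] += 1
    return {owner: dict(counts) for owner, counts in report.items()}

def protection_coverage(hosts, findings):
    # Measurable protection: percentage of hosts with no quality findings.
    hosts_with_findings = {f["host"] for f in findings}
    return round(100 * (len(hosts) - len(hosts_with_findings)) / len(hosts), 1)
```

Feeding the same inventory in each week and watching the per-owner counts and the coverage figure move is the kind of protection metric the article argues for.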
Security Operations are often perceived as merely blocking threats and responding to them. A deeper understanding reveals that their core mission extends to supporting the improvement of overall operational quality, thereby reducing weaknesses caused by poor operations and leading to a better technical environment. What we do leads to a sense or feeling of security relative to the senior stakeholder and the risk in question. Still, our primary focus is protection, measurement of safety (safety related to the condition of being protected), quality, and reduction of threat exposure in the technical environment.
Redefining Our Focus
As we face increasing threats, we must address our current challenges. We are struggling to define our value, to be taken seriously, and to get our voices heard by critical stakeholders in the business. This has led to a culture of finger-pointing and fear-mongering. However, there is a more effective way to operate.
Instead of focusing solely on our current view, which is a narrow and often weak focus (mainly detection and response), we should focus on defining and measuring protection. We can achieve significant positive outcomes by evaluating the effectiveness of our protection measures, identifying process bottlenecks, and helping the business operate in a more quality-focused way. This approach will instil a sense of security in business leaders because we can prove the value of our work and demonstrate tangible results.
We need to move beyond simply monitoring and detecting threats. By focusing on supporting the business and improving processes, we change our language and enhance relationships with other stakeholders. By helping them develop better ways of working and reducing their burdens, we can shift from reactive to proactive problem-solving. We can identify and address issues across the environment before they become significant problems requiring a response.
Senior leaders need to perceive (that sense of security) that we are effectively meeting deliverables and goals. We can measure our protection efforts and showcase our value by helping other teams produce quality outputs and identify and resolve bottlenecks. This way, we demonstrate our worth through security measures and overall contribution to the business's success, strengthening the perception that a SOC is worth the continued investment.
My Definition of the SOC Goal has been revised again. As I continue down this line of research, my view on our overall goal is ever-changing, but I believe this to be the most accurate statement thus far.
“To enhance technical security by improving overall effectiveness while increasing control, operational quality, and efficiency. Increase the quality of threat detection and response capabilities while reducing vulnerability, threat exposure, and SOC-related costs.”