What Is Cybersecurity Operations and Why Is It So Complex?

Chris Crawford, published in netdef
6 min read, Jul 31, 2019

So far we’ve defined five important words that I will use in very specific and very particular ways:

  1. simple, complex
  2. easy, hard
  3. complect

If you missed any of the posts above, do not pass Go, do not collect $200. Check them out now!

Security

When I talk about security, I’m almost always talking about Information Security.

Information Security is the Confidentiality, Integrity, and Availability of data.

  1. Confidentiality. Only the owner of the data can access their data; the owner of the data can share it with designated recipients, and only those recipients.
  2. Integrity. Only the owner of the data can make changes to it; no one else can. Integrity is sometimes strengthened to include non-repudiation, which essentially means that a sender cannot deny having sent certain data and that it is not possible for anyone to masquerade as a different sender.
  3. Availability. The owner of the data can access it when they want to access it.

This is sometimes called “The CIA Triangle” or “The CIA Triad”. It is a simple and fundamental tenet of Information Security.

Network Security Monitoring

Network Security Monitoring (NSM) is a network defense strategy based on the premise that getting hacked is inevitable. The upshot is that an attacker needs some amount of time, after compromising its victim, in order to achieve its objectives.

NSM is not new, and it has been described in detail elsewhere. For example, Richard Bejtlich has written about NSM at length, most recently in his book, “The Practice of Network Security Monitoring”.

In NSM, Timing Is Everything

A key part of NSM is that network defenders do not measure success based on whether or not an attacker can exploit a vulnerability or gain unauthorized access to the network. Instead, they measure success based on whether they detect and respond to the adversary before it can carry out its objectives.
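One way to make that success measure concrete is to compute it over incident timelines. The following is an added example, not code from the original post: it takes constructed sample incidents (the timestamps are invented) and reports, for each, whether detection and containment both preceded the adversary's objective, plus the dwell time before detection.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

@dataclass
class Incident:
    """Key timestamps for one intrusion. Values are constructed for illustration."""
    name: str
    compromised: datetime          # initial foothold on the victim
    detected: Optional[datetime]   # first alert triaged as a true positive, or None
    contained: Optional[datetime]  # adversary cut off (host isolated, creds reset), or None
    objective: Optional[datetime]  # adversary reached its goal (e.g. data staged), or None

def parse(ts: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(ts) if ts else None

def nsm_success(inc: Incident) -> bool:
    """NSM success: the defender detected AND contained the adversary before
    it met its objective. An undetected or uncontained intrusion is a failure
    even if the objective was never observed."""
    if inc.detected is None or inc.contained is None:
        return False
    if inc.objective is None:
        return True
    return inc.detected < inc.objective and inc.contained < inc.objective

def dwell_time(inc: Incident) -> Optional[timedelta]:
    """How long the adversary was inside before detection; None if never detected."""
    return (inc.detected - inc.compromised) if inc.detected else None

def summarize(incidents: list) -> dict:
    """Aggregate NSM metrics: fraction of successes and median dwell time in hours."""
    successes = [nsm_success(i) for i in incidents]
    dwells = [dwell_time(i) for i in incidents if dwell_time(i) is not None]
    hours = [d.total_seconds() / 3600 for d in dwells]
    return {
        "success_rate": sum(successes) / len(incidents),
        "median_dwell_hours": median(hours) if hours else None,
    }

# Constructed sample timeline (hypothetical incidents, not real cases).
SAMPLE = [
    # detected 2.5h in, contained before the objective: success
    Incident("phish-01", parse("2019-07-01T09:00"), parse("2019-07-01T11:30"),
             parse("2019-07-01T13:00"), parse("2019-07-02T02:00")),
    # objective reached a day before detection: failure despite later containment
    Incident("vpn-02", parse("2019-07-03T22:00"), parse("2019-07-06T08:00"),
             parse("2019-07-06T10:00"), parse("2019-07-05T04:00")),
    # never detected: failure
    Incident("web-03", parse("2019-07-10T01:00"), None, None, parse("2019-07-12T00:00")),
]
```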

NSM & The CIA Triangle

Under NSM, network defenders tend to care the most about the Confidentiality and Integrity of the devices that hold the Crown Jewels. Other devices are still important, but NSM has the side effect of forcing network defenders to prioritize.

Of course network defenders care about Availability. It is a fundamental part of security, after all.

So, for example, network defenders do consume information from DDoS Protection Services, although it is uncommon for most enterprises to architect and operate their own in-house anti-DDoS capability.

And network defenders are on the front lines in detecting and responding to ransomware attacks. (Although I think it’s likely, in most cases, that network defenders have the opportunity to detect and respond to the Confidentiality and Integrity issues that make a full-blown ransomware attack viable, before ransomware has the chance to degrade or destroy Availability.)

However, organizations usually delegate the primary responsibility of monitoring the Availability of data and network devices to IT departments — not security.

NSM Is Reactive

I think it is worth noting that, almost by definition, NSM is reactive. There are other types of proactive cybersecurity activities, such as vulnerability management, patching, secure coding, system hardening, compliance, etc. That kind of proactive security work is outside the scope of NSM.

Cybersecurity Operations

An operation is the combination of people, process, and technology, working together to achieve a common mission. World-class operations tend to prioritize people, process, and technology in that order.

A Cybersecurity Operation is the combination of people, process, and technology working together as a team to reliably perform NSM.

Simplicity is the prerequisite for reliability.

— Edsger W. Dijkstra

Roles in a Cybersecurity Operation

Every job in a Cybersecurity Operation, from Executive Leadership to the most junior analyst or engineer, essentially comes down to taking something that has been complected together and attempting to make it as simple as possible.

Security Analysts and Engineers

To conduct NSM successfully, security analysts and engineers usually start with extremely complected technical information and transform it into its simplest possible form.

Security issues tend to reveal themselves in more and more obvious ways as complected information is made simple.

It turns out that making this kind of transformation is usually hard work.

But it is doubly important that security analysts and engineers transform the complex into the simple, because in addition to helping themselves in the process, their ultimate goal is to provide simple, straightforward information to help inform and guide Executive Leadership.

Executive Leadership

Executive Leadership in a Cybersecurity Operation is responsible for creating the conditions within an organization so that security analysts and engineers can be successful.

The relative newness of Information Security as a field is what makes this objective challenging. Other parts of a business, such as finance, sales, marketing, manufacturing, operations and law all have the benefit of having developed over the course of hundreds of years.

In contrast, the concept of the role of a Chief Information Officer (CIO) didn’t come along until the late 1980s.

Information Security’s maturity and acceptance within a business lagged behind that of general IT, with which a typical CIO is generally concerned.

Consider Cliff Stoll, who is something of an NSM pioneer. His book, The Cuckoo’s Egg, is his personal narrative of how he stumbled into detecting, observing, and chasing down Russian hackers during the mid-1980s. His efforts were almost more of an academic pursuit at the time.

It’s hard to imagine what the professional world would be like if finance, sales, marketing, manufacturing, operations or law were mere “academic pursuits” that people just started stumbling into for the first time in the 1980s.

The point is that Information Security is still a young field, relative to other very well established parts of business. Information Security is just now growing out of its adolescence, but many times business leaders still aren’t sure what it’s going to be when it grows up.

The challenge for Executive Leadership in a Cybersecurity Operation is that very often they need to simultaneously provide simple definitions that describe what it is and what it does, sell those definitions to other business leaders, and untangle resources tied up in other parts of the organization in order to bring it to life. Those are unique challenges that generally don’t exist for other parts of the business.

Why Is Everything So Complected?

Information Technology is a Means to an End

Corporate IT exists to support the people of the enterprise. The people of every organization have their own missions to execute, and the technology that corporate IT provides to them is a means to the end. This is always true. In instances where this is not the case, corporate IT is a self-licking ice cream cone.

People always want the best technology to help make their jobs easier, or to help them do their jobs better, faster, or smarter. If corporate IT does not keep up with the demand to provide that technology, people will figure out how to get it themselves in the name of supporting their missions.

The IT Department’s Mission: Make It Work

So corporate IT has an incentive to make things work quickly. If the people of the enterprise are happy with their technology, the IT department is happy. This scenario causes IT to rapidly complect together all kinds of different technologies at a breakneck pace.

There isn’t a huge incentive for IT to ensure the tech of an organization gets implemented correctly or securely. Does it work? Are people happy with their technology? The answers to those questions matter to IT.

Since technology rapidly evolves, keeping up with people’s demand for the best technology to support the missions of the organization is hard work. Because of this, there are big incentives for IT to find technology that is easy to implement. But, just because technology is easy to implement doesn’t mean it will be simple to understand, later on. In fact, this confluence of requirements and incentives tends to ultimately lead to very complex technical situations.

Adversaries Exploit Complexity

Cybersecurity Operations has the mission of observing and simplifying its understanding of amazingly complex corporate IT so that it can find things that are out of the ordinary.

That is complicated, and it gets worse.

Attackers intentionally design their hacking tools to be more complex than legitimate software. Attackers do this to better hide from network defenders. The additional complexity that attackers bake into their malware is designed to prevent, or at least slow down, a network defender from unraveling the malware enough to understand what it is actually doing.

Why Would Anyone Sign Up For This?

Despite the fact that Cybersecurity Operations is hard work, the work gets done as a part of some of the coolest jobs available right now.

And there is good news. With a little bit of mindfulness about what makes Cybersecurity Operations complex, it is possible to start working towards making it simple. I have ideas on how to do just that, and hope to cover some of them in future posts.
