SECOPS Instead of Red vs. Blue Team

J.J. Thompson
Published in SECOPS
3 min read · Jan 12, 2017

Red, white, blue. Combined together and you get the elite interdisciplinary and outcome-focused team you need to combat cyber threats.

When we were kids, most people wanted to be the heroes. The good guys. Somewhere along the line, we sexed up the nature of “red-teaming” to the point that the “blue-team” thinks that they aren’t as cool. And that is completely not true. Unless you run your blue team like a call center. Then you should fire yourself and free them up to be the awesome team they can be without you stunting their capabilities and relegating them to phone service order taking and routing.

Standardization is good!

A few years back, our team had grown and specialization followed suit. Standardization, process, workflow, and metrics were of course part of the way of life. Somewhere along the way, we lost sight of how we were pigeon-holing some incredibly talented minds into an assembly line. The assembly line is a great idea, and critical to success… if and only if it leads to increased automation for tasks that are repeatable and consistent, and frees up the talented analysts to focus on higher value activities.

Assembly line is good! Call center? Bad.

Our assembly line had facilitated that for some but not all. Some became call center operators. They answered calls, filled out tickets, routed them to the next tier, and went on to the next. Interestingly, this was discovered through our 15fives and the SOC leader brought this to the leadership team meeting to discuss.

Digging into troughs in 1:1’s revealed insights about “red vs. blue” and job satisfaction

We rapidly adjusted course, but not without realizing that there were other symptoms of the problem that we had finally identified. SOC team members were grumbling. They wanted to do pen-tests. They wanted to “be cooler” and red-team. They viewed “blue team” as call center and boring. Not good. Not good at all. Here we have some of the best and brightest actively seeking and eliminating threats, stopping attacks cold, and they didn’t feel like they were the rockstars they were!

What’s in a name?

The name mattered. The name reflects ethos. Brand. Vision. Finally, we understood that.

What does it change?

I want SECOPS pros like Garcia. Cyber ninjas who do hand-to-hand combat… when they need to… and do it better than their opponent.

What do ninjas want? They want to be valued. They want to do challenging work. If it can be automated, it’s not as challenging as someone would like because it doesn’t stimulate their frontal lobe. They get bored. Then it’s natural to wonder why, and look across the room and see the reason.

So what did we do? We did what we always knew we should do and combined skill sets into an initiative we called hydra. And it didn’t solve the problem. Why? We just moved the problem and gave it a new name. The changes in duties and operational skills didn’t follow suit fast enough.

Changing the way we operated led to realization of why “SECOPS” mattered. The term meant something to our team. They understood that it was comprehensive. It changed the game for how they operated, how they communicated, collaborated, and teamed up to solve the issue, not just swatting down symptoms.

Don’t be a call center or a help desk. Make sure your team is SECOPS.
