For many years, security professionals have talked about the OODA loop. Devised by Colonel John Boyd, it describes a decision-making cycle that fighter pilots apply in dogfights and, when mastered, allows them to outwit adversaries. The acronym stands for Observe, Orient, Decide and Act; if you can go through this decision cycle faster than your adversary, you can defeat them.
The same theory applies to security operations and, unfortunately, right now we are operating much slower than our adversaries. So, why do our security operations lack the agility it takes to observe, orient, decide and act faster than our adversaries?
First, it’s important to realize that agility must be grounded in a position of strength. Fighter pilots begin with a solid foundation built by learning basic combat maneuvers. On top of that, they learn how to make decisions and be creative in the heat of the moment to accelerate reaction times and thwart attacks. Security teams need to operate the same way. Good security hygiene practices go a long way to mitigating risk day in and day out. But security teams also need the flexibility to reorient themselves, so that when new threats emerge or new best practices or technologies become available, they can adapt.
Technology and process challenges
Static is the enemy of agile. And since technology and processes are inherently more static than people, let’s start with these two areas and use ransomware to illustrate their impact on security operations agility.
Incidents of ransomware have been increasing and evolving steadily for years as financially motivated adversaries shift tactics when one is no longer profitable. Yet many organizations haven’t been able to adjust their processes and technology to keep up, as demonstrated by the fact that 60% of organizations told ESG that they experienced a ransomware attack in 2019, with 29% reporting that attacks happened at least on a weekly basis.
Traditional malware was handled by sequestering the affected system, removing the malware, reimaging and reloading the system, and putting it back into operation. Then ransomware started to change, infiltrating multiple systems and the network itself with the aim of encrypting key data. Traditional response methods no longer worked. Organizations that were quick to reorient their processes to create and maintain disconnected backups of high-value data were safe. But most organizations took months, if not years, to shift their processes and technologies accordingly. And just as they were catching up, ransomware shifted again. Adversaries are now exfiltrating data and threatening to release it publicly unless the ransom is paid.
To overcome threats as they evolve and emerge, effective security operations teams must be empowered to change processes and bring in new technologies when warranted. However, since security is not a profit center but an overhead function, organizations tend to invest what is needed and no more.
Companies need to fund their security teams to be able to adapt. Sometimes what’s required is a process change, which may not cost anything, but other times you need new technology – like threat intelligence to learn about adversaries and their tactics, techniques and procedures (TTPs), Endpoint Detection and Response (EDR) solutions, a next-generation SIEM or a managed detection and response (MDR) service. Business priorities and the corporate risk profile must align with security priorities, so that teams are enabled to do what they need to do. Keep in mind that although budgeting cycles are usually yearly, attackers operate on their own schedules. Organizations must build flexibility into funding so that budget is available to address new threats.
People lead the way
The shining star when it comes to security operations agility is the people. As new concepts have emerged, security organizations and teams have demonstrated an eagerness to embrace them quickly. In the SANS 2020 Threat Hunting Survey, 85% of organizations reported they had adopted threat hunting. And, increasingly, we’re seeing the vulnerability management function move from Governance, Risk and Compliance (GRC) to security operations, where teams have the skills and tools for proactive risk mitigation. What’s more, security professionals enjoy developing skills in new areas. This drives job satisfaction and contributes to retention, the value of which, in a market sector with negative unemployment, cannot be overstated. But the fact remains: people must be supported with the right processes and technologies to drive security efficiency and effectiveness, whatever the future holds.
One way security teams can help garner support is by stepping up their regular updates and crisis communication methods with leadership. Those that engage in regular reporting with metrics that matter to the business units and the board build a dialogue with leadership that educates and instills confidence. When an attack happens, they are ready with ad hoc communications about who is targeting them, what they know, and the steps they are taking to mitigate damage. With established relationships and trust in place, they are more effective at obtaining additional resources as needed to accelerate detection and response.
Security operations agility relies on the interplay between people, process and technology. This isn’t possible when teams have a set number of tools, outdated processes, and poor communication with business leaders. To observe, orient, decide and act faster than our adversaries, we must look at where we can infuse agility, so teams can change the way they operate, as needed.