From grunt to glory -- the evolution of the government security analyst
- By Joel Fulton
- Sep 26, 2018
What a time to be alive (as a security analyst)!
For years, the security operations center (SOC) was slandered as the dark room where wannabe white hats were forced to cut their teeth on mind-numbing grunt work before graduating to the interesting, “glorious” security work of red-team hacking. But times, they are a changin’.
Today’s SOCs not only defend the enterprise but also interdict and shut down attackers. Better yet, they do so with the choreography of a conducted symphony.
The fantasy of an ideal SOC has tantalized security wonks for years. This dream SOC is omniscient across the enterprise, uses machine learning to understand, predict and take action on data at machine scale and speed, and self-improves from its infrequent missteps.
In this vision, SOCs use common operating models so that data flow seamlessly into a central point and no single vendor’s “stone” gets left unturned. There, analysts actively hunt down threats and foil them in a game of cat and mouse analogous to old Tom and Jerry cartoons -- every time the cat thinks he’s about to win… the mouse drops the hammer.
That vision is, with no hyperbole, right around the corner.
Honesty is good for the soul
Why now? Why are these changes occurring today when they have been talked about for years?
Confession time: For years, vendors failed to actualize this vision for government agencies.
However, in the past few years, technology and inter-vendor cooperation have advanced to the point where the vision outlined above is now within the realm of possibility.
For example, open and high-quality APIs now make data ingestion, visibility and cross-platform collaboration possible. With access to greater levels of data, you can finally start to alleviate some of the burdens normally placed on the shoulders of SOC analysts. When you introduce machine learning technologies to the SOC, this effect and benefit is amplified.
The increased access to quality data in turn creates a positive feedback loop that strengthens security. The more data that security analysts ingest, the better they may become at understanding, categorizing and correlating those data. That loop enables SOCs to take action on their data via Security Orchestration, Automation and Response (SOAR).
A SOC strategy centered around data analytics, powered by machine learning, helps accelerate threat detection, analysis and response by providing analysts with deeper insights faster. The most advanced SOAR solutions will carry out responses with minimal to no analyst input and will enable defenders to have full visibility into their operations.
Building a better cat trap
Why did your analyst join the agency? If mission, challenge and impact were high on their list, do they view their role as a human-operated script? When machine learning and SOAR are taking over the SOC, where does that leave the analyst and the work they traditionally carry out? The answer: out of the boring grunt work, and with time to pursue the deeply interesting, meaningful, invigorating work of threat hunting and actively tracking and stopping adversaries.
There’s a common misconception that threat hunting is primarily executed by red teams, but the reality is that in more agencies than not, this responsibility has shifted to the SOC, where the data resides to properly investigate security risks. For too long, SOC analysts’ efficacy was limited by poor visibility into the IT environment, resulting in blindness to assets on the network and to what adversaries are doing within it. Modern SOCs give analysts a metaphorical flashlight to illuminate the darkest corners of today’s IT ecosystems.
With that new visibility, SOC analysts mature and become far more strategic, transitioning from roles dominated by forensic research and reactive alert response to those of threat investigation and cyber-counter-insurgency.
Remember our familiar cat/mouse duo? One example of this shift is leading-edge research at Sandia National Laboratory. There, cyber experts are using machine learning and threat detection along with software-defined networking to create high-fidelity deception environments in which adversaries waste time and effort while revealing their strategies and tactics to defenders. In essence, Sandia sends adversaries on the cyber equivalent of a “snipe hunt” while watching and learning how they stalk, track and trap. Already, this experimental “HADES” platform is proving that the future of security is bright.
SOC analysts also finally have the tools to prove to senior leadership, more empirically than ever, security’s value to the organization. Empowered by data, analysts will be able to show which adversaries are attempting to penetrate an environment, how they are doing so, what data they are after and how the defenders are preventing them from doing so.
Holding us accountable
So how can government agencies realize this future vision of the SOC? Drive towards this mission by emphasizing it in your priorities and strategic plans. Hold us, the vendor community, accountable to deliver the operations and tactics that support those plans. Don’t settle; insist.
Demand higher-quality APIs from your vendors. Don’t let the bad actors among us sell you on the benefits of proprietary solutions and closed ecosystems. The security industry is shifting towards a recognition that best-of-breed technologies, combined with a common nerve center and operating framework, enable the best, most agile and progressive security capabilities.
I’m excited about the future of the SOC and optimistic about the future of security. Yes, there will be breaches. Yes, threats will continue to evolve. In a few years, we may even see adversaries begin using ML and AI for their own purposes. But for now, the advantage is shifting to our court. Let’s seize it.
Joel Fulton is Splunk's chief information security officer.