Around RSA

Tales from the Black Hat NOC: Are We Broken?

Nov 09, 2016 | by Scott Carter |

Walking through the expo hall at Black Hat Europe was uplifting - if the vendor booths were to be believed, APT's can be stopped in their tracks, Ransomware protection can be guaranteed, and phishing can become a term applied to lake activities again. All it requires is buying this tool! It made me wonder why people like me are even in needed in the space any more...

After that, I returned to the Black Hat NOC, where I was smacked back to "security" reality. Real networks don't align with the perfect test scenarios being marketed by the vendor booths. They have business processes that cannot be impacted by security. They are complex and constantly changing. They have protocols that do not follow RFC's, users that do not follow rules, and security leaders that do not follow what's going on.

Walk through it with me...

  1. Easy Buttons: Easy buttons are for office supplies, not security. The industry HAS recognized that signature based-blocking leaves significant gaps.
  2. Limited resources: What is the most valuable resource your security team has? The practitioners themselves. Finding head count is difficult, and finding good resources to fill head count is damn near impossible.
  3. Fractured Mindshare: With so many different tool sets and so few resources - most solutions are simply being maintained, not optimized. Analysts run into the same issue with mindshare when dragged through five different tools and interfaces during a single investigation. What percentage of your existing tool's capabilities is your organization utilizing?

Previous Cycle:

Easy button + limited resources + fractured mindshare = Security Fail (As seen on TV)

After several years of incredibly public breaches, the broken mindset seemed to shift. It gave many security practitioners hope. But then something changed. Perhaps, as with long time news coverage of wars, we became numb and stopped paying attention. Perhaps, the educational lessons led to a path that simply seemed too difficult. Regardless, we ended up with this...

Current Cycle:

NextGen Easy Button + limited resources + fractured mindshare = NextGen Security Fail

Many organizations are still left with partially utilized security tool sets. Even if there are dedicated analysts doing triage, it's rare that these analysts get to take full advantage of the tool's alerting or investigation capabilities, regardless of product make, model, or vendor.

Within the Black Hat NOC, we have multiple RSA engineers configuring and utilizing the RSA NetWitness solution - a luxury to say the least. Looking around the NOC after my "slap back to security reality experience," I wondered why the types of configurations and tuning being done for the Black Hat network aren't done in all organizations. Is there a difference between the NOC members and the typical security engineer/administrator? It's not a case of individuals not having special access to internal RSA knowledge or brilliant minds. RSA Link is one of the most utilized information stores for these NOC members, and is the same RSA Link that customers can access and contribute to. So, what I came up with was pretty simple...

Future Cycle: Focus!

Your own people can become power users, too. And no, before you even think about it, there is no tool you can purchase to transform them into power users!

But, how can people focus when they are forced to wear multiple hats or manage multiple tools (very common problem)? Buying habits need to change - a more strategic approach to purchasing security solutions is required. It's not an overnight fix, but it is a necessary one.

Take the following matrix for example. No if's, and's, or but's... detection, investigation, and response capabilities are required within a SOC. And, as you add more of the products required to fill out the matrix, the less attention each of those products gets. The less focus each solution gets, the less effective it is. The organizations you are trying to protect are complex - no out-of-the-box solution is going to account for these complexities.

NOC Europe Blog 2

Matrix of Fractured Mind Share

So I challenge you, Mr. CISO, Mrs. Director of Information Security, Mr. SOC Manager, Mrs. Security Engineer, and Mr. Analyst - the next time you look to purchase that shiny, new "easy button" (aka the latest security solution), take a more strategic approach. Instead, add integration and consolidation to your evaluation forms. Is the slick UI or random unique feature of a point product worth the dilution of your engineer's mindshare? Sometimes, the answer will be yes. But how long must these differentiators remain unique to make up for the loss in product expertise from an engineer's fractured mind share? More importantly, without a power user of the product, will the team be able to effectively implement (in a real network) the unique feature?

It's time to break out of the security sales cycle and change the way we think of security. With consolidation and tighter integration points from vendors, and as organizations gain recognition and focus, we may have a chance of accomplishing that. But the first step, is recognizing that we have a problem...