I would love to tell you that there was a more formal origin behind the core tenets of the Security Situation Center (SSC), but the truth is, the concept originated from my watching too much Star Trek. I am a huge Star Trek fan, and while watching an episode of the “Next Generation” series, I started thinking about the parallels between navigating hostile cyberspace and the efficiency behind the bridge operations of the Starship Enterprise. While the series is 30 years old, it still captures our imagination, and in this case, gives us some original, innovative ideas we can implement today.
Now turn to my day job, when I have Star Trek turned off. My team and I understand that in the very near future, the tedious SOC monitoring and analysis tasks now performed by analysts will be managed and processed by AI-based expert systems. In other words, the day is coming when it is no longer necessary to put human eyes on glass to monitor security alerts. The transformational possibilities for an operational cybersecurity team in this future reality are extraordinary!
On the bridge of the Enterprise, all personnel have a distinct role and ownership of duties, backed up by team members elsewhere on the ship. They also have many people trained for each role. When you consider the many different situations they expect to encounter, you can quickly see this team is well-prepared, well-trained and confident. They have navigation, engineering, communications, science, medical, tactical, command, and of course, Counselor Troi for diplomacy and a little espionage. They are prepared for the unexpected, so they have all options covered. The organizational structure and preparation allow them to hightail it at warp 9 when running from hostile situations, hide, fight, discover, fix, or talk their way out of anything. This feels exactly like what I want my security defenses to be able to do!
The basic Security Operations Center template has many junior people doing the same job. There might be some level of rotation, but that job puts human “eyes on glass” watching alerts or events and then deciding which require action and at what level of urgency. This model typically leaves security situation management to an ad-hoc team of incident responders, senior architects, and the management chain. This ad-hoc SOC analysis team occasionally convenes to respond to high-profile incidents, which in reality is an additional duty.
The hostility level and risk that organizations expose themselves to by conducting business on the Internet now look more like a low-level information war than the occasional malware infection or credit card breach. We know the economics are too powerful not to do business on the Internet. However, as the world becomes more digital, perhaps it is time we acknowledge this new reality, leave the status quo behind and reorganize to actively defend our companies on the Internet.
Fortunately, there is also some organizational experience, beyond Star Trek, behind this idea. When I ran an MSSP in the early 2000s, we got to practice on a quarterly basis with every new Internet worm. These War Rooms were fueled by sleep deprivation, caffeine, hundreds of millions of dollars in financial losses and lots of grumpy IT and IT security guys and gals. It was management by exception at its worst. When it worked, we managed to recover in reasonable time frames, but we never fixed the root of the problem.
With a Security Situation Center, you have a small team of experienced security personnel whose full-time job is to actively defend the business and then proactively prepare to defend the business. This includes an immediate grasp of all of the network security monitoring controls deployed and their current status, the vulnerability status of the entire enterprise, and intelligence on the capability and intentions of bad actors. Just like on the bridge of the Starship Enterprise, these folks are at once leaders and coordinators with the IT and IT security teams that actually make the ship fly.
I’ll surely have more ideas of what a future Security Situation Center will look like. More importantly, I invite you all to comment and provide feedback about how you imagine our industry can push operational security into managing, not only monitoring, situations.
As Captain Picard said so well, “Engage!”
Chris has over 30 years of experience in defensive information security: 14 years in the defense and intelligence community and 17 years in commercial industry. He has designed, built and managed global security operations centers and incident response teams for eight of the global Fortune 50. As he often says, if you have complaints about today’s security operations model, you can partially blame him. It is from his first-hand experience in learning the limitations of the man vs. data SecOps model that Chris leads product design and strategy for Respond Software.