These are notes from a great talk I heard on Vimeo about cloud infrastructure, distributed teams, AI, ML and the future of security. I hope you find them as inspiring and positive as I did.
2020 is on its way out and distributed, cloud-based operations are here to stay. As every financial investor and lottery winner can tell you: past performance is no guarantee of future results. That said, looking back on 2020, there are some things we can reasonably expect to look forward to in 2021.
Much like the demise of the travel agency and of Pokémon GO, the pandemic has accelerated the inevitable changes already in progress. The surge in remote work and subsequent cloud operations is a challenge, requiring security over fragmented environments with many owners. Gone are the days of security operation centers (SOCs) cramming a team into cozy, windowless rooms. SOCs are now dispersed but not dispensable. In fact, their work is extremely spensible… or perhaps “critical.” For example, breach prevention can save $682,000 in a typical case.
So how should SOCs go about adapting to this brave new world? John Velisaris of IBM argued in his recent IBM keynote that future SOCs will show four key characteristics:
Whether you hate working next to your cat or love it, personnel have to be distributed right now. But it’s no great loss; the “nuclear model” of a few specialists in a room was already on its way out. Distributed operations are a net advantage and are the way of the future.
A distributed team can cover operational gaps. As you can perhaps tell from the name, people dislike having to work the “graveyard shift,” but a team spread across time zones never needs a night shift at all. Remote workers can also cover skills that are hard to find in your area. The sun never sets on a distributed operations empire.
On the technical side: in the cloud, you no longer have unilateral control over the tech stack that runs your SOC. The good news is that cloud tools like AWS Inspector can do forensics better than almost any in-house tool. When possible, use open standards like DXL and STIX/TAXII to make sure your tools can talk to each other.
“Alarm fatigue” is a widely discussed problem in many industries. Too many alerts overwhelm people. Ignoring alerts becomes a habit, then a disaster. When Facebook starts to notify you each time your great aunt posts a picture of her cat, you may start to disregard Facebook notifications and miss something important: like being tagged in a super flattering photo. The same problem happens in security. You can tune your settings, but you can’t totally eliminate noise.
AI-powered analysis can go a long way toward addressing this problem. Some tools can automatically enforce policies without even involving humans. In other cases, machine learning can compare incoming alerts to past alerts and decide which ones to escalate to human attention. The kind of comparative analysis required to set up these rules by hand wouldn’t be feasible for most teams. Big tech companies can’t replace humans yet, but their algorithms compare ~60 parameters across 2 years of alerts.
The mission of SOCs gets continually redefined and expands to fill the demands of the current day. To meet the present demands, the next generation of security experts must get closer to their businesses and to the cloud. To put it in non-expert language: we’re gonna need expertise.
Getting closer to business operations is tremendously useful: security learns to speak the business’s language. But it means security experts need to pick up domain knowledge they might not have had before. And no matter what business you support, everyone in security needs to get to know cloud platforms.
Security on the cloud is far from standardized yet but there are some serious developments underway. “AWS re:Invent” is a virtual conference happening now and will launch many new cloud-native security controls. Microsoft already has over 1,000 cloud-native security controls for Azure.
The lack of standardization means you should use open standards wherever you can, such as the DXL data exchange format. Open standards tend to become the general standard.
Airplanes are heavily automated, capable of flying themselves between takeoff and landing. Modern pilots don’t constantly adjust the controls; they monitor the plane and intervene when necessary. Security is becoming automated in a similar way.
Humans evolved to be managers. First we managed animals and other humans, now we manage machines. But only the latest generation of security tools are “born with” the kind of automation that can easily enforce policies without human involvement, such as automatically deleting a hazardous file in a container. Fully automated SOCs won’t come next year. But they’re on the horizon.
To avoid the costs of moving and reformatting a lot of data:
When pioneering new processes:
So in summary, there are so many lessons from 2020 to put into practice for 2021. If you’re a human reading this, make sure to take full advantage of automation and skip carrying out the repetitive tasks. Where you are automating, consider machine learning to monitor the automation and filter out excessive notifications. Cloud platforms aren’t standardized yet so use open standards where you can and consider bringing in just-in-time expertise.
And if you’re a robot reading this, remember I said such flattering things about you when you carry out the singularity.
Article originally published on Medium.