"Curve-jumping" in Security Operations and SOAR Technologies

[Posted on behalf of Anton Chuvakin, Security Strategy, Chronicle, Google]

Let's think about this together: can you really jump to the "next curve" in security, or do you have to travel the entire journey from the old ways to the cutting edge?

This is a harder question than it appears, and there are temptations on both sides of the argument. There are also false answers on both sides, tempting though they may be (e.g. the "always buy stuff with 'next-gen' in the name and you'll be at the cutting edge!" pitfall).

For example, should you try to maximize the value you can get from your traditional anti-virus, or jump to some NG thing? Should you build a SOC circa 2002 and then evolve it into a modern SOC? Or should you try your hand at elite practices like threat hunting when you have barely gotten your SIEM configured in a useful manner?

The main risk with incremental steps, traveling the same journey that the top-tier organizations have traveled, is that in 10 years you'd still be 10 years behind...

The risks of curve-jumping are many: you can jump and miss (wasting resources and time), you can jump to the wrong curve, or you may simply have no idea where the next curve is and where to jump. After all, CRAWL-WALK-RUN is there for a reason, and there is no CRAWL-JUMP-JUMP... is there?

Intuitively, it feels that jumping to NG tools (however defined) is possible (leaving aside, for now, whether it is desirable). But what about jumping to NG processes like, say, agile and DevOps (or DevSecOps, if you know what that is), or even hunting and threat intelligence fusion? Does jumping to the next curve in security processes and practices really require that your current processes be very mature, or not? In fact, can excessive current-gen process maturity make you excessively rigid, and thus less likely to jump to the next curve and to some next-gen process?

As it relates to SOAR and SOC/CIRT automation, this reduces the discussion to the following: should you implement manual processes first, refine them, refine them more, and then progress to (partial) automation via a SOAR tool? Or should you "curve-jump" to some next-gen SOAR-centric security processes, perhaps using SOAR magic?

Finally, please don't hold it against me, but if I am given no additional context and insufficient information, I usually lean towards incremental change and not jumping. In essence, I prefer to suffer from the risks of not jumping [which are very real!] vs the risks of jumping and missing (or jumping to the wrong curve) [which are just as real]...


© 2020 CISO Platform.