5 Security Questions to Consider this Holiday Season

From Hallmark Movies to Hallmark Questions, Five Questions Security Professionals aren’t Asking (or don’t have the answers to).

Hi, my name is Chris, and I like Hallmark Christmas movies. There, I said it. And ya know what? I’m not even ashamed of it. Yes, I know it’s the same cheesy storyline where families are reunited or true love is found after a little lovebird conflict. But I don’t care; I like ‘em. I like that every movie uses the same set and many of the same actors. I like that the girl’s names are typically Carol or Holly. And I like that every one of them is so darned predictable. 

I’ve worked in the cybersecurity space long before cybersecurity was cool. And unlike a Hallmark Christmas Movie, cybersecurity is anything but predictable; in fact, it’s ever changing, fast moving, and hard. Really hard. As security professionals, we have to be right all the time and the bad guys only have to be right once. And with no thanks at all to the Grinch who dropped a Log4J PoC exploit code on a public site one recent Friday afternoon, it’s clear that security is going to remain a career growth industry for years to come. 

But for the practitioner there are a few questions I’ve run into while talking to clients that very few seem to want to face head on. So for the beginner CISO who is coming down off their first Sev1 emergency, I’d like for you to consider these five questions (I know there are more, but I have movies to watch) which you ought to be asking your team and your vendors alike. 

1. How does my next security purchase integrate with my existing security portfolio?

Everyone has a stack. These days when you consider how security wraps from architecture to monitoring to DevOps, the tool stack gets bigger with every problem. With every problem there comes a vendor with a new shiny toy. If you’re not sure, start with questions like: Do all these products play together in happy harmony? Can your SAML/SSO reach every cloud business tool? Can your SIEM see everything, and do you have one interface with decent analytics on what your users are doing, or twelve?

2. Is my path to identifying important alerts repeatable?

Twenty years ago, SIEM technologies literally took the criticality of the source (like a Firewall or Intrusion Detection System) and passed it to the analyst without thought. This led SOC analysts down the rabbit hole of, “What is that IP address? What does it do? Who owns it? Is it supposed to be doing that? Ah, it’s a penetration testing machine. Should we disregard all events from it? What if that box gets compromised?” And each SOC analyst approached this voyage of discovery differently, depending on their own knowledge and experience. These days, bigger global and cloud networks require even more knowledge and experience – or the capability to have repeatable processes built in. 

But what do you do when an escalation is required? Is it a phone call? An email? A trouble ticket? Is it turning off someone’s access or enabling multi-factor authentication? Will every shift perform the same actions in response to alerts and threats, or are you at the mercy of seniority and experience, and suffering competition with other attention-grabbing issues? 

3. How do I establish what is normal behavior within my environment (and is that really important?)

Chris the sales guy travels a lot. We should know that when we see him logging in from another country, or at an airport. We should know he spends most of his time on Salesforce, with a few pokes here and there into the team Wiki or Confluence pages just to see what’s going on. It’s important to know that two people at once are attempting to log in with Chris’ credentials on either side of the planet? As the cool kids would say, “that’s more than a little “sus, bruh”. But how do we know what is normal for Chris vs what is normal for Krysta in IT, who basically lives and breathes at headquarters keeping everything alive and running? They’ll have different usage profiles, different access patterns, different behavior. And one of your systems should be able to tell you what normal is for when Chris’ or Krysta’s logins get compromised. (Oh, and spoiler alert…the answer to whether knowing normal is important or not is yes!). 

4. Is my next security purchase adding more to my team’s workload or helping me automate?

CapEx and OpEx are two different budgets, so I get it, sometimes adding products (CapEx) is easier than increasing headcount (OpEx). Is your team already working overtime and frustrated with the constant stream of work that zero-days are creating for them? Are they annoyed by constantly recreating logins to security systems they don’t use that often – not to mention keeping them all running in the first place? We know the answer is yes. There’s a limit to how many systems, how many events per day, how many fires even the most expert team can put out and take care of. Search Ninja’s are rare and expensive, it’s time to demand automation out of your security stack and tools. Find ways for fewer logins needed, fewer hours covering repeatable, tedious tasks that – despite being boring – are necessary for the security of the ecosystem.

5. Am I still doing things manually that can be automated?

Ah, this is the rub. Anyone who has ever cut and pasted from one spreadsheet to another, from one screen into a trouble ticket, from one login to another virtual machine to check a blacklist – manual effort is the worst, least efficient path. Why are we still creating manual paths, manual tickets, manual escalations for basic, repetitive tasks? Where’s the love for the humans who have to operate your security stack? 

Believe it or not, security – like the movie “Gingerbread Miracle” – is about love. You didn’t sign up for a high-stress job where you get blamed for everything without having a lot of love for the industry, for your job, and a belief that you’re helping make the world a safer place. So show a little love for your team, for your colleagues, for your customers, and ask these hard questions of your security vendors pitching their next cure for the current afflictions. 

Now, if you’ll excuse me I’ve got a date with a nice bourbon, a great cigar, and a Hallmark Christmas movie on the back patio.