For organizations with fragmented security operations, for example one unit managing operations of perimeter network security, another managing operations of endpoint security and identities, and a third managing operations of application and database security, coordination of these functions is critical for an effective and efficient Information Security Management System (ISMS). It matters not only for security incident detection and response (tactical risk management) but, more importantly, for longer-term security decision making (strategic risk management), which requires a broad view of the organizational risk posture and the availability of relevant risk metrics.
To achieve this objective, the organization has to integrate all security operations processes, with their escalation workflows, reporting functions, data flows and other aspects, into a central command and coordination function. This requires the creation of new organizational processes, human resources and decision support technologies.
My presentation at CISO 360 Congress focuses on security process innovation, where highly customizable open-source and open-architecture technologies are used to design and implement a security coordination decision support system. The development process for such a system requires combined development and security skills, intense coordination with managed security operation centers and risk management functions, and an agile approach to accommodate ongoing security processes.
As it is not possible to cover all aspects of this complex project in a twenty-minute presentation, I have chosen to cover the integration of perimeter security operations and endpoint security operations using Internet traffic data flow analysis and the related coordination processes. The core technologies used are Apache Metron and Apache NiFi. The development and integration challenges are unstructured data formats, high data velocity, disparate security data enrichment sources, and distinct incident response processes on endpoints and the network perimeter for organizations with global geographic operations.
An additional challenge is the organizational cloud computing strategy, which requires that the security coordination function become an early cloud computing adopter. I have dedicated a part of my presentation to planning and testing the migration of security coordination center support technologies from on-premise to the cloud.
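The integration described above has to normalise disparate perimeter and endpoint data into one schema, enrich it from shared sources, and hand correlated results to both operations units. As an added illustration (not the author's system and not Metron or NiFi code), the Python sketch below runs that logic on constructed samples; the flat field names follow Metron's ip_src_addr/ip_dst_addr convention, while the log formats, asset inventory and 60-second window are assumptions.

```python
import json
import re
from collections import defaultdict
# Constructed samples (not real traffic): key=value firewall lines and a JSON endpoint-agent event.
FIREWALL_LINES = [
    "ts=1525170000 action=deny src=10.20.30.40 dst=203.0.113.7 spt=51234 dpt=7777 proto=tcp",
    "ts=1525170005 action=allow src=10.20.30.41 dst=198.51.100.9 spt=52000 dpt=443 proto=tcp",
]
ENDPOINT_EVENTS = ['{"ts": 1525169998, "host_ip": "10.20.30.40", "user": "jdoe", '
                   '"process": "svc_updater.exe", "dst": "203.0.113.7", "dport": 7777}']
# Constructed enrichment source: an asset inventory shared by both operations units.
ASSET_INVENTORY = {"10.20.30.40": {"hostname": "ws-fin-017", "owner_unit": "finance", "region": "EMEA"},
                   "10.20.30.41": {"hostname": "ws-hr-004", "owner_unit": "hr", "region": "APAC"}}
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_firewall(line):
    """Normalise a key=value firewall line into a flat record (Metron-style field names)."""
    kv = dict(KV_RE.findall(line))
    return {"source.type": "firewall", "timestamp": int(kv["ts"]), "action": kv["action"],
            "ip_src_addr": kv["src"], "ip_dst_addr": kv["dst"], "protocol": kv["proto"],
            "ip_src_port": int(kv["spt"]), "ip_dst_port": int(kv["dpt"])}

def parse_endpoint(line):
    """Normalise an endpoint-agent JSON event into the same flat schema."""
    ev = json.loads(line)
    return {"source.type": "endpoint", "timestamp": int(ev["ts"]), "ip_src_addr": ev["host_ip"],
            "ip_dst_addr": ev["dst"], "ip_dst_port": int(ev["dport"]), "user": ev["user"], "process": ev["process"]}

def enrich(record):
    """Attach asset-inventory context keyed on the internal (source) address."""
    asset = ASSET_INVENTORY.get(record["ip_src_addr"], {})
    return {**record, **{f"asset.{k}": v for k, v in asset.items()}}

def correlate(firewall_lines, endpoint_events, window_s=60):
    """Join denied perimeter connections to endpoint events for the same host, destination
    and port within window_s seconds; each match carries both units' context in one record."""
    by_key = defaultdict(list)
    for line in endpoint_events:
        ep = enrich(parse_endpoint(line))
        by_key[(ep["ip_src_addr"], ep["ip_dst_addr"], ep["ip_dst_port"])].append(ep)
    matches = []
    for line in firewall_lines:
        fw = enrich(parse_firewall(line))
        if fw["action"] != "deny":
            continue  # only blocked perimeter traffic needs the endpoint unit's follow-up here
        for ep in by_key.get((fw["ip_src_addr"], fw["ip_dst_addr"], fw["ip_dst_port"]), []):
            if abs(fw["timestamp"] - ep["timestamp"]) <= window_s:
                matches.append({**fw, "endpoint.user": ep["user"], "endpoint.process": ep["process"]})
    return matches
```

In a NiFi/Metron deployment the two parsers would be separate parser topologies and the inventory lookup an enrichment step, with this join feeding the shared incident view.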
Key takeaways are:
- There are no out-of-the-box solutions on the market for security coordination center decision support systems, but there are mature open-source technologies that can effectively be integrated into an organization's existing security processes and their underlying technologies.
- The security coordination function is vital to bridge the gap between tactical and strategic risk management.
- Be an early adopter of cloud computing for security functions, so that all its contractual, procedural and technological aspects are already covered when the organization's crown jewels migrate to the cloud.
- The main challenge and critical success factor for such a project is finding and retaining people with the right skills. Get ready to be a leader and a coach, and to continuously learn.
Presentation slides can be downloaded from this link: Viktor Polic CISO360 Lisbon 2018.