Q&A: Preparing your SOC teams for coronavirus with automation

By Tim Sandle     Mar 23, 2020 in Business
COVID-19 is presenting new challenges to the security operations center (SOC), and by extension, the business, as organizations struggle to maintain business continuity with a newly remote work force. Matt Eberhart looks at some options for firms.
The main concern is that in a SOC, teams typically work side-by-side in close quarters. As more security analysts take sick leave or work remotely, how will security issues be assessed? One option is to automate parts of the human monitoring and decision-making, to increase visibility and analyst team capacity.
To discover more, Digital Journal spoke with Matt Eberhart, vice president of global sales for Respond Software.
Digital Journal: How serious is COVID-19 posing for businesses?
Matt Eberhart: Different types of businesses will experience the fallout of COVID-19 differently, based on their specific industry and many macro-economic factors. What we all share right now is a similar experience for our people. Our resources are balancing many changes at once. Many are being asked to work from home. School is suspended for many across the country, creating not only a need for childcare but an expectation of continuing education as well. Data tells us that the elderly are particularly at risk in this outbreak, complicating matters. Simultaneously, many are now at home with one eye on CNBC and Jim Cramer calling a blow-by-blow boxing match to the global economy. It’s distracting to say the least!
The current situation for all businesses is critical. Even if your business has the potential to thrive in the current conditions, your people are stressed. They need support, flexibility, and to know what is most important. Things have changed. If you lead a team, you probably had a list of top priorities for the next few months. Toss that list in the trash. Your team needs to know what must be done now. Expect 50% productivity from most team members this week. Some will give you way more, but this act of planning will help to drive focus on the most critical tasks. Communicate it. Write it down. Set office hours via Zoom (or Teams or Google or FaceTime) to answer questions. People will need support and clear direction on what is most important. For us at Respond, it’s our customers and the prospects we are already engaged with.
DJ: What is the impact on security operations centers specifically?
Eberhart: Security operations centers will face many of the same challenges that all corporate teams are facing with suddenly working remotely. Many programs have embraced remote work the last five years. Some have not. Those that haven’t will be scrambling to make technology changes to enable remote workers access to the critical security systems they need. These challenges will present short term delays, but the bigger challenge for security teams not accustomed to remote work will be the isolation.
Security operations pros are faced with complex challenges every day, and the one trait the best ones I know share is that they lean on each other for expertise. Maybe the lady in the cube to your right is an amazing reverse engineer while the gentleman to your left can track network footprints like no one else. Security operations is a team sport. If your team doesn’t have muscle memory with remote collaboration, they will need some help. Be creative. Script the change for them with a few simple steps.
Some ideas:
Host a 15 minute remote huddle twice a day. Make it optional (remember some folks are also now running a K-12 institution at the kitchen table). Let the team interact. Let them vent. Let them find their own remote normal and collaborate as needed.
Reduce the priority list to only those things your business requires right now. This is key. Nice to have projects can fire back up once we are on the other side of this.
Make supporting each other a priority. Talk about it. Demonstrate it.
DJ: How are businesses coping with workers self-isolating?
Eberhart: I see some examples on Twitter and LinkedIn of teams being proactive, scheduling daily collaboration sessions and check-ins. Some are not. My top two suggestions are:
Proactively communicate an updated priorities list. Make it clear what must be accomplished while also being supportive that life is not normal right now and understanding that they may have changing family needs.
Check in with your team daily, both in a group setting with a collaboration call and 1:1, even if it is just a Slack message or a text.
DJ: How feasible is remote working?
Eberhart: Organizations that have planned for remote security operations workers are at a significant advantage. One big challenge will be service providers that deliver security services for many customers: MSSPs, MDRs, and MSPs. Many of these providers are having to make exceptions to standard policy to allow home-based security personnel to service customers outside of the corporate offices. These teams may be particularly strained in the coming weeks and will need exceptional support from their leadership.
DJ: What types of technologies support home working?
Eberhart: Security Operators need many of the same tools corporate workers need. Communication, collaboration, sharing data, and access to corporate systems. Tools specific to security operators often require access to secure networks, which can be a challenge. All of this can be accomplished securely with a solid architecture and plan. Trying to do anything quickly invites failures.
DJ: How did you develop Respond Software?
Eberhart: Respond Software and our virtual security operations analyst grew from an understanding of how security operators work. Our founders and executives were working in the future of security operations and saw the strain and challenges put on the people. By the future, I mean that we were part of many of the largest and most advanced security programs inside of global companies and leading security providers. We saw that the people in these programs couldn’t keep up with the volume of events, which was forcing them to focus on low value tasks instead of fighting bad guys. Much of the security market is focused on technology.
We focus on the people. Our mission is to use software to automate the discovery and investigation of security incidents so that the people of security operations can focus on taking actions that reduce risk. We bring software scale and machine consistency to the fight, giving the teams we support an advantage to focus only on validated security incidents (for many teams 90% of security events investigated turn out to be false positives).
Challenges like we face today underscore how important foundational security operations are and why our people need software that can work while we are busy with other tasks.
DJ: How is Respond Software different from your competitors?
Eberhart: I believe the outcome we deliver to our customers is what sets us apart. Security operations is a challenging task. As the operator, you have to address thousands or even millions of events. As the adversary, you only need to be right once to gain access. We enable our customers to see what is happening across the alerts and data they already have, only escalating to them security incidents that require action. That is all we do. This frees them up from spending time trying to observe and orient to what is happening so they can focus on taking actions. We do it with software that learns and grows over time, just like security pros do. There are many ways our technology is different from the competitors, but the biggest difference our customers feel is that we don’t require any rules or complex tuning. Most security technologies require complex implementations and significant ongoing tuning. We don’t. It’s that simple.