4 Habits of Highly Effective Security Operators
For many of us, a habit is all too often construed as an undesirable behavior that we are trying to disrupt. Smoking cigarettes, biting your fingernails, drinking too many Diet Cokes — these are the types of behaviors that often leap to mind when someone is asked to consider their own personal habits.
However, just as we are subject to habits we might find unhealthy, we can also promote those that engender greater productivity and efficiency. Through repetition, commitment, and a constant drive to learn and improve, we can intentionally stimulate constructive habits that can transform both our personal and professional lives. For cybersecurity operators who spend their days putting out fires large and small, these habits can make all the difference in advancing your career.
To get a better understanding of how we as cybersecurity professionals can cultivate and embed positive habits into our daily work lives, I recently sat down with two industry veterans who have put these habits into practice: SANS instructor Jorge Orchilles, CTO of SCYTHE and co-creator of the C2 Matrix project, and Evgeniy Kharam, VP, Cybersecurity Solution Architecture at Herjavec Group. From that conversation, I have compiled this list of the top four good security habits.
Habit #1: Operationalize Existing Frameworks into Your Daily Routine
According to researchers at Duke University, habits account for about 40% of our behaviors on any given day, though I would argue that number is considerably higher when it comes to the daily life of a cybersecurity professional. Perhaps the most challenging aspect is the simple fact that no day in the security operations center (SOC) is ever the same.
With so much uncertainty present in our daily schedule, it becomes all the more imperative that we not only leverage existing frameworks and learn from others in the industry who are facing similar challenges but also operationalize these frameworks into our everyday routine. One resource that Jorge urges security operators to embrace is MITRE ATT&CK, the globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
As Jorge points out, “MITRE provides a common language that we can all understand, and allows the cyber threat intelligence team to understand how adversaries work, share that information with incident responders and the security operations center.”
Habit #2: Leverage Internal Security Signals First
Anyone who has spent time in the enterprise trenches can relate to the saying, “Swimming in data, drowning in wisdom.” And modern security teams are no exception. Organizations have dozens of intelligence sources that feed their security operations center and this surfeit of data all too often leads to an inability to take decisive action.
As Jorge observes, “You have all this data already inside that we need to do a better job of leveraging and internal signals are a natural place to start.” Evgeniy also emphasizes the key role that internal data can play, adding that “there’s so much information available internally that security teams can use for threat intelligence — for instance, they can use the data from DNS and from their firewalls to better understand what’s happening inside the network.”
Habit #3: Cultivate a Proactive Threat Hunting Posture
The top performing cybersecurity teams understand they can’t just wait until they are under attack. Rather, they must dedicate a portion of their time to proactively hunting out new and evolving threats before an alert is sounded.
In terms of developing solid threat hunting capabilities, Evgeniy and Jorge offer some tips based on their own experience. Says Evgeniy, “You need to allocate a set amount of time each day to do threat hunting. The idea of doing this activity on a continuous basis is what really makes it an effective habit.”
Jorge meanwhile suggests turning to books, such as the free Threat Hunter playbook developed by Roberto Rodriguez as a way to codify this practice into a daily habit. What are the top things most likely to attack you? See if you can create a playbook for that and go hunting. If you’re a SOC analyst, work with your manager and see if you can get at least an hour a day to do this, Jorge suggests.
Habit #4: Make Threat Intelligence Actionable
As we all know, there’s no shortage of threat intelligence to work with in the modern SOC. The real challenge for cybersecurity operators is learning how to prioritize the intelligence that matters most and making it actionable. Turning this into a habit requires a combination of machine automation and human supervision.
To facilitate this habit, Evgeniy underscores the importance of automation. “Humans are simply not capable of looking at so many different locations. We need tools to help automate and aggregate the information so we can correlate it across different areas and sources.”
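The DNS-and-firewall correlation that Habit #2 describes, automated in the spirit of Habit #4, as an added example that is not part of the original article or either interviewee's tooling: it parses constructed resolver and firewall log lines and flags allowed outbound connections whose destination the same client did not resolve through internal DNS within an assumed 10-minute window. The log format, field names and the window length are assumptions.

```python
"""Correlate internal DNS answers with firewall connections (constructed data):
flag allowed outbound connections with no recent DNS resolution for the destination."""
from datetime import datetime, timedelta

# Constructed sample records; a real SOC would feed resolver and firewall exports here.
DNS_LOG = """\
2024-03-01T09:00:01 client=10.0.0.5 query=updates.example.com answer=203.0.113.10
2024-03-01T09:00:04 client=10.0.0.7 query=mail.example.net answer=198.51.100.20
2024-03-01T09:02:10 client=10.0.0.5 query=cdn.example.org answer=203.0.113.44
"""
FW_LOG = """\
2024-03-01T09:00:02 src=10.0.0.5 dst=203.0.113.10 dport=443 action=allow
2024-03-01T09:00:05 src=10.0.0.7 dst=198.51.100.20 dport=993 action=allow
2024-03-01T09:01:30 src=10.0.0.9 dst=192.0.2.77 dport=8443 action=allow
2024-03-01T09:02:11 src=10.0.0.5 dst=203.0.113.44 dport=443 action=allow
2024-03-01T09:30:00 src=10.0.0.7 dst=198.51.100.20 dport=993 action=allow
"""
WINDOW = timedelta(minutes=10)  # assumed: a resolution older than this is stale

def parse(text):
    """Turn 'timestamp key=value ...' lines into dicts with a parsed timestamp."""
    rows = []
    for line in text.splitlines():
        ts, *fields = line.split()
        row = dict(f.split("=", 1) for f in fields)
        row["ts"] = datetime.fromisoformat(ts)
        rows.append(row)
    return rows

def unresolved_connections(dns_text, fw_text, window=WINDOW):
    """Return (src, dst, dport) for each allowed connection that was not preceded,
    within `window`, by a DNS answer of dst delivered to the same client."""
    resolved = {}  # (client, ip) -> list of resolution times
    for r in parse(dns_text):
        resolved.setdefault((r["client"], r["answer"]), []).append(r["ts"])
    findings = []
    for c in parse(fw_text):
        if c["action"] != "allow":
            continue
        times = resolved.get((c["src"], c["dst"]), [])
        recent = any(timedelta(0) <= c["ts"] - t <= window for t in times)
        if not recent:
            findings.append((c["src"], c["dst"], int(c["dport"])))
    return findings

if __name__ == "__main__":
    for f in unresolved_connections(DNS_LOG, FW_LOG):
        print("connection without a preceding DNS resolution:", f)
```

Two connections surface: one to an address no client ever resolved, and one whose only resolution is half an hour old, which is the kind of lead a daily hunting hour can start from.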
Of course, what works for one individual or team might not work for you. The unifying theme is that by investing the time upfront to objectively deconstruct how you spend your time, you can cultivate smarter and more beneficial habits that will help you become both a more effective and valued member of your security team.