Discussing security operations: Security 7 awards video
Date: Jul 15, 2008
The industry's best and brightest security officers discuss key issues and answer questions during the Security 7 awards at the 2007 Information Security Decisions conference.
Featured speakers include:
- Michael K. Daly, Dir. of Enterprise Security, Raytheon Company
- Simon Riggs, Global Head of IT Security, Reuters
- Sasan Hamidi, CISO, Interval International
- Michael Assante, Infrastructure Protection Strategist, National & Homeland Security, Idaho National Lab
- Timothy S. McKnight, VP & CISO, Northrop Grumman
- Kirk Bailey, CISO, University of Washington
- Mark Olson, Manager, IS Security & Disaster Recovery, Beth Israel Deaconess Medical Center
Read the full transcript from this video below:
2007 Security 7 Awards
Questioner 1: I have the first question for our panel. Some of your organizations have merged operations and security, and I want to throw this one to Mike Daly first. That trend, that merge is gaining some interest; it's gaining some attention especially around integration of networking and security. Mike, can you talk about some of the challenges you've experienced or you've heard from some of your peers in aligning these disciplines, in particular projects and overall in the organization?
Mike Daly: For me, the merger of operations with the security services is critical to the success of the organization. It was very deliberate from the beginning. It's the only way that our organization grew, if by operations we're talking about service delivery and so on. The reason my budget grew year over year and I was able to expand the organization is because we delivered a service. The reason I was able to implement policy is because I delivered the Internet service, the antivirus service, the spam filtering, and so on and so forth. So I was able to change the policy, and then change the tools to match the policy. So I found that it's absolutely critical to the success of the organization, instead of always just being a policy shop chasing after [it] with auditing and trying to beat people with a club.
Questioner 2: And Simon, you have done a similar type of thing. What kind of benefits have you seen in terms of integration?
Simon Riggs: For us, integration doesn't exclusively just mean putting the security function into the operations teams; it means aligning the way you think, act, do, and talk about stuff. Often I use the analogy of the hype cycle, to say that the stuff which is really commoditized, the right-hand end of the graph, that sort of stuff you should then put into ops. The stuff which is newer you may well want to retain within a [inaudible] security organization. And I think one of the things you really need to be careful of is mixing church and state. You need to make sure that you don't put all of the operational security activities in with the ops guys. You do run the risk that if the system goes slightly wrong, the first thing an ops guy or a comms guy will do is just turn off anything that's going to get in the way of his data getting there. So it is important to separate those two. But by having security and the ops guys speak a common language, we see far greater process discipline; the guys understand each other's priorities and are much more sensitive to their respective needs. And we get far higher performance as a result of that.
Questioner 1: So Sasan, you've managed to distribute and roll up security operations into a SIM. Talk about how SIMs play a role in the integration, especially of networking and security.
Sasan Hamidi: Well, my plan was, with such a short staff, to someday see a security operations center, one that was either integrated with our enterprise operations center or one that was operating as a standalone. The problem I had was resources. That was a huge, tremendous problem for me. So I decided to tackle the problem from another angle. Instead of developing an elaborate security operations center project, I decided to bring in a technology that I could build on later on to leverage my SOC against. So that was SIM, security information management. We brought in a simple technology that allowed us to simplify a lot of the incident reporting and security event processing. And that helped me to build a proposal that would simplify that original security operations center from a cost perspective. Now that we had the SIM, now that we had consolidated all of the alerts, now that we had built and integrated the SIM with a ticketing system, now that we had built an escalation process around the SIM, with the help of the SIM and automating those procedures, now I can go to my boss with a revised plan and say, "Now we can do the security operations, and guess what? We don't have to have additional resources to man it. We could train the enterprise operations center folks to act as first-level support and escalate the procedures that way." So it made it a lot easier for me to justify a security operations center.
Questioner 1: If we're talking about this integration, and this is for anyone on the panel: how difficult is it, and what are the political struggles like internally? I imagine that you have to be careful not to step on other people's toes. Who initiates this merge? Can you talk about that from that perspective?
Simon Riggs: Some of the things we've had to be really sensitive about in this space, and we certainly haven't cracked it yet, is how much first-line resolution do you really want happening, as you described, at your enterprise SOC or your NOC. All too often we see guys, particularly those who sit there in the middle of the night wanting to watch the latest TV show, just get the alert come up on the screen, can't be bothered to properly sort it out, and just escalate it straight up the tree. So we've really had to work through some of those implications: are they taking this seriously? Do we have to put work instructions in place? Do they really feel it's part of their job? Do they understand? Are they qualified to interpret some of these, even the most basic security-type issues we see? And how do we stop it from just being a straight pass-through to us, so that they are adding value at the earlier stages? It's not been an easy journey, I have to say, getting those guys motivated to deal with some of them.
Questioner 1: Any others?
Sasan Hamidi: I think you hit on one of the big important things to think through, especially when you have multiple operations groups. If you have different business lines, or let's say IT has server operations, it's really critical to make sure you have work process integration. So the key is to actually spend a lot of time, sit down and say, "This is how we expect to execute on security when we hit these thresholds." Then you find out how they're able to implement and execute on their mission or role, and you make sure the two dovetail together. This way you can make sure it's done as more of a routine, with less escalation required, for "hey, this is the security operations center, just initiate these actions." And you need to understand what that's going to do to those other operations, specifically when you're responding to an incident at 3:00 in the morning, so that the big escalate-and-resolve issues between the organizations don't exist. So if you don't want to get bad messages when you walk in in the morning from the CIO or the head of a business unit, doing all that work up front is really critical to being able to get a good flow and good operations that will integrate into the company.