
CISO Stressbusters: Post #4: 4 tips for running a highly effective security operation

August 4th, 2020

Rebecca Wynn, Global CISO & Chief Privacy Officer (CISO) of (24)7.ai, shares her advice for relieving stress in today’s CISO Stressbuster post.

In many organizations, the CISO is held accountable for security breaches, yet they don’t control all the decisions and systems that affect cyber risk. They need to continuously prove that they are making the company safer while persuading others to change their behavior.

Building a security culture can be stressful, but it helps if people know they can count on you. As a senior information and security risk officer who has served as a CISO at several technology companies, I’ve learned that one way to increase influence is to get things done. Running a tight ship helps you prove value and gain allies. In the fourth blog in the CISO Stressbuster series, I’ve outlined four tips that will help you build a highly effective security organization.

1. Cultivate your team

The most important part of your security operation is your people. A strong team that works well together will help you deliver on your goals and prove the value of cybersecurity to the board. To ensure your team has the right skills for your organization, start by identifying your strengths and weaknesses. For example, you may need people with more experience in cloud or automation technologies. It’s also essential to think about diversity. People with different backgrounds help you avoid groupthink and generate new ideas.

Training and apprenticeship programs are a great way to build skills within your existing staff. When done well, you can encourage a continuous learning culture that keeps people engaged. This is incredibly valuable because it isn’t just CISOs who are stressed. Our teams are also under a lot of pressure. Helping them grow and acquire new skills can reduce burnout.

You won’t be able to fulfill all your needs with training, and it can be challenging to find senior people with specialized backgrounds. When you do need to fill a new position, be intentional about which skills are required and which can be trained. Expand your criteria to include people with non-traditional backgrounds who can offer new insights. To encourage participation from everyone, build an inclusive culture.

2. Be a good fiduciary with your budget

Whether you work at a huge enterprise or a startup, there will always be a limit to your budget. Make smart investments to stretch those dollars farther. A great example is software and cloud services. There are many great security products available, but if they don’t work well with your current solutions, you may not get as much value out of them. Find ways to expand the usage of existing products. Make sure new tools align with your long-term strategy and that teams are well trained. Audit your technology regularly and stop paying for services that no longer meet your needs.

Strategic staffing decisions can also help you do more with your budget. For highly specialized skills or irregular tasks, it can sometimes be more efficient to outsource. On the other hand, you may need to invest in your own team to prepare for a changing business climate, such as hiring analysts with cloud expertise.

Demonstrating a proven track record of managing your budget well builds trust with the board and other executives. This gives you more credibility when you ask for increases in the future.

3. Measure metrics that matter

Your goal as a CISO is to improve the security of the company by effectively managing cybersecurity risk. To evaluate how well you are doing, you need to track the right metrics. The number of tickets opened and closed each month won’t tell you much, but the context of those tickets can.

Set up reporting that will help you measure how well your team and tools are protecting the organization. Some possible examples include:

  • Time to remediate (TTR) an incident allows you to track how long attackers have access to your resources.
  • Number of users with privileged access will help you keep the number of people who can access sensitive information as low as possible.
  • Number of systems with vulnerabilities can help you ensure they are regularly patched.
  • Number of unidentified devices on the network.
  • Number of staff who have completed security awareness training.

4. Adapt your communication for your audience

Making things happen as a CISO requires that you influence others. Whether that is encouraging different behavior from your team, persuading the board to approve a budget increase, or convincing other business leaders to take security seriously, communication is key.

Effective communication starts with good relationships. When I first join a company, I immediately work on building partnerships with other business leaders. If they have issues with the security team, I work on getting those ironed out. This paves the way for me to have conversations about how we can work together to improve security.

As you work with colleagues to make progress on security objectives, it helps to be agile. Listen during meetings to try to understand what’s working and what’s not. Flex your language depending on who’s in the room. When people understand how they will benefit from security, they are more likely to get on board.

Looking ahead

Safeguarding your company against cyber threats is rewarding work, but it also comes with a lot of pressure. To help you manage the stress, the CISO Stressbusters blog series will feature advice from CISOs from a variety of different companies and industries. Stay tuned for the next CISO Stressbuster post for more advice from others in the trenches.

Did you find these insights helpful? What would you tell your fellow CISOs about overcoming obstacles? What works for you? Please reach out to Diana Kelley on LinkedIn if you’re interested in being interviewed for one of our upcoming posts.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


The post CISO Stressbusters: Post #4: 4 tips for running a highly effective security operation appeared first on Microsoft Security.

Empower your analysts to reduce burnout in your security operations center

July 28th, 2020

Effective cybersecurity starts with a skilled and empowered team. In a world with more remote workers and an evolving threat landscape, you need creative problem solvers defending your organization. Unfortunately, many traditional security organizations operate in a way that discourages growth, leading to burnout and high turnover.

Sixty-six percent of IT professionals say they have considered finding a new job with less stress. Fifty-one percent are even willing to take a pay cut. And the average tenure of a cybersecurity analyst is only one to three years. Even if stressed employees don’t quit, they may become cynical or lose focus, putting your organization at risk. Given the huge talent shortage—estimated between one and three million cybersecurity professionals—it’s critical to understand some of the factors that lead to burnout, so you can grow and retain your team. In this blog, I’ll provide insights into what drives burnout and walk through recommendations for using automation, training, and metrics to build a more effective security organization.

Burnout in the security operations center

Burnout starts with a vicious cycle. Because management has a limited budget, they staff many of their positions with entry-level roles. Security organizations are inherently risk-averse, so managers are reluctant to give low-skilled roles decision-making authority. Security professionals in such an environment have few opportunities to use creative problem-solving skills, which limits their opportunity to grow. If their skills don’t grow, they don’t advance, and neither does the organization.

This cycle was documented in a 2015 USENIX paper that studied burnout in a security operations center (SOC). By embedding an anthropologically trained computer science graduate in a SOC for six months, the researchers identified four key areas that interact with each other to contribute to job satisfaction:

  • Skills: To effectively do their job, people need to know how to use security tools where they work. They also need to understand the security landscape and how it is changing.
  • Empowerment: Autonomy plays a major role in boosting morale.
  • Creativity: People often confront challenges that they haven’t seen before or that don’t map onto the SOC playbook. To uncover novel approaches they need to think outside the box, but creativity suffers when there is a lack of variation in operational tasks.
  • Growth: Growth is when a security analyst gains intellectual capacity. There is a strong connection between creativity and growth.

[Image: the Human Capital Cycle. Graphic from A Human Capital Model for Mitigating Security Analyst Burnout, USENIX Association, 2015.]

To combat the vicious cycle of burnout, you need to create a positive connection between these four areas and turn it into a virtuous cycle. Strategic investments in growth, automation, and metrics can make a real difference without requiring you to rewrite roles. Many of these recommendations have been implemented in the Microsoft SOC, resulting in a high-performing culture. I also believe you can expand these learnings to your entire security organization, who may also be dealing with stress related to remote work and COVID-19.

Create a continuous learning culture

Managers are understandably wary about giving too much decision-making authority to junior employees with limited skills, but if you give them no opportunities to try new ideas they won’t improve. Look for lower-risk opportunities for Tier One analysts to think outside set procedures. They may periodically make mistakes, but if you foster a culture of continuous learning and a growth mindset they will gain new skills from the experience.

To advance skills on your team, it’s also important to invest in training. The threat landscape changes so rapidly that even your most senior analysts will need to dedicate time to stay up to date. The Microsoft SOC focuses its training on the following competencies:

  • Technical tools/capabilities.
  • Our organization (mission and assets being protected).
  • Attackers (motivations, tools, techniques, habits, etc.).

Not all training should be formal. Most managers hire junior employees with the hope that they will learn on the job, but you need to create an environment that facilitates that. An apprenticeship model provides growth opportunities for both junior and senior members of your team.

Support operational efficiency with automation

At Microsoft, we believe the best use of artificial intelligence and automation is to support humans—not replace them. In the SOC, technology can reduce repetitive tasks so that people can focus on more complex threats and analysis. This allows defenders to use human intelligence to proactively hunt for adversaries that got past the first line of defense. Your organization will be more secure, and analysts can engage in interesting challenges.

Solutions like Microsoft Threat Protection can reduce some of the tedium involved in correlating threats across domains. Microsoft Threat Protection orchestrates across emails, endpoints, identity, and applications to automatically block attacks or prioritize incidents for analysts to pursue.

Azure Sentinel, a cloud-native SIEM, uses machine learning algorithms to reduce alert fatigue. Azure Sentinel can help identify complex, multi-stage attacks by using a probabilistic kill chain to combine low fidelity signals into a few actionable alerts.

It isn’t enough to apply machine learning to today’s monotonous challenges. Engage your team in active reflection and continuous improvement so they can fine-tune automation, playbooks, and other operations as circumstances change.

Track metrics that encourage growth

Every good SOC needs to track its progress to prove its value to the organization, make necessary improvements, and build the case for budgets. But don’t let your metrics become just another checklist. Measure data that is motivational to analysts and reflects the successes of the SOC. It’s also important to allocate the tracking of metrics to the right team members. For example, managers rather than analysts should be responsible for mapping metrics to budgets.

The Microsoft SOC tracks the following metrics:

Time to acknowledgment: For any alert type with a track record of 90 percent true positives, Microsoft tracks the time between when an alert starts “blinking” and when an analyst begins the investigation.

Time to remediate: Microsoft tracks how long it takes to remediate an incident, so we can determine if we are reducing the time that attackers have access to our environment.

Incidents remediated manually and via automation: To evaluate the effectiveness of our automation technology and to ensure we are appropriately staffed, we track how many incidents we remediate via automation versus manual effort.

Escalations between tiers: We also track issues that are remediated through tiers to accurately capture the amount of work that is happening at each tier. For example, if an incident gets escalated from Tier One to Tier Two, we don’t want to fully attribute the work to Tier Two or we may end up understaffing Tier One.
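The four metrics above, and the time-to-remediate and automation figures suggested in the CISO Stressbusters post earlier on this page, can all be derived from a minimal per-incident record. The following Python is an added example, not Microsoft SOC code; the alert names, true-positive rates and incident timings are constructed, and the 90 percent true-positive gate is generalized into a parameter so the effect of the gate can be seen.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional

# Constructed true-positive track record per alert type (share of past alerts that were real);
# time to acknowledgment is only measured for alert types at or above the 90 percent bar.
TRUE_POSITIVE_RATE = {"credential-dump": 0.95, "phish-click": 0.92, "port-scan": 0.40}

@dataclass
class Incident:
    alert_name: str
    fired: datetime                    # when the alert started "blinking"
    acknowledged: Optional[datetime]   # when an analyst began investigating
    remediated: Optional[datetime]     # None while the incident is still open
    remediated_by: Optional[str]       # "automation" or "manual"
    tiers: List[str]                   # every tier that worked the incident, in order

def minutes_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60

def time_to_acknowledge(incidents: List[Incident], min_tp_rate: float = 0.90) -> Optional[float]:
    """Median minutes from alert to investigation, counting only reliable alert types."""
    durations = [minutes_between(i.fired, i.acknowledged) for i in incidents
                 if i.acknowledged is not None
                 and TRUE_POSITIVE_RATE.get(i.alert_name, 0.0) >= min_tp_rate]
    return median(durations) if durations else None

def time_to_remediate(incidents: List[Incident]) -> Optional[float]:
    """Median minutes from alert to remediation (how long the attacker kept access); open incidents skipped."""
    durations = [minutes_between(i.fired, i.remediated) for i in incidents if i.remediated is not None]
    return median(durations) if durations else None

def remediation_split(incidents: List[Incident]) -> Dict[str, int]:
    """Incidents closed by automation versus analysts, plus those still open."""
    counts = {"automation": 0, "manual": 0, "open": 0}
    for i in incidents:
        counts["open" if i.remediated is None else i.remediated_by] += 1
    return counts

def work_by_tier(incidents: List[Incident]) -> Dict[str, int]:
    """Credit every tier that touched an incident, so escalated work still counts for Tier One."""
    counts: Dict[str, int] = {}
    for i in incidents:
        for tier in i.tiers:
            counts[tier] = counts.get(tier, 0) + 1
    return counts

# Constructed sample shift: two reliable alerts, one noisy alert, one still-open phishing case.
T0 = datetime(2020, 7, 28, 9, 0)
def at(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)
SAMPLE = [
    Incident("credential-dump", at(0), at(5), at(65), "manual", ["Tier One", "Tier Two"]),
    Incident("credential-dump", at(60), at(63), at(70), "automation", []),
    Incident("port-scan", at(0), at(120), at(130), "manual", ["Tier One"]),
    Incident("phish-click", at(0), at(10), None, None, ["Tier One"]),
]
```

Lowering `min_tp_rate` to 0.0 pulls the noisy port-scan alert into the acknowledgment figure and inflates it, which is why the gate exists.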

As organizations continue to confront the COVID-19 pandemic and eventually move beyond it, many security teams will be asked to do more with less. A continuous learning culture that uses automation and metrics to encourage growth will help you build a creative, problem-solving culture that is able to master new skills.

Read more about Microsoft Threat Protection.

Find out about Azure Sentinel.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Empower your analysts to reduce burnout in your security operations center appeared first on Microsoft Security.

Network Access Protection Troubleshooting Guide is live!

December 22nd, 2008

Hey citizens of New NAP City!


The Network Access Protection Troubleshooting Guide, authored by our very own technical writer and NAP Forum hero Greg Lindsay, is now live! This completes the product documentation set for NAP in Windows Server 2008.


http://technet.microsoft.com/en-us/library/dd348515.aspx


The NAP Troubleshooting Guide provides task-oriented information to help you identify and resolve NAP-related problems quickly for the Windows Server 2008, Windows Vista, and Windows XP with Service Pack 3 operating systems. This guide can assist you when performing root-cause analysis of incidents and problems with the components of a NAP infrastructure.


This guide contains the following sections:

  • Introduction to Troubleshooting NAP
  • A-Z List of Problem Topics for NAP
  • Things to Check Before Troubleshooting NAP
  • Quick Fixes for NAP
  • Tools for Troubleshooting NAP
  • Troubleshooting NAP Problems


You can provide feedback on individual pages of the NAP Troubleshooting Guide by clicking “Click to Rate and Give Feedback” just above the content pane.


A big thank you to Greg for his authoring efforts and to NAP product team reviewers.


Enjoy!



Joe Davies

