Starting in the early 2000s and until the mid-2010s, compliance was a primary driver for many cybersecurity programs; as instilled by business executives, the fear of failing an audit was more worrisome than the threat of a breach. Even while it was happening, cybersecurity practitioners recognized that the compliance use case was a stopgap measure and foresaw—or at least hoped—that it would not last. Compliance was falling short on so many levels, notably, in allowing the organization to implement the right processes and controls that could mitigate cybercompromise. This was pushing security practitioners all over the world to push for compliance as, perhaps, a baseline for a security program—the underpinnings, not the entire equation— while leveraging the healthy budgets that often accompanied compliance efforts.
Frameworks such as the Center for Internet Security (CIS) Controls and the US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) were being built and evangelized for this very purpose—to support security teams that needed to elevate their game from a compliance mindset. These frameworks, as such, were much more in tune with what security needed to be, that is, a component of risk management. Cyberrisk was another aspect of overall business risk, albeit a newer one, than most business executives were used to handling.
A US fast-food franchise based in the Midwest but with stores all over the country was grappling with this very problem. The company had previously been the victim of a public breach and the executive team was aware that the company needed a security program headed by an experienced cybersecurity executive to move the company toward a hardened cyberrisk posture. With more than 700 employees, three-quarters of whom were working remotely due to the franchise model, a formalized security program had to focus on risk reduction rather than a hardened perimeter with strong network detection control.
THE NEW CISO FOUND, AND HIS SYS ADMIN CORROBORATED, THAT THE MSSP LACKED UNDERSTANDING OF THE BUSINESS AND ITS REQUIREMENTS, THEREBY PUTTING THE BUSINESS AT GREATER RISK OF AN INCIDENT.
Michael Gioia was among the growing number of cybersecurity professionals who wanted to get away from compliance-focused security programs. When he joined the fast-food chain in 2017 as the information security officer (ISO), he, along with the executive team, knew the business could benefit from Gioia’s experience, in particular, the fact that he had helped various organizations formalize and build security programs based on the most effective and reliable measure: risk. Notably, several organizations for which Gioia worked lacked dedicated cybersecurity staff and often had little dedicated budget. This position was similar to that of the fast-food company, even though it was an established, successful business.
Around the same time period, security operations centers (SOCs) were being established as critical components of enterprise cybersecurity and risk mitigation programs. The SOC encompassed all the necessary components to identify and act on cyberthreats. But an enterprise SOC was not obtainable to every organization. Smaller businesses, less-resourced organizations and organizations with nascent cybersecurity programs, such as the fast-food company, needed operational intelligence to effectively manage their own cyberthreats but often did not have the resources to support an in-house effort. The idea of SOC as a Service had not yet materialized and managed security service providers (MSSPs) were not the risk-focused business practitioners that the fast-food company wanted or needed them to be.
The Challenge
Many small and medium-sized enterprises had no choice but to rely on MSSPs. And, in most cases, this was adequate. For Gioia, though, the best way to operate an effective and efficient cybersecurity program was to build it in such a way that risk mitigation was the goal. And that meant building an organic security program that went beyond compliance or what an MSSP could offer.
In a previous university role, Gioia recruited students to augment his staff. These were perfect opportunities to alleviate workforce issues, train future talent to be ready for post-college employment and build trial SOCs without the pressures of running an enterprise SOC. This method also gave him opportunities to instill risk-based and business-oriented cultures in the minds of future security talent.
Why was a university the perfect place for experimentation? For starters, university environments encourage learning and experimentation. In many ways, cybersecurity was still a new field, tackling modern and ever-changing challenges that demanded new perspectives. Like many security practitioners, Gioia was convinced a risk-based approach to operations was it.
Second, university access and security requirements have long been considered some of the most complicated: thousands of users with varying use cases, a culture of open access and a geographically dispersed staff. The small head counts and limited resources that typically accompany university cybersecurity environments make managing security operations at a technical level less effective than determining risk, setting baselines, and then aligning operations and technical controls to risk.
This foundational groundwork, it turned out, served the fast food chain he worked from 2017-2019 well. It gave him the insights needed to form a security team for a business that did not have anything in place and few resources to dedicate to security even though security had become a concern for the business.
By the time he landed the role of information security officer (ISO) at the major fast-food chain, an environment that operated on the basis of remote access and disparate levels of cybersecurity requirements, Gioia had gained more than a decade of experience building out cybersecurity programs and teams centered on risk. Further, organizations’ executive teams had come to realize that enterprise risk depended on a risk-based approach to cybersecurity; too many media-worthy data breaches had hit the headlines for anyone to ignore current requirements for too long.
With more than 700 employees, more than three-quarters of whom were remote workers in franchise brick-and-mortar restaurants, the new security operations team was responsible for corporate security, but not the security of each franchise’s IT. This created a major problem. Franchise stores were required to use the corporate mandated point-of-sale (POS) from a third-party vendor (fortunately, a level-one merchant, thus alleviating Payment Card Industry Data Security Standard [PCI DSS] requirements), and that system was integrated with the corporate system, which was managed by a third party.
The security operations team lacked visibility into franchisees’ IT and did not have control over the implementation of any of the POS systems, but a breach would cause major operational problems and brand damage. Corporate understood this, as the company had experienced a breach a few years prior. This was the impetus for leadership to formalize a security program and start implementing some measurement of cyberrisk against the brand as a whole and individual stores.
Source: Center for Internet Security, CIS Controls, USA, 2021, http://www.cisecurity.org/ |
Making matters worse, at the time, no formalized security program existed. All they had was one internal system administrator who was handling technical security. Fortunately, corporate had had the foresight to supplement its internal capability by contracting an MSSP. However, the new ISO found, and his sys admin corroborated, that the MSSP lacked understanding of the business and its requirements, thereby putting the business at greater risk of an incident than was necessary.
The Solution
Armed with data from his previous roles and a detailed program management plan, the ISO convinced his management team to sunset the MSSP and use those resources to build out an internal security operations team.
The internal security operations team’s first move was implementing the CIS Controls (figure 1), a set of 18 basic cybersecurity recommendations upon which hardened security programs are built.
The team then expanded the requirements of the program to meet the NIST CSF, a significantly more rigorous framework detailing hundreds of requirements to identify, protect, detect, respond and recover from security incidents. These frameworks allowed the newly formed internal security operations team to understand and identify threats to corporate systems and learn where the business needed to improve security operations to manage threats.
As such, the next “must have” was building out a vulnerability management program. At this point, the internal security operations team had recruited two employees from the IT side of the business. While they lacked formal security experience or training, one had acted as a project manager, which was imperative to managing cybersecurity threats and risk, and the other had experience on the help desk, giving him excellent people and project management skills.
As the two new staff members were trained to work security operations, they kept their focus on risk and business requirements (figure 2). What they collectively found was that IT teams and the tools implemented, such as security information and event management (SIEM), lacked the business context on which threat and risk profiles could be built. The goal then became contextualization. The ISO asked the team to develop a model for identifying business- critical, priority alerts. Together they built a threat profile and then a strategy to fix problems.
While improvements were noticeable from the outset, the company needed more than just two analysts and IT technologies; soon after Gioia joined the company in the latter half of 2017, the executive team provided approval for a formal SOC program, including increased staff, and purchased dedicated security tools to collect and monitor logs. Once fully staffed, the small internal security operations team started to monitor logs and systems using the aforementioned business prioritization method the team had developed.
Introducing Automation and Prioritization
One key aspect of the newly formed SOC program was the deployment of JASK, then an autonomous log management and monitoring technology purpose-built for security analysts.1
JASK was chosen because it went beyond traditional or typical log management and eliminated many of the usual problems organizations faced with their security information and event management (SIEM), such as constant tuning and alert fatigue. Further, JASK incorporated elements of machine learning, which was novel at the time, and was in line with what would become the current Security Orchestration, Automation and Response (SOAR)—a system that can ingest logs from various sources, contextualize the data with threat intelligence and other system data, and then produce actionable information upon which strategic decisions can be made.
While today this process is accepted as table stakes for any SOC, at the time, most technology was focused on gathering as much data as was possible. JASK, in contrast, according to Gioia, was uniquely positioned to weed out lower-priority alerts, minimize tier-one analyst work and allow the fast-food company’s small-but-growing internal security operations team to focus on business risk areas created by cybersecurity risk.
Adding Threat Hunting
The organization watched as the number of public attacks against restaurants and retailers grew. Gioia and the executive team wanted the company’s SOC to be more proactive against modern-day threats instead of waiting to find indicators of compromise in its systems. Gioia secured approval from the CIO to purchase additional services from JASK that supplied a dedicated threat hunting team.
THE EXECUTIVE TEAM WANTED THE COMPANY’S SOC TO BE MORE PROACTIVE AGAINST MODERN-DAY THREATS INSTEAD OF WAITING TO FIND INDICATORS OF COMPROMISE IN ITS SYSTEMS.
The service included constant communication with the fast-food business’s internal security operations team. They used Slack to share information. What occurred as a result of the communication was interesting: What JASK lacked in business context, the internal security operations team could supply, and what the internal team lacked in technical skill, the JASK team could supply. It was a perfect complement, and, in the process, the internal team gained on-the-job training in what it took to identify and eliminate threats, while the JASK team learned more about the restaurant chain’s business needs.
Gioia credits his team members’ growth and skill building to their constant thirst for knowledge. He says it made an enormous difference in the efficacy of the organization’s SOC program and overall risk management.
While the internal security operations team still faced challenges at the time—most notably, pressure from franchisees’ IT teams that continued to have a “collect everything, analyze everything” mentality—the team, helmed by Gioia, made considerable progress in security operations and risk management.
Implementing its Security Operations Framework
At the beginning of the fast-food chain’s journey of building out a security program, the ISO had relied heavily on established security frameworks such as the CIS Controls and NIST CSF. But he, like many others in the field, felt more depth was needed—that more granularity and contextualization were necessary to fight modern cyberthreats.
Together, the internal security operations team built threat profiles based on risk profiles that reflected the business implication of an attack against corporate systems. What the team found after completing the first exercise was that several high- profile executives had excessive access and permissions that were putting the company at greater risk than was necessary. The team went back to revisit and adjust its then-understood baselines to reflect reality and reexamined how that impacted what the team would monitor, how it would monitor and how it would implement new controls—otherwise known as the Observe, Orient, Decide, Act (OODA) Loop (figure 3).
THE RISK-BASED OPERATIONS FRAMEWORK THAT HAD A STRONG RISK FOCUS MADE IT POSSIBLE FOR THE SOC TO BE BOTH STRATEGIC AND TACTICAL.
Through the process, the fast-food chain’s internal security operations team learned to understand risk and business profiles—not just security operations and technology—to be better equipped to support not just security and IT but the entire business. This project became a mainstay of the organization’s SOC program, and the analysts were able to execute threat profiling and analysis on their own using the tools at hand.
The documentation created via this work and the resulting process is a risk- and business needs- based cybersecurity framework for security operations that Gioia uses and continues to refine today in his current role and which is still in use at the fast-food chain.
The Benefits
The main benefit for the company was the installation of a risk-based cybersecurity program predicated on business needs and requirements. Based on this work, Gioia developed a new security operations framework that the security operations team used to reduce risk within the security operations center. The company’s internal security operations team was able to make better-informed and educated investments in tools, people and processes to support the business (figure 4).
As a consequence of this work and the deployment of JASK, the business saved more than US$200,000 by removing unneeded security tools and saved uncalculated budget on other IT systems that either duplicated efforts or were not producing business-related results. While risk management is not normally part of the work of SOC teams, the risk-based operations framework that had a strong risk focus made it possible for the SOC to be both strategic and tactical.
Further, the fast -food company developed mature security analysts who were risk- and process-focused, thereby creating a culture of security and risk at the organization. By the time Gioia left the company in late 2019, the security program, which began in 2017 with an ISO (Gioia) and two IT recruits sourced from within the organization, was staffed with eight full-time employees—six of whom were security operations staff and one who was focused on governance, risk and compliance (GRC).
This dedicated security team was clearly in a better position to protect the company from cyberthreats and to mitigate any damage in the face of security incidents than it had been prior to the establishment of a formal program.
And although the initial collaboration with the IT teams was rocky, Gioia said that over time, the internal security operations team created an amicable and collaborative relationship with the network team. As a result of their work, the internal security operations team could provide better, more actionable network data and investigations requests, which improved its working environment.
The Results
In late 2019, the business was absorbed into a larger, well-known fast-food restaurant brand and the SOC analysts became part of the greater cybersecurity program. The analysts remaining at the company are now the most advanced and skilled staff among all security employees and are carrying on a culture of risk. The analysts are providing hardening guidelines to the greater organization and continue to find ways to make the company’s IT more resilient to cyberattack using the framework developed under Gioia’s tenure as their guide.
The combination of a GRC function within the security operations team allowed the SOC team, and the business, to focus on business risk and processes. It did so by bridging the gaps in the company’s cyberrisk function based on deployed assets and asset criticality and developing human analysts who had broader mindsets than security operations.
Prior to 2017, IT auditing was not implemented at the fast-food company. Following the implementation of the vulnerability management program, the team was able to gain insight into what was happening in its systems and create guidelines and processes for hardening systems and processes and meeting compliance mandates.
Beyond security, the internal security operations team formalized a risk management program based on a business impact analysis (figure 5), which identified continuous process improvements for the company. The analysis resulted in greater automation, where possible, allowing the team to place efforts in higher-level strategy work and processes. The entire program moved the organization toward risk management because the goal was not to improve cybersecurity, but to decrease cyberrisk as a means to control business risk. Putting risk management at the core resulted in operations and network teams’ abilities to handle alerts more efficiently, create playbooks for incident handling and reduce analyst fatigue.
RELYING ON INDUSTRY-LEADING FRAMEWORKS AND GUIDANCE, THE INTERNAL SECURITY OPERATIONS TEAM DEVELOPED NEW, ITERATIVE PROCESSES TO IDENTIFY MAJOR ROADBLOCKS TO BUSINESS OPERATIONS.
Relying on industry-leading frameworks and guidance, the internal security operations team developed new, iterative processes to identify major roadblocks to business operations. They used these to work backward and find cybersecurity and technology risk areas such as shadow IT, which results in greater and unnecessary organizational risk, and then mitigating the risk by overseeing their performance. The OODA Loop created from the continuous process improvements allowed the team to surface IT and security risk quickly and to implement measures to handle this risk.
This work of identifying risk areas resulted in a clear, always-up-to-date risk register that fed into the business risk profile; the company could, consequently, identify targeted threats and indicators of compromise because the team had taken the time to develop and understand accurate baselines and threat profiles that related to their business.
The bigger picture, however, was the highly trained analyst team centered around business processes rather than tools management. This risk-focused program has helped the business operate decisively and effectively, because the SOC operators truly understood what they needed to protect—which is to say, mission- and business-critical people, processes and technology. The investment the executive team made in building a security program resulted in decreased business risk.
Endnotes
1 JASK was acquired by Sumo Logic in 2019 and is marketed as an autonomous security operations center (ASOC) with cloud-native and threat intelligence capabilities.
Katie Teitler
Is a senior product marketing manager for a leading cybersecurity vendor. She has been researching and publishing security content for more than a decade. Her past roles include cybersecurity analyst, content director, research director and event content executive. In addition, Teitler has published with leading industry associations and media outlets including ISACA®, Security Intelligence and Security Weekly. She is a coauthor of Zero Trust Security for Dummies.