I served in the US Army – specifically, in the Military Intelligence branch. When I share that fact with new acquaintances, some are impressed, some remind me that “Military Intelligence” is an oxymoron, but most believe that the work must have been very exciting – especially during the Cold War.
My response is always: “The work was exciting – at times.” However, the truth is the majority of intelligence work is incredibly boring. Analysts spend hours or days poring over data, looking for vital pieces of information. Some days, there is no vital information; some days, there is no data to analyze.
However, the mission of Military Intelligence is critical to battlefield commanders: Military Intelligence helps commanders make critical decisions with the best information available. In other words, Military Intelligence helps provide situational awareness of the battlefield.
Now that I work in information security, the question and the response are no different. Dealing with new attack vectors, vulnerabilities and threat sources can be exciting – at times. But mostly, the wide field of information security is tasked with the incredibly boring work of analyzing mountains of data to keep our IT environments safe.
And that safety has far-reaching implications in protecting our customer data and critical information, enabling critical business processes, and ensuring our employees and business partners can conduct business without fear.
In many organisations, much of the data analysis work falls to a group called Security Operations. The problem, however, is that this group is often – maybe because of the name – seen in the same light as Network Operations.
Don’t both groups monitor the availability of the organisation’s network and systems? Network Operations performs its mission using data from routers and switches; Security Operations monitors using firewalls, intrusion detection systems, and other security devices.
I believe Security Operations should be built more in the mold of Military Intelligence.
Done right, Security Operations is tasked with collecting data on user activity, attacks, compliance information, and application, system, and network activity.
The team then analyzes this information for vital intelligence and passes that intelligence to the other business teams that need it – whether that is the application owner, system admin, incident response teams, Legal department, or business leaders. In other words, Security Operations must provide the organisation a critical level of situational awareness of its IT environment.
How can we hope to protect our IT environments if we have no idea what is occurring, on what systems, when, and by whom? This situational awareness helps us make critical decisions with the best information available.
Getting to this level of situational awareness requires a shift in perspective, the right support, and, of course, funding. It can only be delivered by hiring, training, and retaining skilled security professionals who know what to look for in the data. It can only be maintained and standardised by having a mature, repeatable set of processes and procedures.
And this level of situational awareness can only be achieved by having a powerful Security Information and Event Management (SIEM) tool to do the bulk of the heavy lifting in collecting and sorting the data. These elements of people, process, and technology form the supporting pillars of Security Operations and the eventual data hub for the relevant security intelligence.
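To make the collect, analyze and route cycle above concrete, here is an added example (not code from the original post, and not any particular SIEM product's logic) of the kind of heavy lifting a SIEM does on the team's behalf: it normalizes events from two different sources into one schema that answers what happened, on which system, when, and by whom; applies a correlation rule over that schema; and hands each finding to the team that owns the affected system. The log lines, host names, IP addresses, the asset inventory in `OWNERS`, and the rule threshold are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input (not real logs): two sources a SIEM would ingest,
# a Linux auth log and a firewall log, each in its own native format.
AUTH_LOG = """\
2024-03-04T09:00:01Z host=web01 sshd: Failed password for alice from 203.0.113.7
2024-03-04T09:00:03Z host=web01 sshd: Failed password for alice from 203.0.113.7
2024-03-04T09:00:05Z host=web01 sshd: Failed password for alice from 203.0.113.7
2024-03-04T09:00:06Z host=web01 sshd: Failed password for alice from 203.0.113.7
2024-03-04T09:00:09Z host=web01 sshd: Accepted password for alice from 203.0.113.7
2024-03-04T10:15:00Z host=db01 sshd: Accepted publickey for bob from 10.0.0.5
"""
FW_LOG = """\
2024-03-04T09:00:00Z fw01 DENY src=203.0.113.7 dst=10.0.0.10 dport=3389
2024-03-04T09:00:09Z fw01 ALLOW src=203.0.113.7 dst=10.0.0.10 dport=22
"""

# Hypothetical asset inventory: which team owns which system.
OWNERS = {"web01": "web-team", "db01": "dba-team"}

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) sshd: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)$"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<result>ALLOW|DENY) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(auth_text, fw_text):
    """Collect: turn raw lines from both sources into one time-ordered event
    list with a common schema (what, on which host, when, by whom / from where)."""
    events = []
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m["ts"]), "source": "auth", "host": m["host"],
                           "user": m["user"], "src": m["src"],
                           "action": "login_ok" if m["result"] == "Accepted" else "login_fail"})
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m["ts"]), "source": "fw", "host": m["host"],
                           "user": None, "src": m["src"], "dst": m["dst"],
                           "dport": int(m["dport"]),
                           "action": "fw_allow" if m["result"] == "ALLOW" else "fw_deny"})
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Analyze: >= threshold failed logins for one (host, user, src) inside
    `window`, followed by a successful login from that src, is flagged as a
    likely brute-force success. The finding is enriched with how many times the
    firewall denied the same src in the window. A success with no preceding
    failures (bob on db01) is ordinary activity and is not flagged."""
    failures = {}   # (host, user, src) -> timestamps of recent failures
    fw_denies = {}  # src -> timestamps of firewall denies
    findings = []
    for e in events:
        if e["source"] == "fw":
            if e["action"] == "fw_deny":
                fw_denies.setdefault(e["src"], []).append(e["ts"])
            continue
        key = (e["host"], e["user"], e["src"])
        recent = [t for t in failures.get(key, []) if e["ts"] - t <= window]
        if e["action"] == "login_fail":
            failures[key] = recent + [e["ts"]]
        else:  # login_ok
            if len(recent) >= threshold:
                denies = [t for t in fw_denies.get(e["src"], []) if e["ts"] - t <= window]
                findings.append({"rule": "brute_force_success", "host": e["host"],
                                 "user": e["user"], "src": e["src"], "ts": e["ts"],
                                 "failures": len(recent), "prior_fw_denies": len(denies)})
            failures.pop(key, None)
    return findings


def route(findings, owners):
    """Pass on: group findings by the team that owns the affected system,
    falling back to incident response when the inventory has no owner."""
    routed = {}
    for f in findings:
        routed.setdefault(owners.get(f["host"], "incident-response"), []).append(f)
    return routed


if __name__ == "__main__":
    for team, items in route(correlate(normalize(AUTH_LOG, FW_LOG)), OWNERS).items():
        for f in items:
            print(f"{team}: {f['rule']} on {f['host']} as {f['user']} from {f['src']} "
                  f"at {f['ts']:%H:%M:%S} ({f['failures']} failures, "
                  f"{f['prior_fw_denies']} firewall denies)")
```

The point is not the rule itself, which is deliberately simple, but the shape of the pipeline: without the normalization step the two sources cannot be compared, without the correlation step the team sees only raw availability-style counts, and without the routing step the intelligence never reaches the application owner or incident responders who can act on it.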
If you find yourself in an organisation that has a Security Operations group that is just collecting basic availability information, perhaps you have been caught in the same trap. Consider the importance of military intelligence to the military and ask yourself whether your organisation could benefit from the same level of situational awareness. And maybe when you put together that business case, you should call the group Security Intelligence instead.