Sometimes things progress slowly, and then suddenly, they move fast. Such has been the case with the evolution of our Security Operation Centre (SOC) during the global pandemic.
All financial services companies have a higher threat profile than many other industries. We are often targeted by insiders, activists, and financially motivated actors, and our prime threats include data theft, fraud, espionage, and splash damage by nation-state attacks on others. For years, threat actors have been getting more sophisticated, and nowadays most threats are automated; actors will set up an instance of a server in the cloud and the code will do the attacking.
To combat these infrastructure-based attacks, we need to develop our automation and orchestration capabilities. Practically, this means our SOC, the team responsible for cybersecurity strategy and defence, has expanded its remit from traditional threat intelligence, incident response, cyber analytics, and forensic investigation to include a greater focus on software engineering, data science, math and statistics. We need to fight algorithms with algorithms.
We had been on this journey for a few years, but it was a gradual change, mainly because the culture of traditional information security differs so radically from that of modern software development. Information security people tend to be very focused on one thing: keeping the bad guys out. We are deliberate, thorough, task and outcome-oriented, and risk-averse. We concentrate on what works; new ideas need a firm business rationale to secure resources.
Data science-driven software development not only moves fast, it changes all the time. Perfection is not the goal, because fixes and patches are continuously deployed. Code is always being improved, tweaked, and adapted to respond to changing conditions. Experiments can be quickly delivered and tested, and if they do not work, you move on to the next one. These two mindsets do not necessarily gel well together; the security folks thought of the agile methodologies used by the computer science teams as kind of a tech hippie philosophy. The engineers thought of the security people as rigid and behind the times.
The pandemic changed everything, compressing a process that might have taken years into effectively one business quarter. We faced new security challenges of shifting our workforce to working from home and the corresponding different ways employees and partners were working with data, rapidly digitising all of our customer services, catering for our business and technology partners’ own changes and speeding up our transition to the cloud. All this meant our SOC needed to plan and react in record time. In order to keep our operational effectiveness at maximum capacity to serve our customers in this highly stressful period, we needed to shift some of the emphasis from preventive controls to detection and response.
This meant we needed to speed up our internal cycle for assessing and developing detection methodologies and our multi-layer defence strategy. Some of our controls were based on baselining behaviours that had completely changed or no longer even existed. We were getting too many alerts, or none at all. Wide scale working from home meant we had to rethink our conception of the perimeter. The new primacy of digital customer channels meant we needed to shift some controls closer to identities and the cloud environment. All these require applying the continuous improvement and continuous delivery approach not just to software development, but to our SOC’s entire way of working. This approach in turn requires the adoption of an agile culture that can quickly adapt to ever-changing technologies and operating models.
As has happened with so many other companies, this was all going on at the same time our own team, used to working together closely in secured office settings with 24/7 capabilities, also had to adjust to working remotely. We decided that if everything was changing so quickly anyway, we should just run with it. I got an agile expert and we adopted the philosophy of the agile sprint cycle, including experimentation and failing fast. We increased our use of agile practices like stand-ups (which helped connect everyone working from home) and time-boxing set amounts of work in sprints. It was a total culture change that might have gotten more resistance if we had tried to enforce it in our usual office setting. But given the need we had to shorten our development cycles and react faster, everyone jumped on board.
Our new SOC culture mirrors the constant evolution of our business’ cybersecurity needs. The threat landscape is not going to de-escalate anytime soon. Threat actors are at the bleeding edge of technological sophistication; we need to be able to keep up to defend against them. Political and economic tensions in our region and around the world are increasing, and nation-states are going to continue to develop cyber capabilities. There is an increase in demand for good risk management practice, and more regulatory pressure to demonstrate operational resilience.
In practical terms, when discussing this matter, the narrative is about continuous investment as opposed to the discrete transformation programs of yesteryear. If we continue to develop our cyber resilience, we will not need significant new funding to maintain our capabilities to combat threat actors. But if we stop, the short-term cost saving will expose us to significant risks that could end up costing us far more in the long run.
To keep up with increasingly sophisticated threat actors, many organisations are on the journey of becoming more data science and software engineering focused. However, the agile culture of experimentation and continuous improvement used in modern software development is often at odds with traditional information security’s laser focus on preventing and responding to threats. With the rapid changes in digitisation and distributed working brought about by the pandemic, we have found that agile ways of working help teams adapt quickly and continuously to changing conditions and coordinate more closely with developers who play an increasing role in cyber defence. Businesses must continue to invest in these capabilities in order to thrive in an ever-changing world.
© 2020 FS-ISAC, Inc. All rights reserved.
Fabio is a technology, risk and security executive with over 23 years of international experience working for private companies and large multinationals, in a variety of management, technical and advisory roles. Currently...Read More
Fabio is the Executive Manager and Group Head of the Cyber Threat Detection and Response at IAG, accountable for the detection and response of cyber threats, as well as cyber defence strategy, engineering and analytics initiatives. Prior to this role, Fabio was the Chief Security Officer at HP Australia for the Commonwealth Bank of Australia account, and has also held senior roles at Westpac Banking Corporation, UBS Group and Banca Intesa Sanpaolo in Australia and in Italy. He is a member of the Australian Institute of Company Directors and a mentor for the Business Information Technology Student Association at the UNSW Australian School of Business, where he mentors young talents with an interest in cybersecurity. He is part of the Financial Sharing and Analysis Center (FS-ISAC) APJ Strategic Committee and an Advisor to the BSides Sydney hacking conference. Fabio holds a Master of Management in Information Technology from Charles Sturt University, Australia and several security and technical certifications, including CISSP, SABSA and CRISC.