'SIEMs and SOCs can be very dangerous' - N Brown's Mike Koss on effective cybersecurity

SOCs can be effective but only if introduced properly

In a previous article Mike Koss, head of IT security & risk at e-retailer N Brown, spoke about the ways in which attitudes to data security have changed since the 1990s, and how the C-suite has failed to keep up with the new threats and with the thinking of those who mount them.

See: Most CISOs just don't understand the hacker mentality says security chief

One of the big changes coming down the line is the arrival of AI. Malware is code, and it may soon be possible for attackers to train automated coders that write better malware than their human counterparts: code that learns from its environment and adapts its behaviour to stay out of sight. Defenders, though, can equally use AI to watch for and act on anomalies, so it is going to be bots versus bots.

"In that short space of time, in 20 years you've gone from password cracking to machine learning and training AI. And industrialisation of the hacking process as well," Koss commented. Little wonder people find it hard to keep up.

At N Brown he has implemented Darktrace, a defensive solution that uses machine learning (ML) to recognise what 'normal' looks like.

"The beauty of machine learning is that it will learn your dataset over time, and the more volume it has the better it teaches itself, so long as the models are good. So it's a drop-in, a plug'n'play."

Increasingly, such tools will intervene rather than simply report. Like any tool, though, ML-based defence is only as effective as the way it is deployed, and in particular as the data it can see.

"So if you drop in a Darktrace appliance and you're only monitoring incoming and outgoing internet pipe you're blind across the rest of the organisation. Darktrace is only as good as the data you give it."

Although active ML defence could help ease the skills gap it will be some time before autonomous systems are trusted to keep the network safe, he said. In the meantime a range of skills will be necessary.

"Until we get to a point where we have consistent success with these things people are going to be very nervous about turning them onto block mode unsupervised."

It's the guys with the passion

The education system turns out too many practitioners with narrow skillsets, because specialisation is where the money is. Like tools that monitor only part of the estate, though, too much specialisation leaves gaps in coverage, and gaps in defences are exactly what attackers look for.

More important for an effective team are generalists with enthusiasm, an engineering mindset and a can-do attitude, Koss explained.

"If you don't train them to be a generalist across all domains, to be able to write malware, to be able to analyse malware, to be able to look at a network package and figure out why that connection's coming from that location, you'll leave gaps," Koss said, explaining what he looks for when filling a security role.

"It's the guys with the passion. They're the ones you need for the truly effective cybersecurity team. If your security guys are going home at 5pm on the dot then you're screwed."

Koss expanded on his theme: "Having a passion doesn't mean you have to be a hacker. Having a passion means that there's some guy that spends all night writing rules for Snort, which is an IDS tool. I want that guy. I want the kid who says 'I've done a lot of C programming, I debug a lot of code, I've created XYZ'."

Good candidates needn't always be hugely technical, he added.

"I'm looking for somebody who's got that passion, even if it's just somebody who says 'before this interview I Googled what the top 25 IT security talks are and I watched those, and actually I found this and this interesting and I'd like to develop my knowledge in this'."

Of NOCs and SOCs

As well as your generalists with a passion for learning and your more specialised analysts you need a good leader. These are also hard to find, and they don't come cheap. And you need some sort of structure. Koss is enthusiastic about Security Operations Centres (SOCs), provided the data is good, and it's something he'd like to explore at N Brown.

"Oh God, that's literally what I've been trying to do since I got there," he said when asked about the topic. Like specialist security solutions, though, there is a danger that they will create a false sense of confidence.

"A SIEM [security information and event management system] and a SOC is again only as good as the log sources. And a lot of organisations don't know what the data is, where it's coming from, how much they've got and what they actually need to put in to get any results out.

"SIEMs and SOCs can be very dangerous. You can get so much noise that your analysts and your team ignore alerts because they're getting 5,000 tickets a day around failed password logins or port 22 access from an unknown source. So you've got to tune the crap out of it, which yet again comes down to the quality of your team."
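To make the tuning point concrete, here is an added example, written for this edit rather than taken from the article, from Koss or from N Brown. It takes constructed OpenSSH "Failed password" log lines, shows the untuned rule that raises one ticket per failure, and then a tuned rule that aggregates per source address, fires only on a burst or on a multi-username spray, and suppresses an allowlisted internal host. The log format is OpenSSH's standard failed-password line; the hostnames, addresses, usernames, window and thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches OpenSSH's "Failed password" auth-log line (syslog-style timestamp, no year).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def _line(ts, user, ip, invalid=False):
    """Render one constructed sshd log line in the format LINE_RE expects."""
    who = f"invalid user {user}" if invalid else user
    return (f"{ts.strftime('%b %d %H:%M:%S')} bastion sshd[2101]: "
            f"Failed password for {who} from {ip} port 51112 ssh2")


def build_sample_log(year=2018):
    """Constructed sample traffic (not real logs): four sources, four behaviours."""
    base = datetime(year, 1, 12, 9, 0, 0)
    lines = []
    # 1) brute force: 30 attempts at admin/root in three minutes from one address
    for i in range(30):
        lines.append(_line(base + timedelta(seconds=6 * i),
                           "admin" if i % 2 == 0 else "root",
                           "203.0.113.7", invalid=(i % 2 == 0)))
    # 2) misconfigured service account on an internal monitoring host, once a minute
    for i in range(20):
        lines.append(_line(base + timedelta(minutes=i), "nagios", "10.0.0.5"))
    # 3) a real user mistyping their password twice
    for i in range(2):
        lines.append(_line(base + timedelta(minutes=30, seconds=20 * i), "jdoe", "198.51.100.23"))
    # 4) low-and-slow password spray: eight usernames, one try each, 30 minutes apart
    for i in range(8):
        lines.append(_line(base + timedelta(minutes=30 * i), f"user{i}", "192.0.2.9", invalid=True))
    return "\n".join(lines)


def parse_failed_logins(text, year=2018):
    """Return (timestamp, source_ip, username) for every failed-password line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd messages are not failed logins; skip them
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def naive_alerts(events):
    """The untuned rule: one ticket per failed login. This is the thousands-of-tickets problem."""
    return [f"Failed password for {user} from {ip}" for _, ip, user in events]


def tuned_alerts(events, window=timedelta(minutes=10), burst_threshold=10,
                 spray_threshold=5, allowlist=frozenset()):
    """Aggregate per source address and fire only on attacker-like behaviour.

    burst: at least burst_threshold failures from one address inside any `window`.
    spray: at least spray_threshold distinct usernames from one address, regardless of
           timing, so a low-and-slow attacker cannot simply stay under the burst threshold.
    allowlist: known-noisy internal hosts, suppressed only after someone has checked them.
    Window and thresholds are illustrative values, not recommendations.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        if ip not in allowlist:
            by_ip[ip].append((ts, user))

    alerts = []
    for ip, attempts in sorted(by_ip.items()):
        attempts.sort()
        reason = None
        start = 0
        for end in range(len(attempts)):          # sliding window over sorted timestamps
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 >= burst_threshold:
                reason = "burst"
                break
        users = {user for _, user in attempts}
        if reason is None and len(users) >= spray_threshold:
            reason = "spray"
        if reason:
            alerts.append({"ip": ip, "reason": reason, "attempts": len(attempts),
                           "distinct_users": len(users),
                           "first": attempts[0][0], "last": attempts[-1][0]})
    return alerts


if __name__ == "__main__":
    events = parse_failed_logins(build_sample_log())
    print(f"untuned: {len(naive_alerts(events))} tickets")
    for a in tuned_alerts(events, allowlist=frozenset({"10.0.0.5"})):
        print(f"tuned:   {a['ip']} {a['reason']} ({a['attempts']} attempts, "
              f"{a['distinct_users']} users, {a['first']:%H:%M}-{a['last']:%H:%M})")
```

Run as a script, the 60 untuned tickets collapse to two alerts: a burst from 203.0.113.7 and a spray from 192.0.2.9. The spray rule is the part worth noting: tuning by raising a threshold alone would silence the slow source along with the noise, which is the failure mode Koss describes from the other direction. The allowlist entry for the monitoring host is deliberately an explicit argument rather than a default, because a service account failing once a minute is itself a misconfiguration someone should have looked at before it was suppressed.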

Instead of trying to do this in-house, Koss recommends that most firms look outside of the organisation for SOC expertise.

"So I think my advice to most organisations would be: don't do it yourself, outsource it and find a company that is a security company, don't just go to a network team, don't go to the NOC guy and ask for a SOC as they are two very different things."

Mike Koss is a keynote speaker at Computing Enterprise Security & Risk Management Live 2018. With business utterly dependent on IT, it's not enough for senior executives to dismiss security as ‘techie stuff'. At this event you'll hear from the National Crime Agency, ex-hackers and big-business CISOs to learn about how they are tackling cyber security. For more information, check out the dedicated event website. Attendance is FREE to IT leaders and senior IT pros.