Remote SecOps

The current threat landscape has pushed us as a society to a place WAY outside our comfort zone. I’m not talking just about the cyber security threat landscape. It’s March 2020 and everyone knows what is going on outside our digital bubble. Organizations have been forced into work arrangements many managers don’t feel comfortable with and it thrust workers into an unknown by working from home and having to keep their house in check while doing their job. For those of you in this new work from home setup and are concerned about noise in the background while on calls or video conference, trust me, those of who have been home desk jockeys for years are way over that sort of thing!  Most of us know our colleague’s dog’s name and can recognize the bark coming through the matrix.

This new normal, however temporary it may be, poses an interesting discussion for security operation teams. Historically, SOC personnel are considered essential and required to be onsite to do their job.  After all, cyber security is critically important to the business and their clients which makes it a top priority during budget decisions and hiring, right? 😉  Seriously though, protecting SOC personnel and their families during a global crisis is what security and risk management leaders do and concessions must be made to protect staff while still serving, and getting paid!

Now, imagine a security team working from their home, anywhere in the world around the clock and without the comforts of a windowless room littered with 50″ monitors no one looks at except during executive tours. What is this heresy I speak of? It’s 2020 and it is what all the cool kids are doing. Listen, the 1970 government intelligence agency idea of a SOC is over in most regards, and thankful it is because NSA corrupted my soul with lack of sunlight and exposure to operation centers kept at 50 degrees on 12 hour shifts. If you looked behind the curtains of some MSSP and MDR vendors, their threat hunters and many of their SOC personnel are working remote around the planet and in attire you would prefer to not see them in. Think about it, we have more availability of high bandwidth to urban and rural areas, multi-factor authentication methods, SaaS based tools, the cloud. Technology and infrastructure improvements have facilitated the ability to migrate to a new SecOps model, one that encourages and enables more remote operations. This is not a bad thing for numerous reasons, such as:

• Great perk for some staff
• Attracting more SecOps candidates to fill vacancies
• Reduced leased work space
• Allows for targeting security talent in lower cost of living areas
• Enhance BCP/DR when correctly architected
• Provides opportunity for around the clock SecOps coverage without the need for shift work

Obviously there will still be a need for SecOps personnel to be onsite occasionally for internal meetings with business unit peers, incident response engagements (let’s hope less occasionally) and the company holiday party. There are also those individuals who just prefer to be in the office versus working at home, for whatever reason. I’ve found it best not to ask why and just avoid the awkward silence after they explain their reasons. Have 1:1 discussions with your SOC personnel and see what their preference is for work arrangements. If you find yourself in a position where talent is hard to find or very expensive in your region, remote SecOps is a viable solution to solve your problem.

Collaboration. You will need to ensure it is strong and highly available if you go the remote SecOps route. Organizations tend to leverage a tool like Slack, MatterMost, Discord (handy for simultaneous WoW raids and SecOps chat) and sometimes Microsoft Teams. Many threat detection and response and SOAR tools on the market offer out of the box integration with these collaboration tools to enhance user experience. This makes complete sense if you think about the demographics and tendencies of SecOps analysts. A large portion of the Level 1-3 SecOps workforce are Millennials with some younger Xennials (never heard of this) and older Gen Z mixed in. They are all known for their heavy use of technology. Maybe the problem isn’t so much a talent shortage but rather us not presenting the opportunities in way that meets expectations and standards of 2020.

Finally, as a SecOps leader you can still maintain control even if your little patch of ground hogs are not popping up randomly in their cubicle farm. Gartner has published research notes on how to maintain control of a remote work force to help guide leaders on this journey. These require a Gartner subscription with correct entitlements:

• How to Cultivate Effective ‘Remote Work’ Programs
• Out of Sight, Out of Mind? Managing the Remote Worker
• Toolkit: Remote Work Policies
• Selecting the Right SOC Model for Your Organization