Automate, reskill and optimize are the three steps to a better SOC

Few, if any, are left at the U.S. Citizenship and Immigration Services’ security operations center who just stare at screens looking for cyber anomalies.

Instead of using people, USCIS automated those basic functions in order to free up valuable people to work on more complex cybersecurity challenge.

Shane Barney, the chief Information Security Officer at USCIS at the Department of Homeland Security, said automation opens the door to other possibilities and that too will change what a security operations is or could be.

“If you are cloud heavy like USCIS is — we are 80%-90% cloud at this point — your SOC better reflect that. That means if your infrastructure is code, then your security is code too. Your SOC floor better have development teams on it. If you don’t, you’ve already lost the battle and probably the war,” Barney said at the recent AFCEA Bethesda breakfast, which was featured on Ask the CIO. “We’ve had several instances in cloud and every single time, it’s the development teams that rode the show on it. They helped us resolve it; they helped us fix it; they helped us determine it and they helped us develop mitigation solutions going forward.”

Barney said the CISO must know their agency’s data, assets and environment to move the security operations center into this century.

Federal News Network’s Jason Miller (seated left), Togi Andrews, FEMA’s CISO , and Shane Barney, USCIS’s CISO, kick off a panel on security operations optimization. (Photo courtesy AFCEA Bethesda).

Togi Andrews, the CISO at FEMA, said he has a similar strategy for his SOC with a focus on fusing people, process and technology.

“For FEMA, we’ve tried to automate most of our workflows to become more streamlined and effected,” he said on the panel. “To automate, you have to have the right data. We get a lot of data, but what data do we really need to have an effective automated process? That is what my team is doing, figuring what data is right for an automated process.”

Andrews said to understand what data is right starts by understanding the devices on the network in the first place and tagging them.

“We are integrating technologies that will help us orchestrate some of the workflows that our tier 1 and tier 2 analysts sitting in the SOCs and staring at screens,” he said. “If you can automate that piece also, then we can rely on the expertise of the people at the tier 2 or tier 3 level who sit at the end of the workflow to bring in the human factor in the analysis of an incident. At the end of the day what I really want out of my SOC and optimization strategy is to really reduce the time it takes to detect and respond to an incident in FEMA.”

Reskill, upskill cyber analysts

As for the people part of the equation, Andrews said he wants to reskill the current workforce to respond to more complex challenges as well as depend on contractors for support.

“As part of our retooling, we are ensuring our contractors and our federal staff are performing at a tier 3 level, which means we have folks who aren’t necessarily just looking at alerts, but really doing that in-depth analysis and doing that intelligence and threat analysis on the network rather than just monitoring basic alerts,” he said.

Barney said it’s not just the people who work in the SOC, but all the information security staff must upskill or reskill.

“USCIS is a heavy, heavy dev/ops shop. We have almost 3,500 to 4,000 developers now. We are moving at lightening speeds. If the people you a rely on to be your eyes and ears as a CISO are not up to speed on the latest cloud technologies or latest development pathways or pipelines, then you are blind,” Barney said. “We are changing that. We released a contract that does that. I know have cloud experts who are information system security officers. I’ll have a development pipeline ISSO. That means they have experience being a developer. They know what code looks like. They know what bad code looks like. They know what a security problem is in code. The same for cloud. The same for infrastructure. You have to diversity and the SOC is no different.”

Barney added he has almost 100 developers sitting on the SOC floor, which is new for security.

“Cloud is different. I say that all the time because people love to think about cloud as an extension of our on-premise. It’s so not. There are different languages, different access points, different ways of authentication, different access groups and controls, and then the vendors between the different cloud providers are all different,” he said. “We have AWS presence, a Google presence and an Azure presence and they are all different. You have an expert who sits in one aren’t necessarily going to be an expert in the other so having a subject matter expert built into your SOC are critical as well especially for incident and incident response.”

Barney and Andrews say they will follow DHS headquarters lead to ensure their individual SOCs and the agencywide cyber center are sharing data and optimized.

DHS-wide consolidation in process

DHS released a request for information in August on SOC staffing and support services. Former CIO John Zangardi said in September that they have spent a lot of time over the last two years reviewing their options to possibly consolidate down from 17.

“How do we consolidate what we have today and take an enterprise SOC view,” he said at the Billington Cybersecurity Summit. “We are looking at other alternatives to shrink our footprint.”

Barney said that means DHS has to understand which directorates have the best capabilities. For instance, USCIS is good at SOC automation so they likely will become a center of excellence for that capability.

“If optimization is occurring, you have to focus on risk,” he said.

The Office of Management and Budget recognized the risk of having too many SOCs or not having ones that are good enough in the 2018 governmentwide risk determination report. In that, OMB and DHS found only 27% of agencies reported they have the ability to detect and investigate attempts to access large volumes of data, and even fewer agencies report testing these capabilities annually.

The report recommends creating a security-operations center as-a-service for those agencies that need help.

Barney said one way to make all security operations center better is through machine learning. He said it makes the automation processes smarter and presents decision points for analysts.

“I don’t want just a bunch of raw data that doesn’t do me any good. I want the automation to make some decisions for us, and that’s what we’ve already started building,” he said. “If you aren’t doing that, then you aren’t automating.”