Tools and training: How Secret Service’s SOC answers its data challenges

One of the biggest challenges to running a security operations center (SOC) is the data. Either there’s too much for human analysts to parse, or there’s gaps in the data that create blindspots on the network. But Roy Luongo, chief information security officer for the U.S. Secret Service, said that’s where having the right tools can help, particularly artificial intelligence.

“One thing I would ask people not to do is be too afraid of AI. Embrace AI. We need to get to a place where AI can be a tool, and as any tool, it could be used for ill or good. … I think from cybersecurity, AI has the ability to pass through more data faster than a human can,” Luongo said on Federal Monthly Insights –Securing the Nation: A deep dive into federal security operations. “I envision a fully trained AI language model focusing on federal cybersecurity data. That’s what I want it to learn on. I want it to understand that. And then I want to be able to query it with native language queries versus having to know SQL or KQL or pick your query language.”

AI is especially useful when it comes to data normalization and minimization, Luongo said. It can handle the massive amounts of data that would overwhelm human analysts. And AI can reduce that data set in ways that make it more useful. It can filter out redundant data from dissociated sources, and help make indicators of compromise easier to spot.

The right tools for the workforce

But sometimes new tools can be a double-edged sword, Luongo said.

“If I bring in a new tool, I have to understand that the statement of work doesn’t say you must supply people that know X tool. I have to figure out how to integrate that. I have to provide that,” Luongo told the Federal Drive with Tom Temin. “I think a lot of times we forget that we’re bringing in the newest and greatest tool, but integration will have our productivity hit. And too many people forget that they want a turnkey solution, which is great, but that doesn’t mean all the employees — contractor or fed — are going to be as turnkey as that solution is going to be. So we have to understand that there is an integration period that incorporates the people in that skill set, not just the technology into our solution.”

While the CISO will ultimately determine what tools will get used in their SOC, Luongo said it’s important to listen to contractors, too. They’re hired as cybersecurity experts; it would be shortsighted not to take advantage of their expertise. They can be a huge resource in providing solutions outside of just filling an immediate cybersecurity need.

The right workforce for the SOC

Luongo said it’s also important to consider the certifications contractors have, even if they’re certified by the vendor itself. They’re an indicator of potential skill; whether or not they can apply them, that person at some point demonstrated knowledge, skills or abilities in that particular area.

“So when we look at certifications — and we do it both with our government employees as well as with our contracted vendors — what we’re really doing is buying down some risk. We’re saying, hey, if we start at this certification level, there’s a level of assurance that they know certain things, that I don’t have to train them, or not,” he said. “I think it’s really important to understand that that cert is just an indicator. And as part of good workforce development, I need to provide opportunities for people who may not need a cert today, but have a career path that may in the future have the opportunity to achieve that cert.”

He also said that the specific certification isn’t as important as the knowledge or skills it attests to. While some privilege levels require specific criteria, most of the time there’s no advantage in prioritizing a single certification when three or four may fit the bill.

And it’s important not to differentiate between federal employees or contractors, Luongo said, outside of the bounds of specific regulations around privileged information, of course. But generally, good privilege access management will take care of that; otherwise, it’s their role within the SOC that’s important.

“If I’m paying a SOC employee, I personally don’t want to be limited by the fact that that employee is a contractor or a federal employee,” Luongo said. “They’re doing a job. They need to have all the tools to do their job, and that includes elevated privileges. I have to provide trust in that person to do that.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.