"Security engineering is the process of incorporating security controls into the information system so that they become an integral part of the system's operational capabilities." -- ScienceDirect
An effective security organization requires a builder's mindset
The acceleration of digital transformation, cloud computing, and our API-driven world is driving major changes across the business and the way we approach and scale security. These changes, coupled with the lack of cybersecurity resources means that all organizations need to rethink the function and thought processes of each role on their security teams, from CISOs to practitioners.
Two roles within the security organization worth comparing are:
- Security Operations (also known as Security Analyst, SecOps, SOC Incident Response)
- Security Engineer (also known as Security Architect, Security Device Engineer, SIEM Engineer)
Depending on your company's security maturity level, the title of these roles and responsibilities can vary. However, we've found the following to be generally true:
- Security Analysts, often part of the security operations center (SOC) team, are the first responders and frontline security experts. They are the practitioners responsible for daily detection, investigation, and response to incidents through their vendor or custom-built security tools. Oftentimes it's their job to monitor, identify, and correct flaws in the company's security systems, solutions, and programs, as well as to recommend measures that can improve the company's overall security posture. These security analysts are often focused on identifying issues within a system, but not on building that system itself.
- Security Engineers (or security architects), on the other hand, are the builders. They're focused on designing the security architecture and engineering security systems that closely align with development, engineering, and operations teams to ensure continuity and speed of business growth. Most of their work is proactive: designing and building systems based on threat models and potential risks. They must not only develop security plans and standards but also enforce them.
Although the two different roles are both fundamental to any security program, what's interesting is the different mindsets each must have when tackling a security problem.
The Limitations of the Traditional Security Analyst and SOC
A compelling case can be made that a security program should be centered around security engineering ideals. Security engineering is built on the principles of visibility and ease of access. Security engineers are focused on the idea that the organization should build a holistic security ecosystem, not a system of siloed tools and technologies.
Traditionally, security analysts have been too fixated on maintaining and responding to day-to-day alerts and incident response fires. This reactive approach to security means that analysts don't understand the relationships between cyber assets within the entire ecosystem and are therefore unable to take a more strategic view of security.
Where security analysts see specific vulnerabilities and remediation tasks, a security engineer sees that issues can impact all parts of their organization's security ecosystem. Security engineers are the connectors that craft and create a close-knit fabric across the entire security program and organization, which encompasses all your cyber assets.
5 Factors for Building a Better Security Engineering Culture and Team
In order to create a highly functioning security program, organizations need to re-imagine the way they build their security organizations from the ground up. While you still need operational expertise to handle the day-to-day issues and tasks, you also need to cultivate and build engineers who can code and develop the glue that allows your entire technology stack to function.
The following factors need to be considered when defining your roles and culture within your security teams:
- Complementary skill sets: Both analysts and engineers are required in order to have a highly functioning security program. One is not better than the other, but instead they are culturally equal when it comes to building and operating a sustainable security model.
- Ability to design and build interoperating technology: You can't just hire security-certified operators and expect them to build and create security tooling and technologies. Security engineering requires a unique skill set closer to a pure developer than a security expert. The ideal security engineer has both backgrounds.
- Asset-understanding: When building a security engineering and analyst program, both teams require visibility into what exists in the system itself. The entire team must understand the what, who, where, when, and why of active operating issues as well as the underlying security technologies in use. Teams must automate discovery, analysis, and alerting on the cyber assets in their digital universe.
- Relationship-modeling: Security engineers need to build more than just cyber asset visibility technologies. They must also collect and analyze the relationships between these assets. This is the "how" and the "why" that security analysts require to do their job.
- Continuous and real-time data: Finally, security analysts will not be successful with a snapshot view of data. To make security truly actionable, security and operational data must be continuously updated. The way analysts handle security data requires that the security engineering team design and build technologies that never stop working.
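As an added illustration of the asset-understanding and relationship-modeling factors above (example code written for this article, not JupiterOne's platform or query language), the script below builds a small constructed asset graph and ranks findings by their context in that graph rather than in isolation: a finding on an internet-reachable asset with a path to sensitive data ranks above the same finding on an isolated batch host. Asset names, relationship types and the VULN-PLACEHOLDER ids are constructed.

```python
from collections import defaultdict, deque

# Constructed inventory: directed (source, relationship, target) triples.
RELATIONSHIPS = [
    ("internet", "REACHES", "lb-prod"),
    ("lb-prod", "ROUTES_TO", "web-01"),
    ("web-01", "CONNECTS_TO", "db-customers"),
    ("db-customers", "STORES", "pii-dataset"),
    ("jump-host", "CONNECTS_TO", "db-customers"),
    ("batch-01", "CONNECTS_TO", "db-reports"),
]

# Constructed findings: asset -> vulnerability ids (placeholders, not real CVEs).
FINDINGS = {
    "web-01": ["VULN-PLACEHOLDER-1"],
    "batch-01": ["VULN-PLACEHOLDER-2"],
    "jump-host": ["VULN-PLACEHOLDER-3"],
}


def build_graph(relationships):
    """Adjacency list: asset -> [(relationship, target), ...]."""
    graph = defaultdict(list)
    for src, rel, dst in relationships:
        graph[src].append((rel, dst))
    return graph


def reachable_from(graph, start):
    """All assets reachable by following relationships forward from `start`."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for _, nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def prioritize(graph, findings, sensitive="pii-dataset"):
    """Score each finding by context: +2 if internet-exposed, +1 if the asset
    has a relationship path to the sensitive data set. Highest score first."""
    exposed = reachable_from(graph, "internet")
    ranked = []
    for asset, vulns in findings.items():
        touches_sensitive = sensitive in reachable_from(graph, asset)
        score = 2 * (asset in exposed) + int(touches_sensitive)
        ranked.append((score, asset, vulns))
    return sorted(ranked, reverse=True)


if __name__ == "__main__":
    for score, asset, vulns in prioritize(build_graph(RELATIONSHIPS), FINDINGS):
        print(f"score={score} asset={asset} findings={vulns}")
```

The same three findings, viewed as a flat list, would look equally urgent; the graph is what tells the analyst which one to work first.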
The Vision: A Tool to Create a Holistic View for Your Entire Enterprise
As the industry moves into a new era of security management, that of a proactive view grounded in a security engineering mindset, we have been working with that future vision in mind. Until recently, the ideal of having a holistic view of the security of your entire system, not just its disparate parts, was deemed impractical if not impossible. We've taken the first step to actualize that vision with the JupiterOne platform.
Asset-understanding and visibility, dynamic relationship-modeling and mapping, and continuous, real-time data are the core of our platform. We invite your team to test it out. We believe that when it comes to security, it is a basic right for every company to have the ability to build safe, secure applications and systems. Our platform offers a free, lifetime license, with no credit card required, to support the ideal of a safer, more secure world.
We look forward to hearing from you and your team as we work together to create a better security engineering culture.
Sounil Yu, CISO, JupiterOne
Resources for this article
- JupiterOne Platform: free, no credit card required
- The IT Asset Revolution
- Modern Visibility for Cybersecurity and IT Asset Management