Applying Lean Methodology for Cyber Security Management*
Over the years, manufacturing industries have adopted TQM (Total Quality Management) systems such as Lean and Six Sigma with a great deal of success. In recent times these systems have been implemented in service industries with varying degrees of success. Lean, or the Toyota Way as it has come to be known, has its roots in the Toyota Production System (TPS), which can be adopted for cyber security operations by applying the same principles.
The Toyota Way’s 4P model is based on Philosophy, Process, People & Partners, and Problem Solving. Security practitioners are already familiar with the people, process and product triad, which is similar to the 4P principle. Let us see how these 4P principles can be applied to information security operations.
Philosophy
Principle 1 - Long-term philosophy: Articulate and evangelize a mission and policy statement for cyber security to ensure that executive and operational staff are aware of their fiduciary duties towards the company’s customers and employees. Develop KPIs to measure security performance based on parameters such as operational resilience achieved, return on security investments, people’s awareness, and compliance level achieved.
Investments in security should be strategic in nature, considering the ever-changing threat landscape, existing and emerging actors, and the effectiveness of existing defensive measures. Security is never a point-in-time solution. It needs a strategic, risk-based thought process rather than quick fixes. Security should have a mission statement: to keep customer and employee data safe, protect the organization’s intellectual property while transacting business, ensure that privacy is maintained, and ensure compliance.
Process
Principle 2 - Create continuous process flow to bring problems to the surface. Do this through a two-fold approach:
1) Integrate the SIEM and vulnerability scanning tool with the service desk tool to generate actionable tickets based on severity.
2) Ensure that the monitoring team within the SOC works closely with the IT operations team so that configuration, patches, and false alarms are managed effectively. This requires constant and ongoing communication between security operations and IT operations.
Infosec practitioners can perform value stream mapping by identifying repetitive operational processes such as:
• Running vulnerability scans, evaluating each finding based on the risk it poses, remediating through patching, pushing secure configuration settings, loading predefined images and hardening, and reflecting on the results.
• Tuning false positives thrown by intrusion prevention, advanced malware and breach detection systems to ensure that SOC (security operations center) operators and analysts are not overwhelmed with alerts that add no value.
Principle 3: Use a “pull” system so as not to overwhelm staff, by prioritizing tickets based on their severity level. Similarly, triage can be performed by network modelling and event enrichment in the SIEM tool for assets that might be the target of an attack, and directing effort to respond to them.
Principle 4: Level out the workload. In the infosec world, 80% of vulnerabilities can be fixed with 20% of the effort. These quick wins and low-hanging fruit help to level out the workload (heijunka) and not stress scarce security resources.
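The ticket flow described in Principles 2 to 4 can be made concrete with a small script. The following is an added example, not code from the original article; it assumes that scanner findings and SIEM alerts have already been exported as records with `source`, `asset`, `issue`, `severity` and `fix` fields (the sample records below are constructed for the example, and no real scanner, SIEM or service desk API is used). It builds one deduplicated ticket per asset and issue, escalating the ticket when a later record reports a worse severity, serves the tickets through a severity-ordered pull queue, and ranks remediations by how many open tickets each one closes to surface the quick wins.

```python
import heapq
from collections import Counter
from dataclasses import dataclass, field

# Lower rank means more urgent; the heap pops the most urgent ticket first.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample records standing in for scanner and SIEM exports.
# "fix" is the remediation (patch, config push, policy change) that closes the issue.
SAMPLE_RECORDS = [
    {"source": "scanner", "asset": "web-01", "issue": "outdated-openssl", "severity": "high", "fix": "patch-openssl"},
    {"source": "scanner", "asset": "web-02", "issue": "outdated-openssl", "severity": "high", "fix": "patch-openssl"},
    {"source": "scanner", "asset": "db-01", "issue": "outdated-openssl", "severity": "medium", "fix": "patch-openssl"},
    {"source": "scanner", "asset": "web-01", "issue": "weak-tls-config", "severity": "medium", "fix": "push-tls-baseline"},
    {"source": "scanner", "asset": "web-02", "issue": "weak-tls-config", "severity": "medium", "fix": "push-tls-baseline"},
    # SIEM enrichment: activity observed against an already-known weakness on web-01.
    {"source": "siem", "asset": "web-01", "issue": "outdated-openssl", "severity": "critical", "fix": "patch-openssl"},
    {"source": "scanner", "asset": "app-03", "issue": "default-creds", "severity": "critical", "fix": "rotate-default-creds"},
    {"source": "scanner", "asset": "app-03", "issue": "verbose-banner", "severity": "low", "fix": "harden-banner"},
    # Rescan reports the same db-01 finding again; it must fold into the existing ticket.
    {"source": "scanner", "asset": "db-01", "issue": "outdated-openssl", "severity": "medium", "fix": "patch-openssl"},
    {"source": "siem", "asset": "fileserver-01", "issue": "brute-force-auth", "severity": "high", "fix": "tune-lockout-policy"},
]


@dataclass(order=True)
class Ticket:
    rank: int
    key: str                     # "<asset>|<issue>", also the deduplication key
    severity: str = field(compare=False)
    asset: str = field(compare=False)
    issue: str = field(compare=False)
    fix: str = field(compare=False)
    sources: list = field(default_factory=list, compare=False)
    hits: int = field(default=0, compare=False)   # raw records folded into this ticket


def build_tickets(records, min_severity="medium"):
    """Principle 2: merge scanner findings and SIEM alerts into one ticket per
    (asset, issue). Records below min_severity are dropped so the service desk
    only sees actionable work; repeats are folded in; a ticket keeps the worst
    severity reported for it."""
    threshold = SEVERITY_RANK[min_severity]
    tickets = {}
    for rec in records:
        sev = rec["severity"].lower()
        rank = SEVERITY_RANK[sev]
        if rank > threshold:
            continue
        key = f"{rec['asset']}|{rec['issue']}"
        t = tickets.get(key)
        if t is None:
            t = Ticket(rank, key, sev, rec["asset"], rec["issue"], rec["fix"])
            tickets[key] = t
        t.hits += 1
        if rec["source"] not in t.sources:
            t.sources.append(rec["source"])
        if rank < t.rank:                 # a later record reported something worse
            t.rank, t.severity = rank, sev
    return list(tickets.values())


class PullQueue:
    """Principle 3: an analyst pulls the single most severe open ticket instead
    of having the whole backlog pushed at them."""

    def __init__(self, tickets):
        self._heap = list(tickets)
        heapq.heapify(self._heap)

    def pull(self):
        return heapq.heappop(self._heap) if self._heap else None

    def __len__(self):
        return len(self._heap)


def quick_wins(tickets, target=0.8):
    """Principle 4: rank remediations by the number of open tickets each closes
    and return the shortest list of fixes covering at least `target` of them,
    plus the fraction actually covered."""
    if not tickets:
        return [], 0.0
    by_fix = Counter(t.fix for t in tickets)
    needed, covered, chosen = target * len(tickets), 0, []
    for fix, n in by_fix.most_common():
        chosen.append(fix)
        covered += n
        if covered >= needed:
            break
    return chosen, covered / len(tickets)


if __name__ == "__main__":
    open_tickets = build_tickets(SAMPLE_RECORDS)
    queue = PullQueue(open_tickets)
    while (t := queue.pull()) is not None:
        print(f"{t.severity:8} {t.key:32} hits={t.hits} sources={t.sources}")
    print("quick wins:", quick_wins(open_tickets))
```

Running the script prints the seven open tickets in pull order (the two critical ones first) and shows that three of the four remediations clear six of the seven tickets, which is the 80/20 effect the text describes. The `min_severity` threshold is the knob that keeps low-value alerts from reaching the desk, and the escalation branch in `build_tickets` is where SIEM enrichment raises the priority of a scanner finding.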
Principle 5: Build a culture of stopping to fix problems, to get quality right the first time. During red team exercises, create attack scenarios and identify the devices that will generate logs, alerts and notifications. Stop to fine-tune the IPS, anti-malware, advanced threat detection system or correlation rules within the SIEM to ensure that only impactful alerts and notifications are generated. This can go a long way in continual improvement (kaizen).
Principle 6: Use standardized tasks. SOC tasks need to be standardized through appropriate operating manuals, minimum security baselines, etc., based on the applications, operating systems and database systems in use. Use standards and frameworks like ISO 27001, CI Security and COBIT. Standardized tasks are the foundation for continuous improvement and employee empowerment.
Principle 7: Use visual controls so that no problems are hidden. Video walls with appropriate dashboards and alerts identify events of interest and any action that needs to be taken. Whiteboards can similarly be used for brainstorming during incident investigation.
Dashboards with pie charts, bar charts, histograms, trend graphs and scatter diagrams on these video walls give a visual view of events of interest, vulnerabilities and incidents. A 5S methodology for security operations could consist of Standardize, Scan, Sort, Straighten and Sustain.
Principle 8: Use only reliable, thoroughly tested technology that serves your people and processes. Before adopting any security solution, understand the skill level, the organization’s culture and how the solution integrates into current security processes. Decisions on implementing new and emerging technologies versus mature and stable ones need to be thoroughly analyzed.
People & Partners
Principle 9: Grow leaders who thoroughly understand the work, live the philosophy and teach it to others.
Principle 10: Develop exceptional people and teams who follow your company’s philosophy. Staff working in security operations should understand the critical functions and services they are entrusted to protect, and articulate the mission and vision of cyber security. Leaders should be groomed from exceptional staff within the infosec team. These leaders should propagate the concept of managing risks and protecting customer data and privacy. Train staff on a regular basis to keep their motivation level high.
Principle 11: Respect your extended network of partners and suppliers by challenging them and helping them improve. In cyber security, managed security service providers, partners, suppliers and vendors play an important role with timely patches and advisories. This ecosystem needs to be developed and enhanced through constant communication, interaction, updates and bug-fix assistance from the vendors.
Problem Solving
Principle 12: Go and see for yourself to thoroughly understand the situation. CISOs, infosec managers and executives need to visit, or teleconference with, the SOC (Security Operations Center) at outsourced or geographically dispersed locations on a regular basis to review incidents and overall operational performance.
[Figure: 5S cycle for security operations. Scan the network regularly, analyze information and events; Sort high-impact vulnerabilities; Straighten and fix technology or processes; Standardize on a schedule and methodology to manage risks; Sustain it by third-party reviews and audits. Centre of the cycle: optimize effort and time to reduce and eliminate frivolous alerts.]
Principle 13: Make decisions slowly by consensus, thoroughly considering all options, and implement decisions rapidly. Cyber strategy requires long-term planning by onboarding all business stakeholders, considering the regulatory environment, changing business priorities, threat scenarios, and global and regional political scenarios. Get the concurrence of all stakeholders on identified risks, and evaluate current technology and processes thoroughly with consensus before implementing solutions.
Principle 14: Become a learning organization through relentless reflection and continuous improvement (kaizen). In the ever-changing cyber security field it is incumbent on practitioners to keep learning lessons from past incidents, improve their defenses and further bolster security. W. Edwards Deming’s Plan-Do-Check-Act (PDCA) cycle, which infosec professionals are familiar with, reiterates this principle.
Lean management principles can thus be applied to service industries like information security operations to achieve greater cyber resilience and bolster security.
*Reference: The Toyota Way - 14 Management Principles, by Jeffrey Liker
(The views expressed herein are the author’s personal views and do not reflect the views of his employers, their principals, affiliates or clients.)
