This multi-part article is focused on selecting the right skills for your SA&O project. In part one, we identified eight skills that you’ll need to be successful. They are:
- Strategy Development and Delivery
- IT and Business Process Engineering
- Systems Integration
- Operations Experience
- Risk Management
- Data Engineering
- Python coding; and
- Project Management.
We covered the first four skills in part one of this article. If you missed part one, you can read it here.
Business Risk Appreciation – Risk Management
We are in the business of delivering security services and solutions that protect people, places, and businesses. It’s logical, then, that applying a business risk mindset when building a security solution can help in many ways.
It helps you develop metrics that demonstrate the value of your security team and the effectiveness of the solutions that your team asks other business stakeholders to invest in. It also ensures that you are accounting for regulatory compliance and industry standards when handling sensitive data. Finally, it helps prioritize which security orchestration and automation workflows provide the greatest value to the business. Yes, it might be nice to get an automated severe weather alert message, but surely it is more important to process an alert, from say a honeypot solution, to automatically hunt across your infrastructure for other related signs of infiltration.
Data Engineer – Data Engineering
Bad data in, bad data out. Yes, I know you probably know the more popular phrasing of that saying but it is true. If you can’t trust the data, why would you use it? Here is the great thing about security orchestration and automation, it enables you to automatically validate if the data is trustworthy!
There are two factors that affect your ability to validate data automatically: data formats and data capacity. Do you really want to do a total image capture of a remote workstation across your wide area network? What format is the data ingested? XML, STIX, JSON, EBCDIC? How are the fields mapped? In Phantom, we use CEF (Common Event Format) as a foundation that can be extended with extra fields, but you need to normalize all data from your various data sources. Unfortunately, the one thing we are not really good at in the IT industry is standardization.
To be successful, you need to ensure that all data sources are mapped to a common set of dictionary keys. For example, do you use sourceDest or srcDest for an IP address?
The data engineer role takes this work on and gives the security team a consistent foundation of data fields, capacity, and capability.
The Pythonista – Python Coding
Pythonista—Another Paul term I’m afraid. This is the skill set I use to describe a level of proficiency with the Python language.
I’m not looking for a developer, but more of someone that could take a Python file and extend it, or use it as the foundation for another app or playbook.
Yes, you can build a playbook in Phantom without touching Python code. Eventually, however, you’re likely to need (or want) to touch the code.
Pythonistas need to write product-grade Python. What is product grade Python, you might ask? It is code that adheres to programming best practices. Checking inputs to ensure that they are valid, catching exceptions, sound programming logic, good error and debug messages. This is code I can trust to run in production, and if it and when it crashes, provides the right information to quickly identify the source of the problem. This also includes documenting the code.
A Pythonista also needs to be disciplined in:
- Not writing on a production system
- Using a good testing methodology
The Coordinator – Project Management
On the surface, a Security Orchestration and Automation project is a simple rollout. Just stand up the platform, add a few assets, draw out a playbook, et voila, done.
In reality, there is more to it. The breakdown of work for building a playbook might look like this:
- Use case definition
- Security operations validation
- Asset integration (yes, you need user ids, passwords, network access and API keys)
- Playbook definition
- Security Operations training
- Process Improvement
- Playbook reuse opportunity identification
An important thing to appreciate is that a successful SA&O project is going to take time, involve multiple people, and require a high degree of coordination.
This is why it’s important to apply some level of project management—just to keep track of everything. It doesn’t have to be extremely detailed, but some level of project management will help immensely.
A Call To Action
Hopefully you have not been dissuaded from starting getting started with an SA&O project. I challenge you to view a project like this as a growth opportunity. I firmly believe that security warriors of tomorrow will need all of the skills I’ve outlined.
Embrace the challenge and start applying your and other’s skills to launch a successful security automation and orchestration program.
About the author:
Paul Davis is the Vice President of Delivery for Phantom. Paul has held the role of CISO for several high-profile companies, managing their security teams and building out Security Operations Centers. You can connect with Paul via LinkedIn.