Why SecDataOps Is the Future of Your Security Program

In a tale seemingly as old as time, security teams have been continuously under siege. Be it novel attack paths, lethal adversaries, new technologies such as public cloud, containerization, Kubernetes, and serverless computing, or stringent regulatory requirements, teams have faced quite the burden. To help shoulder the load, the industry has established frameworks and pushed out amazing tech, from SIEMs to CNAPPs and XDRs to CASBs. These processes and technologies have helped to keep attackers at bay and people protected, but have created a new problem of far too much data.

To face off against this data-driven world, CISOs and security teams will need to embrace the data and look outside of traditional security personas to adopt a new model of working: security data operations, or simply (and catchier) SecDataOps.

SecDataOps is a term used to describe the process of integrating data into the entire security life cycle, whether for risk management, incident response, or cyber-threat intelligence production. Quantitative data about your environment, assets, business domain, and adversaries must be used. This also means security teams have to adopt strong data analysis, engineering, and science processes, from data collection and storage to dissemination and archiving. The goal of SecDataOps is to ensure that data is always finely curated and accessible, and that security decisions are made with high-fidelity data.

Joint Task Force

SecDataOps need not be a formalized reporting structure all at once but can instead be a joint task force and an additional horizontal responsibility in a security program. Occasionally, SecDataOps may bleed into enterprise architecture, enterprise IT, and other teams as needed. Instead of forcing all your security engineers to become data engineers, consider first bringing in big data consultants and other experts to help take account of how data moves in the organization, where it's stored, how much it costs, all the way down to schemas and formats.

Once the governance and management of raw data available to a team, directly from security tools or from environments (e.g., cloud APIs, configuration management databases, existing data lakes), is complete, metrics need to be defined. Service-level agreements (SLAs) are typically formalized agreements, but they are a great way to hold your burgeoning SecDataOps practices to high quality standards.

Strong SLAs define the purpose of setting the SLA (the why), the promise and specific metric (the what and how), and any specific requirements (the when), if applicable. Creating these SLAs from the start, aligned both to the overall SecDataOps program and to specific datasets, data feeds, or projects, will be important to achieve cohesion and long-term SecDataOps success.

Only once a strong baseline is set can specialized projects or process overhauls be carried out. This same contextual approach can be applied to cloud security posture management remediation, or as enrichment for real-time investigatory requirements, such as pulling ownership and asset data into a security alert investigation.
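As an added example that is not part of the article, here is what the alert-enrichment case above and the SLA structure from the previous section might look like in practice: alerts are joined against a CMDB-style asset inventory, and the join itself is measured against a coverage SLA (the why, the what and how, the when). The asset ids, team names, rule names, and the 95 percent coverage and 30-day freshness thresholds are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the article): a CMDB-style asset
# inventory keyed by instance id, and alerts that reference those ids.
ASSETS = {
    "i-0aaa": {"owner": "payments-team", "env": "prod", "last_seen": "2024-05-01T10:00:00Z"},
    "i-0bbb": {"owner": "data-platform", "env": "dev", "last_seen": "2024-03-01T09:00:00Z"},
}
ALERTS = [
    {"id": "alert-1", "asset_id": "i-0aaa", "rule": "ssh-bruteforce"},
    {"id": "alert-2", "asset_id": "i-0bbb", "rule": "crypto-miner-beacon"},
    {"id": "alert-3", "asset_id": "i-0ccc", "rule": "privilege-escalation"},
]
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)  # fixed "now" so the example is reproducible

# The SLA written out the way the article suggests: the why, the what/how, the when.
SLA = {
    "why": "investigators must know who owns an asset before they can route an alert",
    "metric": "share of alerts enriched with a fresh asset record",
    "target_coverage": 0.95,              # the what/how (placeholder threshold)
    "max_record_age": timedelta(days=30),  # the when (placeholder freshness bound)
}

def _parse_ts(ts):
    # fromisoformat() accepts a trailing "Z" only on newer Pythons, so normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def enrich_alert(alert, assets, now, max_age):
    """Attach owner/env from the asset inventory and grade the record's quality."""
    out = dict(alert)
    asset = assets.get(alert["asset_id"])
    if asset is None:
        out["enrichment"] = "missing"  # inventory has no record of this asset at all
        return out
    out["owner"], out["env"] = asset["owner"], asset["env"]
    age = now - _parse_ts(asset["last_seen"])
    out["enrichment"] = "stale" if age > max_age else "ok"  # record exists but may be too old
    return out

def sla_report(enriched, target_coverage):
    """Measure the SLA metric and list the data gaps behind any shortfall."""
    ok = sum(1 for a in enriched if a["enrichment"] == "ok")
    coverage = ok / len(enriched) if enriched else 0.0
    gaps = [(a["id"], a["enrichment"]) for a in enriched if a["enrichment"] != "ok"]
    return {"coverage": round(coverage, 3), "meets_sla": coverage >= target_coverage, "gaps": gaps}

def run_example():
    enriched = [enrich_alert(a, ASSETS, NOW, SLA["max_record_age"]) for a in ALERTS]
    return enriched, sla_report(enriched, SLA["target_coverage"])
```

The `gaps` list is the actionable output: a stale record points at an inventory feed that needs a tighter refresh, while a missing record points at an asset that is generating alerts without ever having been onboarded.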

The choice of who leads a SecDataOps team is an important one and may need to change as the team matures. While it exists as an additional responsibility or joint task force, it may make sense to have the CISO run the function regardless of their level of hands-on technical acumen; this holds the cross-functional team together.

The results of SecDataOps will have a strong business emphasis, as the goal is to rapidly detect, pinpoint, and address various risks.

Harnessing data and building generative adversarial networks and massive business-intelligence dashboards to quantify cyber-risk is the exciting part of SecDataOps. But large parts of the work will be formative, and the outcome for protecting the business is still the primary goal. Do not fear bringing in outside talent to build out the data piece of the equation. Having a team that is ready to cross-train and learn from one another will be vastly more successful than throwing security engineers to the data wolves.

This security data problem is not going away. Starting off is simply an information-gathering operation: meet with your teams, understand how they harness data and what data they wish they had, and start from there. Do not get lost dreaming of what cool machine-learning algorithms you can deploy when sometimes the best outcome is well-governed data. SecDataOps is the way we win this data war and defeat our adversaries.
