Agile Security Operations


Engineering for agility in cyber defense, detection, and response

About the author

Hinne Hettema is a practitioner in cybersecurity operations, focusing especially on enabling security capabilities through detection engineering, security monitoring, threat intelligence, incident response, operational technology, and malware research. He works in New Zealand in security operations and the establishment of cybersecurity defensive capabilities in various organizations. He is an adjunct senior fellow at the University of Queensland, researching cybersecurity operations, the security of operational technology, and the philosophy of cybersecurity. He studied theoretical chemistry and philosophy.

Who this book is for

The intended audience for this book is security leadership, especially people managing security operation centers, security engineers, and security analysts. CISO, CDO, and CIO-level decision-makers will also benefit from this book. Some intermediate-level knowledge of incident response, cybersecurity, and threat intelligence is necessary to get started with the book.

What this book covers

Chapter 1, How Security Operations Are Changing, discusses how the landscape of security operations is changing and the pressures that are forcing that change. I focus on why security is hard and why the traditional measures in use in IT are failing when it comes to security.

Chapter 2, Incident Response – A Key Capability in Security Operations, focuses on the aim and purpose of incident response, and the reasons why incident response is the key security capability.

Chapter 3, Engineering for Incident Response, discusses the engineering aspects of incident response, from the viewpoint that incident response is a continuing operational activity that defines agile security operations. We will primarily build on the incident response loop to develop an agile framework for security operations and discuss some of the engineering aspects. This will be the final chapter that builds the framework for agile security operations, and the focus will be both on the agile security operations process and how tooling needs change as a result of that process.

Chapter 4, Key Concepts in Cyber Defense, discusses some key concepts of resilience that need to be understood for the rest of the book. This chapter introduces the concepts that make up the culture and ethos of agile security: chaos, constraints, defensibility, strategy, and tactics. It focuses on how to apply them correctly and points to more detailed resources that are readily available on the internet. This chapter uses the earlier concept of the Cynefin framework to delve deeper into these concepts and how they shape thinking during incident response.

Chapter 5, Defensible Architecture, focuses on the development of defensible architecture. The main idea of defensible architecture is that incident response in an environment is considered during the design stage, so that the architecture maximizes the options available to defenders.

Chapter 6, Active Defense, takes the lessons from the previous chapter to heart and integrates them into a credible defense, taking us from response activities to tactics to strategy. This chapter focuses on the tactic of active defense and how it is implemented. Active defense is the practice of intelligence-driven breach detection, containment, and purposed engineering that is capable of dealing with persistent and advanced attackers.

Chapter 7, How Secure Are You? – Measuring Security Posture, tackles the difficult problem of measuring security posture and especially measuring and communicating the value that security operations bring to the organization. Traditionally, these discussions have focused on the reduction of risk, rather than driving business value. This chapter focuses on how practitioners should have these discussions in the context of business value and strategy.

Chapter 8, Red, Blue, and Purple Teaming, covers how active defense applies the principles of blue teaming. A purple team adds a certain amount of adversity to a blue team. Purple teaming aims to give a direct answer to the question, Are we vulnerable?, in ways that can be directly communicated to the business. This chapter outlines how organizations can get the most out of threat hunting and purple teaming.

Chapter 9, Running and Operating Security Services, explains how security operations done well revolve around six different security services. This chapter expands security operations to the complete set of services that need to be run in the context of a security program with incident response at its core. Defining precise services in the context of a business environment is very important: it allows service strategies to be developed for these services, and allows these services to be monitored and evaluated, just like any other IT service. Many organizations struggle with cybersecurity precisely because they do not quite understand what the essential cybersecurity services are and the value they deliver to the business.

Chapter 10, Implementing Agile Threat Intelligence, explains that threat intelligence requires a significant amount of organizational readiness. A credible threat intelligence program consists of a number of activities that are best performed in the context of agile security operations, such as curation, threat hunting and tasking, and adversary simulation.