Here is a reflection on the similarities between making music, say in a rock band, and a cybersecurity operations orchestration team responding to an incident.
Although it’s been some time since I played on stage, I still jam with friends, and yes, you can grab any instrument and play chord progressions or well-known songs even if you’ve never played before as a band. But nothing compares to a competent band playing well-rehearsed songs on instruments and equipment they know well.
In the same way you can have your security operations team run around responding to an incident, using whatever tools you have at your disposal. It's a better and more satisfying performance if everyone has proper tools and knows what they are doing and understands their part in the process. Here are some tips for making that happen!
First, everyone should play in tune.
Tools should be properly set up and configured before the incident. In the same way you don’t start tuning your guitar after the song has begun, it’s a recipe for disaster if security solutions need configuring or fine-tuning during an incident.
Whether you are collecting information, enriching the ingested telemetry with threat intelligence, triaging or taking containment and response actions, know your tools.
Also, you need the minimum set of instruments to achieve the sound you want. Throwing more technology (and people) at the problem has a positive effect initially, but you hit the asymptotic wall of diminishing returns quickly. Just because you have something lying around doesn’t mean it will contribute to the sound.
Knowing your tools intimately is the key to effective security operations orchestration. Tools shouldn’t surprise you in the middle of something cr ..