Avoiding 7 Frequent SecOps Mistakes
Learn the most common security operations (SecOps) traps and the best practices for avoiding them.
November 18, 2024
As we explained in "7 Preventable Mistakes Even Top Security Teams Make," even the most seasoned security operations (SecOps) teams have bad habits that increase organizational inefficiencies, burnout, and risk.
So why does SecOps keep falling into the same traps over and over?
Two Fallacies That Enable Bad Habits
We see two main root causes for these antipatterns: technology-centric thinking and silver bullet thinking.
Technology-Centric Thinking
In technology-centric thinking, people view all attacks and solutions only through a technology lens (i.e., "these are technology problems that require technical solutions"). This is not surprising given that the cybersecurity discipline grew out of technology teams, but this framing is counterproductive. It creates blind spots where security professionals miss (or undervalue) effective people and process solutions.
For example, many security professionals may view financial scams conducted over email, called business email compromise (BEC), as a solely technical email problem. While technical controls can help, you cannot effectively mitigate this risk without compelling and clear education to help employees recognize and prevent risks, and strong financial controls over these organizational processes.
Silver Bullet Thinking
In silver bullet thinking, people believe that there are (or must be) easy and effective solutions to security problems (e.g., "this one easy trick solves all your problems"). This expression comes from the myth that there is one single magical weapon — a silver bullet — that can kill a werewolf.
Silver bullet thinking is based on the natural human instinct to seek efficiencies and shortcuts that get a job done with less effort. While this is often a useful instinct, it goes wrong in security because of the creative and intelligent adversaries who get paid to find weaknesses in your shortcuts.
While most experienced security people would never believe a claim that any product "solves all your security problems," silver bullet thinking also shows up in other subtle ways, such as:
"This attack would have been stopped by <solution name>." These claims are almost always false because most attackers just try something else if a specific technique is blocked.
"This <proposed solution> won't perfectly solve every conceivable variation, so we won't do it." This often leads to making zero progress (while waiting for a perfect silver bullet solution).
Best Practices for Avoiding Preventable Mistakes
So how can you avoid or overcome bad habits that create risk? First, recognize that detecting and responding to attacks is an infinite game where the rules, players, and battlefield are constantly changing. This makes it critical to think strategically and continually adapt to changes.
Change Your Approach
The best practice to overcome these challenges is to take a top-down strategic approach focused on outcomes instead of a bottom-up approach centered on technology. Base your strategy on defining and measuring SecOps outcomes that align to your organization's mission and technology. Explicitly prioritize business critical assets and high-impact assets, like identity systems and IT admin accounts, that have access to most or all business-critical assets.
Focus on Dwell Time
Making attacker dwell time and mean time to remediate (MTTR) your primary success metric enables you to limit the amount of time that attackers can access your assets and explore your environment. Keeping this metric top of mind helps you focus on business risk reduction.
Even so, never use this as the sole criterion to judge SecOps performance, as it can be influenced by factors outside of SecOps' control, such as the number of attacks that occurred over the given time range.
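To make the dwell-time and MTTR metric concrete, here is an added example (not code from the article or from Microsoft) that computes both from incident records and reports them alongside the context the caveat above calls for: how many incidents were opened and closed in the window, how many remain open, and the median and 90th-percentile dwell time, so that one long-dwell incident or a spike in attack volume does not silently skew a single average. The `Incident` fields, the nearest-rank percentile, and the sample records are all constructed assumptions; real SIEM or XDR exports will use their own field names.

```python
"""Compute attacker dwell time and mean time to remediate (MTTR) from incident records.

Added illustration for the dwell-time section; the record layout and sample data
are constructed here and are not from any product or from the article.
"""
import math
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import Optional


@dataclass
class Incident:
    incident_id: str
    first_compromise: datetime        # earliest attacker activity found during investigation
    detected: datetime                # when SecOps first triaged the incident
    remediated: Optional[datetime]    # None while the incident is still open


def dwell_hours(inc: Incident) -> Optional[float]:
    """Attacker dwell time in hours: first evidence of compromise until remediation."""
    if inc.remediated is None:
        return None
    return (inc.remediated - inc.first_compromise).total_seconds() / 3600


def remediation_hours(inc: Incident) -> Optional[float]:
    """Time to remediate in hours: detection until remediation (input to MTTR)."""
    if inc.remediated is None:
        return None
    return (inc.remediated - inc.detected).total_seconds() / 3600


def percentile_nearest_rank(values: list, pct: float) -> Optional[float]:
    """Nearest-rank percentile (assumed convention); None for an empty list."""
    if not values:
        return None
    ordered = sorted(values)
    idx = math.ceil(pct * len(ordered)) - 1
    return ordered[max(idx, 0)]


def summarize(incidents: list, window_start: datetime, window_end: datetime) -> dict:
    """Dwell time and MTTR for incidents closed in the window, with volume context."""
    closed = [i for i in incidents
              if i.remediated is not None and window_start <= i.remediated < window_end]
    dwell = [dwell_hours(i) for i in closed]
    ttr = [remediation_hours(i) for i in closed]
    return {
        # Volume context: a spike in attacks can move the averages without SecOps changing.
        "incidents_in_window": sum(1 for i in incidents if window_start <= i.detected < window_end),
        "closed_in_window": len(closed),
        "still_open": sum(1 for i in incidents if i.remediated is None),
        # Distribution of dwell time, not just the mean.
        "mean_dwell_hours": mean(dwell) if dwell else None,
        "median_dwell_hours": median(dwell) if dwell else None,
        "p90_dwell_hours": percentile_nearest_rank(dwell, 0.9),
        "mttr_hours": mean(ttr) if ttr else None,
    }


# Constructed sample incidents (not real data).
SAMPLE_INCIDENTS = [
    Incident("INC-001", datetime(2024, 11, 1, 8), datetime(2024, 11, 1, 10), datetime(2024, 11, 1, 14)),
    Incident("INC-002", datetime(2024, 10, 28, 9), datetime(2024, 11, 3, 9), datetime(2024, 11, 4, 9)),
    Incident("INC-003", datetime(2024, 11, 5, 12), datetime(2024, 11, 5, 12, 30), datetime(2024, 11, 5, 13, 30)),
    Incident("INC-004", datetime(2024, 11, 6, 0), datetime(2024, 11, 6, 1), None),  # still open
]
WINDOW_START = datetime(2024, 11, 1)
WINDOW_END = datetime(2024, 12, 1)

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_INCIDENTS, WINDOW_START, WINDOW_END).items():
        print(f"{key}: {value}")
```

In the sample, one incident with a week of dwell time pulls the mean to 58.5 hours while the median stays at 6 hours; reporting both, together with the open-incident count, is what keeps the metric honest when attack volume or a single outlier changes.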
Align SecOps
Once you understand your goals and outcomes, you can align security operations through:
Organizational functions and teams including use cases and scenarios.
Business and technical processes that support those functions.
SecOps architecture, tooling, and technology integrations that enable those processes.
Skill education and enablement to execute processes effectively, including systems thinking and breadth of general technical skills.
Automation and data strategy to increase efficiency, consistency, and effectiveness.
Use an Asset-Centric Zero-Trust Approach
Throughout this process of strategy and execution, SecOps must look beyond the traditional network security perimeter. Attackers reliably get inside the perimeter, and many business assets now reside outside the traditional perimeter, such as on mobile devices, cloud services, and more.
Using an asset-centric zero-trust approach, such as the one defined by The Open Group Zero Trust Reference Model, helps you detect and respond to attacks wherever they happen.
[Figure: asset-centric zero-trust approach. Source: Microsoft]
SecOps must detect and gain insights into attacks using the right tool for the job and recognize that network data alone is not enough. This often requires acquiring new tools, such as extended detection and response (XDR), and ensuring security analysts have the skills to use them across identity authentication flows, endpoint attacks and defenses, applications, and data.
For more information on security antipatterns and SecOps best practices, see Microsoft's Security Adoption Framework (SAF) resources, or watch our presentation on security antipatterns from the 2024 RSA Conference.
By Jon Shectman, Principal Program Manager, Microsoft; and Mark Simos, Lead Cybersecurity Architect, Microsoft
About the Authors:
Jon Shectman is a principal program manager at Microsoft, who leads detection and response strategy for the Customer Success Unit. Special areas of interest include early detection, SIEM+XDR operations, SOC modernization, reducing analyst fatigue with AI/ML, and retiring technical debt. His guiding principle is: As defenders, we must apply moral ingenuity against amoral ingenuity.
Mark Simos is lead cybersecurity architect for Microsoft, where he develops cybersecurity reference architectures, best practices, reference strategies, prescriptive road maps, CISO workshops, and other guidance. Mark also chairs the Security Forum and co-chairs the Zero Trust Architecture (ZTA) working group at The Open Group.
Mark is co-author of the Zero Trust Playbook and co-host of the Azure Security Podcast. Mark actively contributes to open standards and publications including the Zero Trust Reference Model, Zero Trust Commandments, Security Principles for Architecture, and NIST publications.