Applying Lean for information security operations centre
Applying Lean Methodology for Cyber Security Management*
Over the years, manufacturing industries have adopted quality and continuous-improvement systems such as Total Quality Management (TQM), Lean and Six Sigma with a great deal of success. More recently these systems have been implemented in service industries with varying degrees of success. Lean, or the Toyota Way as it has come to be known, has its roots in the Toyota Production System (TPS), and the same principles can be adapted to cyber security operations.
The Toyota Way's 4P model is built on Philosophy, Process, People & Partners, and Problem Solving. Security practitioners are already familiar with the people, process and products (technology) triad, which maps closely onto the 4P model. Let us see how the 4P principles can be applied to information security operations.
Philosophy
Principle 1: Long-term philosophy. Articulate and evangelize a mission and policy statement for cyber security so that executives and operational staff are aware of their fiduciary duties towards the company's customers and employees. Develop KPIs to measure security performance on parameters such as operational resilience achieved, return on security investment, staff awareness and the level of compliance achieved.
Investments in security should be strategic, taking into account the ever-changing threat landscape, existing and emerging actors, and the effectiveness of existing defensive measures. Security is never a point-in-time solution; it needs a strategic, risk-based thought process rather than quick fixes. Security should have a mission statement: keep customer and employee data safe, protect the organization's intellectual property while transacting business, maintain privacy and ensure compliance.
Process
Principle 2: Create continuous process flow to bring problems to the surface. This is a two-fold approach:
1) Integrate the SIEM and vulnerability scanning tool with the service desk tool to generate actionable tickets based on severity (and on the criticality of the affected asset, so that a finding on an internet-facing production system is not queued behind the same finding on a test VM).
2) Ensure the monitoring team within the SOC works closely with the IT operations team so that configuration, patches and false alarms are managed effectively. This requires constant, ongoing communication between security operations and IT operations.
Infosec practitioners can perform value stream mapping by identifying repetitive operational processes such as:
1) Running vulnerability scans, evaluating each finding's value based on the risk it poses, remediating through patching, pushing secure configuration settings, loading predefined images, hardening, and reflecting on the results.
2) Tuning false positives thrown by intrusion prevention, advanced malware and breach detection systems so that SOC (security operations center) operators and analysts are not overwhelmed by alerts that add no value.
Principle 3: Use a "pull" system so as not to overwhelm staff. Prioritize tickets by severity level and let analysts pull the next most important item rather than having work pushed onto them. Similarly, triage can be performed through network modelling and event enrichment in the SIEM tool, identifying the assets most likely to be targeted and directing response effort to them.
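The integration described under Principles 2 and 3, worked through as an added example (not the article's own code): findings from a scanner and a SIEM are enriched with asset context from a network model, scored, de-duplicated into service-desk tickets, and placed in a queue that analysts pull from in priority order. The asset inventory, the findings, the priority formula and the lane thresholds are all constructed assumptions for illustration.

```python
"""Enrich scanner/SIEM findings with asset context, prioritise them, and turn them into
de-duplicated service-desk tickets that analysts pull from in priority order.
Added example for this article, not the author's code. The asset inventory, the
findings, the priority formula and the lane thresholds are constructed assumptions."""
import heapq
from itertools import count

# Constructed asset model: the "network modelling" context the SIEM enrichment step adds.
ASSETS = {
    "10.0.1.10": {"name": "db-prod-01", "criticality": 5, "exposure": "internal", "owner": "dba-team"},
    "10.0.2.20": {"name": "web-prod-01", "criticality": 4, "exposure": "internet", "owner": "web-ops"},
    "10.0.9.99": {"name": "test-vm-07", "criticality": 1, "exposure": "internal", "owner": "qa-team"},
}
# A host missing from the inventory is itself a finding: assume medium criticality and flag it.
UNKNOWN_ASSET = {"name": "unknown", "criticality": 3, "exposure": "internal", "owner": "asset-mgmt"}
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed raw findings as a scanner and a SIEM would emit them (one is a duplicate).
FINDINGS = [
    {"source": "scanner", "host": "10.0.2.20", "severity": "high", "id": "SCAN-1001", "title": "Outdated TLS library"},
    {"source": "scanner", "host": "10.0.1.10", "severity": "critical", "id": "SCAN-1002", "title": "Unpatched DB engine"},
    {"source": "siem", "host": "10.0.9.99", "severity": "critical", "id": "SIEM-2001", "title": "Malware signature hit"},
    {"source": "scanner", "host": "10.0.2.20", "severity": "high", "id": "SCAN-1001", "title": "Outdated TLS library"},
    {"source": "siem", "host": "10.0.1.10", "severity": "medium", "id": "SIEM-2002", "title": "Repeated failed logins"},
    {"source": "scanner", "host": "10.0.0.5", "severity": "low", "id": "SCAN-1003", "title": "Banner disclosure"},
]

def enrich(finding):
    """Attach asset context and compute a priority score (assumed formula:
    severity x asset criticality, doubled for internet-exposed assets)."""
    asset = ASSETS.get(finding["host"], UNKNOWN_ASSET)
    score = SEVERITY[finding["severity"]] * asset["criticality"]
    if asset["exposure"] == "internet":
        score *= 2
    return {**finding, "asset": asset["name"], "owner": asset["owner"],
            "inventory_gap": finding["host"] not in ASSETS, "priority": score}

def lane_for(priority):
    """Assumed lanes: page the on-call now, plan for the next change window, or backlog."""
    if priority >= 16:
        return "immediate"
    if priority >= 6:
        return "next-change-window"
    return "backlog"

def build_tickets(findings):
    """De-duplicate on (host, finding id), enrich, and return tickets sorted by priority."""
    seen = {}
    for f in findings:
        key = (f["host"], f["id"])
        if key not in seen:              # the scanner re-reported SCAN-1001; keep one ticket
            seen[key] = enrich(f)
    tickets = []
    for t in seen.values():
        t["lane"] = lane_for(t["priority"])
        t["action"] = f"{t['owner']}: {t['title']} on {t['asset']} ({t['host']})"
        tickets.append(t)
    tickets.sort(key=lambda t: (-t["priority"], t["id"]))
    return tickets

class PullQueue:
    """Analysts pull the highest-priority open ticket; nothing is pushed onto them."""
    def __init__(self, tickets):
        self._heap = []
        self._seq = count()              # tie-breaker keeps heap ordering stable
        for t in tickets:
            heapq.heappush(self._heap, (-t["priority"], next(self._seq), t))
    def __len__(self):
        return len(self._heap)
    def pull(self):
        return heapq.heappop(self._heap)[2]

if __name__ == "__main__":
    queue = PullQueue(build_tickets(FINDINGS))
    while queue:
        t = queue.pull()
        print(f"[{t['lane']:>18}] P{t['priority']:<3} {t['action']}")
```

With these inputs the "high" finding on the internet-facing web server outranks the "critical" one on the internal database, and the critical malware hit on a throwaway test VM lands in the backlog; the ordering comes from the asset model, not from the scanner's severity alone. The de-duplication key is (host, finding id); a real integration would also close the ticket automatically when the next scan no longer reports the finding.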
Principle 4: Level out the workload (heijunka). In the infosec world, roughly 80% of vulnerabilities can be fixed with 20% of the effort, because a handful of patches and configuration changes typically close the bulk of the findings. These quick wins and low-hanging fruit help level out the workload and avoid stressing scarce security resources.
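The 80/20 observation above can be made concrete by grouping findings by the fix that closes them and then spreading the chosen fixes evenly over change windows. This is an added example for this article, not the author's code; the findings and the weekly capacity are constructed.

```python
"""Pareto ("80/20") selection of fixes and levelled (heijunka) scheduling of the patch work.
Added example for this article, not the author's code; the findings are constructed."""
from collections import Counter

# Constructed scan output: how many hosts each single fix would close a finding on.
FIX_COUNTS = {"kernel-update": 9, "openssl-update": 5, "java-runtime-update": 2,
              "tls-cipher-config": 1, "sshd-config": 1, "nginx-update": 1, "php-update": 1}
FINDINGS = []
for fix, n in FIX_COUNTS.items():
    for _ in range(n):
        FINDINGS.append({"host": f"host-{len(FINDINGS):02d}", "fix": fix})

def pareto_fixes(findings, target=0.8):
    """Return the fewest fixes (most findings first) whose findings reach `target` coverage,
    plus the coverage actually achieved."""
    counts = Counter(f["fix"] for f in findings)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    chosen, covered = [], 0
    for fix, n in ranked:
        if covered >= target * len(findings):
            break
        chosen.append((fix, n))
        covered += n
    return chosen, covered / len(findings)

def level_schedule(findings, chosen, capacity):
    """Spread the selected work over periods of at most `capacity` host changes each,
    keeping the highest-yield fix first so early periods deliver the most risk reduction."""
    order = {fix: i for i, (fix, _) in enumerate(chosen)}
    work = sorted((f for f in findings if f["fix"] in order), key=lambda f: order[f["fix"]])
    return [work[i:i + capacity] for i in range(0, len(work), capacity)]

if __name__ == "__main__":
    chosen, coverage = pareto_fixes(FINDINGS)
    print(f"{len(chosen)} of {len(FIX_COUNTS)} fixes cover {coverage:.0%} of findings: {chosen}")
    for week, items in enumerate(level_schedule(FINDINGS, chosen, capacity=6), start=1):
        print(f"week {week}: {len(items)} changes", dict(Counter(i["fix"] for i in items)))
```

Here three of seven fixes close 16 of 20 findings, and a capacity of six changes per week turns that into a 6/6/4 schedule instead of a single sixteen-host change. Note that the count of findings a fix closes is not the same as the risk it removes; in practice the ranking key would combine count with severity or with the asset scores from the ticketing step.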
Principle 5: Build a culture of stopping to fix problems, to get quality right the first time. During red team exercises, create attack scenarios and identify the devices that will generate logs, alerts and notifications. Record which attack step each rule fired on and which went unnoticed: a step with no alert is a detection gap, a step that floods the console is a tuning task. Stop to fine-tune the IPS, anti-malware, advanced threat detection system or correlation rules within the SIEM so that only impactful alerts and notifications are generated. This goes a long way towards continual improvement (kaizen).
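What "stopping to fine-tune a correlation rule" looks like in code, as an added example that is not part of the original article: a brute-force rule over SSH authentication logs, first as written (any burst of failures pages the SOC) and then as tuned after a red-team run (the authorised vulnerability scanner is allowlisted, and only a burst followed by a successful login from the same source pages; bare bursts go to a low-severity bucket). The log lines, the scanner address and the thresholds are constructed assumptions.

```python
"""A brute-force correlation rule before and after tuning against red-team and scanner traffic.
Added example for this article, not the author's code. The log lines, the allowlisted
scanner address and the thresholds are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+")

def _line(sec, result, user, src):
    return (f"Mar 10 09:00:{sec:02d} web-prod-01 sshd[1001]: {result} password for {user} "
            f"from {src} port 4{sec:04d} ssh2")

# Constructed syslog excerpt: the vulnerability scanner (10.0.3.3), the red team (10.0.5.5),
# an unknown source that never gets in (10.0.8.8) and a user who mistyped twice (10.0.7.7).
LOG_LINES = (
    [_line(s, "Failed", "invalid user admin", "10.0.3.3") for s in range(1, 7)]
    + [_line(s, "Failed", "deploy", "10.0.5.5") for s in range(10, 16)]
    + [_line(20, "Accepted", "deploy", "10.0.5.5")]
    + [_line(s, "Failed", "invalid user root", "10.0.8.8") for s in range(30, 36)]
    + [_line(40, "Failed", "alice", "10.0.7.7"), _line(41, "Failed", "alice", "10.0.7.7"),
       _line(45, "Accepted", "alice", "10.0.7.7"),
       "Mar 10 09:00:50 web-prod-01 sshd[1001]: Connection closed by 10.0.7.7 port 40050"]
)

def parse(lines):
    """Keep only password-auth events; syslog omits the year, so one is assumed."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"2024 {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]})
    return events

def _failure_bursts(events, threshold, window):
    """Sources with >= threshold failures inside `window`; returns {src: time of last failure}."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            fails[e["src"]].append(e["ts"])
    bursts = {}
    for src, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts[src] = times[i + threshold - 1]
                break
    return bursts

def rule_untuned(events, threshold=5, window=timedelta(seconds=60)):
    """First cut of the rule: any failure burst pages the SOC."""
    return sorted(_failure_bursts(events, threshold, window))

def rule_tuned(events, allowlist, threshold=5, window=timedelta(seconds=60)):
    """After the red-team exercise: drop the authorised scanner, and page only when the
    burst is followed by a successful login from the same source within the window;
    bare bursts go to a low-severity dashboard bucket instead of the pager."""
    bursts = _failure_bursts(events, threshold, window)
    alerts = {"high": [], "low": []}
    for src, last_fail in sorted(bursts.items()):
        if src in allowlist:
            continue
        got_in = any(e["src"] == src and e["result"] == "Accepted"
                     and last_fail <= e["ts"] <= last_fail + window for e in events)
        alerts["high" if got_in else "low"].append(src)
    return alerts

if __name__ == "__main__":
    evs = parse(LOG_LINES)
    print("untuned:", rule_untuned(evs))
    print("tuned:  ", rule_tuned(evs, allowlist={"10.0.3.3"}))
```

The untuned rule pages three times, one of them for the organisation's own scanner; the tuned rule pages once, for the red-team host that actually got in, and keeps the unsuccessful burst visible on a dashboard rather than discarding it. The allowlist is the part to review after every exercise: an attacker who compromises the scanner host inherits its exemption, so the allowlisted source should be narrow and its own activity monitored separately.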
Principle 6: Use standardized tasks. SOC tasks need to be standardized through appropriate operating manuals, minimum security baselines and the like, defined per application, operating system and database system. Use standards and frameworks such as ISO 27001, CIS (Center for Internet Security) Benchmarks and COBIT. Standardized tasks are the foundation for continuous improvement and employee empowerment.
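A minimum security baseline is only a standardized task if it can be checked the same way every time. As an added example (not the article's own code), the following checks an sshd_config against a small baseline. The baseline values and the sample configuration are constructed; the defaults table reflects documented OpenSSH defaults and is an assumption that should be confirmed with `sshd -T` on the target host.

```python
"""Check an sshd_config against a minimum security baseline, the way a standardized
SOC task would. Added example for this article, not the author's code; the baseline
values and the sample config are constructed, and the defaults table is an assumption
to be confirmed with `sshd -T` on the target."""

# Constructed minimum baseline for one platform (keyword -> required value).
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",
}
# Effective value when the directive is absent (documented OpenSSH defaults; assumption).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "x11forwarding": "no",
    "maxauthtries": "6",
}

# Constructed sshd_config with a trap: the second PermitRootLogin line is ignored by sshd.
SAMPLE_CONFIG = """\
# Managed by config-mgmt (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
# The next line has no effect: sshd keeps the first value it sees for a keyword.
PermitRootLogin no
X11Forwarding yes
"""

def effective_settings(text):
    """Parse sshd_config: comments and blanks skipped, keywords case-insensitive,
    and for each keyword the FIRST occurrence wins (sshd_config(5) semantics).
    Parsing stops at a Match block, whose directives are conditional and would need
    the connection context to evaluate."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings

def check_baseline(text, baseline=BASELINE, defaults=DEFAULTS):
    """Return deviations as (keyword, expected, effective, source) tuples."""
    settings = effective_settings(text)
    deviations = []
    for key, expected in baseline.items():
        if key in settings:
            actual, source = settings[key], "config"
        else:
            actual, source = defaults.get(key, "<unset>"), "default"
        if actual.lower() != expected.lower():
            deviations.append((key, expected, actual, source))
    return deviations

if __name__ == "__main__":
    for key, expected, actual, source in check_baseline(SAMPLE_CONFIG):
        print(f"DEVIATION {key}: expected {expected!r}, effective {actual!r} ({source})")
```

The sample reports three deviations: root login is effectively allowed because the first PermitRootLogin line wins, X11 forwarding is on, and MaxAuthTries is unset and so falls back to the default of 6. A checker that took the last value, as many ad-hoc scripts do, would have passed the root-login check; that is exactly the kind of mistake a written, tested baseline procedure removes.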
Principle 7: Use visual controls so that no problems are hidden. Video walls with appropriate dashboards and alerts identify events of interest and any action that needs to be taken. Whiteboards can similarly be used for brainstorming during incident investigation.
Dashboards with pie charts, bar charts, histograms, trend graphs and scatter diagrams on these video walls give a visual view of events of interest, vulnerabilities and incidents. An adapted 5S methodology for the SOC could consist of Sort, Straighten, Scan, Standardize and Sustain.
Principle 8: Use only reliable, thoroughly tested technology that serves your people and processes. Before adopting any security solution, understand the skill level of the team, the organization's culture and how the solution integrates with current security processes. Decisions on implementing new and emerging technologies versus mature and stable ones need to be thoroughly analyzed.
People & Partners
Principle 9: Grow leaders who thoroughly understand the work, live the philosophy and teach it to others.
Principle 10: Develop exceptional people and teams who follow your company's philosophy. Staff working in security operations should understand the critical functions and services they are entrusted to protect, and be able to articulate the mission and vision of cyber security. Leaders should be groomed from exceptional staff within the infosec team, and should propagate the concepts of managing risk and protecting customer data and privacy. Train staff on a regular basis to keep motivation high.
Principle 11: Respect your extended network of partners and suppliers by challenging them and helping them improve. In cyber security, managed security service providers, partners, suppliers and vendors play an important role through timely patches and advisories. This ecosystem needs to be developed and enhanced through constant communication, interaction, updates and bug-fix assistance from the vendors.
Problem Solving
Principle 12: Go and see for yourself to thoroughly understand the situation. CISOs, infosec managers and executives need to visit, or teleconference with, the SOC (Security Operations Center) for outsourced or geographically dispersed locations on a regular basis to review incidents and overall operational performance.

[Figure: 5S applied to SOC operations. Sort: sort high-impact vulnerabilities. Straighten: straighten and fix technology or processes. Scan: scan the network regularly, analyze information and events. Standardize: standardize on a schedule and methodology to manage risks. Sustain: sustain it through third-party reviews and audits. At the centre: optimize effort and time to reduce and eliminate frivolous alerts.]
Principle 13: Make decisions slowly by consensus, thoroughly considering all options, then implement them rapidly. Cyber strategy requires long-term planning that brings all business stakeholders on board and considers the regulatory environment, changing business priorities, threat scenarios, and global and regional political scenarios. Get the concurrence of all stakeholders on the identified risks and evaluate current technology and processes thoroughly, by consensus, before implementing solutions.
Principle 14: Become a learning organization through relentless reflection and continuous improvement (kaizen). In the ever-changing cyber security field it is incumbent on us to continuously learn lessons from past incidents, improve defenses and further bolster security. W. Edwards Deming's Plan-Do-Check-Act (PDCA) cycle, which infosec professionals are familiar with, reiterates this principle.
Lean management principles can thus be applied to service industries such as information security operations to achieve greater cyber resilience and bolster security.
*Reference: The Toyota Way: 14 Management Principles from the World's Greatest Manufacturer, Jeffrey K. Liker.
(The views expressed herein are the author's personal views and do not reflect the views of his employers, their principals, affiliates or clients.)