One of the most common complaints I hear from folks working in information security is that they are overwhelmed with data, alerts, log files and all of the other information sources they deal with on a daily basis. Often, this is a problem that can be solved by adjusting the level of data they are looking at and investing in some processes and tools that give them leverage. You may not need, or be able to afford, a full SIEM implementation, but with a couple of basic tools and a little creativity, you can likely get more leverage than you have today.
The first thing I often advise folks to do is to embrace a scripting language. You don’t need to become a master coder, but to get some leverage from systematizing your work, you will have to create some tools that are specific to your work. These scripts or tools should replicate much of the repetitive work you are doing today and can be a simple front end to handle the most common issues without your personal interaction, thus saving you time and resources.
Specifically, let’s say you have to comb log entries for a specific message that is pretty routine and then email the help desk with the relevant details when you see that message. With some basic scripting skills in python/ruby/perl, this becomes an easy-to-automate task. Pull the data in, parse through it with some scripting logic, segregate out the events you need, then drop them into an email and send it out. A quick script that runs in a scheduler or cron, and your new virtual assistant just took over one of your daily tasks.
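As an added illustration of that pull/parse/segregate/email loop (example code written for this page, not something from the original post), here is a small Python script that reads constructed log lines, keeps only the account-lockout entries, and builds the help-desk email. The log format, the lockout message, and the sender and recipient addresses are all assumed for the example.

```python
import re
from email.message import EmailMessage

# Constructed sample log lines (not real data); lockouts are the "routine message".
SAMPLE_LOG = """\
2024-03-01 08:02:11 host1 sshd[2231]: Accepted publickey for alice from 10.0.0.5
2024-03-01 08:05:40 host1 pam_tally2[2299]: user bob account locked after 5 failed logins
2024-03-01 08:06:02 host2 sshd[4110]: Failed password for carol from 10.0.0.9
2024-03-01 08:09:15 host2 pam_tally2[4150]: user dave account locked after 5 failed logins
"""

# Assumed syslog-like layout: "<date> <time> <host> <proc>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<proc>[^\[]+)\[\d+\]: (?P<msg>.*)$"
)
# The routine message the help desk should hear about (assumed wording).
LOCKOUT_RE = re.compile(r"user (?P<user>\S+) account locked")

def parse_lines(text):
    """Turn raw log text into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def find_lockouts(events):
    """Segregate out the lockout events and pull the details the help desk needs."""
    hits = []
    for ev in events:
        m = LOCKOUT_RE.search(ev["msg"])
        if m:
            hits.append({"ts": ev["ts"], "host": ev["host"], "user": m.group("user")})
    return hits

def build_ticket_email(hits, sender="secops@example.com", to="helpdesk@example.com"):
    """Build the email message; return None when there is nothing to report."""
    if not hits:
        return None
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, to
    msg["Subject"] = f"[auto] {len(hits)} account lockout(s) need unlocking"
    body = "\n".join(f"{h['ts']} {h['host']}: {h['user']}" for h in hits)
    msg.set_content("Accounts locked after repeated failed logins:\n\n" + body)
    return msg

if __name__ == "__main__":
    mail = build_ticket_email(find_lockouts(parse_lines(SAMPLE_LOG)))
    print(mail if mail else "nothing to report")  # smtplib.SMTP(...).send_message(mail) would send it
```

Drop it into cron with the real log path in place of SAMPLE_LOG and hand the message to smtplib; the empty-result check keeps the help desk from getting a blank email on quiet days.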
Do this enough, and you knock out much of the repetitive work you face today. That frees up your cycles to dive deeper, do additional research or grow your skills.
Scripting helps in other ways too. Understanding programming logic basics is a huge plus for security folks who might have a more network/systems-centric background. It will help you understand a lot more about how applications work in your environment and how to best interact with them in ways to protect them. It also gives you some empathy when working with developers and other folks who are heads down in code. Scripting can also be a very valuable skill in just solving complex problems and the security world is full of those.
How do you get started mastering the basics of a scripting language? Well, identify how you learn best. Are you a classroom learner? Then take a class, or use the online universities and training that are common today. Learn by reading? Then get yourself a good book from Amazon or the mall and get started. Learn by doing? This is the easiest one of all. Just do it. Choose one language. Stick with it. Learn the basics: looping, variables, basic syntax, file access, etc. Then grow your skills over time by actually scripting your tasks.
I challenge you to try this for 90 days. Give it a shot. If, after 90 days, this is not helping you free up more time at work, learn more about things you don’t know today and making your job in security easier, then write me a nasty email and stop doing it. I have made this challenge before and haven’t gotten one email in more than a decade that said it was horrible and that it didn’t help. 90 days. Give it, and yourself, a break and make it happen. The first step is committing to actually do it. Make the commitment and follow through. You won’t be sorry.