By following a four-step process, teams can liberate themselves from the industry's devotion to "traditional approaches" and begin to tackle, and overcome, the security challenges that matter to them. Each organization is different, and using prescriptive frameworks that ignore differentiators and individuality is a recipe for failure. A team that follows this simple four-step cycle can not only ensure scale and effectiveness, it can also become transparent to leadership, stakeholders, and itself.
There are a number of extremely difficult challenges in running a successful Blue Team, or security operations defensive team. These range in magnitude from simply keeping track of everything that is going on, to building better soft skills and relationships with interdependent teams (think networking, infrastructure, etc.), all the way to the fact that one missed clue could lead to a serious breach. Added to these challenges is the fact that most blue teams are designed to be composed of zombie console jockeys with "eyeballs on glass" staring at mind-numbing alerts for their entire shift. These twin factors combine to create a toxic soup of stress, ineffectiveness, and ultimately failure.
Rather than rely on an ad hoc process, or concede that all security events are different and have to be addressed individually, mature organizations develop written procedures for how to handle security events, in the same way that they have written procedures for IT operations. Having a written procedure makes it possible to leverage the power of a checklist to ensure that the process is consistent.
Unfortunately, it is far too common for information security (IS) staff to become embroiled in human resources (HR) investigations. Ask anyone who has worked in security and they'll tell you about a time they were asked for a report of the browsing habits of a certain user, for a forensic investigation of the hard drive of an employee who is being disciplined or fired, or to perform a search of an employee's e-mail. There are a variety of reasons that HR might make such requests of IS, but security leadership needs to do a better job of rebuffing these requests. Engaging in these activities is not only distracting, but also demoralizing and potentially damaging to an IS group. For some, having IS perform HR investigations may seem like a routine part of IS operations. I think this is an unfortunate state of affairs and firmly believe that IS should have little, if any, involvement in HR investigations. This article will seek to lay out the reasons I believe having IS perform HR support functions is an extremely bad idea, in hopes that it will empower organizations to better articulate resistance to such integration. Having IS perform HR investigations is a deviation from IS's purpose, requires training IS is not given, and fails to deliver positive outcomes for IS in all but limited circumstances.