Stephen Moore, Chief Security Strategist at Exabeam, discusses some of the essential components that go into making an effective modern Security Operations Centre.
Building and maintaining a modern Security Operations Centre (SOC) requires much more than simply hiring a team of analysts and purchasing the latest security equipment. It’s an ongoing effort to stay on top of emerging threats, keep current with new trends, and find (and retain) the right talent for your business.
This article will look at four key building blocks upon which successful SOCs are founded.
1) The right people
People are a core component of any SOC, but they must be the right people. Wherever possible, each member should bring something to the table that enhances the overall strength of the team. This could be a unique technical skillset, area of expertise or personal attribute. They also need to be a good fit for the organisation from a cultural perspective.
Of course, with the security industry currently in the grip of a skills shortage, finding suitable candidates externally can be extremely difficult. As such, one of the best alternative solutions is to hire from within.
For example, mentoring a member of the IT team who already has Active Directory skills could open up a new career path for them whilst also bringing a much needed skillset into the SOC.
Also consider recruiting from local universities with cyber security programmes. Not only are they a direct link to some of the best and brightest young minds, but undergraduates who intern at the business will often consider returning after they finish their degrees.
2) Robust lateral and vertical communication
Nearly every SOC is affected by some form of external resource constraint. In many cases, technical debt in other parts of the business can interfere with effective security operations. For instance, most businesses tend to score poorly when it comes to keeping system patches up to date, and even worse when it comes to asset lists.
To operate effectively, SOCs must have a strong relationship with the rest of the IT department. Doing so creates a conduit into system patching, asset management, and configuration management. The weaknesses that give adversaries their windows of opportunity, such as unpatched systems and unknown assets, must be observed, prioritised and tracked across the business rather than left for the SOC alone to discover.
Thought should also be given to how the SOC is perceived throughout the rest of the business. How can visibility be improved, particularly amongst groups like sales, who are increasingly fielding questions about the security of the products and services they’re selling?
Presenting at quarterly meetings or sales kick-offs can be a great way to raise the profile of a SOC, whilst also communicating how the work it does contributes to the overall success of the business. It’s about establishing and increasing relevance for a SOC within the wider organisation.
3) Regular measurement
The nature of the security industry means that unfortunately, SOCs are often playing catch-up. As such, taking the time to measure performance on a regular basis can often fall by the wayside.
However, measuring successes, as well as failures, is critical to the ongoing success of a SOC. If you can’t demonstrate the value you’re bringing to the business, how are you going to justify your existence, let alone future expansions or resource requests?
Metrics play a key role here, such as the number of threats discovered or the cost and time taken to investigate them. Quantifying these things and having them on hand can be extremely valuable whenever senior management comes knocking.
4) Effective use of resources and technology
Time is one of the most valuable resources in any SOC and tasks must be prioritised accordingly and dealt with as efficiently as possible. However, security alerts coming in often lack context or supporting information, making it very difficult to act in a fast, decisive manner without further investigation.
Unfortunately, traditional manual investigation methods can take up significant amounts of time and resources, creating a vicious circle that forces analysts to choose between doing a job quickly and doing it properly.
Fortunately, modern security tools can now take on many of these time-consuming manual activities, connecting to existing systems and using machine learning and behavioural analysis to uncover suspicious behaviours.
As a result, rather than spending time investigating every alert raised, SOC analysts can focus on identifying and mitigating genuine threats. Among cyber solutions available today, the best centralise data feeds and logs across a business’s network and assets, then apply user and entity behaviour analytics (UEBA) and machine learning to surface security risks.
Scoring threats per user or entity, then generating alerts only for those whose accumulated score exceeds a predetermined threshold, helps conserve analyst resources and prevent the burnout that’s so common in SOCs still using manual discovery practices.
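The scoring-and-threshold approach described above, as an added example that is not code from the original article or from Exabeam: a small Python model that scores each event against simple rules and a per-user behavioural baseline, accumulates the points per user, and raises one alert per user only when the total crosses a threshold. The events, baseline, rule weights and threshold are all constructed for illustration and would be tuned against real telemetry.

```python
from collections import defaultdict
from copy import deepcopy

# Constructed sample events, not real telemetry. Each is one normalised
# record from an authentication/activity feed, in arrival order.
EVENTS = [
    {"user": "alice", "type": "login_success", "host": "ws-01", "country": "GB"},
    {"user": "alice", "type": "login_failed", "host": "ws-01", "country": "GB"},
    {"user": "alice", "type": "login_success", "host": "ws-01", "country": "GB"},
    {"user": "bob", "type": "login_failed", "host": "ws-02", "country": "GB"},
    {"user": "bob", "type": "login_failed", "host": "ws-02", "country": "GB"},
    {"user": "bob", "type": "login_failed", "host": "ws-02", "country": "GB"},
    {"user": "bob", "type": "login_success", "host": "srv-db-02", "country": "RO"},
    {"user": "bob", "type": "privilege_escalation", "host": "srv-db-02", "country": "RO"},
    {"user": "bob", "type": "large_download", "host": "srv-db-02", "country": "RO"},
    {"user": "carol", "type": "login_failed", "host": "ws-03", "country": "GB"},
    {"user": "carol", "type": "login_failed", "host": "ws-03", "country": "GB"},
    {"user": "carol", "type": "login_success", "host": "ws-03", "country": "US"},
]

# Constructed behavioural baseline: what each user has been seen doing before.
BASELINE = {
    "alice": {"hosts": {"ws-01"}, "countries": {"GB"}},
    "bob": {"hosts": {"ws-02"}, "countries": {"GB"}},
    "carol": {"hosts": {"ws-03"}, "countries": {"GB"}},
}

# Hypothetical rule weights and threshold; a real deployment tunes these
# against its own alert volume and investigation outcomes.
RULE_WEIGHTS = {
    "login_failed": 5,
    "privilege_escalation": 30,
    "large_download": 25,
}
FIRST_SEEN_HOST = 15
FIRST_SEEN_COUNTRY = 20
ALERT_THRESHOLD = 60


def score_event(event, baseline):
    """Return (points, reasons) for one event. A deviation from the baseline
    is scored once: the baseline is updated so a repeat is not re-scored."""
    points = RULE_WEIGHTS.get(event["type"], 0)
    reasons = [event["type"]] if points else []
    profile = baseline.setdefault(event["user"], {"hosts": set(), "countries": set()})
    if event["host"] not in profile["hosts"]:
        profile["hosts"].add(event["host"])
        points += FIRST_SEEN_HOST
        reasons.append(f"first_seen_host:{event['host']}")
    if event["country"] not in profile["countries"]:
        profile["countries"].add(event["country"])
        points += FIRST_SEEN_COUNTRY
        reasons.append(f"first_seen_country:{event['country']}")
    return points, reasons


def per_event_alerts(events, baseline=BASELINE):
    """The naive approach: every event that trips any rule becomes its own alert."""
    working = deepcopy(baseline)
    return [e for e in events if score_event(e, working)[0] > 0]


def entity_risk(events, baseline=BASELINE):
    """UEBA-style aggregation: accumulate points per user and keep the reasons,
    so that an alert arrives with the context an analyst needs to act on it."""
    working = deepcopy(baseline)
    risk = defaultdict(lambda: {"score": 0, "reasons": []})
    for event in events:
        points, reasons = score_event(event, working)
        risk[event["user"]]["score"] += points
        risk[event["user"]]["reasons"].extend(reasons)
    return dict(risk)


def threshold_alerts(events, threshold=ALERT_THRESHOLD, baseline=BASELINE):
    """One alert per user whose accumulated score exceeds the threshold,
    highest score first."""
    risk = entity_risk(events, baseline)
    hits = [(u, r["score"], r["reasons"]) for u, r in risk.items() if r["score"] > threshold]
    return sorted(hits, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print("per-event alerts:", len(per_event_alerts(EVENTS)))
    for user, score, reasons in threshold_alerts(EVENTS):
        print(f"ALERT user={user} score={score} reasons={reasons}")
```

On the constructed input the per-event approach raises ten alerts, nine of them for isolated failed logins and a single foreign login, whereas the accumulated score raises one alert, for the user whose failed logins were followed by a first-seen host, a first-seen country, a privilege escalation and a large download, and that alert carries the list of contributing reasons. Lowering the threshold brings the next user in, which is the tuning trade-off a SOC makes between coverage and analyst load.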
Building and maintaining an efficient SOC can be challenging, but focusing on specific core tenets from the beginning can greatly increase the chances of long-term success. This article has laid out four of the most important building blocks needed to create a blueprint for that success in an ever-changing and evolving security landscape, but the process doesn’t stop there.
A successful SOC needs constant tuning and adjustment to operate as effectively as possible.