
In the second of two articles, Richard Orange at Exabeam makes the case for modernising the security operations centre
Organisations need to rethink the way that their security operations centres (SOCs) are operating. In my first article on this subject, we looked at the key challenges facing many contemporary SOCs and why there is now a compelling case for modernising both the processes and technology that sit at the heart of their work.
This time, we look at why it’s crucial to consider how SOCs should be working from the key contributing perspectives. In particular, answering questions specific to each persona provides the basis for building SOC strategies that address the increasingly difficult cyber-security challenges facing every single digitally-dependent organisation.
The core element of SOC modernisation is consolidation, not least because many organisations need something to tie data points and technology solutions together. In effect, they need a central nervous system for their SOC that sits as the presentation layer to everything – regardless of individual circumstances – that falls underneath it.
We know that, as things stand, SOC teams can’t deliver this level of modernisation unaided. As a result, achieving this objective means adding a level of semi-supervised or unsupervised machine learning. Security teams also need a holistic view of their entire domain – both on-premises and in the cloud – with a single point of view across everything.
Before making any decisions on how to modernise the SOC, security leaders must first ask why. Starting with ‘why’ is the key to making the right decisions and, ultimately, achieving the outcome they need.
Unfortunately, security decision-makers often don’t think about this. Instead, they think about the result first: ‘I need a SIEM’, ‘I need correlation rules’ and ‘I need visualisations’. Ask them why, and the answer is often along the lines of “because that’s just what you do”. The impact of this mindset is that SIEM has become the answer to the wrong question.
Starting with the why means asking some different questions, such as why do you have security and why do you have a SOC? Moving on from the core definition that the SOC exists to answer critical security questions, these questions become more granular the deeper the process goes.
At the highest level, organisations want to know ‘Am I breached?’ or ‘Is there a business risk?’ Going to the next level down creates more questions, such as ‘Is there a threat adversary in my environment?’ From there, it’s logical to ask: ‘Do I have the right visibility and logs to know if there’s a threat in my environment?’
The point is, if the SOC is about asking and answering questions, then SOC modernisation means asking and answering those questions faster alongside asking and answering the questions SOC leaders and their teams don’t even know to ask.
Across the various SOC stakeholders and their personas, there is a range of priorities and key questions that determine how a SOC functions; from the granular to the high level, these questions and answers are connected.
But typically, each SOC stakeholder has been arriving at the answer to their set of questions without working out if they’re answering the right ones in the first place, and for each, there is a distinct set of ‘why’ questions they are not currently asking. For instance:
CISOs: A CISO is asking the business-level questions around risk – fundamentally, is there a risk to the business? They may be able to answer this question based on the information given to them by the SOC management team via the analysts, but if the SOC does not have the ability to understand the bigger picture, the questions asked further down are not producing the right answers.
SOC Management: SOC management is asking if a threat is contained. If so, this leads up to the CISO to help answer the question of business risk.
SOC Analysts: A SOC analyst is answering the tactical, granular questions about what is happening in their environment: where has the malware gone, and has data been exfiltrated? This feeds up to SOC management’s question about threat containment. But to be effective, the analyst needs visibility across all the data points. They may spend 30 hours removing a piece of malware to answer the question they think needs answering, without actually containing the threat, which has already spread to another part of the network they can’t see.
Without full and inclusive consideration of each of these perspectives, organisations will remain hamstrung by legacy processes and technologies that can’t hope to keep pace with their adversaries. In contrast, those that do will be ideally placed to draw on the skills, expertise and experience of their teams to focus their efforts more effectively and re-establish the inherent agility SOCs are there to deliver.
Richard Orange is VP of EMEA at Exabeam