
teissTalk host Geoff White was joined by Stefan Treloar, CISO at IG Group; Sajeed Naseem, CISO, New Jersey Courts; and Stephen Moore, Vice President and Chief Security Strategist, Exabeam.
Views on news
In a blog post, Microsoft warned that Nobelium, the actor behind the SolarWinds attack, which Microsoft attributes to Russia’s foreign intelligence service, the SVR, is expected to stick with its established strategy of attacking cloud and other technology service providers that deploy and manage services on behalf of their customers. Since May, Microsoft has notified more than 140 resellers and technology service providers that have been targeted by Nobelium, 14 of which are believed to have been compromised.
Attackers seem to have raised their game by attacking ecosystems rather than individual organisations. Due diligence on third parties and transparency are key to tackling this threat. Service providers have an obligation to report a breach to the partners that have been affected. However, given the number of partners that may contact a provider at the same time when a breach occurs, automated interfaces that handle those notifications on the company’s behalf may be a better way forward.

Although the main dilemma around SOC teams is whether an organisation should have an internal or an external one, an ad hoc survey on teissTalk, as well as the experts’ opinion, suggests that internal SOC teams can be more effective, and that the only case for using an external one is cost saving. Internal SOC teams can get better at sharing information, and they can also be informed easily by other internal teams such as development, identity and access management (IAM) and HR.
The questions an organisation must ask itself are: “Am I adversary-aligned? Do I know what my adversaries are likely to do?” To achieve that alignment, there are three things organisations need to examine. Firstly, the MITRE ATT&CK framework, a knowledge base of adversarial tactics, techniques and common knowledge. Secondly, the lessons the organisation could learn from previous incidents. Thirdly, storytelling has a major role to play too, including on interfaces where victims of identical or similar attacks can share information. It is not just individual organisations but industries and ecosystems that need protection.
Ideally, the SOC team of a larger organisation has two or three tiers, a complexity that smaller organisations cannot afford. Getting visibility of which attacks and lateral movements you can detect and respond to is only the first step; it is not an indicator of the actual efficacy of your defences.
The panel’s advice
SOC teams are not created overnight. Prior to creating one, it is key to understand the context of the particular industry, as well as the size, scale and financial resources it takes to build a SOC.
To assess your internal SOC, go through the checklist of 17 lateral movements that cybercriminals typically make and see how many of them you can actually observe: do you have the tools to detect hops between hosts, credential shifts, precursor malware or ransomware? How fast can your organisation produce an incident-response artefact?
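As an added illustration of two items on that checklist (hops between hosts and credential shifts), and of the adversary-alignment point made earlier about mapping detections to MITRE ATT&CK, the following Python script runs simple detection logic over a handful of constructed Windows Security log lines. It is not code from teiss, Exabeam or any panellist. Event IDs 4624 (successful logon) and 4648 (logon using explicit credentials) and the ATT&CK technique IDs T1021 and T1078 are real; the hosts, accounts, timestamps and the pipe-delimited log format are constructed for the example.

```python
"""Toy lateral-movement detector over constructed Windows logon events.

Added example, not code from teiss or the panellists. Windows event IDs
4624 (logon succeeded) and 4648 (explicit credentials used) are real;
the hosts, users, timestamps and log format below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample log: timestamp | event id | source host | destination host | account
LOG_LINES = """\
2021-11-01T09:00:00 | 4624 | WS-ALICE | FS01  | alice
2021-11-01T09:05:00 | 4624 | FS01     | DC01  | alice
2021-11-01T09:07:00 | 4648 | FS01     | DC01  | svc_backup
2021-11-01T09:10:00 | 4624 | DC01     | SQL01 | alice
2021-11-01T12:00:00 | 4624 | WS-BOB   | FS01  | bob
""".splitlines()


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    event_id: int   # 4624 = logon succeeded, 4648 = explicit credentials used
    src_host: str   # host the logon originated from
    dst_host: str   # host that recorded the event
    user: str       # account the logon was authenticated as


def parse_line(line: str) -> LogonEvent:
    """Parse one pipe-delimited line of the constructed log format."""
    ts, eid, src, dst, user = [f.strip() for f in line.split("|")]
    return LogonEvent(datetime.fromisoformat(ts), int(eid), src, dst, user)


def detect_hops(events: List[LogonEvent],
                window: timedelta = timedelta(minutes=30)) -> List[Tuple[str, ...]]:
    """A hop: the same account logs on A->B and then, within the window, B->C.

    Chaining network logons host to host is the pattern behind ATT&CK T1021
    (Remote Services). Returns (user, A, B, C) for every such pair.
    """
    logons = sorted((e for e in events if e.event_id == 4624), key=lambda e: e.ts)
    chains = []
    for i, first in enumerate(logons):
        for nxt in logons[i + 1:]:
            if nxt.ts - first.ts > window:
                break  # list is time-sorted, so nothing later can qualify
            if nxt.user == first.user and nxt.src_host == first.dst_host:
                chains.append((first.user, first.src_host, first.dst_host, nxt.dst_host))
    return chains


def detect_credential_shifts(events: List[LogonEvent],
                             window: timedelta = timedelta(minutes=30)) -> List[Tuple[str, str, str]]:
    """A credential shift: a host sees a logon as one account, then shortly after
    an explicit-credential logon (4648) as a different account.

    Switching to a second set of valid credentials mid-intrusion is the abuse
    ATT&CK T1078 (Valid Accounts) describes. Returns (host, from_user, to_user).
    """
    logons = [e for e in events if e.event_id == 4624]
    shifts = []
    for explicit in (e for e in events if e.event_id == 4648):
        for logon in logons:
            if (logon.dst_host == explicit.dst_host
                    and logon.user != explicit.user
                    and timedelta(0) <= explicit.ts - logon.ts <= window):
                shifts.append((explicit.dst_host, logon.user, explicit.user))
    return shifts


def assess(lines: List[str]) -> dict:
    """Run both detections and key the results by the ATT&CK technique they cover."""
    events = [parse_line(line) for line in lines]
    return {
        "T1021 hop chains": detect_hops(events),
        "T1078 credential shifts": detect_credential_shifts(events),
    }


if __name__ == "__main__":
    for technique, hits in assess(LOG_LINES).items():
        print(f"{technique}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

On the sample data the script reports two hop chains for alice (WS-ALICE to FS01 to DC01, then FS01 to DC01 to SQL01) and one credential shift on DC01 from alice to svc_backup, while bob's isolated logon three hours later is ignored. The point of the exercise is the gap analysis: a SOC that cannot produce these events with source host, destination host and account populated cannot run even this crude logic, which is exactly what the checklist is meant to expose.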

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543