June 29, 2023
Anomali Threat Research

Getting Your SOC Aligned with Your Business

<p>Having the right tool for the right job is obviously important, but knowing the subtleties of how to properly use the tool is what separates the reactive teams from those who always seem to be one step ahead. While being one step ahead is clearly the desired state, it is particularly challenging when dealing with something as complex and dynamic as a Security Operations Center (SOC).</p>

<p>SOCs are pretty much front and center in the endless dynamic with threat actors, and there is a highly competitive market of vendors who offer a myriad of SOC solutions to enterprises that are at risk of cyber attacks. The core premise (and this is not limited to cyber security) is that any technology implementation should be driven by business requirements first, rather than technical requirements. This is particularly relevant for SOCs, as any attack that gets by the SOC can have a significant impact across the entire business (as we see—sadly—every day).</p>

<p>SOCs by their nature are enormously complex and are often the result of a range of technology solutions cobbled together by technical teams who are deep in the weeds of security and IT infrastructure requirements. The reality is that the SOC is there to serve the business and should be optimized around business requirements. In this model, there is no one-size-fits-all approach; security requirements need to be an integral part of business workflows. This is the "we all sink or we all swim" approach to securing the business: when one function is breached, everyone suffers. Different functions (operations vs. marketing) will have very different security needs (since they use different workflows), and the SOC team needs to factor that into the implementation of their security mandates.</p>

<p>The workflow variable is particularly important, since many SOC issues are not subject to technology fixes. Vulnerabilities can often be a function of improper governance, lax security protocols at the employee level, or a lack of alignment between business functions. For SOCs to reach an optimal level of effectiveness, business stakeholders need to be part of the security framework. SOC analysts need to engage with business stakeholders at the executive, operational, and tactical levels (similar to how intelligence requirements are scoped). When security analysts understand the business needs and associated workflows, they are in a much stronger position to deliver intelligence and threat assessments that will make sense to business stakeholders.</p>

<p>Identifying the right stakeholders and understanding their process requirements and potential attack surface early in the process is critical. Equally important is ensuring clear communication; non-technical stakeholders (who will have valid concerns) need to be educated by SOC staff to understand what is at stake and why security now needs to be integral to how their functions operate. This means part of the SOC team's purview will be end-user education at multiple levels. Creating a narrative that describes the risk associated with security exposures in terms of a business function's day-to-day operation is a great way to add context and increase alignment between technical and business staff.</p>

<p>Creating an effective threat intelligence program means the right resources are allocated properly (security resources focused on maximizing business value), agreed-upon metrics are in place and updated continuously, and there is a security roadmap that everyone understands and has bought into. This also means operating at three levels:</p>

<ul>
<li>Strategically: what are the longer-term security requirements that need to be addressed at the executive level?</li>
<li>Operationally: looking at SOC-specific drivers such as threat actor TTPs (tactics, techniques, and procedures) and the correlation of attack surfaces to external threat data.</li>
<li>Tactically: dealing with specific incidents of concern (IoCs), along with threat detection.</li>
</ul>

<p>This also means security governance requirements and their associated protocols need to be managed on multiple levels, updated continuously, and kept contextually relevant to all stakeholders. To get a more detailed walkthrough of how to align your security and business needs, please check out this <a href="https://www.anomali.com/resources/whitepapers/tips-for-selecting-the-right-tools-for-your-security-operations-center?publisher_status=draft&amp;publisher_key=O3iCzsSu">Gartner report</a>.</p>
