
Level Up Your SOC: Focus On People, Process, and Technology

No matter where one is in their security lifecycle, understanding their people, developing processes, and leveraging technologies will lead to a successful SOC.
Published on
April 11, 2019

Introduction

A Security Operations Center (SOC) is an organized and highly skilled team whose mission is to continuously monitor and improve an organization's cybersecurity posture while preventing, detecting, analyzing, and responding to security incidents with the aid of technology and well-defined processes and procedures. The success of your SOC revolves around three primary components: people, process, and technology.

People

The most important asset any organization has is its people. Every day someone is talking about the skills gap in security, but few of those conversations examine how the career paths of seasoned security professionals differ from those of today's junior specialists, and how that contrast accounts for many of the skills-gap challenges. Many seasoned security professionals, myself included, came up through network, architecture, or system administrator roles, which provides a good foundation for a holistic approach to security. That comprehensive foundation has allowed me to look at security from several angles rather than through a narrow lens.

Today, many junior security staff come out of college with a basic understanding of security concepts but without the foundation on which architectures are built (e.g., the OSI model, the TCP/IP model, or the Kill Chain threat model). Organizations would benefit from focusing on a wider range of training for junior staff so they can attain a holistic view of the security posture. Part of that is developing a career path and aligning training to specific requirements they must meet in order to progress to the next level. With expanded knowledge, your staff will explore new areas within the SOC, which increases job satisfaction by providing opportunities and challenges and, in turn, helps with retention.

Do you have a documented career path? Do you have specific or loose training requirements? Is your team challenged?

Process

Whether you follow a framework (e.g., NIST, ITIL, or TOGAF) or something else entirely, establishing predefined processes for your SOC operators to follow is the second critical piece of successful SOC operations. This can be as simple as a use case paired with a runbook for that use case. As an example, a tier one analyst combing through log data in your SIEM may want to correlate that information with threat intelligence. Tying those two pieces of data together and making sense of them may not be straightforward. If the process defines those data points up front, then once the analyst has a log event with threat intelligence correlated against it, the runbook answers the next question: what now?

Understanding the implications of the event, and how widespread it could be, is paramount. This is where the analyst use case and runbook help: the analyst discerns whether to continue investigating, escalate, or drop the event. The three critical questions an analyst should ask during this decision-making process are:

  • Are we under attack?
  • Are we impacted?
  • How do we detect and respond?

How do your analysts respond to these? Do they know how? Is the process documented and repeatable?
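The correlation-plus-runbook step described above, as an added example that is not part of the original post or any Anomali product: a small Python script joins constructed SIEM-style log lines to a constructed threat intelligence feed, then applies illustrative runbook rules to answer the three questions (under attack? impacted? what next?) and return investigate, escalate, or drop. Every indicator, hostname, IP address, confidence score, and decision threshold below is a made-up assumption for illustration; a real runbook would take these from your TIP and your own escalation policy.

```python
"""
Added example (not from the original post): correlate constructed log
lines with a constructed threat intelligence feed and return a triage
decision for a tier one analyst. All values are hypothetical.
"""
import re
from dataclasses import dataclass

# Constructed threat intel feed: indicator -> (type, confidence 0-100, tag).
# Hypothetical entries; a real TIP would also carry source, first/last seen, etc.
THREAT_INTEL = {
    "198.51.100.23": ("ipv4", 90, "c2"),
    "203.0.113.77": ("ipv4", 40, "scanner"),
    "bad-updates.example": ("domain", 85, "malware-delivery"),
}

# Constructed log lines in a simple key=value layout (not a real SIEM export).
SAMPLE_LOGS = [
    "ts=2019-04-11T09:01:02Z src=10.0.0.5 dst=198.51.100.23 dport=443 action=allow host=ws-014",
    "ts=2019-04-11T09:01:09Z src=10.0.0.9 dst=198.51.100.23 dport=443 action=allow host=ws-022",
    "ts=2019-04-11T09:02:15Z src=203.0.113.77 dst=10.0.0.1 dport=22 action=deny host=fw-edge",
    "ts=2019-04-11T09:03:40Z src=10.0.0.5 dst=10.0.0.20 dport=445 action=allow host=ws-014",
    "ts=2019-04-11T09:04:01Z src=10.0.0.12 qname=bad-updates.example action=resolve host=ws-031",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; unknown keys are kept as-is."""
    return dict(KV_RE.findall(line))


@dataclass
class Match:
    indicator: str
    itype: str
    confidence: int
    tag: str
    host: str
    allowed: bool  # traffic was permitted (impact possible) vs. blocked at the control


def correlate(lines, intel=THREAT_INTEL):
    """Join each event to the intel feed on any IP or domain field it carries."""
    matches = []
    for line in lines:
        ev = parse_line(line)
        for field in ("src", "dst", "qname"):
            value = ev.get(field)
            if value in intel:
                itype, conf, tag = intel[value]
                allowed = ev.get("action") in ("allow", "resolve")
                matches.append(Match(value, itype, conf, tag, ev.get("host", "?"), allowed))
    return matches


def triage(matches, min_confidence=50, escalate_hosts=2):
    """Illustrative runbook (thresholds are assumptions, not the post's):

    - no matches                                   -> drop
    - only low-confidence or blocked hits          -> investigate
    - high-confidence hit on allowed traffic from
        one host                                   -> investigate
        escalate_hosts or more distinct hosts      -> escalate (widespread impact)
    """
    if not matches:
        return {"under_attack": False, "impacted": False, "decision": "drop", "hosts": []}
    high = [m for m in matches if m.confidence >= min_confidence]
    impacted_hosts = sorted({m.host for m in high if m.allowed})
    decision = "escalate" if len(impacted_hosts) >= escalate_hosts else "investigate"
    return {
        "under_attack": bool(high),       # credible hostile indicator seen at all?
        "impacted": bool(impacted_hosts),  # did any of it get through to an internal host?
        "decision": decision,
        "hosts": impacted_hosts,
    }


def run_runbook(lines):
    """One-call helper: parse, correlate, and decide."""
    return triage(correlate(lines))


if __name__ == "__main__":
    result = run_runbook(SAMPLE_LOGS)
    print(f"under attack: {result['under_attack']}  impacted: {result['impacted']}")
    print(f"decision: {result['decision']}  hosts: {', '.join(result['hosts'])}")
```

On the constructed data the two workstations that were allowed to reach the high-confidence C2 address, plus the one that resolved the malware-delivery domain, make three impacted hosts, so the runbook escalates; the blocked scanner hit alone would only prompt an investigation. Note that the fourth line (ws-014 talking SMB to another internal host right after the C2 contact) matches no indicator and is silently ignored here, which is exactly the kind of follow-on pivot a runbook should tell the analyst to make rather than leaving it to chance.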

Technology

We all know there is a myriad of technology available on the market. I have no doubt that by the time you have read this blog, you have received an email, a phone call, or text from someone trying to sell you their new and exciting technology.

So where do you begin? There are many options across every aspect of security. What is most pressing: the endpoint, the server farm and databases, or the perimeter? In my experience it comes down to where you get the most from your budget and what risks your executive management is willing to accept. There are the must-haves, the nice-to-haves, and then everything else. But even with a nice-to-have, if you go without it, are you missing something? Do you have a minimal capability or no capability at all, and what is your executive team willing to forgo?

Some other considerations are:

  • Does it integrate with my other security products? Take Symantec ICDx, for example, where several companies have committed to working together on one standard so that integration between their products is seamless. If you do not standardize on a single product line, do you instead rely on a Security Orchestration, Automation, and Response (SOAR) platform to "make it all work"? There are a few SOAR options out there, and even those are being acquired by larger organizations as they recognize the value and importance of integration.
  • Is the staff trained? Make sure the people who will use the tool are familiar with it and understand its intricacies.
  • What will it cost to transition? Depending on the tool, a forklift replacement may not be as simple as pulling one plug and inserting another. A good change control process will help you ascertain what it takes to replace your SIEM, threat intelligence platform (TIP), or vulnerability assessment (VA) tool.

Summary

No matter where you are in your security lifecycle, understanding and taking an interest in your people, developing your processes, and leveraging your technologies is what will make a successful security operations center.

To further your planning, get the Managing Threat Intelligence Playbook, where you’ll get information on what to look for and how a threat intelligence platform can help you with common security challenges.

Stay tuned for my upcoming blogs in which I dive deeper into these three critical aspects of a SOC and focus in on specific examples and use cases.
