With nation-states, hacktivists, and other rogue actors steadily increasing the pace and sophistication of cyberattacks, many organizations cross a threshold when they find they can no longer adequately monitor, detect, and respond to threats. Over time, they create a centralized way for security teams to share information and collaborate on defense and response, often called a security operations center (SOC).
Centralizing security speeds up an organization’s ability to detect and respond to cyberattacks, but creating a SOC doesn’t come without thought and effort.
To scale security operations and build an agile SOC quickly and efficiently, final point spoke to a trio of experts.
Identify and contain adversaries before they can spread through your network.
“SOCs are not turnkey,” says Wim Remes, CEO and founder of the consulting firm Wire Security. “It’s not about buying a bunch of technology, putting a bunch of people at keyboards, and then expecting the SOC to work,” he says. “It’s about building the essential capabilities first, and then increasingly improving and expanding the capabilities of the SOC over time.”
set your goals
SOCs don’t always have the same initial initial goals, says Gal Shpantzer, co-founder of virtual consultancy CISO Security Outliers. To find out what the goal of an organization is, he recommends asking a few questions:
- Who are the initial clients of the SOC?
- Is the goal to provide executive dashboards, compliance, or incident response?
- What are the expectations around monitoring, alerts, analysis, and response?
The answer to these types of questions is best left to the collective wisdom of the organization at large. That’s why multi-stakeholder interviews can help uncover targets.
It’s not about… putting a bunch of people at keyboards and then expecting the SOC to work.
“Security architects and engineers should interview the various business units to identify how they want to interact and communicate with security operations teams,” says Michael Lyborg, senior vice president of global security and enterprise IT at Swimlane, which advises companies on the automation of security operations. .
“Then work backwards by acknowledging desired outcomes, user experience goals, response actions, and notification trees.”
Conduct a gap analysis
Your organization may already have some of the necessary capabilities in-house to achieve your goals, says Remes. The next step is to identify the areas where your organization is strong and the areas that need improvement.
Perhaps the organization is already effective at managing vulnerabilities and has an efficient security dashboard that provides insight into ongoing events. On the other hand, it may lack threat hunting and incident response capabilities. Once you identify the gaps, you can create a plan to address them internally or externally.
Get the right talent on board
Some of the essential capabilities of a SOC include security monitoring and testing, alert prioritization, incident response, security management, remediation, threat hunting, investigation, and more. These competitions are more than just sets of tools: they engage the brains behind the keyboard.
The people you need might already be within your organization but working in fields related to system administration or security.
Hiring internally can often be a good option. “Understanding the environment is essential because you can’t respond in an environment you don’t know,” says Remes. “It won’t be as efficient as people who are less security trained but really know the organization.”
Depending on the nature of the enterprise technology environment, the SOC will need to have team members with a variety of skills. Experience could be needed in everything from modern operating systems to mainframes and legacy systems to cloud architecture.
Incorporate essential data sources
A SOC is basically a way of analyzing and responding to the flow of data from across the organization. For a new SOC, the initial data sources should come from the most sensitive and business-critical systems.
Swimlane’s Lyborg advises executives creating a newly minted SOC to consider data type and taxonomy. It is also important to create a common data model to speed up the integration of tools and simplify the mapping of information. Data typically flows not only from security toolsets, but also from servers and endpoints, multiple cloud environments, on-premises systems, network and infrastructure operations, and identity management systems.
[Read also: 5 steps to securing your organization’s ‘crown jewels’ of data]
To map data sources, Shpantzer advises considering where they are physically located: “Are they on premises? Are they in cloud systems? And do I have the data engineering skill set, either in-house or consulted, to essentially create what some people would call a data pipeline, to get those logs from various modern and old-school methods?
Adopt the latest tools
The sensible thing to do is to get a solid set of core capabilities running first and build from there. For a new SOC, first build security monitoring and event detection into your response capabilities. Once the essentials are in place, it’s time to consider adding more advanced capabilities, such as threat hunting, red teaming, forensics, and threat intelligence, among other specialties.
In a 2021 survey, the SANS Institute found that SOCs most frequently use tools and tactics, such as virtual private networks (VPNs), security information and event management (SIEM), email security, anti-malware, vulnerability remediation , host-based detection and response. , firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS). This suite of tools demonstrates that the majority of respondents were interested in keeping their SOC communications secure while also providing threat monitoring, attack prevention, and incident response.
Decide what to outsource
With millions of unfilled information security positions unfilled, it may be more practical and profitable for organizations to outsource tasks that cannot be easily assigned in-house.
Security architects and engineers should interview the various business units to identify how they want to interact and communicate with the security operations teams.
The SANS survey found that 38% of respondents operate their SOC in-house 24 hours a day; 15% fully outsource their SOC; and 31% use a combination of internal and outsourced monitoring. To control costs, 16% do not operate their SOC 24/7.
Organizations often do not have enough work to keep dedicated specialists busy. Therefore, many outsource specialized skills as needed. The most frequently outsourced jobs include penetration testing, red teams, forensics and threat intelligence, according to the SANS survey.
Strive for continued maturity
Once a SOC is up and running, the priority shifts to adding capabilities, maturing existing capabilities, and optimizing operations over time. A best practice framework can help immediately identify essential capabilities and measure maturity. Common frameworks include the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), Miter’s ATT&CK Framework, and the SOC Maturity and Capability Model (SOC-CMM).
[Read also: 5 charts that show why it’s better to prevent a cyberattack than fight one]
In general, a SOC will mature as more capabilities are added, more operations can be automated, security covers an increasing share of an organization’s critical assets, and threats are prioritized and mitigated based on business risk. .
“It’s important not to expect too much too quickly,” says Remes. “It’s not going to be a switch that flips. It will start basic and very manual and become more operational and automated over time.”
In short: Don’t let the perfect be the enemy of the good. After all, building an agile security operations team is a marathon after the initial sprint.
