Security / November 15, 2018

SOC it to ‘Em — The Powerful Punch of Promoting Efficiency in the Modern Security Operations Center

No industry suffers more from the over-proliferation of tools and solutions than cybersecurity. We talk to customers in every industry who ask for guidance on how to sort through the mire of products and technologies that they hope will protect their businesses and their customers. In the security software realm there is a “Hometown Buffet” of possibilities that would give anyone option anxiety. To whittle it down, there are three areas a business needs to review when making cybersecurity decisions:

#1. I Forgot My Lunch! Identify the Organization’s Cyber Risk Appetite

Cyber risk is a real element at the center of every modern business. A cyber risk appetite plan means looking at the types of cyber risk the company faces, deciding which risks can be tolerated and devising a plan to mitigate those that cannot. The monetary stakes are quantifiable: how much a bank can sustain in fraud losses, for example, or how much a retailer decides to budget for legal fees.

C-suite leaders are also trying to assess the extent to which their companies can tolerate more intangible losses such as reputation, market position, non-compliance disruptions and a weakened competitive advantage resulting from attacks. Take the Equifax breach of 2017; Equifax is still defending itself in the marketplace to regain trust. Lost sales because of lost customer trust are an example of an intangible, but significant, risk.

Knowing a company’s risk tolerance positions the company to make decisions that not only account for, but mitigate, the cyber risk.

#2. You Mean We Have to What? Understand Compliance Drivers

Whether it is a regulation guarding privacy, such as the medical industry’s HIPAA, or preparing to meet the new GDPR standards in the EU, acknowledging known compliance parameters gives a second-layer picture of which security measures to employ and to what degree.

#3. Oh Yeah, Man, I Got This! I’ve Got Mad Skills! Assess the Organization’s Existing Capabilities

Now is the time to take inventory and assess a company’s own capabilities to protect itself. Who are the personnel dedicated to cyber risk, and what are their levels of expertise? Does the company require outsourcing for help? Scan the whole enterprise for its unique strengths and weaknesses and determine its ability to execute security protections and solutions as a whole.

Pull Up Your SOCs and Let’s Get Moving

One of the assets a company might invest in is a dedicated Security Operations Center (SOC). Although most companies have security IT professionals, the “Modern SOC” serves a slightly more nuanced purpose.

SOCs formerly gathered events from firewalls, anti-virus and two-step authentication and correlated them to find attacks in a network. As SOCs evolve and gain access to more intelligent tools, such as Gigamon Insight, they have begun to move more along the lines of “threat hunting.”

The modern SOC combines event data with network data and delivers the additional information that gives the analyst a deeper view of the anomalous activity taking place. These centers aggregate data to understand, enrich or give context to the patterns captured, so that clear pictures and courses of action emerge for stakeholders.

Whether a company is building a SOC, or improving one they already have, there are some key points to consider to create one that yields an evolved security posture:

Build Communication Between Network Operations and Security Operations

Security teams are all too often siloed in organizations. There is not necessarily an automatic flow of communication between the SOC and other aspects of the business. The work done in the SOC might be setting policy that affects other departments or, specifically, jobs. A great SOC will be proactive in finding and creating avenues for communication between the SOC and Board of Directors, executive leadership, personnel and even customers.

SOCs need to work to establish two-way communication with the network operations teams to optimize effective prevention of and response to threats. The SOC needs to have visibility in the network, and network operations need to be part of the conversation around which security measures and compliance directives are essential. Security operations cannot underestimate the amount of work that happens on the network side. Bring them flowers and cookies if necessary, but make nice.

Alexa! Secure the Network! Consolidating Tool Sprawl?

While communicating with various departments about security policies that protect the company, SOCs need to provide guidance. Setting up a range of tools that can be managed in a single interface will cost less and make solutions more efficient. A SOC can earn its keep by finding overlapping, complementary tools. A SOC needs flexibility and extensibility in the tools it acquires. Tools with robust APIs are a must.

There’s an App for That – Automating Security Related Tasks

Let’s agree that SOC teams face some of the most difficult and high-stake work in the business. Automating security-related tasks will increase efficacy, reduce costs and prevent future losses.


SOC teams need a base of knowledge they use to prevent, intercept and analyze threats. Look for applications that educate SOC analysts while they do their job. Applications such as Gigamon Insight not only guide the analyst through the steps, but give clues for threat hunting while automating the process on a continually improving trajectory.


From the moment there is an alert of an incident to the closing of that incident, using defined, repeatable processes in the SOC builds trust and confidence throughout the organization. When there is an event, who does what? A company might decide that a first-line analyst handles triage, the second delves into a deep investigation, while a third handles malware analysis. What are the triggers that escalate the incident? How do teams hand off information between shifts or various parts of the globe? Look for software designed and tuned to establish clearly defined processes in the SOC program.

Communication and Interaction

Automatic interaction and communication with all parts of the business saves time and money, and prevents attacks. Say a confidential file was inadvertently emailed to a home email address — there may be rules and guidance from a risk team, there may be legal, HR or compliance considerations and there may be PR concerns — effective communication is essential and automated procedures put it into motion.


Metrics are where automation earns the big bucks. Getting a picture of exactly how a security operations team is detecting, responding and recovering from attacks is crucial. CEOs and executive boards are interested in the big issues of security in their companies in a way they never have been before. The SOC needs to mine the right data to produce the key information that will prevent attacks. Most importantly, they need a way to process and manage that data in a digestible format for the non-technical executive.
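The tiered, repeatable process and the executive metrics described above, as an added example that is not part of the original post and not Gigamon Insight code: a small incident-tracking model where first-line triage hands off to investigation and then malware analysis, an escalation trigger moves alerts between tiers, and a metrics function turns the resulting records into the numbers a board would ask for. The severity scale, the one-hour tier limit and the three sample alerts are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean
from typing import List, Optional, Tuple
# Hand-off order from the post: first-line triage, deep investigation, malware analysis.
TIERS = ("tier1_triage", "tier2_investigation", "tier3_malware_analysis")
MAX_TIER_TIME = timedelta(hours=1)  # constructed rule: one tier may hold an alert this long

@dataclass
class Incident:
    ident: str
    severity: str                   # "low", "medium" or "high" (constructed scale)
    alerted: datetime               # when the alert fired
    handoffs: List[Tuple[datetime, str]] = field(default_factory=list)  # last entry = owner
    closed: Optional[datetime] = None

def escalate_if_due(inc: Incident, now: datetime) -> Optional[str]:
    """Constructed trigger: 'high' escalates at once, others after MAX_TIER_TIME in one tier."""
    if inc.closed or not inc.handoffs:
        return None                 # closed, or nobody has picked it up yet
    since, tier = inc.handoffs[-1]
    idx = TIERS.index(tier)
    if idx == len(TIERS) - 1:
        return None                 # already with malware analysis; nowhere further to go
    if inc.severity == "high" or now - since > MAX_TIER_TIME:
        inc.handoffs.append((now, TIERS[idx + 1]))
        return TIERS[idx + 1]
    return None

def soc_metrics(incidents: List[Incident]) -> dict:
    """Board-level numbers: mean minutes to triage and to close, share of alerts escalated."""
    minutes = lambda start, end: (end - start).total_seconds() / 60
    triaged = [i for i in incidents if i.handoffs]
    closed = [i for i in incidents if i.closed]
    return {
        "mean_minutes_to_triage": mean(minutes(i.alerted, i.handoffs[0][0]) for i in triaged),
        "mean_minutes_to_close": mean(minutes(i.alerted, i.closed) for i in closed),
        "escalated_fraction": sum(len(i.handoffs) > 1 for i in triaged) / len(triaged),
    }

def at(minute: int) -> datetime:  # minutes after a constructed 09:00 shift start
    return datetime(2018, 11, 15, 9, 0) + timedelta(minutes=minute)

def demo() -> dict:  # constructed sample: three alerts on one shift, run through the rules above
    a = Incident("INC-1", "high", at(0));    a.handoffs.append((at(5), TIERS[0]))
    b = Incident("INC-2", "low", at(10));    b.handoffs.append((at(20), TIERS[0]))
    c = Incident("INC-3", "medium", at(30)); c.handoffs.append((at(36), TIERS[0]))
    escalate_if_due(a, at(6))       # high severity: straight to investigation
    escalate_if_due(b, at(40))      # 20 min in triage: stays put
    escalate_if_due(b, at(90))      # 70 min in triage: escalates
    c.closed = at(50)
    return soc_metrics([a, b, c])
```

The same record of hand-offs that drives escalation is what a shift or regional team would read when taking over an open incident.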

And, Your Point?

The upshot of my conversations with customers in these meetings has been to look at:

  • Is there two-way communication between my organization and security operations?
  • Are security tools making data management effective and efficient?
  • Can we automate more tool deployment and response?

The answers are harder to bullet-point. There is no secret formula for an efficient SOC. Gone are the days of simply managing security tools, day in and day out. No longer is the SOC a group of technical types, huddled in a corner trying to put all of the data together and find bad guys. What is clear is that a business must integrate and consider the SOC in every aspect of organizing, planning and working.

This is the era of the “Ascendancy of the SOC,” as it takes its rightful place in a company’s workflow. Going forward, companies will be unable to compete without prioritizing an effective SOC as one of the cornerstones of their business.
