Building a modern security operations center (SOC) is much more than assembling the latest equipment and then hiring a team of analysts. It’s an ongoing effort to stay on top of threats, be current with emerging technology and trends, and hire and keep the right talent.
At Exabeam’s Spotlight18 user conference, Stephen Moore, Exabeam Chief Security Strategist, led the panel discussion, “Building a Modern SOC” with SOC leaders from a number of high-profile enterprises.
The key takeaways from that discussion form a list of six essential steps for building a modern SOC.
1. Measure your successes… and your failures
SOCs are always playing catch-up—struggling to keep up with continuous alerts, while prioritizing those that matter. Often teams don’t have the time or the tools to measure their performance. But measuring successes, as well as failures, is critical to be a modern SOC. If you can’t demonstrate the value you’re adding to an organization, how are you going to justify your existence, let alone the need to expand your operation? And if you can’t show—even through failure—where the gaps exist in your operation, how can you ask for additional money or people to fill those gaps?
An effective SOC needs good metrics such as the number of threats, how issues were discovered and remediated, and the cost and time to investigate them. If your operation has legacy technology—with analysts jumping between multiple screens or waiting for answers from within your organization—then it’s likely there will be more failures than successes. After all, the average time it takes for a threat actor to move from one machine to another (breakout time) is just under two hours.
Do you have the right people, systems, and procedures in place that can mitigate a threat within this short timespan? Unless you have already adopted modern SOC technology and methods, it’s likely you’ll be reporting on the wrong things.
2. Hire the right people
It’s essential to hire the right people for your SOC. Of course, each person needs to have the right skill set and be a good fit for your organization. Do they also have the people skills and emotional intelligence?
Try hiring from within. For example, you might start by mentoring someone in IT who has Active Directory skills, enlisting them to help you with one of your projects. In doing so, you’ve opened a new career path for those who already have some of the skills you need. Also, consider a job shadowing program; without putting their current role at risk, staff can discover if they have the aptitude to work on your security team.
Consider using people with cybersecurity skills who are coming off of active military duty. Those who have served can be an excellent match. Also, consider local schools and universities that have cybersecurity programs. Undergraduates might serve as interns and often will consider returning to your organization after they finish their degree. And if your team is recovering from a breach, there could be new headcount to expand the security program. Having relationships with local schools and universities with cybersecurity programs (before the breach) can be an excellent source of help.
3. Be relevant
Stay current with technology and be on top of emerging threats. This is an ongoing effort that requires you to pay attention to many things:
- Get visibility into all of your assets. Where are they? Who is using them? Where are identities being used across your network landscape? What are common—as well as unusual—usage patterns?
- Keep in front of your management team while promoting your team’s abilities—including to sales, marketing, legal, and product development.
- Keep up with emerging tech in business and consumer trends. Make sure you’re involved when your company is researching new technologies and systems. If it’s developing a new product or service based on new technology stacks and operating environments such as the cloud, you’ll need to be involved early on to assess the risk profile.
- Stay ahead of your business, as well as the bad actors. Know your organization’s products and services. Don’t be an outsider to the business; understand those who bring in revenue for the company. Raise issues when you see potential risks that should be addressed.
- Promote your role. Be sure everyone knows how you can help and protect them. Maybe it’s through newsletters, demonstrations, presentations, meeting participation, and informal discussions. Make sure you’re perceived as someone who can help before, during, and after a security event.
4. Communicate laterally as well as vertically
SOCs are all affected by external resource constraints. Technical debt in other parts of your organization can interfere with your operations. Most organizations score poorly when it comes to keeping up with system patches, and even worse when it comes to asset lists.
Technical solutions such as central configuration managers are commonly used, but also commonly misconfigured or mismanaged. Your SOC requires help from the rest of IT, and should have a strong conduit into system patching, asset management, and configuration management. The exploits and weaknesses observed to give the adversary success must be prioritized and tracked across the organization.
Consider how you can improve the perception of your SOC. You might focus on improving visibility within your sales group. Sales teams are increasingly fielding questions about the security of the products and services they’re selling, especially as offerings are moving to hosted operations and cloud services. Suggest presenting at sales kickoffs or quarterly meetings. When communicating to your organization, your goal is to show how the SOC is relevant to your company’s success.
5. Know where the crown jewels are
No SOC has unlimited resources. In fact, most are understaffed and are perpetually catching up with their workload. There is simply too much noise relative to signal to pay attention to every security alert. The solution is to focus on those main threats most likely to cause issues, especially with regard to your organization’s critical assets—aka the “crown jewels.” Interestingly, this can often be an undocumented copy of a database or sensitive information, which is just as valuable.
Many organizations are involved in mergers and acquisitions and routinely absorb other businesses. With each acquisition comes another set of crown jewels, technical debt, and a political fight over which IT department is better. One of your priorities with an acquisition is to make sure the new assets are adequately protected during and after the transition. Remember that M&A activity is frequently accompanied by organizational changes and staff reductions—a source of retaliatory attacks by insiders.
Be sure your staff knows what they’re protecting and why. Without knowing what the real risk is when a breach occurs, they’ll continue to treat all incidents with the same level of urgency—not knowing that some are more critical than others. If staff is invested in your organization’s success, they’ll have greater job satisfaction and commitment. Transparency and open communication will give your team the knowledge they need to make critical decisions, and can make a big difference in how they view their roles.
6. Make appropriate use of your resources
Plainly said, your priorities are where you spend your time. If SOC analysts spend their time waiting on information, searching for assets, jumping between screens, and hoping for a return call, there will be negative outcomes.
Often, SOCs lack alert context and don’t have the information they need to quickly make the right decisions. A SOC requires the ability to jump from atomic indicator to the device or the human involved: IP to HOST to account (human) mapping. This saves time and allows the analyst to more easily and quickly identify the adversary.
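As an added illustration of the IP-to-host-to-account pivot described above (example code, not from the original post or Exabeam's products), the following resolves an IP indicator to the host that held the DHCP lease at the time of the alert, then to the account logged on to that host. The log formats, hostnames, accounts and the 24-hour staleness limit are constructed assumptions; the time-windowed lookup matters because an IP is often reassigned to a different host later in the day.

```python
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Constructed sample logs (not from the original post). Assumed formats:
# DHCP:  "<ISO time> lease <ip> <hostname>"
# Logon: "<ISO time> logon <hostname> <account>"
DHCP_LOG = """\
2024-03-01T08:00:00 lease 10.0.5.17 WS-FIN-042
2024-03-01T13:30:00 lease 10.0.5.17 LT-MKT-009
"""
AUTH_LOG = """\
2024-03-01T08:02:11 logon WS-FIN-042 acct_jdoe
2024-03-01T13:31:40 logon LT-MKT-009 acct_asmith
"""

def _parse(log: str):
    """Turn each log line into (timestamp, key, value)."""
    rows = []
    for line in log.splitlines():
        ts, _kind, key, value = line.split()
        rows.append((datetime.fromisoformat(ts), key, value))
    return rows

def latest_before(rows, key: str, at: datetime,
                  max_age: timedelta = timedelta(hours=24)) -> Optional[str]:
    """Most recent value recorded for `key` at or before `at`.
    Records older than max_age are ignored so a stale lease or logon
    is never trusted as context for a current alert."""
    best = None
    for ts, k, v in rows:
        if k == key and ts <= at and at - ts <= max_age:
            if best is None or ts > best[0]:
                best = (ts, v)
    return best[1] if best else None

def resolve_indicator(ip: str, seen_at: str) -> Tuple[Optional[str], Optional[str]]:
    """Pivot an atomic IP indicator to (host, account) as of `seen_at`."""
    at = datetime.fromisoformat(seen_at)
    host = latest_before(_parse(DHCP_LOG), ip, at)
    if host is None:
        return None, None
    account = latest_before(_parse(AUTH_LOG), host, at)
    return host, account
```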
Count the screens your analysts must use to do their jobs. Modern security tools easily connect to existing systems in your environment—collecting and evaluating indicators by using behavioral analysis and machine learning to uncover suspicious behaviors. Rather than chasing every alert raised by separate, isolated systems, the analyst can focus only on actual problems.
Once your analysts have been alerted to unusual and suspicious behaviors, they can immediately focus on threat mitigation. Common incidents should be added to electronic playbooks, with responses being partially or fully automated, depending on organizational readiness and buy-in.
The power of user and entity behavior analytics and machine learning to identify security risks
Among state-of-the-art cyber solutions available today, the best centralize data feeds and logs across your network and assets, then apply user and entity behavior analytics (UEBA) and machine learning to surface security risks. Using threat scores, then generating alerts only for those that exceed the predetermined threshold, conserves analyst resources.
Consider security solutions that also have:
- Threat hunting tools to help your analysts probe unusual events (going beyond traditional alerting mechanisms) to determine their risk in near real-time.
- Automated playbooks to help mitigate threats as they’re exposed, so analysts can focus on what matters—without experiencing the burnout so common in SOCs that use manual discovery practices.
The Modern SOC
Many considerations go into building a security operations center. These six key approaches are essential as you build or expand your modern SOC.
See the Exabeam Webinar: “Is your SOC ready for battle?” for more information on what it takes to have a modern SOC.