InfoSec Insider

7 Tips for Maximizing Your SOC

It takes a special sort of person to be a security analyst. The person must be detail-oriented, curious, intelligent and hard-working, and must react quickly as constant attacks unfold. These analysts have deep expertise that they use during their long shifts to sort through what’s worth investigating and what can be safely ignored. They are an impressive bunch, but they are only human.

The challenges facing the security operations center (SOC) are numerous: Today’s volume of cyberattacks and network activity makes it impossible for analysts to monitor all security alerts, and they are given only enough time to consider very few factors for the alerts they do look at. This results in missed incidents, long dwell time for attackers and many false positives that waste the security team’s time and attention.

This reality reduces the security posture for the enterprise. It takes the typical organization 197 days to identify that their IT environment has been compromised, the Ponemon Institute found in its 2018 Cost of A Data Breach Study. The total cost of containing, investigating and repairing a breach averages $3.86 million, or $148 per lost or stolen record.

In general, the cost of a breach is proportional to how long it goes on undetected. The more quickly the breach is discovered and contained, the lower the overall cost to the victim. Incidents that are fully resolved within 30 days cost an average of $1 million less to remediate than those taking more time. Unfortunately, the trend is moving in the wrong direction, as it’s taking companies longer to identify and contain the data breaches they’re being confronted with than it did last year.

Put simply, there are three primary barriers that prevent security analysts from being able to make instant decisions as data is streamed in real time:

  • Excessive information and data to process.
  • Insufficient meaning—we don’t understand what the data is telling us, and the log files often don’t contain useful information.
  • Inadequate memory—we can’t remember details from two hours ago, let alone days, weeks or months earlier.

1. Make your data work for you.

Are you getting real value from all that data you’re collecting? If you’re not using it to inform decision-making logic, it’s not doing you any good. With today’s security operations software, autonomous analysis is possible, and this can give you the opportunity to make a revolutionary change in how you use log data. What’s important is how well you monitor, employ and analyze it to recognize malicious activity in your environment.

2. Join the small data movement.

Some SecOps teams collect information from more than a hundred data sources – monitoring everything from endpoint operating system events to router status logs. But more than 99.99 percent of this data is never put to any use. This dramatically increases your costs without appreciably improving your security posture. A better method is to collect only what you need and then actually use it.
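Tips 1 and 2 describe the same pipeline from two sides: keep only the data that feeds a decision, then let software do the first pass so an analyst sees a few prioritized cases rather than thousands of raw events. The following Python sketch is an added illustration and is not code from the article or from Respond Software. It runs over a constructed list of events; the allowlist of useful signatures, the five-minute deduplication window and the six-hour correlation memory are assumed values a team would tune, not figures from the article. It also addresses the three barriers listed earlier: volume (filtering and deduplication), meaning (per-host cases with a score) and memory (chaining an event at 11:30 to one at 08:05 on the same host).

```python
"""Illustrative alert-triage pipeline: drop noise, deduplicate, and keep
long-horizon memory so analysts see a handful of prioritized cases instead
of thousands of raw events.  Added example; all sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source, host, signature, severity)
RAW_EVENTS = [
    ("2018-09-01T08:00:00", "router", "r1", "interface_status", 1),
    ("2018-09-01T08:00:05", "router", "r1", "interface_status", 1),
    ("2018-09-01T08:01:00", "endpoint", "ws-17", "failed_logon", 2),
    ("2018-09-01T08:01:02", "endpoint", "ws-17", "failed_logon", 2),
    ("2018-09-01T08:01:04", "endpoint", "ws-17", "failed_logon", 2),
    ("2018-09-01T08:05:00", "endpoint", "ws-17", "new_service_installed", 3),
    ("2018-09-01T11:30:00", "endpoint", "ws-17", "outbound_connection_rare_domain", 3),
    ("2018-09-01T08:10:00", "endpoint", "ws-42", "failed_logon", 2),
]

# "Small data": only signatures that actually feed a decision are retained.
# This allowlist is an assumption for the example, not a recommendation list.
USEFUL_SIGNATURES = {
    "failed_logon",
    "new_service_installed",
    "outbound_connection_rare_domain",
}


def parse_ts(s):
    return datetime.fromisoformat(s)


def filter_noise(events):
    """Tip 2: discard data that will never be used (here, router status)."""
    return [e for e in events if e[3] in USEFUL_SIGNATURES]


def deduplicate(events, window=timedelta(minutes=5)):
    """Collapse repeats of the same (host, signature) within `window` into one
    alert carrying a count, so three failed logons become one line, not three."""
    events = sorted(events, key=lambda e: e[0])  # ISO-8601 strings sort chronologically
    out = []
    last = {}  # (host, signature) -> index of the open alert in `out`
    for ts, _src, host, sig, sev in events:
        t = parse_ts(ts)
        key = (host, sig)
        if key in last and t - out[last[key]]["last_seen"] <= window:
            out[last[key]]["count"] += 1
            out[last[key]]["last_seen"] = t
        else:
            out.append({"host": host, "signature": sig, "severity": sev,
                        "first_seen": t, "last_seen": t, "count": 1})
            last[key] = len(out) - 1
    return out


def correlate(alerts, memory=timedelta(hours=6)):
    """Per-host memory: chain alerts that fall within `memory` of each other
    into one case whose score is the sum of severities.  This is the
    "we can't remember two hours ago" barrier handled by software."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["first_seen"]):
        by_host[a["host"]].append(a)
    cases = []
    for host, items in by_host.items():
        current = None
        for a in items:
            if current and a["first_seen"] - current["last_seen"] <= memory:
                current["alerts"].append(a)
                current["last_seen"] = a["last_seen"]
                current["score"] += a["severity"]
            else:
                current = {"host": host, "alerts": [a], "score": a["severity"],
                           "first_seen": a["first_seen"], "last_seen": a["last_seen"]}
                cases.append(current)
    # Highest-scoring case first: that is what the analyst should open.
    return sorted(cases, key=lambda c: c["score"], reverse=True)


def triage(events):
    """Full pass: 8 raw events -> 6 useful -> 4 alerts -> 2 cases."""
    return correlate(deduplicate(filter_noise(events)))


if __name__ == "__main__":
    for case in triage(RAW_EVENTS):
        sigs = ", ".join(f"{a['signature']}x{a['count']}" for a in case["alerts"])
        print(f"{case['host']}: score {case['score']} [{sigs}]")
```

The point of the ordering is that each stage removes work from the next: filtering cheaply cuts volume before any state is kept, deduplication keeps the correlation state small, and correlation is what turns "three failed logons, a new service and a rare outbound connection" into one case for ws-17 that outranks the lone failed logon on ws-42. In a real SOC the allowlist would be derived from the detections the team actually acts on, which is the practical answer to "which logs should be monitored".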

3. Measure what’s relevant.

No matter how large the enterprise it belongs to, and no matter how much the business has invested in security technologies, some attacks will always succeed. Infosec leaders often produce metrics that demonstrate how hard they’re trying to prevent breaches—which is not really relevant anymore. And CISOs often use threat metrics to justify their (traditionally underfunded) budgets. Instead, leaders need to ask more penetrating questions about the value they derive from their investments in security operations.

4. Prepare to expect the unexpected.

Cybercriminals will try to target vulnerabilities that they know are considered low-priority risks. These weaknesses are so numerous, and so often unexpected, that it’s nearly impossible to anticipate all the attacks that can be launched against them. Tabletop exercises and red teaming can be tremendously valuable in this area. What is your mega-breach response plan?

5. Don’t rely on peer organizations; instead, reimagine active defense.

The procedures and workflows used to safeguard our businesses are, for the most part, simply not working. Much of the thinking – and benchmarking – that your fellow business leaders do centers on the concept of having reasonable protections in place. Instead, we must reimagine what it means to defend ourselves in a digital world. Successful defense requires you to take an active and anticipatory approach to the inevitable attacks you will experience.

6. Stop merely managing human failures.

Analysts and managers make a hard job harder when they conceal operational failures, fail to disclose known vulnerabilities or create a dishonest organizational culture. Instead, make your SOC a place where employees can be honest about what they find without worrying about getting fired. Incorporating automation and security analysis software at the points in your SOC where human failures commonly occur can greatly improve its overall operational efficiency and effectiveness.

7. Language matters.

It’s not a “virus” – a rapidly multiplying microscopic parasite – that’s on your network. And it’s not just “malware” – something inanimate – that’s in your environment. There are human criminals taking deliberate action, via malicious code, and their intent is to do you harm. We need to recognize the seriousness, gravity and human origin of the threat.

Cyberattacks will persist, and fighting them will remain a constant battle. Use the seven points listed above to create an effective and efficient operational workflow and, importantly, happier analysts who aren’t buried at the bottom of a pile of mostly irrelevant data.

Chris Calvert is co-founder of Respond Software.

Discussion

  • chintan savai on

    I totally agree with all these points. However, the important question is how to decide what logs to be sent to SIEM? With the introduction of IoT, clouds and other digitisation initiatives, it is difficult to decide what to monitor and what not. It is important to collect Sysmon logs from endpoints, but they tend to generate noise. Which should be the driving factor in deciding which logs should be monitored? Should it be aligned to the organisation’s security goals? These goals are also generic in nature.
  • Justin McGuire on

    I hope that if I end up working in a SOC, the individual managing it shares your opinions. I like that you brought up how "language matters". One thing I keep hearing about is how difficult it can be for people on the security side of an organization to properly convey to others what the threat landscape is and why certain resources are needed. Being new to the field I can totally understand why that is difficult. I very clearly remember feeling like half of what I was trying to learn was in a different language.
  • SisalMakonge on

    I vigorously agree with these points. Spot on!
  • Timothy Seki on

    Totally agreed with these points!
  • Joe on

    Having worked in a SOC for a few years, I found most people left due to a highly toxic environment. Oftentimes you're surrounded by a manager with little to no technical ability, screaming at you to stop DDoS attacks, not knowing what they are. Hiring folks to meet a quota. Giving shift leads too much power and control. I've seen people burn out looking at 10,000 alerts per day. SOCs need to be run properly, and "properly" means different things to different people. Great list.
