With nation-states, hacktivists, and other rogue actors steadily increasing the pace and sophistication of cyberattacks, many organizations cross a threshold when they find they can no longer adequately monitor, detect, and respond to threats. They eventually create a centralized way for security teams to share information and collaborate on defense and response, typically referred to as a security operations center (SOC).
To scale up security operations and build an agile SOC quickly and efficiently, Endpoint talked with a trio of experts.
“SOCs are not turnkey,” says Wim Remes, CEO and founder of consultancy Wire Security. “It’s not about buying a bunch of technology, putting a bunch of people on keyboards, and then expecting the SOC to perform,” he says. “It’s about building the essential capabilities first, then increasingly improving and expanding the SOC capabilities over time.”
Set your goals
SOCs don’t always have the same initial starting goals, says Gal Shpantzer, co-founder of virtual CISO consultancy Security Outliers. To learn what an organization is aiming for, he recommends asking a few questions:
- Who are the initial customers for the SOC?
- Is the goal to provide dashboards to executives, or compliance, or incident response?
- What are the expectations around monitoring, alerts, analytics, and response?
Answering these kinds of questions may be best left to the collective wisdom of the broader organization. That’s why interviews with multiple stakeholders can help uncover goals.
“Security architects and engineers should interview the various business units to identify how they want to interact and communicate with the security operations teams,” says Michael Lyborg, senior vice president of global security and enterprise IT at Swimlane, which advises companies on automating security operations.
“Then work backward by acknowledging the desired outcomes, user experience goals, response actions, and notification trees.”
Perform a gap analysis
Your organization may already have some of the necessary capabilities in-house to meet your goals, says Remes. The next step is to identify areas where your organization is strong and areas that need improvement.
Perhaps the organization is already effective at vulnerability management and has an efficient security dashboard that provides insights into ongoing events. On the other hand, it may lack threat hunting and incident response capabilities. Once you identify gaps, you can build a plan to address them in-house or externally.
Get the right talent onboard
The essential capabilities of an SOC include security monitoring and testing, alert prioritization, incident response, security administration, remediation, threat hunting, and research. These competencies are more than just tool sets—they involve the brains behind the keyboard.
The people you need could already be inside your organization but working in related fields of system administration or security.
Hiring internally can often be a good choice. “Understanding the environment is essential because you cannot respond in an environment that you don’t know,” Remes says. “You will not be as efficient as people who are less skilled in security but who actually know the organization.”
Depending on the nature of the business technology environment, the SOC will need to be staffed by team members with a diversity of skills. Expertise could be needed in everything from modern operating systems to mainframes and legacy systems to cloud architecture.
Incorporate essential data feeds
An SOC is basically a way to analyze and respond to the data flow from across the organization. For a new SOC, the initial data feeds should come from the most sensitive and business-critical systems.
Lyborg of Swimlane advises executives building a newly minted SOC to keep in mind the type and taxonomy of data. Also important is to create a common data model to expedite the integration of tools and simplify the mapping of information. Typically, data flows not only from security tool sets but also from servers and endpoints, multiple cloud environments, on-premises systems, network and infrastructure operations, and identity management systems.
To map the data sources, Shpantzer advises considering where they are physically located: “Are they on-prem? Are they in cloud systems? And do I have the data engineering skill set, either in-house or consulted, to create essentially what some people would call a data pipeline, to grab those logs from various old-school and modern methods?”
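As an added illustration of the common data model Lyborg describes (example code written for this article, not Swimlane's or any vendor's product), the block below maps two constructed events from different feeds, an sshd syslog line from an on-premises server and a JSON login record from a cloud identity service, onto one shared schema so a single correlation rule can count failures across both. The field names and the cloud record layout are assumptions for the example.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample events: an on-prem syslog line and a cloud identity audit record.
SYSLOG_LINE = "Jan 14 09:21:03 web01 sshd[4121]: Failed password for admin from 203.0.113.7 port 51022 ssh2"
CLOUD_EVENT = json.dumps({
    "eventTime": "2024-01-14T09:21:05Z",
    "eventName": "ConsoleLogin",
    "responseElements": {"ConsoleLogin": "Failure"},
    "userIdentity": {"userName": "admin"},
    "sourceIPAddress": "203.0.113.7",
})

# Syslog has no year, so the caller supplies one; the cloud record is already ISO 8601.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[\w-]+)\[\d+\]: "
    r"Failed password for (?P<user>\S+) from (?P<ip>\S+)"
)

def normalize_syslog(line: str, year: int = 2024) -> dict:
    """Map an sshd authentication-failure line onto the common model; {} if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {}
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"timestamp": ts.isoformat(), "source_type": "linux_auth", "host": m["host"],
            "user": m["user"], "src_ip": m["ip"], "action": "authentication_failure"}

def normalize_cloud(raw: str) -> dict:
    """Map a cloud console-login audit record (assumed layout) onto the same model."""
    ev = json.loads(raw)
    outcome = ev.get("responseElements", {}).get("ConsoleLogin", "")
    return {"timestamp": ev["eventTime"], "source_type": "cloud_identity", "host": None,
            "user": ev["userIdentity"]["userName"], "src_ip": ev["sourceIPAddress"],
            "action": "authentication_failure" if outcome == "Failure" else "authentication_success"}

def correlate(events: list) -> dict:
    """Count failures per (user, src_ip) across every feed; one rule works because fields are shared."""
    counts = {}
    for e in events:
        if e.get("action") == "authentication_failure":
            key = (e["user"], e["src_ip"])
            counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    print(correlate([normalize_syslog(SYSLOG_LINE), normalize_cloud(CLOUD_EVENT)]))
```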
Adopt the latest tools
It makes the most sense to get a solid set of core capabilities running first and build from there. For a new SOC, first incorporate security monitoring and event detection into your response capabilities. After the essentials are in place, it’s time to consider adding more advanced capabilities, such as threat hunting, red teaming, forensics, and threat intelligence, among other specialties.
In a 2021 survey, the SANS Institute found SOCs most commonly use tools and tactics such as virtual private networks (VPNs), security information and event management (SIEM), email security, anti-malware, vulnerability remediation, host-based detection and response, firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS). This tool set demonstrates that the majority of those surveyed were interested in keeping their SOC communications secure while providing for threat monitoring, attack prevention, and incident response.
Decide what to outsource
With millions of information security job openings going unfilled, it may be more practical and cost-efficient for organizations to outsource tasks that cannot be easily assigned internally.
The SANS survey found that 38% of respondents operate their SOC in-house 24 hours a day; 15% entirely outsource their SOC; and 31% use a mix of internal and outsourced monitoring. To control costs, 16% do not operate their SOC 24/7.
Organizations often don’t have enough work to keep dedicated specialists busy. Many therefore outsource specialized capabilities on an as-needed basis. The most frequently outsourced jobs include penetration testing, red teaming, forensics, and threat intelligence, the SANS survey found.
Strive for continuous maturity
Once an SOC is up and running, the priority shifts toward adding capabilities, maturing capabilities already in place, and optimizing operations over time. A framework of best practices can help identify immediately essential capabilities and gauge maturity. Common frameworks include the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), Mitre’s ATT&CK framework, and the SOC capability and maturity model (SOC-CMM).
In general, an SOC will mature as more capabilities are added, as more operations can be automated, as security covers an increasing share of an organization’s critical assets, and as threats are prioritized and mitigated based on business risk.
“It’s important not to expect too much too fast,” says Remes. “It’s not going to be a switch that’s flipped. You’ll start basic and very manual and become more operationalized and automated over time.”
In short: Don’t let the perfect be the enemy of the good. After all, building an agile security operations team is a marathon after the initial sprint.