For anyone responsible for maintaining their organization’s security posture, the findings from the SANS 2018 Security Operations Center (SOC) Survey should come as no surprise.
Among the highlights, respondents reported a continued breakdown in communication between Network Operations Center (NOC) and SOC teams, and a lack of dynamic asset discovery procedures. Meanwhile, most organizations continue to perform manual event correlation even though SOC personnel are already spread too thin by mounting responsibilities and a shortage of qualified candidates to fill open positions.
While these issues have been a recurring theme for several years now, the most surprising revelation from the survey is that only 54% of respondents reported they actively use metrics to measure their SOC’s success. If this is the case, are all the other reported SOC deficiencies directly related to this deficiency?
I spent several years as a SOC analyst and SIEM engineer for a large MSSP, serving clients that ranged from Fortune 500 companies to small family-owned businesses. The diversity of these organizations quickly made one thing clear: not all security programs are created equal.
Naturally, larger organizations had a more mature security posture, and knew what they wanted and what it would take to get there. They also had the financial resources to achieve their goals. On the flip side, most smaller companies were severely understaffed, their IT department was also the security department, and they often lacked adequate funding.
Despite these differences, both large and smaller organizations struggled to measure the success of their security program. The root of the problem was not lack of resources, but rather the metrics being used to assess the performance of their security operations processes, procedures and people.
Choosing the right metrics, for large and smaller companies, is not a one-size-fits-all proposition. Instead, metrics must be aligned with the type of organization, its industry, size and attack surface. Visibility is a foundational requirement for establishing an effective security metrics program. This can be achieved using the following three steps:
1. Conduct a risk assessment
A risk assessment will help identify which assets need to be protected and why. A successful engagement will reveal an organization’s most valuable assets, how they could be attacked and the impact of a successful breach. These results also enable organizations to address their security deficiencies and provide a solid set of metrics that can be used to measure SOC performance over time.
2. Perform vulnerability assessments
Vulnerability assessments are a vital tool for detecting, prioritizing and remediating security weaknesses in an environment. All organizations, regardless of maturity, will benefit from these types of assessments, but organizations with a low to medium security posture may benefit the most. The results of these assessments help define which metrics an organization should track and what steps are necessary for continued SOC success.
3. Adopt a security framework
Every organization, including those that are not required to comply with any regulatory mandates or standards, should implement a security framework. Adopting a framework does not guarantee security, but it typically improves security maturity. Organizations that follow a framework are more likely to identify, contain, and recover from incidents faster than those that do not. Frameworks, in conjunction with the security assessments mentioned above, provide organizations with a blueprint for how best to protect their environment and measure success.
Completion of these three steps will supply an organization with extensive data about its environment, not all of which will be useful for deciding which metrics to implement. To choose the right metrics, make sure they are SMART: Specific, Measurable, Actionable, Relevant, and Timely.
In other words, they should be specific to what the organization is looking to accomplish, and accurate and complete so that they are measurable. The information obtained from a specific metric should also be clear and concise, making it actionable and, in turn, relevant to accomplishing the goal. And lastly, metrics must be available when they are needed to ensure a timely resolution to an incident or goal.
By gathering the right foundational data, following best practices and using the SMART structure to implement a security metrics program, organizations will have a tailor-made set of tools to measure and improve the performance of their SOC.