Five key considerations when developing a Security Operations Center
Ensuring access to a reliable feed of threat intelligence through a security operations center (SOC) is an essential element of many organization’s security strategy today. However, establishing a SOC is a complicated endeavour, particularly when it comes to balancing budget and resource limitations in an increasingly complex security landscape. Even businesses that have already set up a SOC can find it challenging to know how best to prioritise investments to mature the SOC and evolve to the next level.
A common issue encountered by organizations is too much focus on investing in technology to solve the problem while not accounting for people and process costs. Technology traditionally is an area that is much more easily quantifiable than elements like personnel, making it easier to request funding for from the board. However, simply spending all the security budget on the Ferrari of tools will do little to combat threats without accounting for the people and process.
Instead, organizations should start with the following five key considerations if they are to get the most out of their SOC.
1. Understanding intelligence inside-out
A SOC is only as good as the fidelity and trust of the data that feeds the tooling and operation. Whether maturing an existing, or planning the design of a new SOC, it is critical to define the availability and trust of intelligence that will be leveraged internally and externally of the organization.
Intelligence data can range from traditional security tools, such as perimeter firewalls, to the more contextually elaborate, including user and entity behaviour characteristics. Importantly, threat intelligence also falls into categories of the tactical, strategic and operational as different audiences inside the organization may have varying priorities of the intelligence they need per their roles.
Each source of data has strengths and weaknesses, whether these are blind spots or biases. Breadcrumbs of intelligence mean little without sufficient context allowing an individual to take the appropriate action. The technical clues of an attack paint a picture but, for example it is understanding the human behaviour of the attacker(s) that can help tie the clues together to action a suitable response.
Tactical data becomes meaningful when applied to the strategic knowledge the team can gather about the tools and tactics used by attackers. Operational intelligence uses context and tactical intelligence to put a solution in place to help prevent, detect and respond more effectively.
Understanding the organizational value and gaps in threat intelligence may benefit greatly by taking into account the recorded actions taken by the analysts throughout an investigation. A post-mortem, following security incidents, also provides incredible value of intelligence to drive improvements to technologies and processes.
2. Roles and responsibilities
A mistake observed globally across organizations is to purchase intelligence sources but not account for the people and process that enables identification, action, resolution and contextual value from these sources.
A SOC team should be encouraged to have clear delineation of responsibilities that enable them to continuously improve operations. An operated model supported with a documented RACI and processes is an important success factor for an operation to be consistent and scalable. As an example, a threat intelligence analyst may review and categorise data and events into an organization prioritised use case library and may follow documented process for communicating the use cases to triage analysis and tool engineering. Frameworks such as STIX/TAXII and CybOX provide a strong foundation to leverage cataloguing what data is relevant and how to communicate the data with peers to strengthen the roles and responsibilities of the SOC.
Defined and documented roles and responsibilities in the SOC should align to enable the SOC service catalogue. Services linked to identification, escalation, response, engineering, communication and reporting help mitigate that new threats or issues are missed because of assumptions of responsibilities or breakdown in following processes. Larger enterprises may have a head count supporting each role in the operating model, but smaller security teams must find ways to provide the same service coverage and achieve agility within operations.
3. Solutions to enhance decision making
There are several tools that can be considered essential related to asset management, intrusion detection, vulnerability management, behaviour monitoring and security information and event management.
The sheer volume of threat intelligence data can easily become overwhelming, and it’s a commonly observed challenge to find businesses have invested in a SOC based on a specific technology but are then unable to efficiently manage the tool or investigate the volume of alerts which require investigation. With limited budgets, planned SOC investments into technology are often hindered, and produce cost waste as new problems are identified that were not accounted for in the budgeting cycle. On a threat related front, it may also reflect that true positive threats to the business are lost in the noise of hundreds of other warnings that are pulling security analysts attention away from the true threat.
Organizations must determine what intelligence holds the highest priority for safeguarding their operations and implement tools that can fine tune how data is received to better produce actionable insight. This can help be addressed by dissecting what type of intelligence is being collected and reviewed. Questions to think about… Does the intelligence provide accurate intelligence about the actor(s)? Intelligence on insider risk scoring? Geographic? Intelligence with a vendor technology bias?
4. Beware of automation
Automation is extremely beneficial but easier to advocate than execute.
Globally, automation is a critical part of the security maturity journey, with operations moving to a more adaptive security model. Organizations who have powered inhouse SOCs for years or utilise a heavily outsourced model are looking to lower process handling times and cost. Agnostic of where an organization is in their security maturity journey or size, all are exploring reducing cost while increasing the speed from incident detection to remediation.
Automating existing intelligence functions to improve investigative speeds and efficiencies is an invaluable part of the SOC maturity journey. However, consideration must be given to where automation may hinder rather than help. There are examples where automation has disrupted security operations or negatively impacted the perception of security because key applications have unintentionally been hampered.
Effectively planning, documenting and communicating the requirements and desired outputs of the use cases that are qualified for automation will help the business see where benefits can be achieved, which will help gain support for the initiative internally. For peer units in IT outside of security, understanding how automation provides value and reduces capacity requests of their own team helps you build a strong business case to support funding.
5. Intelligence enabling security as a culture
While a top priority of threat intelligence is to assist identifying and defending against imminent cyber-attack, the insight provided by a SOC can be utilised for wider business transformation – especially when it comes to its security culture. The SOC may process a single source of intelligence and distribute the output, so it is relevant to differing departments within the business. This helps security become more tightly integrated with the business with value to contribute to topics such as pending mergers and acquisitions, strengthen the employee’s security knowledge, and application/product development.
Developing a world class SOC
Organizations are encouraged to balance their SOC strategy against budget and skill constraints. Many CISOs have the desired vision but the financial and available skill constraints impact the ability to establish quick wins and execute the vision. Leveraging third-parties to help support the advisory, transformation, and ongoing running of the operations in the vision are areas organizations can maintain predictable cost controls and tapping into the skill gaps that are required.
A well-chosen managed security services partner will be cost-effective for many organizations with smaller staffs and help alleviate concerns around maintaining an experienced staff in a demanding market. Larger enterprises with an established SOC may elevate their capability maturity by identifying core processes and technologies of their operations and leverage a MSS to establish a hybrid operating model to more effectively scale and maintain costs.
By assessing how intelligence is received, assessed and used by the organization, the company can determine how it can split operations and responsibilities between internal and external resources. Armed with this knowledge, business will be able to better invest in the best SOC sourcing model for their needs, whether they are establishing a security center for the first time or taking their existing operations to the next level.