Article

Rick McElroy
Rick McElroy 30 April 2018
Categories

Building a High-Speed Security Operations Centre SOC

As a Security Strategist, I am aware that when an incident occurs, the speed of your response will dictate the extent to which you can minimise the impact. Every second counts, and while the clock is ticking, the cost of the breach is rapidly increasing.

Breaches that take over 30 days to contain cost companies an extra $1 million, and depending on the severity, it can cost even more. Minimising dwell time is the name of the game; the faster you can identify root cause, the faster you can remediate. So, how can you transform your security operations centre (SOC) into an intelligence-driven operation that can hunt for zero-day threats? Here I will talk about different components such as mastering security basics, organising your team effectively, and evolving your SOC with each new attack.

A highly efficient SOC enables its skilled defenders to harness both advanced automation and human insight to combat the ubiquitous threat of cybercrime. A high-speed SOC must excel in many different areas of security operations to ensure that valuable time is not handed over to the adversary. It is crucial for security professionals to understand that the ability to operate an agile, intelligence-driven SOC is dependent on your organisation’s answer to the following four questions:

What Are The Basics We Need To Master First?

Speed is only built on a strong security foundation. A process is only able to be automated once it has been perfected by your team. Automating a process that your team does not fully understand will create blind spots and likely decrease your visibility as you attempt to scale. Before tasking machines with processes that are key to your security, make sure you understand all the weaknesses of your current posture.

  1. Have you minimised your attack surface?
  2. Have you inventoried every asset?
  3. Are your systems being properly patched?
  4. How would you know if they were not?

Organisations must not only master the basics of security and achieve speed, but strive for complete visibility across their environment, and the continuous monitoring of every event.

How Can I Efficiently Organise And Lead The People On My Team?

Organising your team to protect your environment with agility is a difficult task with all the varied skills and challenges related to traditional SOC structures. Efficiency starts with breaking down the structures seen in traditional SOCs. Success can be found by moving beyond an operation that focuses solely on event analysis. Take the example of Red Canary, which has created amazing innovation within its security team and around the investigation process. Red Canary has included its Intel team in engineering efforts, engineers in analysis efforts, and so on. Rather than assigning each team member a label to exclusively focus on, each person has a core ‘practice.’ They still develop and improve within their practice, but they are also challenged to engage with other functions in the SOC.

How Can Technology Help Streamline Our Detection and Response Processes?

Technology can help you to proactively hunt threats across your enterprise, as well as rapidly drill down to the root cause of the threat, and ultimately reduce attack dwell time. Security professionals use technologies like Carbon Black’s Cb Response to validate their hunting hypotheses and create automated watchlists to generate custom alerts for suspicious patterns they identify.

In the case of malicious attacks, it can take over 9 months on average to properly identify the root cause of an incident and contain it. Cb Response allows analysts to visualise the complete attack kill chain and then respond and remediate the attack within minutes, without having to manually aggregate and sift through relevant raw data post-incident. It allows you to safely isolate an infected host and then obtain secure direct access to that endpoint to continue your investigation.

How Can My Entire SOC Evolve With Every New Attack?

In a Verizon report, 88% of breaches fell into one of nine patterns that had existed three years prior. Attackers know that legacy antivirus products can be easily bypassed by making slight changes to avoid being identified as “known bad.” However, utilising patterns of attack to connect the dots between IOCs and all other system events, SOC analysts and incident responders can gain a full understanding of the precise sequence of events as a cybercrime unfolds.

There is clear cause-and effect insight into where an attacker gained access, what he tried to accomplish, how he attempted exfiltration and, ultimately, what the exact root cause of the attack was. Without this contextual understanding of the attack, an incident responder would lack any additional insight into how the organisation could be better protected in the future.

Overall, with a high-speed SOC, your organisation can avoid addressing the same threats over and over. This means more time hunting new threats and less time constantly policing known areas of risk manually. The future SOC is not technology, per se; it is people, intelligence, and automation to allow for a rapid response to a threat.

Please login or register to add a comment.

Contribute Now!

Loving our articles? Do you have an insightful post that you want to shout about? Well, you've come to the right place! We are always looking for fresh Doughnuts to be a part of our community.

Popular Articles

See all
The Challenges of Customer Lifetime Value (CLV)

The Challenges of Customer Lifetime Value (CLV)

We all agree Customer Lifetime Value is important, but there’s not much agreement after that. This blog is about the challenges of Customer Lifetime Value (CLV). CLV is a fantastic concept but defining that value and...

Peter Rivett-Jones
Peter Rivett-Jones 24 May 2023
Read more
How to Review a Website — A Guide for Beginners

How to Review a Website — A Guide for Beginners

Whether you're a startup or an established business, the company website is an essential element of your digital marketing strategy. The most effective sites are continually nurtured and developed in line with...

Digital Doughnut Contributor
Digital Doughnut Contributor 7 January 2020
Read more
7 reasons why social media marketing is important for your business

7 reasons why social media marketing is important for your business

Social media is quickly becoming one of the most important aspects of digital marketing, which provides incredible benefits that help reach millions of customers worldwide. And if you are not applying this profitable...

Sharron Nelson
Sharron Nelson 6 February 2018
Read more
Exploring the Rapid Growth of Mobile App Development

Exploring the Rapid Growth of Mobile App Development

Smartphones have included mobile applications for more than ten years. The fastest-growing area of the mobile industry is the mobile app market. Only a few app developers were aware of the potential market opportunity...

Prashant Pujara
Prashant Pujara 24 May 2023
Read more
The Top Ecommerce SEO Trends for 2023

The Top Ecommerce SEO Trends for 2023

As we approach the midpoint of 2023, ecommerce businesses face an increasingly competitive landscape. To stay ahead of the game, businesses must focus on optimizing their online presence for search engines. Here are...

Jagdish Mali
Jagdish Mali 23 May 2023
Read more