Building a High-Speed Security Operations Centre (SOC)
As a Security Strategist, I am aware that when an incident occurs, the speed of your response will dictate the extent to which you can minimise the impact. Every second counts, and while the clock is ticking, the cost of the breach is rapidly increasing.
Breaches that take over 30 days to contain cost companies an extra $1 million, and depending on the severity, it can cost even more. Minimising dwell time is the name of the game; the faster you can identify root cause, the faster you can remediate. So, how can you transform your security operations centre (SOC) into an intelligence-driven operation that can hunt for zero-day threats? Here I will talk about different components such as mastering security basics, organising your team effectively, and evolving your SOC with each new attack.
A highly efficient SOC enables its skilled defenders to harness both advanced automation and human insight to combat the ubiquitous threat of cybercrime. A high-speed SOC must excel in many different areas of security operations to ensure that valuable time is not handed over to the adversary. It is crucial for security professionals to understand that the ability to operate an agile, intelligence-driven SOC is dependent on your organisation’s answer to the following four questions:
What Are The Basics We Need To Master First?
Speed is only built on a strong security foundation. A process is only able to be automated once it has been perfected by your team. Automating a process that your team does not fully understand will create blind spots and likely decrease your visibility as you attempt to scale. Before tasking machines with processes that are key to your security, make sure you understand all the weaknesses of your current posture.
- Have you minimised your attack surface?
- Have you inventoried every asset?
- Are your systems being properly patched?
- How would you know if they were not?
Organisations must not only master the basics of security and achieve speed, but strive for complete visibility across their environment, and the continuous monitoring of every event.
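The four questions above are only answerable if the SOC can reconcile what it believes it owns against what it actually sees. As an added illustration (not code from the article or from any vendor mentioned in it), the script below compares a constructed asset inventory with the set of hosts that are actually reporting telemetry and with their last-patch dates, flagging unknown hosts, silent hosts and hosts outside a patch SLA. Host names, dates and the 30-day SLA are all constructed assumptions.

```python
"""Reconcile asset inventory, endpoint telemetry and patch status.

Added example with constructed data; not from the original article.
Three visibility gaps are surfaced:
  * hosts sending telemetry that are not in the inventory (unknown assets)
  * inventoried hosts that send no telemetry (blind spots)
  * hosts whose last patch is older than the SLA, or never patched
"""
from datetime import date

# Constructed CMDB export (assumption: this is the authoritative asset list).
INVENTORY = {"ws-001", "ws-002", "srv-db-01", "srv-web-01"}

# Constructed set of hosts observed sending endpoint events in the last day.
TELEMETRY_HOSTS = {"ws-001", "ws-002", "ws-003", "srv-web-01"}

# Constructed patch-status feed: host -> date of last successful patch (None = never).
LAST_PATCHED = {
    "ws-001": date(2024, 5, 20),
    "ws-002": date(2024, 3, 1),
    "srv-db-01": date(2024, 5, 18),
    "srv-web-01": None,
}

PATCH_SLA_DAYS = 30  # assumed policy value


def unknown_hosts(inventory, seen):
    """Hosts producing telemetry that nobody inventoried: attack surface you did not know about."""
    return sorted(seen - inventory)


def silent_hosts(inventory, seen):
    """Inventoried hosts with no telemetry: you cannot detect what you cannot see."""
    return sorted(inventory - seen)


def overdue_hosts(last_patched, today, sla_days):
    """Hosts never patched or patched more than sla_days ago, with their patch age."""
    overdue = []
    for host, patched in sorted(last_patched.items()):
        if patched is None:
            overdue.append((host, None))
        elif (today - patched).days > sla_days:
            overdue.append((host, (today - patched).days))
    return overdue


def basics_report(today, inventory=INVENTORY, seen=TELEMETRY_HOSTS,
                  last_patched=LAST_PATCHED, sla_days=PATCH_SLA_DAYS):
    """Answer 'how would you know?' for inventory coverage and patching in one pass."""
    return {
        "unknown": unknown_hosts(inventory, seen),
        "silent": silent_hosts(inventory, seen),
        "overdue": overdue_hosts(last_patched, today, sla_days),
    }


if __name__ == "__main__":
    for key, value in basics_report(date(2024, 6, 1)).items():
        print(f"{key}: {value}")
```

Run against a real CMDB export and EDR host list, the same three checks give a daily, measurable answer to each of the four questions rather than an assumption.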
How Can I Efficiently Organise And Lead The People On My Team?
Organising your team to protect your environment with agility is a difficult task, given the varied skills and challenges associated with traditional SOC structures. Efficiency starts with breaking down the structures seen in traditional SOCs. Success can be found by moving beyond an operation that focuses solely on event analysis. Take the example of Red Canary, which has driven real innovation within its security team and around the investigation process. Red Canary has included its Intel team in engineering efforts, engineers in analysis efforts, and so on. Rather than assigning each team member a label to focus on exclusively, each person has a core ‘practice.’ They still develop and improve within their practice, but they are also challenged to engage with other functions in the SOC.
How Can Technology Help Streamline Our Detection and Response Processes?
Technology can help you to proactively hunt threats across your enterprise, as well as rapidly drill down to the root cause of the threat, and ultimately reduce attack dwell time. Security professionals use technologies like Carbon Black’s Cb Response to validate their hunting hypotheses and create automated watchlists to generate custom alerts for suspicious patterns they identify.
In the case of malicious attacks, it can take over 9 months on average to properly identify the root cause of an incident and contain it. Cb Response allows analysts to visualise the complete attack kill chain and then respond and remediate the attack within minutes, without having to manually aggregate and sift through relevant raw data post-incident. It allows you to safely isolate an infected host and then obtain secure direct access to that endpoint to continue your investigation.
How Can My Entire SOC Evolve With Every New Attack?
In a Verizon report, 88% of breaches fell into one of nine patterns that had existed three years prior. Attackers know that legacy antivirus products can be easily bypassed by making slight changes to avoid being identified as “known bad.” However, utilising patterns of attack to connect the dots between IOCs and all other system events, SOC analysts and incident responders can gain a full understanding of the precise sequence of events as a cybercrime unfolds.
There is clear cause-and-effect insight into where an attacker gained access, what they tried to accomplish, how they attempted exfiltration and, ultimately, what the exact root cause of the attack was. Without this contextual understanding of the attack, an incident responder would lack any additional insight into how the organisation could be better protected in the future.
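The two ideas in the preceding sections, automated watchlists that alert on suspicious patterns and connecting an IOC hit to the full sequence of system events around it, both rest on the same primitive: parent/child process lineage. The example below is added here to make that concrete and is not Cb Response code or any vendor's query language. It builds a process tree from a constructed set of endpoint events, applies a watchlist rule and an IOC match, then walks the lineage from the alerting process back to the point of entry and forward to everything it spawned (the scope that remediation has to cover). Host names, PIDs, the rule and the IOC value are all constructed.

```python
"""Process-lineage correlation over endpoint telemetry.

Added example with constructed events; not from the original article or
any vendor product. Demonstrates: watchlist matching on parent/child image
pairs, IOC matching on command lines, and walking lineage both ways.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str      # executable name, lower-cased by the collector (assumption)
    cmdline: str
    ts: int         # constructed epoch seconds


# Constructed sample telemetry for one host; the chain is the classic
# mail client -> document -> script host -> loader sequence seen in many reports.
EVENTS = [
    ProcEvent("ws-002", 100, 1,   "explorer.exe",   "explorer.exe", 1000),
    ProcEvent("ws-002", 200, 100, "outlook.exe",    "outlook.exe", 1010),
    ProcEvent("ws-002", 300, 200, "winword.exe",    "winword.exe /n invoice.docm", 1020),
    ProcEvent("ws-002", 400, 300, "powershell.exe",
              "powershell.exe -NoProfile -File C:\\Users\\Public\\update.ps1 "
              "https://updates.example-ioc.invalid/x", 1025),
    ProcEvent("ws-002", 500, 400, "rundll32.exe",   "rundll32.exe C:\\Users\\Public\\stage.dll,Run", 1030),
    ProcEvent("ws-002", 600, 100, "chrome.exe",     "chrome.exe", 1040),
]

# Constructed watchlist: an office application spawning a script or shell host.
WATCHLIST = [
    {"name": "office-app-spawns-script-host",
     "parent": {"winword.exe", "excel.exe", "powerpnt.exe"},
     "child": {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}},
]

# Constructed threat-intel indicator (placeholder domain, not a real IOC).
IOCS = {"updates.example-ioc.invalid"}


def index_events(events):
    """Map (host, pid) -> event and (host, ppid) -> [child events]."""
    by_pid = {(e.host, e.pid): e for e in events}
    children = defaultdict(list)
    for e in events:
        children[(e.host, e.ppid)].append(e)
    return by_pid, children


def match_watchlist(events, rules):
    """Return (rule name, host, pid) for every child whose parent/child images match a rule."""
    by_pid, _ = index_events(events)
    hits = []
    for e in events:
        parent = by_pid.get((e.host, e.ppid))
        if parent is None:
            continue
        for rule in rules:
            if parent.image in rule["parent"] and e.image in rule["child"]:
                hits.append((rule["name"], e.host, e.pid))
    return hits


def match_iocs(events, iocs):
    """Return (indicator, host, pid) for every command line containing a known indicator."""
    return [(ioc, e.host, e.pid) for e in events for ioc in sorted(iocs) if ioc in e.cmdline]


def lineage(events, host, pid):
    """Walk parent links from pid back to the root; images returned root-first.

    The seen-set guards against PID reuse creating a cycle in stale telemetry."""
    by_pid, _ = index_events(events)
    chain, seen = [], set()
    e = by_pid.get((host, pid))
    while e is not None and (host, e.pid) not in seen:
        seen.add((host, e.pid))
        chain.append(e.image)
        e = by_pid.get((host, e.ppid))
    return list(reversed(chain))


def descendants(events, host, pid):
    """All PIDs spawned (transitively) by pid: the blast radius remediation must cover."""
    _, children = index_events(events)
    out, stack = [], [pid]
    while stack:
        current = stack.pop()
        for child in children.get((host, current), []):
            out.append(child.pid)
            stack.append(child.pid)
    return sorted(out)


if __name__ == "__main__":
    for name, host, pid in match_watchlist(EVENTS, WATCHLIST) + match_iocs(EVENTS, IOCS):
        print(f"{name} on {host} pid {pid}")
        print("  entry path :", " -> ".join(lineage(EVENTS, host, pid)))
        print("  descendants:", descendants(EVENTS, host, pid))
```

Both the watchlist hit and the IOC hit land on the same process, and the lineage shows in one line where access was gained (the mail client opening a document), while the descendant list bounds what must be isolated and cleaned. That is the cause-and-effect view the text describes, produced without manually sifting raw events after the fact.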
Overall, with a high-speed SOC, your organisation can avoid addressing the same threats over and over. This means more time hunting new threats and less time constantly policing known areas of risk manually. The future SOC is not technology, per se; it is people, intelligence, and automation to allow for a rapid response to a threat.