Rick McElroy, 30 April 2018

Building a High-Speed Security Operations Centre (SOC)

As a Security Strategist, I am aware that when an incident occurs, the speed of your response dictates how far you can minimise the impact. Every second counts, and while the clock is ticking, the cost of the breach keeps climbing.

Breaches that take over 30 days to contain cost companies an extra $1 million, and depending on the severity, they can cost even more. Minimising dwell time is the name of the game: the faster you can identify the root cause, the faster you can remediate. So, how can you transform your security operations centre (SOC) into an intelligence-driven operation that can hunt for zero-day threats? Here I will cover the different components: mastering the security basics, organising your team effectively, using technology to streamline detection and response, and evolving your SOC with each new attack.

A highly efficient SOC enables its skilled defenders to harness both advanced automation and human insight to combat the ubiquitous threat of cybercrime. A high-speed SOC must excel in many different areas of security operations to ensure that valuable time is not handed over to the adversary. It is crucial for security professionals to understand that the ability to operate an agile, intelligence-driven SOC is dependent on your organisation’s answer to the following four questions:

What Are The Basics We Need To Master First?

Speed is only built on a strong security foundation. A process can only be automated once your team has perfected it. Automating a process that your team does not fully understand will create blind spots and is likely to reduce your visibility as you attempt to scale. Before tasking machines with processes that are key to your security, make sure you understand all the weaknesses of your current posture:

  1. Have you minimised your attack surface?
  2. Have you inventoried every asset?
  3. Are your systems being properly patched?
  4. How would you know if they were not?
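The last question on that list, "how would you know?", is answered by continuous verification rather than by a one-off audit. The following is an added example, not code from the article or from any product it mentions: it reconciles a constructed asset inventory against hosts actually observed by a scanner or agent check-in, and compares each managed host's reported package version against a minimum baseline. The hostnames, versions and the baseline value are all constructed for illustration.

```python
"""Added example: reconcile an asset inventory against observed hosts and
check reported patch levels against a baseline. All data is constructed."""
import re
from typing import Dict, List, Tuple

# Constructed CMDB-style inventory: hostname -> owning team
INVENTORY: Dict[str, str] = {
    "web-01": "platform",
    "web-02": "platform",
    "db-01": "data",
    "jump-01": "secops",
}

# Constructed observations (e.g. from scanner results or agent check-ins):
# hostname -> reported version of a hypothetical package we care about
OBSERVED: Dict[str, str] = {
    "web-01": "2.4.57",
    "web-02": "2.4.49",
    "db-01": "2.4.57",
    "lab-07": "2.4.29",   # not in the inventory: unmanaged host on the network
}

# Constructed baseline: lowest version that carries the fixes we require
BASELINE_MIN_VERSION = "2.4.57"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.57' or '5.15.0-91' into a comparable tuple of integers.
    Tuple comparison gives correct ordering where string comparison would
    not (e.g. '2.4.9' must sort below '2.4.57')."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def reconcile(inventory: Dict[str, str], observed: Dict[str, str],
              min_version: str) -> Dict[str, object]:
    """Three findings a SOC needs on a continuous basis:
    - unknown: observed on the network but absent from the inventory
    - missing: inventoried but never observed (stale record or silent host)
    - stale_patch: managed hosts reporting a version below the baseline
    Unknown hosts are reported separately rather than patch-checked, because
    a host nobody owns is a finding in its own right."""
    inv, obs = set(inventory), set(observed)
    baseline = parse_version(min_version)
    unknown = sorted(obs - inv)
    missing = sorted(inv - obs)
    stale = sorted(h for h, v in observed.items()
                   if h in inv and parse_version(v) < baseline)
    # Coverage: fraction of inventoried assets that actually reported in
    coverage = len(inv & obs) / len(inv) if inv else 0.0
    return {"unknown": unknown, "missing": missing,
            "stale_patch": stale, "coverage": coverage}


def report(findings: Dict[str, object]) -> List[str]:
    """Render findings as one line per issue, in the order a triage queue
    would want them: unmanaged hosts first, then gaps, then patch drift."""
    lines = [f"UNMANAGED host {h}" for h in findings["unknown"]]
    lines += [f"SILENT inventoried host {h}" for h in findings["missing"]]
    lines += [f"BELOW-BASELINE host {h}" for h in findings["stale_patch"]]
    lines.append(f"coverage {findings['coverage']:.0%}")
    return lines


if __name__ == "__main__":
    for line in report(reconcile(INVENTORY, OBSERVED, BASELINE_MIN_VERSION)):
        print(line)
```

Run on a schedule, the three lists are the answer to "how would you know": an empty `unknown` list means every host that talks on the network is owned by someone, an empty `missing` list means the inventory matches reality, and an empty `stale_patch` list means patching is actually landing rather than merely being scheduled.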

Organisations must not only master the basics of security and achieve speed, but also strive for complete visibility across their environment and continuous monitoring of every event.

How Can I Efficiently Organise And Lead The People On My Team?

Organising your team to protect your environment with agility is a difficult task, given the varied skills and challenges tied to traditional SOC structures. Efficiency starts with breaking down those structures. Success comes from moving beyond an operation that focuses solely on event analysis. Take the example of Red Canary, which has driven real innovation within its security team and around the investigation process. Red Canary has included its Intel team in engineering efforts, its engineers in analysis efforts, and so on. Rather than assigning each team member a label to focus on exclusively, each person has a core ‘practice.’ They still develop and improve within that practice, but they are also challenged to engage with the other functions in the SOC.

How Can Technology Help Streamline Our Detection and Response Processes?

Technology can help you proactively hunt threats across your enterprise, rapidly drill down to the root cause of a threat, and ultimately reduce attack dwell time. Security professionals use technologies like Carbon Black’s Cb Response to validate their hunting hypotheses and to create automated watchlists that generate custom alerts for the suspicious patterns they identify.

In the case of malicious attacks, it can take over 9 months on average to properly identify the root cause of an incident and contain it. Cb Response allows analysts to visualise the complete attack kill chain and then respond to and remediate the attack within minutes, without having to manually aggregate and sift through the relevant raw data after the incident. It lets you safely isolate an infected host and then obtain secure direct access to that endpoint to continue your investigation.

How Can My Entire SOC Evolve With Every New Attack?

In a Verizon report, 88% of breaches fell into one of nine patterns that had existed three years prior. Attackers know that legacy antivirus products can be easily bypassed by making slight changes to avoid being identified as “known bad.” However, by utilising patterns of attack to connect the dots between IOCs and all other system events, SOC analysts and incident responders can gain a full understanding of the precise sequence of events as a cybercrime unfolds.

There is clear cause-and-effect insight into where an attacker gained access, what he tried to accomplish, how he attempted exfiltration and, ultimately, what the exact root cause of the attack was. Without this contextual understanding of the attack, an incident responder would lack any insight into how the organisation could be better protected in the future.
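The two ideas above, a watchlist that turns a hunting hypothesis into an automated alert, and a pattern of attack that ties a single IOC hit back to the full sequence of events around it, fit together in a few dozen lines. What follows is an added example and not code from the article, from Carbon Black or from Cb Response: it evaluates a small watchlist over constructed endpoint process-start events and, for every hit, walks the parent chain so the alert carries the sequence (who opened what, which then spawned what) rather than a bare match. The event fields, the rule names, the process tree and the IOC hash are all constructed; the hash set stands in for whatever intelligence feed a real SOC would load.

```python
"""Added example: watchlist rules over constructed process events, with the
ancestry chain attached to each alert. Not the article's or any vendor's code."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str       # lowercase executable name
    cmdline: str
    user: str
    sha256: str      # hash of the image on disk
    ts: int          # constructed timestamp, seconds


# Constructed placeholder IOC; a real SOC populates this from its intel feeds
IOC_HASHES = {"0" * 63 + "1"}

# Constructed sample telemetry resembling EDR process-start events
EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1,   "explorer.exe",   "explorer.exe",                    "alice",  "e" * 64, 1000),
    ProcEvent(200, 100, "outlook.exe",    "outlook.exe",                     "alice",  "o" * 64, 1010),
    ProcEvent(300, 200, "winword.exe",    "winword.exe /n invoice.docm",     "alice",  "w" * 64, 1020),
    ProcEvent(400, 300, "powershell.exe", "powershell.exe -w hidden -c PLACEHOLDER", "alice", "p" * 64, 1025),
    ProcEvent(450, 400, "update.exe",     "update.exe",                      "alice",  "0" * 63 + "1", 1027),
    ProcEvent(500, 100, "notepad.exe",    "notepad.exe",                     "alice",  "n" * 64, 1030),
    ProcEvent(600, 1,   "svchost.exe",    "svchost.exe -k netsvcs",          "SYSTEM", "s" * 64, 1040),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

Rule = Callable[[ProcEvent, Optional[ProcEvent]], bool]


def office_spawns_shell(ev: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    """Hunting hypothesis turned into a rule: a document reader should not
    be the direct parent of a scripting host."""
    return parent is not None and parent.image in OFFICE and ev.image in SHELLS


def known_bad_hash(ev: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    """Plain IOC match; on its own it says nothing about how the file arrived."""
    return ev.sha256 in IOC_HASHES


# The watchlist: rule name -> predicate. Adding a hypothesis is one entry.
WATCHLIST: Dict[str, Rule] = {
    "office_spawns_shell": office_spawns_shell,
    "known_bad_hash": known_bad_hash,
}


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent], limit: int = 32) -> List[str]:
    """Walk parents up to the root and return images root-first. The seen set
    and the limit guard against cycles from pid reuse; production telemetry
    should key on a per-process GUID rather than the reusable pid."""
    chain, seen, cur = [ev.image], {ev.pid}, ev
    while cur.ppid in by_pid and cur.ppid not in seen and len(chain) < limit:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur.image)
    return list(reversed(chain))


def run_watchlist(events: List[ProcEvent], watchlist: Dict[str, Rule]) -> List[dict]:
    """Evaluate every rule against every event in time order; each alert
    carries the ancestry so the analyst sees the sequence, not just the hit."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        parent = by_pid.get(ev.ppid)
        for name, rule in watchlist.items():
            if rule(ev, parent):
                alerts.append({"rule": name, "pid": ev.pid, "user": ev.user,
                               "ts": ev.ts, "chain": ancestry(ev, by_pid)})
    return alerts


if __name__ == "__main__":
    for a in run_watchlist(EVENTS, WATCHLIST):
        print(f"[{a['ts']}] {a['rule']} pid={a['pid']} user={a['user']}: "
              + " -> ".join(a["chain"]))
```

On the constructed data the hash IOC fires on `update.exe`, but the chain attached to that alert (`explorer.exe -> outlook.exe -> winword.exe -> powershell.exe -> update.exe`) is what gives the responder the cause-and-effect view the text describes: the entry point was a mail attachment opened in Word, and the hash hit is the tail of that sequence rather than an isolated event. The office-spawns-shell rule fires earlier in the same chain, which is the point of writing hypotheses as watchlist entries: the pattern is caught on the next occurrence without anyone re-deriving it.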

Overall, with a high-speed SOC, your organisation can avoid addressing the same threats over and over. That means more time hunting new threats and less time manually policing known areas of risk. The SOC of the future is not technology, per se; it is people, intelligence, and automation working together to allow a rapid response to a threat.
