A Successful SOC — Too Much To Ask?
Security Operation Centre — One of the oldest areas of the cyber security program, yet it remains the most dynamic, ever-evolving and fresh zone to explore more, deliver more, ask more and, most importantly, WORRY MORE!!!
There is no denying that a security operation centre is a certain topic whenever top cyber risks, their mitigation and the challenges around them are discussed, and how to make it an EFFECTIVE & SUCCESSFUL RUN mostly remains an unsolved mystery.
I shall not dare to claim that there is a well-tested and precise MANTRA for a successful SOC story which I have cracked or witnessed completely, but I have been reflecting on this topic for a while as something worth sharing with the fraternity, based on some of my concrete learnings. This may not be a secret recipe, but I am confident it can make a SOC team a better CHEF. As we go through SOC journeys, we experience success & wow moments in bits & pieces. Together they serve as a platter of enlightening insights which can light our path & approach while establishing or running a security operation centre.
It has been almost 15 years of participating in security operation centres in various roles, directly & indirectly, in-house, at MSSPs and for customers. Here is a sequential thread of knots I could visualise while imagining a SOC SUCCESS STORY. And it starts with ….
COST
It may or may not be shocking to many readers that this is the first & foremost point. But as we know, everything is driven by cost, and affordability plays a crucial role in determining how much a SOC can contribute. An affordable cost aligned with the business decides —
- What CONTROLS we can choose for the SOC — Tools
- How wide the coverage of the SOC can be — Attack Surface
- How much time & effort can be directed into the controls & the coverage — Size of SOC
While it is easy to expect a SOC story to start with COST, it is an immensely tough task to arrive at what we can afford & what we must invest. Here are some methods & exercises which can enable security operations to be well supported by effective costing -
- A detailed Capacity Planning exercise as per the risk appetite, the attack surface and the magnitude of ambition to keep the business live & protected
- Foundational Resource Management Strategy — computational, people & bandwidth
- A well-derived approach for Effective ongoing Budget Management, not just a one-time budget for the time being.
What next ….
CONTENT
We often end up prioritising and focussing on technology. And why not, ultimately it is the technology, tools and techniques which drive the SOC. But don’t we know by now that, of late, technology ages faster than the threat scenarios? By the time we approach fixing a scenario with a tool, there is a high chance we face the end of the road for that tool before the solution has matured.
Hence, it is more important to focus on and stabilise the HEART OF THE TECHNOLOGY — “THE CONTENT” which drives the tool, i.e. the life of the SOC. One may wonder: content is bound to come up as the solution comes up, but are we sure the content works the way we expect? Mostly we are uncertain of the answer, or are only partially or barely confident.
How do we arrive at a CONSISTENT & CONCRETE CONTENT FRAMEWORK? Here is what I think can bring a more clarified approach, though it is not easy -
- Tool-agnostic, consistent Content Management Framework
- A Specialised & Focussed Workforce for content, inclusive of Management
- Content Engineering process
- Content Fine-Tuning process
- ACT on content just like incidents — a real-time BAU
- Test & Measure approach — Test What We Create & Measure What Is Created ….
While Content can do wonders for a SOC, it is incomplete without the much-needed SALT for CONTENT, which is ….
CONTEXT
The cyber security workforce faces burnout more often than most, and the biggest contributor to the fatigue is the centre of security operations. The root cause of most great but NOISY content is: “LACK of CONTEXT”.
It is like knowing the locality but not the building, or knowing the building but not the house number, and so on, while trying to arrive at a destination/end goal… The fact is, it is also one of the easiest areas to achieve to make a SOC a success — we do not need a tool, we do not need a technique, we just need GOOD TEAMSSS WORK. How? It is not tough to have a well-maintained, concise & mapped set of -
- Identity Data
- Entitlement Data
- Access Data
- Asset Data
- Vulnerability Data
- Critical Groups of — IPs, Users, Assets, Applications & Data Repositories
- Threat Data — Integration with & Accessibility to an ENRICHED THIRD-PARTY FEED
“An external feed is not noisy if our internal feed is sharp & crisp, and that is possible if we give more importance to internal intelligence than to external intelligence”
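The list above, as an added example (not code from the original post): an alert is enriched with internal context first (identity, entitlement, asset, vulnerability and critical-group data) and only then with the external feed verdict, and the priority is derived from the combination. All context tables, the feed entries, the three alerts, the vulnerability id placeholder and the scoring weights are constructed assumptions. Note how the same external indicator (198.51.100.9) is triaged as P3 for an ordinary workstation and as P1 on the domain controller; the internal feed, not the external one, does the work.

```python
"""Alert enrichment with internal context ahead of the external threat feed.

Added example, not code from the original post. Every context table, the
threat feed, the sample alerts and the scoring weights are constructed
assumptions; in a real SOC they come from the IAM, CMDB, scanner and
threat-intelligence platforms.
"""
from typing import Any, Dict, List

Alert = Dict[str, Any]

# --- Constructed internal intelligence -------------------------------------
IDENTITY = {                       # Identity Data: who the account is
    "jdoe":       {"department": "Finance", "status": "active"},
    "svc-backup": {"department": "IT",      "status": "active"},
    "mlee":       {"department": "Sales",   "status": "terminated"},
}
ENTITLEMENTS = {                   # Entitlement Data: what the account may do
    "jdoe": ["finance-readonly"],
    "svc-backup": ["backup-admin", "domain-admin"],
    "mlee": ["sales-crm"],
}
ASSETS = {                         # Asset Data: what sits behind an address
    "10.0.1.15": {"hostname": "fin-ws-07", "role": "workstation"},
    "10.0.0.5":  {"hostname": "dc-01",     "role": "domain-controller"},
}
VULNERABILITIES = {                # Vulnerability Data: open critical findings per host
    "fin-ws-07": [],
    "dc-01": ["VULN-ID-PLACEHOLDER (critical, unpatched)"],
}
CRITICAL_GROUPS = {                # Critical Groups of users, assets and entitlements
    "users": {"svc-backup"},
    "assets": {"dc-01"},
    "entitlements": {"domain-admin"},
}
# --- Constructed external intelligence -------------------------------------
THREAT_FEED = {                    # Threat Data: third-party verdict per indicator
    "203.0.113.77": {"verdict": "malicious",  "confidence": 90},
    "198.51.100.9": {"verdict": "suspicious", "confidence": 40},
}


def enrich(alert: Alert) -> Dict[str, Any]:
    """Attach internal context first, then the external feed verdict."""
    user = alert.get("user")
    asset = ASSETS.get(alert.get("src_ip"))
    return {
        "identity": IDENTITY.get(user),
        "entitlements": ENTITLEMENTS.get(user, []),
        "asset": asset,
        "vulnerabilities": VULNERABILITIES.get(asset["hostname"], []) if asset else [],
        "threat_feed": THREAT_FEED.get(alert.get("dst_ip")),
    }


def triage(alert: Alert) -> Dict[str, Any]:
    """Derive a priority from the enriched alert; the weights are illustrative assumptions."""
    ctx = enrich(alert)
    score, reasons = 10, []                      # small base score for any alert
    if ctx["asset"] and ctx["asset"]["hostname"] in CRITICAL_GROUPS["assets"]:
        score += 30
        reasons.append("critical asset")
    if alert.get("user") in CRITICAL_GROUPS["users"] or \
            set(ctx["entitlements"]) & CRITICAL_GROUPS["entitlements"]:
        score += 25
        reasons.append("critical user or entitlement")
    if ctx["identity"] is None:                  # a context gap is itself a finding
        score += 15
        reasons.append("unknown identity (context gap)")
    elif ctx["identity"]["status"] != "active":
        score += 30
        reasons.append("non-active account in use")
    if ctx["vulnerabilities"]:
        score += 15
        reasons.append("unpatched critical vulnerability on asset")
    if ctx["threat_feed"]:                       # external feed is consulted last
        score += 20 if ctx["threat_feed"]["verdict"] == "malicious" else 5
        reasons.append(f"external feed: {ctx['threat_feed']['verdict']}")
    priority = "P1" if score >= 60 else "P2" if score >= 30 else "P3"
    return {"alert_id": alert["alert_id"], "score": score,
            "priority": priority, "reasons": reasons}


def triage_all(alerts: List[Alert]) -> List[Dict[str, Any]]:
    """Order the queue by score so the analyst sees the highest-context alert first."""
    return sorted((triage(a) for a in alerts), key=lambda t: -t["score"])


# Constructed alerts: the same suspicious destination from two very different hosts,
# plus a terminated account reaching a destination the feed calls malicious.
SAMPLE_ALERTS: List[Alert] = [
    {"alert_id": "A-1", "user": "jdoe",       "src_ip": "10.0.1.15", "dst_ip": "198.51.100.9"},
    {"alert_id": "A-2", "user": "svc-backup", "src_ip": "10.0.0.5",  "dst_ip": "198.51.100.9"},
    {"alert_id": "A-3", "user": "mlee",       "src_ip": "10.0.1.15", "dst_ip": "203.0.113.77"},
]

if __name__ == "__main__":
    for result in triage_all(SAMPLE_ALERTS):
        print(result)
```

A-1 and A-2 carry the identical external indicator, yet only A-2 lands on top of the queue, because the asset, critical-group and vulnerability data say so; A-3 rises on identity data alone. That is the sense in which a sharp internal feed stops an external feed from being noisy.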
So, it is nice that we are budgeted, and content with contextual content, but are we RESILIENT?
CONTINUITY
And this is what enables us not to be “DISRUPTED”. The last few years have given us enough taste of how many ways we can lose continuity of the protection layers. Strategically it is one of the central programs which runs across all organisational processes, and hence the core concepts are simple to adopt. But it gets equally specific & tiresome when it comes to ensuring CONTINUITY & WELL ESTABLISHED/TESTED RECOVERY PROGRAMS.
Good continuity & disaster recovery programs rest on the pillars of -
- A strong Strategy with leadership vision aligned with Business
- An approach & method based on evaluation of current state
- Executed & driven by tests with the relevant teams
- More automated, dynamic & live adoption
With this I arrive at the otherwise most-focussed area of SOC operations —
COMMAND & CONTROL
How do we have good command over surveillance operations? We know it is laid on the foundation of — PEOPLE, PROCESS & TECHNOLOGY, and driven by —
- A wide & deep VISIBILITY — network, endpoint, gateways, applications
- A swift DETECTION — Near to Real-Time
- A fast RESPONSE — Automated Response Procedures
- And an accurate, complete and quick CONTAINMENT — Automated Remediations
- Ensuring not a single lesson dies its death without LEARNING — Live Incident Management Knowledge Base
- Without a miss on MEASUREMENT of Key Metrics
SUMMARY
There is a lot which I just covered in simple words, and we all know it is easier said than done, but it is evident that a MISSION STARTS WITH A STRONG YET SIMPLE MISSION STATEMENT/s. We get to be sure of —
- How we start
- What we focus on sequentially
- What key processes come during inception and what comes at the end
- What we are aiming to achieve & succeed at
While I did not stress the best practices, as I have seen them change with time, I would like to mention — the MITRE framework is the heartbeat of the SOC and is going to remain so to foundationally run any cyber security program. So, anything or anyone that is part of the SOC story must be MITRE enabled & mapped. I hope these Chief five “Cs” from my introspection serve us all a bit, and let me say it at the end of this note —
“SOC remains the heart & lifeline of the cyber security program, and let’s live it Healthy”