To keep up with attackers, organizations operating SOCs need to address sources of inefficiencies from a “design thinking” standpoint that takes into account the jobs to be done and leverages modern cybersecurity solutions to reduce, rather than increase, complexity. Last week we shared insights about the key roles and responsibilities of the SOC. Today, we’ll continue to explore four guiding principles to help you design processes and team activities for intentional enhancement of efficiency.
Map & Rationalize Security Processes
Security processes are the guidebook to more effectively working as a team, and technology can help streamline these processes. Understanding the processes and potential bottlenecks can also highlight areas for automation and workflow modification. To begin, SOC managers and CISOs should:
- Identify all key security processes. Begin by understanding the types of processes you have beginning with the most critical, such as intrusion detection, data loss prevention, incident response, and security control validation.
- Create visual process maps. Identify and map the proper sequence of all major processes and related sub-tasks. Security process maps need to be clear, visual, and easy to understand. This will also simplify onboarding of new employees and bringing new members of the security unit up to speed.
- Identify tools and stakeholders. For the processes and sub-tasks identified above, document the tools required to carry out those processes and the stakeholders responsible for managing each task and tool.
- Determine areas for automation. Identify which sub-tasks can be automated/semi-automated (e.g., ticket creation, IP lookups) and where information-sharing across tools would improve performance.
- Establish key metrics. Discuss and decide on metrics that can be used to measure the success of each process. This will help establish benchmarks, track ongoing progress, and identify processes in need of further refinement.
Simplify & Streamline Communication
In security, time is of the essence and there is little room for confusion. However, communications can be complicated when they are spread across different work environments or tools (e.g., email, chat, comments on alerts in a SIEM) that require team members to sift through communications across a variety of channels to identify the information they need.
These types of communication miscues can lead to errors, duplication of tasks, and diminished performance when critical information is not shared in a timely fashion. This problem has become increasingly more acute with the proliferation of remote teams and work-from-home arrangements. To simply the SOC team’s communications, SOC leaders should:
- Select a primary communication tool. A single tool should be chosen that the entire SOC team can use for real-time and chat-based communication. Different parts of the SOC team can have unique or private sub-channels, but they must easily be able to share information with others in the same tool.
- Identify the key communication types. Document the different types of communications needed and the stakeholder responsible for those communications. For example, determine different communication formats, templates, or requirements for configuration changes, low-priority issues, high-priority issues, and metrics reporting to the larger organization and C-suite.
- Decide what communications belong where. Identify which types of communication should be conducted in the unified environment selected above. Next, decide if there are unique types of communication that may require a different channel. For example, communications around incident response and acknowledgement of a breach may require a formal notification to compliance teams via email, while monthly metrics for company leadership might be best communicated as a shareable business analytics dashboard (such as Tableau) or a report in Google Sheets.
- Create a visual communications map. Just as you mapped out processes, map out the types of communications needed, the responsible stakeholders, and the designated channels for each form of communication. Again, these maps need to be clear, visual, and easy to understand to aid in employee onboarding and ensure consistent use.
Deploy Smart Integrations to Address Tool Sprawl
A modern cybersecurity organization has dozens of security controls and likely a handful of security management and orchestration platforms. Some of these controls, such as network load balancers, may nominally live outside of the security operations team. Others, such as IT asset management, may be primarily tasked with IT jobs, but are still essential for vulnerability management, compliance, and incident response because it contains information about who controls what assets, where assets are located, and what the security status of assets is.
To alleviate this sprawl, many SOC teams have adopted either SIEM and/or SOAR tools. Many popular enterprise SIEM and SOAR solutions have marketplaces and pre-existing integrations with hundreds of security controls. That said, integrations need to be properly tuned to avoid information overload. Successful integrations require the following:
- Accurate data signals. If a security scanner consistently reports false positives or false negatives, or a logging tool is misconfigured to report incomplete information, integrations can create more work and amplify existing pain points
- Simple, clear query capability. A critical part of integrations, as well, is to ensure that the team can more easily query information and test hypotheses.
- The ability to correlate tests with affected endpoints, systems, or IPs. In IT environments where tens or hundreds of thousands of assets are managed and secured, SOC teams can struggle to map every IOC instantly to the relevant endpoints and systems. Having instant real-time correlation accelerates root-cause analysis and triaging, improving efficiencies. Smart integrations with logging tools and log analyzers are critical for enabling this correlation and distributing that information in real-time into the SIEM or SOAR.
- Establish an integration roadmap. It is recommended that at least one SOC member be tasked with planning, managing, and monitoring integrations. Download our latest white paper on improving SOC efficiency to access a helpful integration checklist.
Emphasize Control Validation & Attack Simulation
SOCs have traditionally organized around the activities of incident response, intrusion detection, and remediation. For control validation, they have leveraged tools like penetration testing and red-team exercises, which are manual exercises conducted sporadically, and vulnerability scanning, which is primarily focused on identifying unpatched security vulnerabilities, rather than mimicking real TTPs and playbooks.
New breach and attack simulation (BAS) tools are changing that by making it possible to continuously run simulations of thousands of attack types customized to mirror relevant threat actors. The most modern BAS systems can actually run against production environments in the cloud and on-premise around the clock without requiring manual guidance and without compromising their performance or posing any threat to them. Because these systems can validate controls at scale, they provide a proactive strategy that is far more powerful and effective than reactive approaches. Only BAS can test multi-stage playbooks and sophisticated attacks as code, at scale.
Smart BAS solutions can improve SOC efficiency in a variety of ways by:
- Easily integrating with SIEM/SOAR, vulnerability management, and other SOC staple tools to enable teams to continuously identify configuration gaps and prioritize unpatched vulnerabilities
- Increasing the value of all the other security tools by keeping them honest and by unifying and correlating testing results into a single BAS solution
- Improving team communication and coordination by simplifying reporting and research
- Automating the creation and collection of reports on control efficacy and status, providing an easy way to build SOC metrics to track security drift, security gap exposure, and remediation rates
- Automating and continuously running attacks to allow security team members to focus on higher-value work that requires creativity and reasoning
- Visually analyzing results of attacks to identify security gaps
- Receiving and prioritizing remediation for those gaps before attackers find them, and testing remediation effectiveness autonomously
Want to Learn More?
Download our new white paper to enhance your understanding of core SOC responsibilities and design considerations, and gain actionable guidance about how to optimize processes, streamline communications, implement smart integrations, and more.