5 Reasons for “Spring Cleaning” your SOC
By Tom Young, Executive Vice President of Worldwide Sales, 06 Apr
Spring Cleaning. It’s that time of year. Pull the furniture away from the walls, clean out behind the couch and get rid of all the clutter that’s been building up for months. Fun times. But truth be told, most SOCs could use their fair share of Spring Cleaning too. While some state-of-the-art firms have highly-automated Incident Response processes, sophisticated security threat models, Threat Intelligence feeds and Malware reverse-engineering teams, the vast majority of firms are buried under a pile of legacy processes, unintegrated systems, and disorganized files. This leaves most companies in need of sorting through a variety of wikis, PDFs and Microsoft OneNote templates to define, maintain and update their Security Operations, Alert Triage and Incident Response processes. If this sounds familiar, here are five reasons your SOC could use a good old-fashioned “Spring Cleaning”:
Many SOC processes on the books today are the brainchild of experienced analysts who enthusiastically documented best practices that became the default process. In the process of automating Alert Triage and Incident Response processes, many organizations have multiple stakeholders that interpret these legacy processes in different ways. The act of implementing a Security Orchestration, Automation & Response (SOAR) platform allows teams to collaborate, providing them an opportunity to streamline workflows, eliminate redundant tasks and prioritize systems for integration.
Close Process Gaps:
When Security Operations, Alert Triage and Incident Response processes are examined in detail for SOAR implementation, many assumptions are made about which teams have responsibility for performing certain tasks. For example, if the Triage team needs to pass a task to the Forensics team, the SOC analysts must first capture relevant facts before sharing those details with other team members and awaiting a response. These transitions are often the cause of breakdowns in the speed and consistency of an incident response process, so it's critical to communicate effectively, accurately and quickly between teams in order to close costly process gaps.
Highlight Skills Gaps:
After a SOAR platform has been implemented to eliminate gaps and automate processes, the form of the day-to-day Tier 1 analyst work changes from collecting, documenting and prioritizing alert information to focusing more on determining whether the event is a false positive or the tip of an attack spear. This automated alert triage process enables analysts to spend less time on grunt work and more time on detailed analysis, allowing team members to serve their highest and best use. Once experienced Tier 3 analysts are able to close process gaps and eliminate the analysis bottleneck, they are able to spend time closing the skills gap by facilitating knowledge transfer to less senior team members, making the overall team more effective.
Prioritize Technology Gaps:
After cleaning up processes and closing communication and skill gaps, security teams can turn their attention to prioritizing technology gaps and identifying enterprise risk. Many firms are not able to integrate their technology in a way that allows them to quickly assess risk. For example, network session data from detailed packet capture (PCAP) can be used to determine whether off-hour, remote logins are valid, yet many firms are not able to leverage these tools, incorporate them into their processes or integrate them in a way that lets them quickly and easily review the data needed to escalate or dismiss an alert or incident.
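The off-hours remote login check described above, as an added example that is not part of the original post or Syncurity's product: it runs over constructed session records (the kind of fields a PCAP-derived session log would carry), flags interactive logins that arrive from outside assumed corporate ranges outside an assumed business-hours window, and attaches the context an analyst needs to decide between escalating and dismissing. The networks, hours, ports and thresholds are all assumptions for illustration.

```python
"""Flag remote logins that fall outside business hours and enrich each hit
with the facts an analyst needs to escalate or dismiss it.

Added example for this post, not Syncurity's code. The session records below
are constructed; the business-hours policy, trusted networks and the
large-transfer threshold are assumptions."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Assumed policy: interactive logins are expected 07:00-19:00 local time, Mon-Fri.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)
# Assumed corporate ranges; sessions from any other source are "remote".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Destination ports treated as interactive logins (SSH, RDP).
LOGIN_PORTS = {22: "ssh", 3389: "rdp"}
# Assumed threshold above which a session's outbound volume is worth escalating on its own.
LARGE_TRANSFER_BYTES = 50_000_000


@dataclass
class Session:
    ts: datetime       # session start, local time
    src: str           # client address
    dst: str           # server address
    dport: int         # server port
    user: str          # authenticated account (from the application layer)
    bytes_out: int     # bytes the server sent back to the client


def is_remote(src: str) -> bool:
    addr = ip_address(src)
    return not any(addr in net for net in INTERNAL_NETS)


def is_off_hours(ts: datetime) -> bool:
    if ts.weekday() >= 5:          # Saturday or Sunday
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def triage_sessions(sessions: List[Session]) -> List[Dict]:
    """Return one enriched finding per off-hours remote login, in input order."""
    by_user: Dict[str, List[Session]] = {}
    for s in sessions:
        by_user.setdefault(s.user, []).append(s)

    hits = []
    for s in sessions:
        if s.dport not in LOGIN_PORTS:
            continue
        if not (is_remote(s.src) and is_off_hours(s.ts)):
            continue
        # Context an analyst would otherwise gather by hand: has this account
        # ever logged in from this source before this session?
        prior = [p for p in by_user[s.user] if p.src == s.src and p.ts < s.ts]
        seen_before = bool(prior)
        escalate = (not seen_before) or s.bytes_out > LARGE_TRANSFER_BYTES
        hits.append({
            "user": s.user,
            "proto": LOGIN_PORTS[s.dport],
            "src": s.src,
            "dst": s.dst,
            "when": s.ts.isoformat(),
            "seen_source_before": seen_before,
            "bytes_out": s.bytes_out,
            "recommendation": "escalate" if escalate else "review",
        })
    return hits


# Constructed sample: a weekday business-hours login, a weeknight login from a
# previously seen source, a Sunday 02:05 login from a new source with a large
# transfer, and an internal login that should be ignored.
SAMPLE = [
    Session(datetime(2024, 4, 2, 10, 15), "203.0.113.5", "10.0.0.20", 22, "alice", 4_000),
    Session(datetime(2024, 4, 3, 22, 40), "203.0.113.5", "10.0.0.20", 22, "alice", 9_000),
    Session(datetime(2024, 4, 7, 2, 5), "198.51.100.77", "10.0.0.30", 3389, "bob", 120_000_000),
    Session(datetime(2024, 4, 7, 2, 6), "10.0.0.45", "10.0.0.30", 3389, "carol", 500),
]

if __name__ == "__main__":
    for hit in triage_sessions(SAMPLE):
        print(hit)
```

The point of the enrichment fields is that the same session record answers the two questions the analyst would otherwise chase across systems: whether the source is new for this account, and whether the session moved enough data to matter. A real deployment would feed those fields into the SOAR playbook rather than print them.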
The effectiveness of security metrics is determined by the security team's ability to capture meaningful data, measure objective results and reflect the organization's priorities. While it's easier to capture data on the number of logs collected, alerts processed and incidents closed by type, many teams struggle with the manual effort required to report more insightful metrics such as Time-to-Detect, Time-to-Contain, and Time-to-Remediate.
By regularly reviewing how critical processes are measured and understanding the barriers that make capturing these metrics difficult, SOCs can improve their performance and better protect the enterprise.
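As an added example (not Syncurity's code or part of the original post), the following computes the three metrics named above from a constructed export of incident records and summarises them per incident type. The field names and the exact definitions (Time-to-Detect from first malicious activity to detection, Time-to-Contain from detection to containment, Time-to-Remediate from detection to remediation) are this example's assumptions; a record with a missing timestamp is counted as unmeasurable rather than silently dropped, because the missing data is itself one of the barriers the paragraph refers to.

```python
"""Compute Time-to-Detect, Time-to-Contain and Time-to-Remediate from incident
records and summarise them per incident type.

Added example for this post, not Syncurity's code. The records, field names and
metric definitions below are constructed assumptions about what a ticketing
export contains."""
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional

METRICS = ("time_to_detect_h", "time_to_contain_h", "time_to_remediate_h")

# Constructed records. first_activity is usually back-filled from forensics;
# a None means the timestamp was never recorded, which is itself a finding.
INCIDENTS = [
    {"id": "INC-1", "type": "phishing", "first_activity": "2024-03-01T08:00",
     "detected": "2024-03-01T09:30", "contained": "2024-03-01T11:00",
     "remediated": "2024-03-02T09:00"},
    {"id": "INC-2", "type": "phishing", "first_activity": "2024-03-04T14:00",
     "detected": "2024-03-04T14:20", "contained": "2024-03-04T15:00",
     "remediated": "2024-03-04T17:30"},
    {"id": "INC-3", "type": "malware", "first_activity": "2024-03-10T02:00",
     "detected": "2024-03-12T10:00", "contained": "2024-03-12T12:00",
     "remediated": None},
    {"id": "INC-4", "type": "malware", "first_activity": None,
     "detected": "2024-03-15T09:00", "contained": "2024-03-15T09:45",
     "remediated": "2024-03-16T09:45"},
]


def _parse(value: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(value) if value else None


def _hours(start: Optional[datetime], end: Optional[datetime]) -> Optional[float]:
    """Elapsed hours, or None when either endpoint was never recorded."""
    if start is None or end is None:
        return None
    return (end - start) / timedelta(hours=1)


def incident_metrics(record: Dict) -> Dict[str, Optional[float]]:
    """Per-incident durations under this example's assumed definitions."""
    first = _parse(record["first_activity"])
    detected = _parse(record["detected"])
    contained = _parse(record["contained"])
    remediated = _parse(record["remediated"])
    return {
        "time_to_detect_h": _hours(first, detected),
        "time_to_contain_h": _hours(detected, contained),
        "time_to_remediate_h": _hours(detected, remediated),
    }


def summarize(incidents: List[Dict]) -> Dict[str, Dict[str, Dict[str, Optional[float]]]]:
    """Median of each metric per incident type, plus how many records could not
    be measured because a timestamp was missing."""
    per_type: Dict[str, List[Dict[str, Optional[float]]]] = {}
    for rec in incidents:
        per_type.setdefault(rec["type"], []).append(incident_metrics(rec))

    summary: Dict[str, Dict[str, Dict[str, Optional[float]]]] = {}
    for itype, rows in per_type.items():
        summary[itype] = {}
        for metric in METRICS:
            values = [r[metric] for r in rows if r[metric] is not None]
            summary[itype][metric] = {
                "median_h": median(values) if values else None,
                "missing": len(rows) - len(values),
            }
    return summary


if __name__ == "__main__":
    for itype, metrics in summarize(INCIDENTS).items():
        for name, stats in metrics.items():
            print(f"{itype:10s} {name:22s} median={stats['median_h']} missing={stats['missing']}")
```

The `missing` count is the number to watch when a team first starts reporting these metrics: a median computed from the two incidents that happened to have timestamps says little about the ten that did not, so the first improvement is usually to make the timestamps mandatory in the ticketing workflow rather than to chase the median.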
The desired outcome of this SOC Spring Cleaning is for the Security team to inventory all of the outdated processes, gaps, skills, technologies, and metrics and consolidate this information into a prioritized roadmap for the organization to implement. This roadmap should drive Security team resources, budgeting, and engineering priorities and serve as the benchmark for continuous ongoing improvement throughout the SOC so that all of that hard work doesn’t get swept under the rug. Security teams of all sizes can benefit from sweeping up all of their leftover processes and organizing operations in a way that is fresher, cleaner and more effective.
Is your SOC ready for a good, old-fashioned Spring Cleaning?
Syncurity’s award-winning IR Flow Security Operations and Incident Response Platform