It’s easy for CISOs to get caught up in organizational politics, overwhelmed by the bombarding, gloom-and-doom information security news cycle, and hoodwinked by smiling sales reps peddling shiny objects. Altogether, these factors can lead to a situation where the CISO and other security leaders lose focus on what actually matters: understanding their risk-profile, concentrating on the right threats, and establishing repeatable processes to address security issues. Hair-on-fire reactions won’t solve what is ultimately an analytical problem.
There seems to be an almost industry-wide over-emphasis on tooling and automation, and while there are a ton of great tools on the market, tools aren’t the panacea you’re looking for; they’re a means to an end. Of course there are SOCs that lack good security products, but more often than not, SOC problems stem from a lack of established, repeatable processes, properly developed use-cases for understanding what is and isn’t a threat, and a clear understanding of what hardware and software is attached to the network.
At MKACyber, we believe that SOC management ought to be predicated on the following three principles that, if followed, pre-ordain how you organize detection and response, dictate how a CISO or SOC director requests budget and justifies spending choices, and, more generally, enable your security team to stay ahead of threats.
1. Analyze the Threats First
As a CISO, you need to analyze your organization’s threat profile first, before you go out and invest in anything other than solutions that will help you determine what does and doesn’t pose a risk to your network. You can’t just start dumping threat feeds into your security information and event management (SIEM) or detection platforms and delude yourself into believing you are improving your security posture. A CISO needs to first identify the problem or need, then identify the tool or the data that actually solves that problem or fulfills that need, before he or she invests in anything.
2. Organize Attack Types into Use-Cases
You have to understand the attack types or use-cases that are relevant to your organization and then identify the data that can help detect and mitigate these attacks. In this way, you organize your threat profile into actionable use-cases that facilitate repeatable processes and methodologies for detecting, blocking, mitigating, or remediating specific types of attacks.
This should ensure that your SOC analysts are methodical and that their detection strategies are organized into repeatable processes. Security teams have to apply their tools precisely, configuring them to detect specific types of attacks and monitoring specific areas within their organization’s IT infrastructure. It’s important for security and IT teams to work together on conducting continual risk assessments and keeping up-to-date software and hardware inventories, which leads into our next point.
3. Understand your Visibility
This is perhaps the broadest point because it means simultaneously knowing what is on your network and understanding what an attacker can see on your network. It’s a major problem when attackers have a better understanding of an enterprise’s network inventory than the security and IT departments do. In essence, visibility for the attacker and for the defender is the same thing.
An additional point of importance is being able to apply this understanding. Knowing what’s on the network is step one. You then have to grasp how data traverses the network, so you can identify what is normal and what isn’t, separating the noise from the signal, and focusing on what is anomalous and more likely to be malicious.
It is necessary to understand how the network functions under normal conditions and where and how traffic traverses it. By discerning the difference between known and unknown and normal and anomalous traffic, security teams will develop the ability to better distinguish between good and bad network activity. The best way to do this is through access to system data, such as logs, which report on everything going in and out of the IT infrastructure.
Unfortunately, having access to this data is often a dependency that is controlled not by the security team but by their IT counterparts. Your detection capability and your analysts’ ability to identify anomalous traffic is only as good as the data your security architecture is able to deliver, based on sensors, black holes, Active Directory logs, intrusion detection systems, email filters, and other systems. If the security team is restricted from accessing this data, it simply will not be able to adequately detect threats, and this is why the IT department has to enable the security department; IT and security must be partners.
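The following is an added example (it is not MKACyber code or part of the original post) that ties together points 2 and 3 above: a use-case declares the attack type it covers and the log sources its detection depends on, a visibility check reports which of those sources the SOC cannot actually see, a baseline of “normal” (host, destination port) pairs is learned from a window of firewall logs, and new events are then judged against the asset inventory and that baseline. The log format, IP addresses, host names, use-case names and the two detection rules are all constructed for illustration.

```python
"""Added example (not MKACyber code): turning a detection use-case into a
repeatable, data-driven check. Log format, hosts, addresses and use-case
names are constructed for illustration."""
import re
from dataclasses import dataclass


# --- 1. A use-case names the attack type and the data it needs -------------
@dataclass(frozen=True)
class UseCase:
    name: str
    required_sources: frozenset   # log sources the detection depends on
    description: str = ""


USE_CASES = [
    UseCase("unknown-device", frozenset({"firewall", "dhcp"}),
            "host talking on the network that is not in the asset inventory"),
    UseCase("unusual-outbound", frozenset({"firewall"}),
            "known host using a destination port never seen in the baseline"),
]


def missing_sources(use_case, available):
    """Return the data sources a use-case needs but the SOC cannot see."""
    return sorted(use_case.required_sources - set(available))


# --- 2. Parse firewall log lines (constructed format) -----------------------
LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$")


def parse(line):
    """Return a dict for a well-formed line, or None (skipped, never guessed)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


# --- 3. Learn what "normal" looks like from a baseline window ---------------
def learn_baseline(lines):
    """Set of (src, dport) pairs observed during the baseline period."""
    return {(r["src"], r["dport"]) for r in map(parse, lines) if r}


# --- 4. Apply the use-cases to new events ----------------------------------
def find_anomalies(lines, inventory, baseline):
    """Flag sources missing from the inventory, then known hosts on new ports."""
    findings = []
    for rec in (r for r in map(parse, lines) if r):
        if rec["src"] not in inventory:
            findings.append(("unknown-device", rec["src"], rec["dport"]))
        elif (rec["src"], rec["dport"]) not in baseline:
            findings.append(("unusual-outbound", rec["src"], rec["dport"]))
    return findings


# Constructed sample data: a small asset inventory, a baseline window,
# and a later window containing two anomalies and one unparseable line.
INVENTORY = {"10.0.1.5": "web-01", "10.0.1.6": "db-01", "10.0.2.10": "ws-alice"}
BASELINE_LOGS = [
    "2024-05-01T09:00:00Z fw src=10.0.1.5 dst=93.184.216.34 dport=443 action=allow",
    "2024-05-01T09:00:05Z fw src=10.0.1.5 dst=10.0.1.6 dport=5432 action=allow",
    "2024-05-01T09:00:07Z fw src=10.0.1.6 dst=10.0.1.20 dport=53 action=allow",
    "2024-05-01T09:00:09Z fw src=10.0.2.10 dst=93.184.216.34 dport=443 action=allow",
    "2024-05-01T09:01:00Z fw src=10.0.2.10 dst=10.0.1.5 dport=80 action=allow",
]
NEW_LOGS = [
    "2024-05-02T10:00:00Z fw src=10.0.2.10 dst=93.184.216.34 dport=443 action=allow",
    "2024-05-02T10:00:02Z fw src=10.0.1.6 dst=198.51.100.7 dport=4444 action=allow",
    "2024-05-02T10:00:03Z fw src=10.0.3.99 dst=10.0.1.6 dport=5432 action=allow",
    "this line is deliberately malformed and must be skipped",
]

if __name__ == "__main__":
    # Visibility check: with only firewall logs, "unknown-device" is half blind.
    for uc in USE_CASES:
        gap = missing_sources(uc, ["firewall"])
        print(f"{uc.name}: {'ready' if not gap else 'missing ' + ', '.join(gap)}")
    for finding in find_anomalies(NEW_LOGS, INVENTORY, learn_baseline(BASELINE_LOGS)):
        print("ALERT", *finding)
```

The visibility check is the part that maps to the IT/security partnership above: if `missing_sources` reports a gap for a use-case, the fix is obtaining the data feed, not buying another detection product. The baseline-versus-inventory ordering also matters: a host that is not in the inventory is reported as such rather than as an "unusual port", so the analyst's first question is "what is this device?" rather than "why that port?".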
Building out proper use-cases based on attack types that are relevant to your organization, and then allowing those use-cases to facilitate the deployment of repeatable security methodologies, works to keep your security teams focused on threats that actually matter and how to neutralize them. MKACyber’s SOC methodologies and platform, built on decades of security operations experience, put these principles into pragmatic effect. If you or your organization is looking for help on how to manage security operations, then reach out to the experienced specialists at MKACyber.