Building an Enterprise Security Operations program (a.k.a. Security Operations Center or SOC) is never a ‘one and done’ exercise. Ongoing adjustments and improvements are what keep your security operations effective and efficient. Too often we see the SOC haphazardly created in response to a mandate to “do security now”. A CIO/CISO needing to meet an “immediate” deadline may skip important planning steps, or rely on security software vendors to tell him or her what to do, or opt to completely outsource security monitoring rather than assess and build what is actually needed.
Unfortunately, this course may leave an organization exposed to regulatory compliance gaps or worse—a breach. We’d much rather have companies stay ahead of emerging threats—that’s the focus of our business—rather than operate in a constant state of panic. So where do you start?
Dos & Don’ts to Apply to Your Security Operations Center
Whether you’re building a SOC from the ground up or ready to take a critical eye to your existing operations, here are eight strategic Dos and Don’ts for an effective, efficient program.
Do: Invest & Empower Your Staff
Cybersecurity Ventures predicts the shortage in cybersecurity talent to reach 3.5 million unfilled jobs globally by 2021. Nothing new here. So how do you attract and retain the critical skills needed to defend your enterprise?
Competitive compensation is obvious, but you can add more appeal by taking job-related training seriously—at least one course of the employee’s choosing per year as long as it aligns with their current job or career roadmap. Encourage the individual to bring recently learned concepts to the table with continuous improvement ideas related to your security program.
Empowerment is equally important. Your security staff must have top-down approval and support to execute their mission of defending the enterprise’s people, information, and information system against cybersecurity threats.
Do: Understand Your Threat Landscape
Participation in threat intelligence and sharing communities goes a long way toward understanding which cybersecurity threats pose an immediate risk to your organization, and for making informed decisions based on the risk reality and associated consequences.
Proactively collaborate with industry peers. If they’re observing specific threat trends, you’re likely to expect the same issues. Why not share lessons learned? As they say, knowledge is power, and powerful knowledge translates into strategic risk-based decisions and investments (or cost avoidance).
Do: Map & Track Your Resiliency
Once you’re making informed decisions based on the current threat landscape, prepare to evaluate your organizational defenses in the form of people, process and technology. If this is something you lack the expertise to do yourself, there are vendors, such as Revolutionary Security, who can help. Among our specialties in Enterprise Transformation Services is generating resiliency scorecards tailored to the specific client and their defensive capabilities. The result is a heat-map which identifies where defenses have failed based on recent incidents, or where defenses continue to provide resilient defenses. These observed trends provide clear decision-making opportunities.
Do: Foster Executive Support
Establish steering committees at the highest level possible to inform and educate decision makers in a collaborative environment. Segue this partnership into business outreach and socialization campaigns to inform and educate your full workforce of the cybersecurity operational mission. Simple lunch-and-learns go a long way toward active participation and support from your people.
Don’t: Buy the Latest Security Technologies in Haste
I’ve personally observed numerous occasions where CISOs decided to invest in the latest technology based on a fancy vendor demonstration, audacious vendor claims of the tool being a “silver bullet” for certain cybersecurity threats, or assertion that the tool will satisfy regulatory and/or compliance issues. Take the time to evaluate your threat landscape and enterprise resiliency prior to reactive investments.
Don’t: Use IT Service Frameworks to Design Cyber Operations
Information technology service frameworks have served traditional IT operations well for many years, but they’re not designed to create or determine direction of a cybersecurity program (especially operations). A previous CISO I reported to often said, “Cyber is not IT. It’s a difference of capabilities versus services.” One example may be corporate instant messaging (optional service) versus digital forensics (niche capability). IT service frameworks (e.g., ITIL/ITSM) typically boil down to pillars of services such as availability, service level agreements, and change management whereas cybersecurity frameworks such as the NIST Cybersecurity Framework (CSF) align to confidentiality, availability and data integrity. Cyber incidents don’t necessarily translate to IT service impacts; when working through a large-scale incident, both IT service availability and cybersecurity risk perspectives are important; however, the severity rating in terms of IT service outage can be very different that the level of priority and urgency applied from a cybersecurity perspective. A malware incident may be rated as “Critical” from a cybersecurity perspective but have no immediate or direct impact on the overall IT service level and thus may be rated “Low” severity. For instance, the compromise of a single host would not trigger any escalation thresholds from an IT service standpoint, though if the cybersecurity operations team detected data exfiltration from that compromised host, it would be considered it a critical incident. If the IT service perspective was the primary driver of priority, the incident may not receive the level of support and coordination required to mitigate the threat from a cybersecurity perspective with assistance from the broader IT organization. The differences in these frameworks result in a unique approach to designing your security program in the form of people, process, and technology.
Don’t: Silo Your Team from the Business
Too often I see cybersecurity operational teams isolated from IT or the broader business. As noted earlier, your cybersecurity team must be a visible, accessible component of your overall business operations. The consequences of a siloed SOC are fear, uncertainty, and doubt among the broader workforce as to what exactly the security team is doing. I was once asked by a non-technical employee at the beginning of a Security Operations Center (SOC) build project: “Is cybersecurity sitting back and reading our emails?” The answer is and should be “no.”
Don’t: Outsource All Aspects of Security Operations
Without a compelling reason—for instance, you’re a small organization that doesn’t have a cybersecurity team to begin with—you should spend available capital on your own operational capability. Managed Services have their benefits and may result in cost avoidance in larger organizations (e.g., 24x7x365 coverage), but a dedicated internal team cannot be rivaled if trained and empowered.
For example, over time an internal operations analyst can consistently identify and triage priority alerts amid the noise and myriad of alerts generated by security technologies. This takes months to years of concentrated focus learning an organization’s environment baselines and behaviors. Teams of people monitoring your network for threats from the outside simply do not have, and will rarely acquire, that level of “business as usual” knowledge for your organization.
Lastly, there’s a misconception that organizations may realize all too late – “outsourcing” security operations via a traditional MSSP only goes so far – specifically, the detection and triage of security events. Your organization is then responsible for investigating, analyzing, and responding to the events – which clearly requires internal capability and capacity. Our recommendation is to establish full-lifecycle security operations internally where possible and reserve “outsourcing” for specific activities that go beyond the team’s capabilities (e.g., advanced malware analysis, forensics, e-discovery, etc.).
Need help planning, building, or fine-tuning your SOC?
We can help. Engage our team to help you meet regulatory goals, actively defend your organization against emerging threats, and reduce business risk through smart investments that meet the needs of your evolving business.