The decision to invest in a Security Operations Center (SOC) is viewed as critical in mitigating a company's risks, as it is now essential to limit intruders' time and access to the organization.
Have one Security Operations Center (SOC) increases the attacker's real cost and decreases the benefit, which impairs their return on investment (ROI) and motivation to attack the organization. Everything in SOC should be geared to limit the time and access that attackers can gain to the organization's assets in an attack, thereby mitigating business risks.
Below are the four key functional integration points that SOC should have with the business:
- Business Context (for SOC) & #8211; The SOC needs to understand what's most important to the organization so the team can apply that context to fluid security situations in real time. What would have the most negative impact on the business? Downtime of critical systems? A loss of reputation and customer trust? Disclosure of sensitive data? Tampering with critical data or systems?
- Joint Practice Exercises (with SOC) & #8211; The leaders business partners must regularly participate in the SOC in the practice of responding to major incidents. This builds the memory and muscle relationships that are critical for quick and effective decision making in the high pressure of real incidents, reducing organizational risk. This practice also reduces risk by exposing gaps and assumptions in the process that can be corrected before an actual incident.
- Major Incident Updates (from SOC) & #8211; The SOC should provide updates to business stakeholders for key incidents as they occur. This enables business leaders to understand their risks and take proactive and reactive measures to manage that risk.
- Business intelligence (from SOC) & #8211; Sometimes SOC finds that opponents are targeting a system or dataset that is not expected. As SOC discovers the targets of attacks, they must share them with business leaders, as these signals can trigger business leaders' perceptions (outside the awareness of a covert business initiative, the relative value of a neglected data set. etc.).
The evolution of SOC
In an evolution of SOC, the key elements must be people, teamwork, and continuous learning, including:
- Use human talent wisely & #8211; People are the most valuable asset in a SOC and can't waste time on repetitive and reckless tasks that can be automated. To combat human threats, we need well-informed and well-equipped human beings who can apply skill, judgment, and creative thinking.
- Teamwork & #8211; Teamwork makes a high-pressure work environment like SOC much more enjoyable and productive when everyone knows they are on the same team and everyone is back to each other.
- Shift mindset left & #8211; to get ahead and stay ahead of cybercriminals and hackers who constantly develop their techniques, and need continuous improvement and shift activities "left" in the timeline of the attack. This principle is effectively an application of a continuous learning “growth mindset” that keeps the laser team focused on risk reduction.
SOC metrics
The final organizational element is how to measure success, a critical element to getting it right. Metrics translate culture into clearly measurable goals and exert a powerful influence on shaping people's behavior.
Measuring various success indicators in SOC is important, but always recognize that SOC's job is to manage significant variables that are out of direct control (attacks, intruders, etc.). See deviations primarily as a learning opportunity for process or tool improvement rather than as a SOC failure to achieve a goal.
Key Metrics:
- Time to acknowledge (TTA) & #8211; Accountability is one of the few elements over which SOC has direct control. Measure the time between an alert being generated (“light starts flashing”) and when an analyst recognizes this alert and initiates the investigation. Improving this responsiveness requires analysts not to waste time investigating false positives while another true positive alert is waiting. Any alert requiring an analyst response must have a 90% history of true positives.
- Time to remediate (TTR) & #8211; Track time to remediate an incident and ensure that it is limiting the amount of time an attacker has access to the environment, which drives the effectiveness and efficiency of SOC processes and tools.
- Remediated incidents (manually / with automation) & #8211; Measure how many incidents are manually corrected and how many are resolved with automation. This ensures that staffing levels are adequate and measures the effectiveness of automation technology.
- Scales between each layer & #8211; Track how many incidents have been scaled between levels to ensure accurate capture of each layer's workload.
Safeway is a consultancy one stop shopping which has helped companies such as Sodexo, Ci & T, Fujifilm, Braskem, ABBC and others to ensure their information security.
Through the application of agile process and continuous improvement in our dedicated SOC 24 & #215; 7, we use a unique and modular risk management platform focused on each client's specific business processes, applying the best technologies in the market to the SaaS model. All this without the need for large upfront investments in hiring
Watch this video on our YouTube channel and find out more about what we are calling: The evolution of SOC →