Most security professionals are already familiar with the concept of a security operations center. But many CISOs and other security professionals question the need for a SOC for their own organizations. Maybe they think they're too small or aren't likely targets for attacks. Maybe they don't think they have the resources to build and staff a SOC effectively.
While many organizations struggle with the challenges of implementing and managing their own SOCs, the bottom line is that pretty much every organization needs one. Why? To put it simply, a SOC dramatically improves an organization's ability to respond to targeted attacks.
According to the 2020 Nemertes Cybersecurity Research Study, which included 335 companies across 24 industries in 11 countries, having a SOC correlates with a 43% lower mean total time to contain (MTTC) threats. In a nutshell, a lower MTTC means a company can detect, understand and contain threats faster. So, companies with a SOC have an MTTC that's 43% lower -- or faster -- than companies without one.
SOCs have advanced a great deal since their inception, so the next obvious question is: What makes a security operations center next-generation? Broadly speaking, a next-generation SOC has the following five main characteristics:
If those are the characteristics of a next-generation SOC, how do you go about building one? Here are 10 tips to keep in mind as you make the transition.
1. Build or buy a next-generation SOC. The most fundamental decision to make in building a next-generation SOC is whether to build one at all. Large enterprises have the staff to operate and manage a SOC, but smaller companies may struggle. Consider: To have 24/7 support, a company needs a minimum of eight to 10 staffers -- three eight-hour shifts per day, plus coverage for weekends and vacations. Most cybersecurity operations teams, particularly at smaller companies, aren't large enough to accommodate that level of support. In Nemertes' 2020 Cybersecurity Research Study, we found that companies with fewer than 2,500 employees overall did better -- based on MTTC -- by outsourcing their SOC, while companies with more than 2,500 employees were better off building their own.
Whether you outsource your SOC or build your own, take the nine remaining factors into consideration, either as selection criteria for a SOC service or as your own strategy.
2. Consider deploying SOAR. SOAR tools are a key way to make sure a SOC is intelligent and automated. These tools provide cybersecurity teams with a centralized console to manage and coordinate security, which reduces the time required to assess a situation and decide on an action. They enable incident response automation, shaving valuable time off MTTC and ensuring that analysts can focus on proactive problem-solving. They also provide an audit trail for compliance and post-mortem purposes.
3. Optimize tool count. The proper adage to follow when stocking a SOC is to "deploy as few tools as possible but no fewer." It's easy to get carried away with thousands of available cybersecurity products, but each tool carries its own technical debt and imposes its own support burden. A few well-chosen tools are better than a hodgepodge. With the right combination of tools, security teams may find they can eliminate entire categories. A SOAR tool plus an NGFW may eliminate the need for a SIEM approach, for example. Likewise, an extended detection and response product, which monitors endpoints and the rest of the enterprise to detect breaches and is similar to behavioral threat analytics, could obviate the need for endpoint detection and response or traditional antimalware.
4. Emphasize integration. Whatever tools constitute the SOC should have native integration with one another. Integrating tools into the SOC ecosystem should be a heavily weighted selection criterion when it comes to choosing cybersecurity products. If a tool doesn't integrate into the SOC ecosystem, it's likely a poor choice.
5. Define protected resources expansively. A traditional SOC monitors resources that include users, desktop and laptop devices, and servers. A next-generation SOC should track these and also provide protection for the IoT attack surface and for cloud-based and virtual resources.
6. Put success metrics in place. Cybersecurity teams should track the right success metrics. The most important is MTTC, but other relevant metrics might be events per analyst hour, events blocked, number of serious incidents per unit time and the like.
7. Don't forget the infrastructure. A next-generation SOC requires next-generation infrastructure. The SOC needs high-speed, high-quality connections to monitored resources, whether those are containers and VMs executing within clouds or remote user devices.
8. Ensure analysts focus on proactive efforts. Cybersecurity professionals should ensure that SOC analysts have enough time to conduct effective threat hunting, develop proactive strategies, and assess the likelihood of nation-state attacks and targeted attacks. Cybersecurity professionals who outsource their SOC services should ask detailed questions about how analysts spend their time and how they are compensated for threat hunting.
9. Include as many threat intelligence sources as possible. Capturing and analyzing information is a key job of the SOC. To enable it to function effectively, security professionals should provide analysts with as many sources of information as possible. Cybersecurity pros who outsource their SOC services should ask about the number and type of threat intelligence feeds.
10. Deploy and take advantage of AI, machine learning and cybersecurity analytics. To ensure a next-generation SOC is proactive and intelligent, deploy AI, machine learning and cybersecurity analytics, or ask the SOC provider about current and planned deployments.
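To make tip 6 concrete, here is an added example (not from the original article or from Nemertes) that computes MTTC and the other metrics named above from a constructed incident export; the comma-separated ticket format and the sample records are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

@dataclass(frozen=True)
class Incident:
    incident_id: str
    detected_at: datetime
    contained_at: datetime
    severity: str  # low | medium | high | critical

def parse_incidents(csv_text):
    """Parse 'id,detected,contained,severity' lines (a hypothetical ticket export format)."""
    incidents = []
    for line in csv_text.strip().splitlines():
        inc_id, detected, contained, severity = (f.strip() for f in line.split(","))
        detected_at = datetime.fromisoformat(detected)
        contained_at = datetime.fromisoformat(contained)
        if contained_at < detected_at:  # reject inconsistent records instead of skewing the mean
            raise ValueError(f"{inc_id}: contained before detected")
        incidents.append(Incident(inc_id, detected_at, contained_at, severity.lower()))
    return incidents

def mttc_hours(incidents):
    """Mean total time to contain: average hours from detection to containment."""
    return mean((i.contained_at - i.detected_at).total_seconds() / 3600 for i in incidents)

def mttc_reduction_pct(baseline_hours, current_hours):
    """Percent by which the current MTTC is below a baseline (the article's 43% is this kind of figure)."""
    return (baseline_hours - current_hours) / baseline_hours * 100

def events_per_analyst_hour(events_triaged, analyst_hours):
    return events_triaged / analyst_hours

def serious_incidents_per_day(incidents, window_days):
    return sum(1 for i in incidents if i.severity in ("high", "critical")) / window_days

# Constructed sample data: one quarter before and one after standing up a SOC.
BEFORE_SOC = """
INC-001,2020-07-02T09:00:00,2020-07-03T09:00:00,high
INC-002,2020-07-15T14:00:00,2020-07-16T02:00:00,medium
INC-003,2020-08-20T08:00:00,2020-08-22T08:00:00,critical
INC-004,2020-09-05T10:00:00,2020-09-05T22:00:00,low
"""
WITH_SOC = """
INC-101,2020-10-03T09:00:00,2020-10-03T21:00:00,high
INC-102,2020-10-18T14:00:00,2020-10-18T20:00:00,medium
INC-103,2020-11-10T08:00:00,2020-11-11T08:00:00,critical
INC-104,2020-11-21T10:00:00,2020-11-21T16:00:00,low
"""
```

Running `mttc_hours` over both quarters and feeding the results to `mttc_reduction_pct` gives the same kind of before/after comparison the article draws from the Nemertes data; trend these numbers per quarter rather than reading a single value.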
If you do all of that, your next-generation SOC will be smarter, more dynamic, more automated, more proactive and more customized than previous incarnations.
23 Nov 2020