As we discussed in 7 Steps to Building a Security Operations Center, an enterprise SOC requires careful planning and precise synchronisation of people, processes, and technologies.
However, a good foundation is just the beginning. As cyber threats change, your SOC must adjust.
This article looks at the three areas in which a SOC matures: industry frameworks, technology, and people.
Maturing SOC industry frameworks
Every SOC needs security policies that are established, enforced, and regularly reviewed. Creating them does not mean starting from scratch: the NIST Cybersecurity Framework (CSF) and the MITRE ATT&CK knowledge base provide a ready starting point.
Industry colleagues are expanding these standards and exploring new use cases.
Consider recent advancements in these areas.
NIST CSF 2.0.
The CSF provides detailed, actionable guidance for a SOC. It addresses the identification, protection, detection, response, and recovery aspects of cyber threats. Revisiting the CSF and improving SOC processes against it helps ensure your SOC follows NIST recommended practices.
Remember that the CSF is an evolving document. NIST released CSF 1.1 in April 2018 and is now proposing CSF 2.0, a major update to the framework based on industry and stakeholder feedback. Updates help the framework:
- Keep pace with technology and threat trends
- Incorporate lessons learned
- Standardise good practice
NIST said CSF 2.0 will “reflect the ever-evolving cybersecurity landscape and help enterprises more easily and effectively manage cybersecurity risk.”
Why not attend NIST’s public webinars and workshops and review the CSF 2.0 drafts to help NIST finalise its latest CSF release?
Security operations specialists have used MITRE ATT&CK as a reference framework since 2013. This knowledge base is built from real-world observations of adversary tactics and techniques.
According to recent research, 48% of firms use the MITRE ATT&CK framework “extensively” for security operations, while 41% use it in a limited way. 19% consider MITRE ATT&CK crucial and 62% very significant for their future security operations plan.
Like NIST’s CSF, MITRE ATT&CK evolves. Today’s security teams are experimenting with new use cases to gain even more benefit from this foundation. A report describes the new applications and use cases:
- MITRE ATT&CK helps 38% of organisations integrate threat intelligence into alert triage and investigations.
- 37% follow it for security engineering.
- 35% use the framework to understand attackers’ tactics, techniques, and procedures, while 34% use it to understand the broad scope of cyberattacks.
- 33% use it to supplement security technology vendor threat intelligence.
Technology for the next-generation SOC
The three main SOC technologies are data sources, a security intelligence platform, and event ticketing.
Common data sources:
- Security events from firewalls, IDS/IPS, and vulnerability scanners
- Internal and external threat intelligence
- Endpoint logs
- Authentication and authorisation data from Active Directory, VPN, and SSO
Security Intelligence Platform (including SIEM)
A security intelligence platform correlates data from all the sources above and promptly alerts a SOC engineer when a threat is detected.
Event ticketing
Event ticketing tracks the lifecycle of each event and connects SOC teams, affected infrastructure, and users. Many companies use third-party managed solutions to defer or reduce the upfront expense of investing in, maintaining, and updating key infrastructure components.
Where are the SOC technology gaps?
Forbes asked SOC experts what technology they need to succeed with their ambitions for the year. Among the responses:
- Enhanced insider threat detection: according to the current SANS Institute white paper, 35% of survey respondents consider corporate insider misuse a serious visibility gap in their infrastructure. Accordingly, over a third want to add behaviour analytics technology to their SOC to identify malicious insider activity by comparing it against “regular” user and entity activity.
- SIEM shortcomings: 18% believed a better SIEM would boost SOC performance. SIEM solutions standardise and correlate data from various sources, assign risk scores, and send alerts and context to the SOC analysts investigating them. SOC professionals often criticise SIEM tools for:
  - Lack of depth and breadth in data queries
  - Data gathering or storage constraints that reduce incident context
  - Lack of prioritisation, which causes excessive notifications
  - Complicated setup and maintenance
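As an added illustration (not code from the original article) of what the security intelligence platform above does, the following Python sketch scores constructed events from the VPN, Active Directory and endpoint sources the article lists against a constructed per-user baseline of “regular” activity, then correlates them per user into one prioritised alert with context rather than one notification per event; the field names, risk weights and threshold are assumptions.

```python
# Added example, not from the article: a toy security-intelligence pipeline that
# scores normalised events against a per-user baseline of "regular" activity,
# correlates them per user within a time window and raises one prioritised alert.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events already normalised to (timestamp, source, user, action, detail).
EVENTS = [
    ("2024-01-10T02:14:00", "vpn", "alice", "login", "geo=RU"),
    ("2024-01-10T02:16:30", "ad", "alice", "group_add", "Domain Admins"),
    ("2024-01-10T02:20:05", "endpoint", "alice", "file_copy", "usb:/payroll.xlsx"),
    ("2024-01-10T09:00:00", "vpn", "bob", "login", "geo=US"),
]
# Constructed baseline of "regular" behaviour per user: working hours, usual login geos.
BASELINE = {"alice": (range(8, 19), {"US"}), "bob": (range(8, 19), {"US"})}
# Risk weights are assumptions; a real platform tunes them per environment.
WEIGHTS = {"off_hours": 20, "new_geo": 30, "group_add": 40, "file_copy": 25}

def score_event(ts, source, user, action, detail):
    """Return (risk points, reasons) for one event measured against the baseline."""
    hours, geos = BASELINE.get(user, (range(24), set()))
    points, reasons = 0, []
    if datetime.fromisoformat(ts).hour not in hours:
        points += WEIGHTS["off_hours"]; reasons.append(f"{source}:{action} off-hours")
    if action == "login" and detail.split("=", 1)[1] not in geos:
        points += WEIGHTS["new_geo"]; reasons.append(f"login from new {detail}")
    if action in ("group_add", "file_copy"):
        points += WEIGHTS[action]; reasons.append(f"{source}:{action} {detail}")
    return points, reasons

def correlate(events, window=timedelta(minutes=15), threshold=50):
    """Bucket each user's events by time window; alert once per window over threshold."""
    by_user = defaultdict(list)
    for ev in sorted(events):                 # ISO timestamps sort chronologically
        by_user[ev[2]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        buckets, start = [], None
        for ev in evs:
            t = datetime.fromisoformat(ev[0])
            if start is None or t - start > window:   # open a new window
                start, bucket = t, []; buckets.append(bucket)
            bucket.append(ev)
        for bucket in buckets:
            scored = [score_event(*ev) for ev in bucket]
            risk = sum(p for p, _ in scored)
            if risk >= threshold:                 # low-risk windows stay quiet
                alerts.append({"user": user, "risk": risk,
                               "context": [r for _, rs in scored for r in rs]})
    return sorted(alerts, key=lambda a: -a["risk"])
```

Running `correlate(EVENTS)` yields a single alert for alice carrying all six reasons as context, while bob’s in-baseline login produces no notification at all.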
The right SOC technology is crucial, but having top-notch SOC staff matters even more. People are the third ingredient of a future-ready SOC.
Modern SOC Staffing
The SANS 2022 SOC Survey found that high staffing requirements are the biggest obstacle to security teams getting the most out of their SOC. SOC specialists are expensive and scarce.
First, let’s examine SOC team roles to understand the issue before considering solutions:
- Tier 1 analysts handle phone calls and the alerts and warnings from SIEM or sensor consoles.
- Tier 2 analysts resolve events and incidents, whether that takes hours or months.
- Tier 3 analysts collect threat-trend information and analyse network activity and adversary TTPs over months and years. Because they must both manage immediate risks and prepare the SOC for emerging threats, this role is the least sharply defined.
- SOC Manager: this person coordinates SOC activities with technology leaders such as the CISO and CTO.
Enterprise SOCs have substantial staff turnover: the average employee stays 26 months. Such short tenures prevent SOC teams from building the organisation-specific knowledge needed to manage identified incidents without dedicated third-party support and/or advice from more senior colleagues.
According to Gartner, by 2024 more than 90% of buyers outsourcing security services will prioritise threat detection and response.
Outsourced SOC responsibilities include:
Penetration Testing: Third-party penetration testing experts work to your company’s schedule, processes, and priorities to deliver enhanced security verification.
With the top outsourcing partners, ethical hackers uncover software, web application, operating system, network, and other vulnerabilities and help you fix them. Your business and risk management requirements guide their penetration testing of the most critical areas of your IT environment.
24/7 Analysts: Tier 1 analysis is one of the most frequently outsourced SOC duties. These analysts monitor security alerts and system and network data 24/7/365 and triage relevant events by criticality/severity within your workflows. They escalate events using your criteria and assign them to incident response teams or Tier 2 analysts to quickly eliminate threats.
Incident Handling/Response: A reputable outsourcing company uses its incident response professionals to help you mitigate threats. They generate response actions, authorise responses, and quarantine threats within your playbooks and processes. They will also implement secure backups, logging and security alerting to detect malicious activity, and identity and access management.
In recent years, SOC-as-a-Service (SOCaaS) has emerged from the practice of outsourcing SOC duties to MSSPs.
In SOCaaS, the MSSP manages some or all of the business’s SOC components. Some organisations hesitate to go this way because they fear losing control of their security plan. Most, however, benefit from having an expert guide them through building, refining, and enhancing their SOC approach, and end up feeling more secure and in control than before.
SOCaaS contracts are usually fixed-price, billed monthly or annually. Your supplier commits to service level agreements (SLAs) that govern the contract, which can make SOCaaS more efficient and cost-effective than an all-in-house SOC.
A managed service SOC can also close security team skills gaps and free up IT specialists to focus on business-critical issues, while ensuring your company has a 24/7 SOC.
Outsourcing SOC services typically costs less than buying, installing, and maintaining them in-house. This approach reduces CapEx as well as the cost of hiring, managing, and retaining SOC specialists.
SOCs safeguard businesses from internal and external threats. In 2023, SOCs—whether in-house, outsourced, or hybrid—will rise to the top of the business agenda.