Frameworks in strategy, governance, operations and technology need updating.
As adversaries evolve to strike targets more creatively, your Security Operation Center (SOC) needs to be structured differently than in the past. Today’s SOC must be aligned to the business to specifically mitigate and reduce cyber risk. Also, your SOC team needs to become more agile and operationally efficient in detecting and responding to threats.
Powering the new ways of working with SOCs are the basic concepts of Fusion, Agile, DevOps, artificial intelligence, machine learning and automation. These advanced tools can empower your Cyber Rapid Reaction Teams to reach much better outcomes faster.
At the same time, if you haven’t captured valuable metrics and indicators of efficiency and effectiveness to measure these outcomes, your SOC successes and failures can’t be measured properly. Thus, you’re missing data to use to improve what was inefficient, ineffective or suboptimal.
Your SOC needs to be flexible, adaptable and optimized to detect new and emerging threat vectors. If not, the consequences can be costly. At the same time, your SOC can’t just react to threats. Consider this situation:
In 2020 at least four major security firms targeted by attackers had breaches.1 One of those hacks into the supply chain software for SolarWinds was particularly damaging. The data within these networks, user IDs, passwords, financial records, source code, you name it, can be presumed now to be in the hands of Russian intelligence agents.
In most of these breaches, the response took a long time. Hence, the risk exposure was sustained and caused more damage than if the analysis and response was faster and more agile.
Number of government and private networks infiltrated by the SolarWinds hack2
Given these circumstances, SOCs need to make a paradigm shift guided by a focus on efficiency, specifically speed and agility, and effectiveness, with a particular concentration on risk reduction.
Your SOC needs to be aligned with your business across the supply chain. To achieve this goal, your strategy and governance need to be risk-focused and aligned to your enterprise risk. Risk quantification should drive your planning and investments.
Likewise, multidimensional risk and efficiency indicators should drive continuous improvement efforts and showcase risk reduction and operational performance.
SOCs also need more collaboration using the adaptive integrated operations strategy as basic concepts, such as Fusion and Agile. A Fusion enabled SOC has the following characteristics:
- A fusion center should include dedicated specialists, rotational involvement and capacity management as part of its governance.
- Core Fusion elements for effective cyberdetection, response and recovery involve your IT, network and DevOps specialists.
- Fusion provides risk management within industry-specific operations that are susceptible to various threats.
- Business risk functions such as consumer fraud and anti-money laundering are integrated within the fusion center.
- Fused competencies within the SOC with fully integrated command chains ensure unified vision, mission and resource dedication to your risk reduction efforts.
An Agile SOC has the following characteristics:
- Promotes adaptive planning, evolutionary development of operational run books, on-demand formation of analysis and response teams and a maniacal focus to rapidly removing obstacles to agility.
- Leverages Agile principles and methodologies, speeding up analysis and response time, thereby substantially reducing duration of risk exposure, such as dwell time, compared to traditional “process-based” siloed methods which take much longer.
Evolve your SOC’s threat intelligence function from just collecting or disseminating feeds and threat bulletins. You want a cross-functional operation performing collection, enrichment, threat hunting and dissemination of threat and business risk intelligence activities across your enterprise’s IT, security and business risk functions.
Use omni source threat intelligence to infuse and inform detection, protection and recovery processes with full lifecycle intelligence capability encompassing cyber and business threat intelligence.
Omni source threat intelligence provides cybersecurity defenders with up-to-date and accurate threat intelligence. It’s more thorough than traditional threat intelligence, which doesn’t drive strategies for detection, protection or both.
Omni source threat intelligence is comprised of numerous sources including human, cyber, social, geographic, business, threat actors, threat vectors, deep web, dark web and Open Source Intelligence (OSINT).
SOC staff can only protect an environment against what they recognize. An omni source intelligence gathering strategy should be supplemented by appropriate technologies that can perform the following tasks:
- Centralize the raw intelligence
- Provide a work bench for intelligence analysts to enrich the intelligence, remove redundancies and add context
- Disseminate enriched intelligence with the appropriate Threat Level Protocol (TLP) designators to the critical functions in the organization to inform protection, detection and response and recovery measures
Adaptive SOCs have agility, which means the ability to rapidly perform security activities as one of its cornerstones. Integrated SOCs fuse critical IT, business and risk teams and processes for maximum collaboration and sharing. An Adaptive Integrated SOC combines these principles to gain razor sharp focus on achieving quick results by proactively collaborating across critical constituencies without being slowed down by inefficient process-based approaches.
The new operating model redefines the following elements:
- How your talent is assigned
- How those team members converge and work a problem
- What resources are available
- What authority the team members have to act in an adverse event
This new model promotes empowered actions, organic skill development, motivation, cross training and Agile operational enhancements. These changes can result in improved outcomes, retention and surge capability leveraging cross-trained resources.
The Fusion service catalog offers more open communication and collaboration for your team members as well, with such features as catalog management, service requests and service fulfillment. There are mission-enabling services available to Fusion Center constituents from every operations function, such as watchlist addition and custom and compliance reports. Its adaptive integrated model makes it possible to overcome gaps in contextual data sources faster than traditional techniques.
DevOps, the process that expedites application development efficiencies and software release management, and DevSecOps, the process of integrating security practices within the DevOps process, may already be used in your organization.
The principles of Continuous Integration and Continuous Development (CI/CD) in DevOps tool chains and the integration of security testing tools that are prevalent in DevSecOps models that provide quicker, more reliable and secure code to production environments have inspired SOCs to move cyber response integrations deeper into the IT tools chains. Technologies such as Security Orchestration, Automation and Response (SOAR) have been at the forefront of driving these efficiencies in cyber operations.
Operations teams often redundantly deploy and underutilize existing enterprise IT and corporate security technologies. As a result, core technology is straining to handle data ingestion and correlation. To address this situation, take the following steps:
- Develop a security technology roadmap linked to maturity that aligns with enterprise strategy to leverage advanced technology
- Leverage existing initiatives for enterprise data aggregation to serve cross-functional needs
The adaptive integration operations concept discussed previously require SOCs to consider evolving technologies based on open platforms. These technologies can connect across an ecosystem of security and IT technologies to provide single pane of glass visibility and use federated searches to discover and hunt for threats in a multicloud hybrid IT environment. Concurrently existing tools may need to be configured differently to allow the on-demand, collaborative approach required for adaptive integration to work.
By extending or reconfiguring existing ticketing tools, you have one parent security ticket with response sub-tasks for cross-functional fusion team members. This change removes the notion of working tickets by Service Level Agreements (SLAs) defined for various corporate functions.
Also, use emerging class of technologies and tools such as data security platforms to combine or analyze data, or both, from sources spread across technologies to perform the analysis. You avoid redundancies proliferating in a single repository that way.
These recommendations share a common goal of improving efficiency and effectiveness of your SOC in the evolving world of security.