Cybersecurity Monitoring

An Effective SOC Begins with a Mindset Overhaul

by Chris Calvert

Even with the deepest pockets, there are still not enough people to keep pace with the demands of today’s Security Operations Center (SOC). The volume of relevant security data and the number of analysts available to review it make this a continually growing problem.

Our research in collaboration with the Ponemon Institute released earlier this year found that even though most organizations say their SOCs are “essential” or at least “very important” for minimizing false positives and threat intelligence reporting, the cost for these typical SOC activities is high.

The current model for a SOC still boils down to spending the bulk of the budget on hiring and training junior people just to plunk them down in front of consoles, knowing they’ll be gone in a couple of years seeking more interesting, higher-paying work. SOCs are losing money on people investments and are trapped in a dangerous cycle of replacing people who burn out from chasing alerts and false positives.

Since we can never keep up with the information overload, we need to transform the SOC paradigm so that investments in people pay off, reduce attrition, and even make security work fun. Automation and new technology platforms are only part of the solution, however. We need to change the current mindset, bogged down by formal process and procedure, to one that is situation focused.

Dynamic defense, not passive protection

We talk a lot about protection in the security business—protecting data from thieves, networks from intentional disruptions, and applications from malicious corruption. But there’s an inherent lack of dynamism in protection in that the SOC is waiting for attacks to come to us. We need to be more proactive.

We need to move from a “protect” mode to a “defend” mode. It’s an important nuance because it requires that we’re always changing and adapting to fend off attacks from cutting-edge threat actors—cybercriminals who are on the offense, all of the time. Defend mode means taking an active approach, rather than a passive one that relies on technology platforms instead of people reacting effectively.

This mental switch is a critical step because it recognizes we can no longer run security operations the same way we run information technology. Doing business in the dangerous place known as the Internet means accepting the inherent asymmetry between attacker and defender. No matter what protections you put in place, the attacker will find a way around them, so we must be ready to defend ourselves.

Security alerts shouldn’t be user trouble tickets

Cybercriminals will keep trying. If one attack method fails, they try something else. They're going to continuously adapt because they’re content to wait until the next opportunity avails itself—the very definition of agile.

Since they send lots of emails, it’s just a matter of time before someone in your organization clicks on one of them. The problem with today’s SOC is when the alert comes through it’s treated like everything else in the IT service management (ITSM) tool—a ticket to be resolved by a passive security staffer staring at a console.

As much as cybercriminals have a method to their madness, their attacks materialize in the SOC chaotically, yet we still treat security operations as if it should have the same structured and measured maturity, availability, performance, and scalability that we have in our production IT environments. But if our SOC is bogged down by alerts and ITSM-like tickets to fill security gaps created by a business user, then we’re not in a position to truly defend the organization. We’re still in protection mode, with the unsatisfying success rates laid out in our research with the Ponemon Institute.

Does security need to collaborate with IT? Most definitely. Embedding security everywhere, thinking about it during the application development process and full-blown SecDevOps are worthwhile goals, but there’s a pressing need for the SOC to free itself from ITSM tickets via the console approach, even if there’s some level of automation. There needs to be more flexibility and agility in the SOC because the cybercriminals aren’t working with a measured, orderly schedule. They have strong financial incentives to keep volleying attacks at teams set to protect, not defend.

Keep your SOC team engaged

Defending is more fun than protecting because people are no longer staring at consoles all day waiting to be attacked.

The approach to running SOCs to date has been to stream as much information as possible to a console, and to add people as needed within budget constraints until they fall over at the keyboard. It’s no wonder the attrition rate is high. If we want to address the “expensive people” problem and improve SOC economics, we can’t be investing all our money in technology platforms just so people can spend their entire day on tasks not optimized for humans.

Rather than use people as detection engines, we need to get them doing what they’re best at—working together to manage the bad out of the environment. People are optimized to solve problems and complete projects, rather than to detect an incident after its impact starts to register or because a user requests assistance. We need to move from a constant cycle of incident response and remediation to a focus on systemic immunity. True remediation means that an incident is no longer possible anywhere else within your organization.

But we can’t do that if we’re bogged down by piles of process and procedure. The SOC needs to be centered on the bad guys and predicting what their courses of action might be so we can frustrate them and send them packing. We don’t need strict, structured procedures to do that, just simple documentation to guide who we’re going to talk to when certain things happen. A cost-effective SOC is a social one with a shared consciousness that is situation-focused where security professionals can be curious, creative, and collaborative—not overloaded by information streaming from a console.

This situation-based approach recognizes that things change constantly, and when we achieve systemic immunity and successfully protect the organization, there’s a sense of accomplishment that keeps people engaged in the work. Detectives, NOT gate guards—that’s how you build a cost-effective SOC.