The ‘Filter’ of Shame: 5 Tips to Building a Modern SOC without Filters
category Cybersecurity Analysis
tags Cyber Security, How to build a SOC on a budget, Security Operations Center, SOC, soc security operations center, SOC Security Operations Center Design
Building an Efficient & Cost-Effective Security Operations Center with No Filters
Filters are great. I use one every day to keep the grounds out of my coffee. Filtering or tuning down the volume of security alerts because the security team can't keep up with the growing pile of escalations increases risk and let's face it, is bad for business. But it's not your fault. Security operations tools and platforms have used filtering technology for years. It's now time to stop. There’s a better way to approach security operations, and it doesn't involve wearing a 'cone of shame' on your head.
Here are five things to consider when you want to create a modern and highly efficient security program that doesn't rely on the filter of shame.
1. Start with People
Begin with your people, or lack thereof, in mind. Security professionals are in high demand. They want to protect the business, not sort through thousands of alerts each day. Think about your security technologies, existing and under evaluation, through the lens of your people’s experience. About each tool, ask: Does this prevent or enable active response to a threat? Or does it create work because it’s often producing false positives or alerting on things that are low risk and not actionable?
Discussing these issues with your team shows you care about day-to-day life inside your program. Done well, this exercise will highlight the most important points of efficiency and inefficiency. Prioritizing automation around your people - through prevention, detection for response, and hunting - is a great start to building a highly efficient program and making security operators happy.
2. Prevention Is Powerful
Preventing a threat from entering your business or taking action against your data and systems yields a high return on investment. Preventative controls on your network, web gateway, email, and endpoints are a must. Focus on solutions that can support a hybrid cloud environment and look for ones that can detect threats even if they might not be able to fully prevent malicious activities (more on this later). The solutions should be easy to deploy and update. Plus they should include API support for logging and taking action.
3. Detection for Response
By thinking of detection and response together, you’re focusing not just on technology, but also on the people that will respond. Right now a lot of security marketers are talking about automating response. But using automation to power response is a better way to think about it.
Modern airplanes use automation efficiently to reduce the pilot’s workload, increasing safety and efficiency. The pilot is still in charge. Put your security operators in charge with a technology-focused model that starts with automation to detect and investigate security events, enrich security incidents with threat and business context, and ultimately make the response process faster with response-ready escalations. This is the best way to drive efficiency into your program, but it will require a new approach.
Traditional SIEM, log collection, and MSSP models start with a funnel to filter and reduce the volume of alerts that must be investigated. Context is king when it comes to security incident response. The filter of shame reduces your team’s ability to understand and quickly respond to the right incidents. It gets rid of that all-important context. Software and modern computing intelligence can reason through this data, creating an advantage for your team. Use it to make your people heroes, not replace them.
4. Security Data Management
Modern IT and security controls produce a ton of data. If you are going to stop filtering data and start using it to your team’s advantage, you'll need somewhere to put it. Traditional on-prem SIEMs don't scale well, requiring the filter of shame. Take a look at an escalation from a SIEM and ask your security responder what initial steps they will perform to investigate the event. They will likely go back into the filtered data, if it is available, to try to enrich and understand the incident. This model is inefficient and broken.
Fix it at the source with a data management strategy (not just logs) that does two things. First, centralize the collection of data using API's and a modular framework so data can be stored efficiently and cost-effectively, in a way that fits how it will be used. Second, ensure this framework can fork the right data over to the right place at the right time. This is where your program will gain massive efficiency and scale.
Start by streaming your data through a Robotic Decision Automation engine to detect security alerts and turn them into enriched security incidents before escalating to your people. Next, index and store the data for future use. This is where your team can go to hunt for threats whenever new information becomes available. You can also write business logic here to cover all your custom use cases.
Storing and searching your data doesn't have to be crazy expensive. We all have a "then my boss called about the volume-based pricing charges we incurred this month" story. If you don't, good for you. I have worn the cone of shame on this one. The big public cloud providers have some great solutions to address this. Stay tuned for a future blog on how one security team used the Google Public Cloud to build an efficient and effective data management program that costs them only a few dollars a day.
5. Run the Business
Security is a business function. Preventing, detecting, responding, and hunting for incidents and threat actors are just parts of the job. Compliance and data privacy are changing. They’re becoming more complex and time-consuming to navigate. Cloud adoption can be a powerful business driver but can also introduce new risks if not properly understood and actively managed.
Think about the time and expense you’re currently allocating to day-to-day security operations. Could taking off the 'funnel of shame'-free up your team to see more, do more, and actively manage the business of security? Share your thoughts and stories with us, and tell us about the architectures you’re using to make your team more efficient and effective—and let them act as the heroes they already are.