Why It’s Time to Go Back To The Basics of SOC Design

The average SOC is no more prepared to solve its cybersecurity issues today than it was 10 to 20 years ago. Many security applications have been developed to help protect your network, but SOC design has traditionally remained the same.

Yes, it’s true we have seen advancements like improved management of data with SIEMs and orchestration of resolutions, but these tools haven’t resolved the fundamental challenges. The data generated from even the most basic security alerts and incidents is overwhelming and still plagues the most advanced security organizations.

Which raises the question: how are smaller, resource-constrained security organizations expected to keep up when even enterprise-sized organizations can’t?

According to a recent article in Computer Weekly, the issue is that most organizations, even with the tools and the know-how, are still getting the basics all wrong.

“Spending on IT security is at an all-time high. The volume of security offerings to cover every possible facet of security is unparalleled… The reason so many organisations suffer breaches is simply down to a failure in doing the very basics of security. It doesn’t matter how much security technology you buy, you will fail. It is time to get back to basics.”

The article argues that security operations teams need to focus on four key areas before any change will have a positive impact on their SOC design:

  1. Security Strategy
  2. Security Policy
  3. User Awareness
  4. User Change

But is it as simple as this?

The answer is a resounding YES!

There is no question that it’s still possible to cover the basics in security strategy and achieve enterprise security results. Our recommendation? Start with the most tedious and time-consuming part of the security analyst’s role: the analysis and triage of all collected security data. Let your team focus on higher-priority tasks like cyber threat hunting. It’s where you’ll get the biggest bang for your buck.

Ripping off the Bandage: How AI is Changing the SOC Maturity Model

The introduction of virtual analysts, artificial intelligence and other advanced technologies into the Security Operations Center (SOC) is changing how we should think about maturity models. AI is replacing traditional human tasks, and when those tasks are automated the code effectively becomes the procedure. Is that a -1 or a +10 for security operations? Let’s discuss that.

To see the big picture here, we should review what a maturity model is and why we use them for formal security operations. A maturity model is a process methodology that drives good documentation, repeatability, metrics and continuous improvement, on the assumption that these are a proxy for effectiveness and efficiency. The most common model used in security operations is a variant of Carnegie Mellon’s Capability Maturity Model Integration (CMMI). Many process methods focus on defect management, and this is even more evident in the CMMI since it originated in the software industry.

In the early 2000s, we started using CMMI at IBM. Big Blue insisted that we couldn’t offer a commercial service that wasn’t on a maturity path, and they had adopted CMMI across the entire company at that point. We had, at that time, what seemed like a never-ending series of failures in our security monitoring services, and for each failure a new “bandage” in the form of a process or procedure was applied. After a few years we had an enormous list of processes and procedures, each connected to the other in a PERT chart of SOC formality. Most of these “bandages” were intended to provide guidance and support to analysts as they conducted security monitoring and to prevent predictable failures, so we could offer a consistent and repeatable service across shifts and customers.

To understand this better, let’s look at the 5 levels of the CMMI model:

  1. Initial (ad hoc)
  2. Managed (can be repeated)
  3. Defined (is repeated)
  4. Measured (is appropriately measured)
  5. Self-optimizing (measurements lead to improvements)

This well-defined approach seemed to be perfect. It allowed us to take junior analysts and empower them to deliver a consistent level of service. We could repeat ourselves across customers. We might not deliver the most effective results, but we could at least be reasonably consistent. As it turns out, people don’t like working in such structured roles because there’s little room for creativity or curiosity. Not surprisingly, this gave rise to the 18-24 month security analyst turnover phenomenon. Many early analysts came from help desk positions and were escaping “call resolution” metrics in the first place.

Our application of SOC maturity morphed over the years from solving consistency problems into consistently repeating the wrong things because they could be easily measured. When failures happened, we were now in the habit of applying the same “bandages” over and over. Meanwhile, the bad guys had moved on to new and better attack techniques. I have seen security operations teams follow maturity guidelines right down a black hole, where, for example, a minor SIEM content change can take months instead of the few hours it should take.

According to the HPE Security Operations Maturity report, the industry median maturity score is 1.4, or slightly better than ad hoc. I’m only aware of 2 SOCs in the world that are CMMI 3.0. So, while across the industry we are measuring our repeatability and hoping that it equates to effectiveness and efficiency, we are still highly immature, and this is reflected in the almost daily breaches being reported. You can also see this in the multi-year sine wave of SOC capability many organizations experience; it goes something like this:

  1. Breach
  2. Response
  3. New SOC or SOC rebuild
  4. Delivery challenges
  5. Maturity program
  6. Difficulty articulating ROI
  7. Cost reductions
  8. Outsourcing
  9. Breach
  10. Repeat

With a virtual analyst, your SOC can now leap to CMMI level 5 for what was traditionally a human-only task. An AI-based virtual analyst, like the Respond Analyst, conducts deep analysis in a consistent fashion and learns rationally from experience. This approach provides effective monitoring in real time and puts EVERY SINGLE security-relevant event under scrutiny. Not only that, you liberate your people from rigorous process control, and allow them to hunt for novel or persistent attackers using their creativity and curiosity.

This will tip the balance towards the defender and we need all the help we can get!

The Security Situation Center: To Boldly Go Where No One Has Gone Before

I would love to tell you that there was a more formal origin behind the core tenets of the Security Situation Center (SSC), but the truth is, the concept originated from my watching too much Star Trek. I am a huge Star Trek fan, and while watching an episode of the “Next Generation” series, I started thinking about the parallels between navigating hostile cyberspace and the efficiency behind the bridge operations of the Starship Enterprise. While the series is 30 years old, it still captures our imagination, and in this case, gives us some original, innovative ideas we can implement today.

So let me turn to my day job, when I have Star Trek turned off. My team and I understand that in the very near future the tedious SOC monitoring and analysis tasks now performed by analysts will be managed and processed by AI-based expert systems. In other words, the day is coming when it is no longer necessary to put human eyes on glass to monitor security alerts. The transformational possibilities for an operational cybersecurity team in this future reality are extraordinary!

On the bridge of the Enterprise, all personnel have a distinct role and ownership of duties, backed up by team members elsewhere on the ship. They also have many people trained for each role. When you consider the many different situations they expect to encounter, you can quickly see this team is well-prepared, well-trained and confident. They have navigation, engineering, communications, science, medical, tactical, command, and of course, Counselor Troi for diplomacy and a little espionage. They are prepared for the unexpected, so they have all options covered. The organizational structure and preparation allow them to hightail it at warp 9 when running from hostile situations, hide, fight, discover, fix, or talk their way out of anything. This feels exactly like what I want my security defenses to be able to do!

The basic Security Operations Center template has many junior people doing the same job. There might be some level of rotation, but that job puts human “eyes on glass” watching alerts or events, then deciding which require action and at what level of urgency. This model typically leaves security situation management to an ad hoc team of incident responders, senior architects, and the management chain. This ad hoc team occasionally convenes to respond to high-profile incidents, which in reality is an additional duty on top of their day jobs.

The hostility level and risk that organizations expose themselves to by conducting business on the Internet now look more like a low-level information war than just the occasional malware infection or credit card breach. We know the economics are too powerful not to do business on the Internet. However, as the world becomes more digital, perhaps it is time we acknowledge this new reality, leave the status quo behind and reorganize to actively defend our companies on the Internet.

Fortunately, there is also some organizational experience, beyond Star Trek, behind this idea. When I ran an MSSP in the early 2000s, we were able to practice with every new Internet worm on a roughly quarterly basis. These war rooms were fueled by sleep deprivation, caffeine, hundreds of millions of dollars in financial losses and lots of grumpy IT and IT security guys and gals. It was management by exception at its worst. When it worked, we managed to recover in reasonable time frames, but we never fixed the root of the problem.

With a Security Situation Center, you have a small team of experienced security personnel whose full-time job is to actively defend the business and then proactively prepare to defend the business. This includes an immediate grasp of all of the controls deployed and their current status, the vulnerability status of the entire enterprise, and intelligence on the capability and intentions of bad actors. Just like on the bridge of the Starship Enterprise, these folks are at once leaders and coordinators with the IT and IT security teams that actually make the ship fly.

I’ll surely have more ideas about what a future Security Situation Center will look like. More importantly, I invite you all to comment and provide feedback about how you imagine our industry can push operational security into managing, not only monitoring, situations.

As Captain Picard said so well, “Engage!”
