7 SOC Analysis Tips on How to Maximize Your Security Operations
There’s a lot of talk about how things keep getting worse for security operations. The attacks keep coming—and they’re more dangerous, more frequent, and more successful than ever before. The reality is that we’ve been saying this every year since security operations became a part of enterprise IT. The balance of power has never favored the defenders. Only now, with the advent of decision automation and security analysis software, has it become possible to envision a real shift in power.
In fact, with the SOC analysis tools available today, business leaders tasked with improving the effectiveness and efficiency of their security programs can see tremendous gains—improvements that are not incremental but proceed by orders of magnitude. In order to get these results, however, CISOs not only must select and deploy the right SOC tools, but also must change their mindsets, approaches and organizations. It’s a major shift, but one that’s more than worthwhile to make.
Here are seven tips to guide you along the path to maximizing your security operations:
#1: Ask harder questions of your team.
Just because your engineering team has added data sources (whether you're collecting their logs or they're reporting into your Security Information and Event Management (SIEM) solution) doesn't mean you're getting any real value from that data. If you're collecting it, you're paying to store and index it. But if it never feeds detection or decision-making logic, it's not doing you any good. With today's security operations software, autonomous analysis is possible, and that gives you the opportunity to change fundamentally how you use log data. Knowing how much data you're collecting is not enough; what matters is how well you monitor, employ and analyze it to recognize malicious activity in your environment.
#2: In the age of big data, become part of the small data movement.
Many enterprise security operations teams collect enormous mountains of data. Some ingest over a hundred data sources, monitoring everything from endpoint operating system events to router status logs. But more than 99 percent of this data is never put to good use. If you say that you "might" use this data "someday" for forensic purposes, you're making a weak argument, one that dramatically increases your costs without appreciably improving your security posture. If you truly need some of it for investigations, decide deliberately what to keep and for how long; don't keep everything by default.
I've personally witnessed a $20 million Intrusion Detection System (IDS) operating without having had a single signature update in four years. An IDS whose signatures are four years old can only detect four-year-old attacks. That is not a wise investment; in fact, we call it "security archeology."
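The check behind tips #1 and #2 is mechanical: compare what the SIEM ingests against what the detection rules actually read. The script below is an added example, not code from the original article or any vendor product. The source inventory, daily volumes, cost rate and rules are constructed, and the rule format is a deliberately simplified Sigma-like dictionary (a `logsource` name plus selection fields), not any real rule schema. It reports the sources no enabled rule reads, what they cost, and the opposite failure: rules that reference a source nobody ingests and so can never fire.

```python
"""Which ingested SIEM sources feed a detection, and which are dead weight?

Added example; inventory, volumes, cost rate and rules are constructed.
"""
from dataclasses import dataclass, field

# Constructed inventory: source name -> GB/day ingested.
INGESTED_SOURCES = {
    "windows-security": 120.0,
    "edr-process": 80.0,
    "proxy": 60.0,
    "dns": 45.0,
    "router-status": 30.0,
    "hvac-bms": 2.0,
    "vpn-auth": 5.0,
}

# Constructed, simplified rules. Each names the single source it reads.
DETECTION_RULES = [
    {"title": "Pass-the-hash logon", "logsource": "windows-security",
     "selection": {"EventID": 4624, "LogonType": 9}},
    {"title": "LSASS access", "logsource": "edr-process",
     "selection": {"TargetImage": "lsass.exe"}},
    {"title": "DNS TXT beaconing", "logsource": "dns",
     "selection": {"qtype": "TXT"}},
    {"title": "Proxy auth anomaly", "logsource": "proxy",
     "selection": {"status": 407}, "enabled": False},
    {"title": "Outbound to TOR", "logsource": "firewall",
     "selection": {"dst_port": 9001}},
]

COST_PER_GB_DAY = 0.30  # assumed retention + index cost, USD per GB per day


@dataclass
class CoverageReport:
    used: dict = field(default_factory=dict)      # source -> rule titles
    unused: dict = field(default_factory=dict)    # source -> GB/day
    rules_without_data: list = field(default_factory=list)
    unused_gb_per_day: float = 0.0
    unused_cost_per_month: float = 0.0
    unused_fraction: float = 0.0


def sources_used_by_rules(rules):
    """Map each source to the enabled rules that read it."""
    used = {}
    for rule in rules:
        if not rule.get("enabled", True):
            continue  # a disabled rule makes no decisions, so it counts for nothing
        used.setdefault(rule["logsource"], []).append(rule["title"])
    return used


def coverage(sources=INGESTED_SOURCES, rules=DETECTION_RULES, cost=COST_PER_GB_DAY):
    used = sources_used_by_rules(rules)
    unused = {s: gb for s, gb in sources.items() if s not in used}
    unused_gb = sum(unused.values())
    total_gb = sum(sources.values())
    return CoverageReport(
        used={s: used[s] for s in sources if s in used},
        unused=unused,
        # Rules that read a source nobody ingests can never fire.
        rules_without_data=[t for s, titles in used.items()
                            if s not in sources for t in titles],
        unused_gb_per_day=unused_gb,
        unused_cost_per_month=round(unused_gb * cost * 30, 2),
        unused_fraction=round(unused_gb / total_gb, 3) if total_gb else 0.0,
    )


if __name__ == "__main__":
    rep = coverage()
    for src, gb in rep.unused.items():
        print(f"no enabled rule reads {src:18s} ({gb:6.1f} GB/day)")
    for title in rep.rules_without_data:
        print(f"rule has no data: {title}")
    print(f"{rep.unused_fraction:.0%} of volume unused, "
          f"~${rep.unused_cost_per_month:,.2f}/month")
```

Run against the constructed inventory it flags four of seven sources (97 GB/day, about 28 percent of volume) as feeding no enabled rule, and one rule as reading a source that is not ingested at all. The same walk over real rule files and the SIEM's ingestion report is the question tip #1 asks the team to answer.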
#3: Avoid vanity metrics.
In today’s information security landscape, no environment is impervious to breaches. No matter how large the enterprise it belongs to, and no matter how much the business has invested in security technologies, some attacks will always succeed.
Against this backdrop, InfoSec leaders often produce metrics that demonstrate how hard they're trying to prevent breaches (alerts triaged, patches applied, signatures deployed) rather than how often, and how quickly, they actually detect and contain intrusions.
Similarly, CISOs frequently draw upon threat metrics to justify spending. Though spending is unquestionably necessary, leaders need to ask more penetrating questions about the value they're deriving from their investments.
#4: Prepare for those random elements that often enable attackers to succeed.
Today's attack surface is incredibly flat: endpoints, building systems and third-party devices all sit on the same network, and any of them can be the first foothold. Cybercriminals deliberately target vulnerabilities that they know you have rated as low-priority risks. These are so numerous, and so often unexpected, that it's nearly impossible to anticipate every attack that can be launched against them. Keep in mind that the device used to attack you may not be run by IT but by your facilities team.
Tabletop exercises and red teaming can be tremendously valuable in this area. You may never have imagined how attackers might exploit your HVAC systems to gain access to your network, but a talented penetration tester can reveal these types of vulnerabilities and help you mitigate them.
#5: Don’t look to peer organizations to provide an example for your information security program.
Far too many of the workflows and procedures we use to protect our businesses are simply not working. Merely passing a compliance audit does little to guarantee your security. And much of the thinking, and benchmarking, that your fellow business leaders do centers around the concept of reasonable protection.
The landscape of security operations models is broad.
What’s actually required is a mindset shift: we must reimagine what it means to DEFEND ourselves in a digital world. Successful defense requires you to take an active and anticipatory approach.
There's real merit in deception technologies, such as trip-wired data decoys that mislead criminals who may already have made it onto your network. A decoy has no legitimate user, so any touch of it is a high-fidelity alert rather than one more event to triage, and which decoy was touched tells you where the intruder has already been. With nation-state level threat actors targeting companies every day, we need these sorts of strategies to stand a chance of success.
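The trip-wired decoys described above, as an added example that is not part of the original article: decoy service-account names are derived from the location where each credential is planted, so a hit identifies the plant, and the detection logic runs over authentication log lines and raises one alert per source address listing every decoy it touched. The HMAC key, the plant locations, the sshd-style log format and the sample lines are all constructed for illustration.

```python
"""Plant keyed decoy identities and alert on any attempt to use them.

Added example; key, plant locations and sample auth log are constructed.
"""
import hashlib
import hmac
import re
from collections import defaultdict

# Assumed per-deployment key. Keep it away from the planted files; it lets
# the SOC confirm that a reported username really is one of our decoys.
DECOY_KEY = b"example-only-rotate-me"

# Constructed places where decoy credentials are left for an intruder to find.
PLANT_LOCATIONS = [
    r"\\fileshare\finance\passwords.xlsx",
    "/var/backups/jenkins/credentials.xml",
    "wiki:/IT/Onboarding/Service-Accounts",
]


def decoy_username(location: str, prefix: str = "svc") -> str:
    """Derive a plausible service-account name from its plant location."""
    tag = hmac.new(DECOY_KEY, location.encode(), hashlib.sha256).hexdigest()[:8]
    return f"{prefix}-{tag}"


# One decoy identity per location, so a hit says where the intruder has been.
DECOYS = {decoy_username(loc): loc for loc in PLANT_LOCATIONS}

# sshd-style auth line: timestamp, host, result, user, source address.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+)"
)


def parse_auth_line(line: str):
    m = AUTH_RE.match(line)
    return m.groupdict() if m else None


def detect_decoy_use(lines, decoys=DECOYS):
    """Return one high-severity alert per source IP that touched a decoy."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None or ev["user"] not in decoys:
            continue
        # Decoys have no legitimate user, so a failed attempt is as telling
        # as a successful one; keep both.
        by_src[ev["src"]].append({
            "ts": ev["ts"], "host": ev["host"], "user": ev["user"],
            "result": ev["result"], "planted_in": decoys[ev["user"]],
        })
    return [
        {
            "severity": "high",
            "src": src,
            "hits": hits,
            # Plant locations in order of use sketch the intruder's path.
            "path": [h["planted_in"] for h in hits],
        }
        for src, hits in by_src.items()
    ]


# Constructed sample log. Decoy names are pulled from DECOYS so the lines
# match whatever the key derives.
_d = list(DECOYS)
SAMPLE_AUTH_LOG = [
    "2024-03-02T10:15:01Z app01 sshd[1203]: Accepted password for alice from 10.0.1.5 port 51522 ssh2",
    f"2024-03-02T10:17:44Z app01 sshd[1210]: Failed password for invalid user {_d[0]} from 10.0.4.77 port 40211 ssh2",
    f"2024-03-02T10:18:02Z db02 sshd[887]: Accepted password for {_d[1]} from 10.0.4.77 port 40230 ssh2",
    "2024-03-02T10:19:30Z app01 sshd[1215]: Failed password for root from 203.0.113.9 port 22001 ssh2",
    "2024-03-02T10:20:00Z app01 cron[44]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for alert in detect_decoy_use(SAMPLE_AUTH_LOG):
        print(alert["severity"], alert["src"], "->", " ; ".join(alert["path"]))
```

On the sample log the ordinary logins and the brute-force attempt against root are ignored, while the single internal host that tried two decoys produces one alert whose path shows it had read the finance share before the Jenkins backup. The root attempt is still worth a rule of its own; the point is that the decoy rule needs no threshold or tuning.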
#6: Too many of the information security processes and procedures we currently have in place are built around managing human failures.
SOC analysis is a challenging task, but we make the job even more difficult when we conceal problems, fail to disclose vulnerabilities, or create an organizational culture that’s dishonest. Instead, make your SOC into a place where employees can tell the truth without fearing for their jobs. When you discover that your environment has been compromised, you unlock a valuable opportunity to improve your security posture, but only if your analysis of the situation is accurate and open.
Incorporating automation and security analysis software at the points in your SOC where human failures commonly occur can make a huge difference in its overall operational efficiency and effectiveness. The human in the middle of the security incident workflow is the major constraint on the entire system's ability to handle large volumes of event data consistently and without error.
#7: It’s time to think differently about security operations.
Often the language that we use is inaccurate or misleading. It’s not a “virus”—a rapidly multiplying microscopic parasite—that’s on your network. And it’s not just “malware”—something inanimate—that’s in your environment. There are human criminals taking deliberate action, via malicious code, and their intent is to do harm. We need to recognize the seriousness, gravity and human source of the threat.
By adding security analysis software to the front lines with your security operations team, your organization can make major improvements in how you uncover and respond to threats. At the same time, you have the opportunity to create an effective and efficient operational workflow and a more honest organizational culture, too.