The Value of Business Context in the SOC, and the Challenges of Maintaining It

Tim Wenzlau
by Tim Wenzlau
category Perspective

Better decisions within a SOC are those that directly support protecting the organization’s brand value and revenue generating lines of business.  SOCs must make tradeoffs and prioritize investigations because of security analyst scarcity and unavailability to look into all possible leads.

As a rule of thumb, teams should pay attention to what matters most to the business.  A low probability incident against assets of high importance would take priority over a high probability incident against low importance assets.  High importance assets might include revenue generating services, payment networks, production servers and sensitive information.  And, low importance assets could include user workstation and guest networks.  This doesn’t mean you should ignore these issues, but rather automate or find an alternate way of dealing with the investigation of incidents involving low importance assets.

Identifying which assets are important, why they are important, and communicating this information effectively to the people on the ground making decisions, like your security analysts, is a challenge.  Ideally, business processes and revenue generation should be mapped to technology infrastructure.

Configuration management databases (CMDBs) were designed to store these relationships, but interviews with security analysts have highlighted massive distrust regarding their accuracy and completeness.  CMDBs are notoriously difficult to maintain and organizations often find themselves in a never-ending asset management initiative.

So, how do most security analysts learn to apply business context and appropriately identify important assets?  Not surprisingly, they acquire this knowledge through years of experience in specific companies and industries.  For example, how important are image files for an oil and gas company?  At first glance, images files might seem to be lower priority for any company.  But in this case, given the likely probability those files will be used for geophysical survey data to identify leases in productive areas, the level of importance is very high.

When security analysts hired, they are trained in general attacks and network telemetry analysis.  Analysts can only learn the specifics of the organization’s network through on-the-job training.  These specifics could include architecture, IP ranges, controls and business infrastructure, enabling them to appropriately contextualize, escalate, scope, and prioritize incidents for incident response.

Security analyst retention is challenging for many organizations. In fact, most analysts make a move between 1 and 3 years on the job.  To mitigate against the loss of tribal knowledge due to frequent turnover, documentation is essential.  However, many companies discover too late that their documentation is incomplete or outdated. Some contextual documentation is highly volatile, and yet still critically important, such as being able to historically map an IP address to hostname for infected host identification.

Given these challenges, is your SOC effectively making decisions with accurate and actionable business context?