What To Do When Your SOC Gets Sick
Whether it’s due to lack of attention, poor capital planning or alert fatigue, there are lots of reasons why your SOC can become unhealthy. Here’s how to make it better.
Congratulations, you’re the new CISO! Whether you have served in the role previously or it’s new to you, you’ll be asked to observe your new organization, to develop a 100-day plan or roadmap, to evaluate people, processes, and technology, and of course you’ll need to tell executive leadership where you would attack the organization and how you will protect against that. It’s a daunting and exciting task to be the new CISO.
There is so much to observe and learn, and then you must formulate a roadmap. You are inundated with learning the new organization from the CISO’s viewpoint. Finally, the day comes when you tour the Security Operations Center. You are looking forward to this, because it’s operational; it’s where you fight the adversary—consortiums of hackers seeking to attack, to collect, and sometimes to destroy. They have various motivations, capabilities and sponsorship.
Of course, you want to see the chess match in action between your cyber analysts and the threat actors. You look around: it looks like a SOC (analysts sitting at monitors), and then your SOC Director briefs you on manpower, processes, technology, annual budget, measures and metrics. As the briefing continues, your smile transitions to furrowed brows. As you investigate, question, and seek to understand, you can see what has happened: your SOC is sick! You have seen the symptoms before and you know the diagnosis: it’s SOC-atrophy.
SOC-atrophy: An omissive noun. 1. When your technology has remained dormant too long. 2. Unrefreshed detect/protect technology. 3. The absence of intelligence and heuristics. 4. Plagued by false positives.
Your SOC became sick for several reasons.
- The technology you have is antiquated and completely signature-based, best suited for static threats, not advanced threats. While signature-based solutions have a role, it’s a secondary protection role.
- The organization failed to keep up with technology and the evolving threat. For years, the organization has relied on incremental funding. This budget strategy has a typical result: a disparate mix of capabilities purchased individually as security silos without consideration for how the capabilities will work together. The tools don’t work together. It’s an integration nightmare!
- Before you were attacked by threat actors, you were attacked by vendors with boxes of magical capabilities and convincing rhetoric... and someone bought a few of these hard-to-integrate, low-ROI boxes.
But SOC-atrophy is not often a technology problem
As you sit down with your analysts, you observe that each analyst must be knowledgeable about several different tools and that they spend a lot of time collecting data and alerts. You observe the waterfall of alerts overflowing your analysts with data — mostly false positives. The analysts have alert fatigue; they just can’t keep up.
One bottom line: the organization didn’t see the evolution of the threat, didn’t keep up with technology, and has not figured out how to use threat intelligence, much less integrate intelligence as a key enabler to your SOC. The old technology in your SOC was the right decision for a different time, but not for today.
Capital planning for cyber investment has also been a challenge. Typically, SOCs are developed and funded piecemeal, a silo of capability at a time. This has a cause and effect: the tools are hard to integrate or don’t integrate at all, which in turn makes it virtually impossible for an analyst to easily perform their job. Whether it has been a lack of attention, inadequate measurement of effectiveness, poor capital planning, or alert fatigue, there are several ways for a SOC to start on a path to wellness. Here are five strategies to overcome SOC-atrophy.
- Research to understand all SOC investments. You need to analyze the costs of each tool, licenses, scope of delivery, effectiveness, how the investment is packaged with other investments, and the overall cost, and then prioritize the value of what you have. You will want to keep the best value and get rid of the lower-value, higher-cost solutions. This is your available trade space. Additionally, work more with CISO counterparts across your industry to understand the tools they are using, the challenges, the ROI, and their results. This information is critical before meeting with vendors.
- Perform a SOC-focused assessment. This will gauge operational effectiveness and highlight gaps. Knowing your current health is a relatively low-cost endeavor and helps you in building a business case for investments to close the gaps.
- Study the threat landscape. From CEO to cyber analysts, your organization needs to clearly understand the threat landscape and how the threat is escalating. This understanding will help you focus on the technology, expertise, and intelligence you need to protect your organization.
- Resist the urge to fund your tools piecemeal. Develop the business case for an integrated platform with the ability to visualize web, email, file servers, endpoints, mobile, and SIEM, in one picture, to better detect and remediate threats earlier in the kill chain. The Board needs to understand the business case for an integrated platform.
- Encourage cross-organizational collaboration. It’s critical to build partnerships for vetting the business case and gaining consensus on your SOC plans. Spend quality time with your fellow IT executives and other business leaders to discuss — at a strategic level — what you are working on, your timeline, and your forthcoming proposal. There is no greater feeling than going into a board meeting with many of the members clearly in your corner.
SOC-atrophy is curable, but it will take time, detailed diagnosis, a get-well plan, and a well-articulated investment plan. It will also help to provide quantifiable value to the business or mission!