Moving up the SOC maturity curve

Kaustubh Medhe, AVP – Managed Security Services at Paladion, describes the new SOC model, CyberActive Security Operations Center, which helps organizations move up the SOC maturity curve with automation and analytics.

Just as Maslow's hierarchy of needs describes how an individual develops over a lifetime, the SOC function within large IT-enabled organizations usually follows an evolutionary path towards the top of the pyramid.

Operational stability driven – In an organization's early days, the focus is on keeping the lights on and ensuring that IT systems are available and run reliably. During this phase, security operations teams are primarily occupied with maintaining minimum security hygiene: implementing and managing infrastructure security solutions, running periodic vulnerability assessments and keeping patch management practices in place.

Compliance driven – Once a steady state is achieved and organizational processes mature, the security operations team needs to cater to the requirements of various stakeholders (external regulators, internal audit and compliance teams, business partners and customers). In this phase, the focus is on ensuring that logs are available and on needs-based analysis and review of events in response to an incident or suspected breach that warrants a forensic investigation. As a result, organizations turn their attention to building a "reactive" security monitoring function primarily to meet compliance requirements. To begin with, most organizations use a managed security service provider to monitor a small subset of their assets, gaining a deeper understanding of the security event and incident management process while meeting the minimum acceptable standards. It is more about ticking the right boxes and gaining experience than about effectiveness. Since this is an outsourced function, organizations generally have to accept the constraints imposed by the service provider with regard to log retention periods, limited customization and specific service windows for support.

Business risk alignment driven – Gradually, as the organization's business grows and budgets become available, the operational security team begins to expand and interacts more closely with the IT and business teams, and with audit, compliance and risk teams, than before. With increasing cyber security awareness at board level, coupled with "always elevated" global cyber threat levels, security teams are under pressure to gain more insight into their security posture, expand security monitoring to cover more assets, build more custom rules to detect attacks proactively and deliver more value to their internal stakeholders (the business). There is a growing realisation that the SOC is a specialized function requiring significant skills, continuous investment and process maturity. At this stage, mature organizations prefer to bring their security monitoring platform in-house, with the objective of gaining greater control and more flexibility to integrate their key assets (business applications, databases), configure use cases and create rules tailored to detect the specific risks the organization faces.

This is also a phase where security functions need to "do more with less": show increasing value by extracting the most from existing technology investments without a proportionate increase in headcount. To do this successfully and move to the next maturity level, organizations need to focus on several elements:
1. Developing a clearly articulated staffing strategy that defines distinct roles and responsibilities for SOC staff. Allocate team members to these roles with their skills, aptitude and interests in mind, and close skill gaps with ongoing training.
2. Adopting a formal use case management framework to develop threat detection rules and visualizations (dashboards, graphical views) that help the organization rapidly identify risk indicators, which could be early signs of an in-progress attack or breach.
3. Aggregating threat alerts from a variety of sources (SIEM, WAF, DAM, DLP, IPS etc.), correlating them with contextual information (asset criticality, ownership, exposure) and implementing a formal triage methodology that security analysts apply to each critical alert in order to prioritize, validate and investigate it.
4. Looking beyond rule-based detection techniques (SIEM, AV) and using emerging techniques such as security analytics to hunt for unknown or hidden patterns that could be leading indicators of a compromise.
5. Beyond detection capabilities, building effective incident response processes and communication workflows so that specific incidents are dealt with rapidly.
6. Choosing to partner or buy and rapidly gain expertise, rather than building these capabilities in-house.
7. Defining and measuring key metrics for the SOC, such as mean time to detect a breach, mean time to respond to and mean time to resolve an incident, and the reduction in attacker dwell time over a period of time.
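Items 3 and 7 above are the two that translate most directly into code, so here is an added example (not part of the original article and not Paladion's CyberActive platform) that shows both in one place: alerts from a SIEM, a WAF, an IPS and a DLP tool are mapped onto a common schema, clustered per host within a time window, enriched with asset context and scored for triage; a second function computes MTTD, mean time to respond, mean time to resolve and dwell time from incident records. Every alert, asset and incident below is constructed for the example, the field names assume each tool's export format, and the scoring weights and the dwell-time definition (first attacker activity to resolution) are choices made here, not industry standards.

```python
"""Alert aggregation, context enrichment and triage scoring across SIEM/WAF/IPS/DLP
feeds, plus the SOC metrics listed in the article. Added example; every alert,
asset and incident below is constructed, not real data."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Constructed asset inventory: the contextual information used for enrichment.
ASSETS = {
    "db-01": {"criticality": 5, "owner": "payments", "internet_facing": False},
    "web-03": {"criticality": 3, "owner": "ecommerce", "internet_facing": True},
    "ws-117": {"criticality": 1, "owner": "marketing", "internet_facing": False},
}

# Constructed raw alerts, each in its own tool's field names (assumed formats).
RAW_ALERTS = [
    {"source": "WAF", "ts": "2024-03-04T10:00:05", "host": "web-03",
     "rule": "SQLi pattern in query string", "sev": "medium"},
    {"source": "IPS", "ts": "2024-03-04T10:00:40", "dst": "web-03",
     "sig": "SQL injection attempt", "priority": 2},
    {"source": "SIEM", "ts": "2024-03-04T10:03:10", "hostname": "db-01",
     "rule_name": "Unusual SELECT volume from app account", "severity": "high"},
    {"source": "DLP", "ts": "2024-03-04T10:05:55", "endpoint": "db-01",
     "policy": "Card data egress", "severity": "high"},
    {"source": "SIEM", "ts": "2024-03-04T14:20:00", "hostname": "ws-117",
     "rule_name": "Failed logon burst", "severity": "low"},
]

# Common severity scale 1..3; IPS priorities run the other way (1 = most severe).
SEVERITY = {"low": 1, "medium": 2, "high": 3, 1: 3, 2: 2, 3: 1}


def normalize(raw):
    """Map a tool-specific alert onto the common schema (source, time, host, title, severity)."""
    host = raw.get("host") or raw.get("dst") or raw.get("hostname") or raw.get("endpoint")
    title = raw.get("rule") or raw.get("sig") or raw.get("rule_name") or raw.get("policy")
    sev = raw.get("sev") or raw.get("severity") or raw.get("priority")
    return {"source": raw["source"], "time": datetime.fromisoformat(raw["ts"]),
            "host": host, "title": title, "severity": SEVERITY[sev]}


def make_case(host, cluster):
    """Enrich one cluster of alerts with asset context and compute a triage score."""
    asset = ASSETS.get(host, {"criticality": 1, "owner": "unknown", "internet_facing": False})
    sources = sorted({a["source"] for a in cluster})
    max_sev = max(a["severity"] for a in cluster)
    # Score (example weighting): tool severity weighted by asset criticality, plus 2 for
    # every additional independent source that saw the activity, plus 1 if exposed.
    score = max_sev * asset["criticality"] + 2 * (len(sources) - 1) + int(asset["internet_facing"])
    return {"host": host, "owner": asset["owner"], "sources": sources, "score": score,
            "first_seen": cluster[0]["time"], "last_seen": cluster[-1]["time"],
            "titles": [a["title"] for a in cluster]}


def correlate(alerts, window=timedelta(minutes=10)):
    """Group alerts per host; consecutive alerts within `window` of each other form one case."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["time"]):
        by_host[a["host"]].append(a)
    cases = []
    for host, items in by_host.items():
        cluster = [items[0]]
        for a in items[1:]:
            if a["time"] - cluster[-1]["time"] <= window:
                cluster.append(a)
            else:
                cases.append(make_case(host, cluster))
                cluster = [a]
        cases.append(make_case(host, cluster))
    return cases


def triage(raw_alerts, window=timedelta(minutes=10)):
    """Normalize, correlate and rank: the analyst works the highest-scoring case first."""
    return sorted(correlate([normalize(r) for r in raw_alerts], window),
                  key=lambda c: c["score"], reverse=True)


# Constructed incident records; first_activity is usually established only in hindsight.
INCIDENTS = [
    {"id": "INC-1", "first_activity": "2024-02-01T08:00", "detected": "2024-02-03T08:00",
     "responded": "2024-02-03T09:00", "resolved": "2024-02-05T08:00"},
    {"id": "INC-2", "first_activity": "2024-02-10T00:00", "detected": "2024-02-10T06:00",
     "responded": "2024-02-10T06:30", "resolved": "2024-02-10T18:00"},
]


def soc_metrics(incidents):
    """Mean time to detect / respond / resolve, and dwell time, in hours.
    Dwell time is defined here as first attacker activity to resolution."""
    def hours(inc, start, end):
        return (datetime.fromisoformat(inc[end]) - datetime.fromisoformat(inc[start])).total_seconds() / 3600
    return {
        "mttd_h": mean(hours(i, "first_activity", "detected") for i in incidents),
        "mean_time_to_respond_h": mean(hours(i, "detected", "responded") for i in incidents),
        "mean_time_to_resolve_h": mean(hours(i, "detected", "resolved") for i in incidents),
        "dwell_h": mean(hours(i, "first_activity", "resolved") for i in incidents),
    }


if __name__ == "__main__":
    for case in triage(RAW_ALERTS):
        print(case["score"], case["host"], case["owner"], case["sources"], case["titles"])
    print(soc_metrics(INCIDENTS))
```

With the constructed input, the database host outranks the web server even though the web server is the one exposed to the internet, because the DLP and SIEM alerts on it are high severity and the asset is rated critical; the single low-severity workstation alert lands at the bottom of the queue. The correlation is per host only, so the pivot from web-03 to db-01 is something the analyst still has to spot when reading the two cases side by side.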

Situational Awareness – Having achieved and maintained the above level of SOC operational maturity, some organizations may aspire to scale the peak of the maturity model and attain the proverbial "Nirvana" stage by developing situational awareness. Organizations that reach this level demonstrate visibility and deep knowledge of their cyber security strengths and weaknesses across their asset landscape, develop the ability to detect attacks and trace them to their threat actors, and build the capability to respond to and neutralise an in-progress attack before it causes significant damage. They also contribute proactively to the security knowledge base within their peer community and within IT security associations and forums, helping others to build and improve their cyber resilience. Initiatives that organizations can take in this phase include consuming threat intelligence from a variety of external sources, generating their own internal threat intelligence and IOCs, and sharing it within their peer community.

To conclude, each organization is free to choose its own target maturity level in light of its own priorities and constraints. However, organizations that wish to climb from a compliance-driven SOC to the higher levels (a business risk aligned, situationally aware SOC) need to actively evaluate the right technologies, or partner with service providers who can deliver some of these improvements using their own proprietary technologies and service capabilities.
