Focus On What Matters Most, It’s NOT a SOC

With the continued news of breach after breach, a lot has been made about having a Security Operations Center (SOC) to monitor alerts coming in from your security investments. Realistically, what is the best course of action to immediately augment your security investments? Should organizations build their SOCs, either internally or externally to an outsourced Managed Security Services Provider (MSSP)? Both options could cost millions of dollars, incur lengthy IT implementations, disrupt business productivity and delay immediate returns. In contrast, would organizations be better served if they focused on expanding the foundations and fundamentals of incident detection and response? For the purposes of this post, I’m defining a SOC as what I see most organizations working towards implementing: a group of individuals whose sole purpose is to triage alerts, meaning no operationalizing of indicators through the writing of detection rules and/or incident response capability.

Focus on the Fundamentals First

Most security professionals think of patching and other basic blocking and tackling as the fundamentals of information security. I have never found that to be excessively useful, especially as your adversary is an intelligent threat actor on the other side of the keyboard. The better approach and focus should be on advanced incident response, which is an ecosystem of interconnected functions. Most teams start out by jumping right into the advanced aspects without first focusing on the fundamentals. This would be like trying to build an entire house without first understanding the basics of carpentry, electricity and more.

[Figure: IR process today]

The following are the absolute basics organizations must first focus on:

Detection– Operationalizing threat intel is not trivial and can take some time to learn advanced proactive processes. What tools will you be leveraging the most in your environment and what process(es) will you use to enable successful and rapid detection?

Evidence Collection– When a machine appears to be compromised, how will you collect evidence to better understand what, if anything, happened? The challenges of a remote and traveling workforce, numerous sites and network segments, as well as a slew of other issues can drastically slow down response times and should be accounted for up front.

Containment– Mechanisms like quarantining, isolation, severing network connections, account shut off, etc. should be well documented and tested with all of the appropriate teams ahead of time.

Forensic Analysis– Once the evidence has been collected, what tools and techniques will be utilized to paint the incident picture? Does your intel provide the visibility and context to take the best actionable measures?

Remediation– Traditionally, remediation was generally “outsourced and handled” by the IT functions responsible for building servers and other endpoints. However, there is a matter of due diligence required by the IR team to ensure these machines are rebuilt properly and are not put back in a compromised state.

Communication– Communication is one of the most overlooked aspects of Incident Response and perhaps both the toughest and the easiest to get correct. Templates should be made for all forms of communications including: initial notification, updates and recaps, and tied to pre-established schedules. This update strategy should be mutually agreed upon by all vested teams and senior management to ensure expectations are met.

While in theory it can be useful to have a SOC looking at incoming alerts, realistically what good will that do if you fumble with the execution of the more detailed work that needs to be done? I have seen this happen more often than not and if anything it creates more of a mess (and a larger incident) that needs to be responded to.

The best model I have seen executed by a large company is to establish a very robust and healthy IR operation that is also responsible for triaging alerts, and then mature by adding a SOC, essentially transitioning your IR operations into a 24×7 enterprise, not the other way around.

Can 9×5 monitoring be just as good as 24×7?

True information security success rests heavily on an experienced security team who understands IR, its tools and capabilities. With an astute staff, there are a variety of ways to get around having a SOC responding to alerts. Implement a process of prioritizing certain indicators and alerts to “page out” if they fire. Avoid introducing around-the-clock staffing models before the team has technically matured. This model inhibits further IR development, especially for the security team covering the night shift, and could be more of a detriment than providing value.

Once your capabilities are mature, consider building a SOC

Experienced IR and SOC teams know that by starting with the fundamentals and becoming extremely proficient, they can translate it to success in the form of true visibility, integration, and automation of their incident response.

Once your organization achieves a mature rapid detection and response model, then it is time to consider building out a SOC for greater scale across your enterprise. With refined and automated processes in place, your senior analysts can focus on developing junior staff to oversee more important and sophisticated tasks (e.g. proactive hunting). They can also give them front-line and practical experience using advanced IR tools and techniques.

If you are considering outsourcing your SOC to an MSSP, think through the process, especially if they discover an issue. Do they have the expertise to successfully remediate the incident? Inexperienced MSSP teams using haphazard approaches could cause more harm than good and further escalate issues. Ask them when they were last breached and what happened. How many breaches in total? Finally, what is the breach notification process, regardless of whether your information was compromised?

Conclusion

It is important to note that a Security Operations Center is a powerful tool to help detect and respond to major cyberattacks; however, there has been too much focus on running out and building them without first understanding or implementing the basics. Simply put, most companies are not ready for a SOC. They fail to understand that an incident response foundation needs to be in place first. While every company is unique and will have its own requirements, it is not always the correct approach to invest in a SOC. Focus first on the fundamentals and make them work for your company, and then evolve.

I’d love to hear feedback on Twitter, so please reach out @SeanAMason. Also, there is a cooler white paper version of this blog post at Resolution1 Security. Thank you for reading!

2 thoughts on “Focus On What Matters Most, It’s NOT a SOC”

  1. It seems to me Mr Sean Mason that the desire to have an impactful headline (‘NOT a SOC’) caused you to publish a post that, in my opinion, is significantly misleading to many firms considering incident response (IR) as a component of their IT Sec management options. Offering an analogy, I see that your firm is located in Menlo Park CA. Having delivered training in that area, I’m aware of its proximity to SF Bay and also numerous ‘Open Space’ areas in the hills. Albeit accidents can happen anywhere, SF Bay is nowhere near as full of foreboding as the open Pacific Ocean just across the peninsula from you. Notwithstanding, would you be so bold as to propose to CA-TF3 Urban Search and Rescue Team (coordinated by Menlo Park Fire Dept) that they not have any form of Rescue Coordination Center (RCC) because the size and probability of risk in their domain isn’t anywhere near as big as the size and probability of risk of the US Coast Guard domain who, applying your logic, require an RCC based upon size of domain (Pacific Ocean)?
    Your own suggestions for advanced IR which, as you say, implements: “..an ecosystem of interconnected functions..” leads you to suggest elements to be entrenched in an IT Sec responder’s routine (with which I wholeheartedly agree), those of: detection, evidence collection, containment, forensic analysis, remediation, and communication. These elements, in my view, effectively make the business case for establishing a SOC.
    The difference between your recommendation and mine is that I would recommend a SOC as soon as a mid- to long-term need to respond is established (with all the rigor that imposes) but the size of it would be appropriate to the scope, complexity, and probability of risk upon commencement. In other words, a ‘lean-mean-fighting-machine’ that is sufficiently scalable, with a scope that can be enlarged as and when necessary.
    In medicine, there is a concept which is revered: that of ‘ritual’ and I believe strongly that this is essential in any form of IR. Two family members of mine collectively have >30 years experience in national and regional SAR IR (a fair comparison to IT Sec IR) and their organizations are living proof that your assertion is flawed.
    In conclusion, the sooner an appropriately sized SOC can be established and the associated IR routine and rigor ingrained in day-to-day activities (including those you outline), enabling that all-too-important ritual, the more successful will be outcomes.

  2. Between the technology, processes and procedures, the very act of implementing log monitoring is a painful, disruptive process. That does not go away simply because you call it an IR build out instead of a SOC. Your article points to an end-game implementation of a SOC, so in the beginning call it a White Elephant if you like, the objective is still the same long term; until you put a SOC in place to handle the log volume and correlate items that are occurring, detection is difficult. Ideally an organization will build out both skill sets in parallel IR & SOC as the SOC proper often does not handle forensics and evidence handling, valid skills but nothing moves past detection. If an issue cannot be detected all follow on skills/activities are moot. In your example this is breach response, certainly once someone else has detected it for you (as is often the case) you have some idea where to start with investigation, but that does not prepare you to identify the next item on your own.
