With the continued news of breach after breach, a lot has been made about having a Security Operations Center (SOC) to monitor alerts coming in from your security investments. Realistically, what is the best course of action to immediately augment your security investments? Should organizations build their SOCs internally, or outsource them to a Managed Security Services Provider (MSSP)? Both options could cost millions of dollars, incur lengthy IT implementations, disrupt business productivity and delay immediate returns. In contrast, would organizations be better served if they focused on expanding the foundations and fundamentals of incident detection and response? For the purposes of this post, I’m defining a SOC as what I see most organizations working towards implementing: a group of individuals whose sole purpose is to triage alerts, meaning no operationalizing indicators by the writing of detection rules, and/or incident response capability.
Focus on the Fundamentals First
Most security professionals think of patching and other basic blocking and tackling as the fundamentals of information security. I have never found that to be excessively useful, especially as your adversary is an intelligent threat actor on the other side of the keyboard. The better approach and focus should be on advanced incident response, which is an ecosystem of interconnected functions. Most teams start out by jumping right into the advanced aspects without first focusing on the fundamentals. This would be like trying to build an entire house without first understanding the basics of carpentry, electricity and more.
The following are the absolute basics organizations must first focus on:
Detection – Operationalizing threat intel is not trivial and can take some time to learn advanced proactive processes. What tools will you be leveraging the most in your environment and what process(es) will you use to enable successful and rapid detection?
Evidence Collection – When a machine appears to be compromised, how will you collect evidence to better understand what, if anything, happened? The challenges of a remote and traveling workforce, numerous sites and network segments, as well as a slew of other issues can drastically slow down response times and should be accounted for up front.
Containment – Mechanisms like quarantining, isolation, severing network connections, account shut off, etc. should be well documented and tested with all of the appropriate teams ahead of time.
Forensic Analysis – Once the evidence has been collected, what tools and techniques will be utilized to paint the incident picture? Does your intel provide the visibility and context to take the best actionable measures?
Remediation – Traditionally, remediation was generally “outsourced and handled” by the IT functions responsible for building servers and other endpoints. However, there is a matter of due diligence required by the IR team to ensure these machines are rebuilt properly and are not put back in a compromised state.
Communication – Communication is one of the most overlooked aspects of Incident Response and perhaps both the toughest and the easiest to get correct. Templates should be made for all forms of communication, including initial notifications, updates and recaps, and tied to pre-established schedules. This update strategy should be mutually agreed upon by all vested teams and senior management to ensure expectations are met.
While in theory it can be useful to have a SOC looking at incoming alerts, realistically what good will that do if you fumble with the execution of the more detailed work that needs to be done? I have seen this happen more often than not and if anything it creates more of a mess (and a larger incident) that needs to be responded to.
The best model I have seen executed by a large company is to establish a very robust and healthy IR operation that is also responsible for triaging alerts, and then mature by adding a SOC, essentially transitioning your IR operations into a 24×7 enterprise, not the other way around.
Can 9×5 monitoring be just as good as 24×7?
True information security success rests heavily on an experienced security team that understands IR, its tools and capabilities. With an astute staff, there are a variety of ways to get around having a SOC responding to alerts. Implement a process of prioritizing certain indicators and alerts to “page out” if they fire. Avoid introducing around-the-clock staffing models before the team has technically matured. This model inhibits further IR development, especially for the security team covering the night shift, and could be more of a detriment than providing value.
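One way to express the “page out” process described above, as an added example that is not from the original post. The alert fields, the priority names and the 09:00-17:00 Monday-to-Friday window are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Assumptions (not from the post): business hours are 09:00-17:00 Mon-Fri in
# the IR team's local time, and detection rules tag each alert with a priority.
OPEN, CLOSE = time(9, 0), time(17, 0)
PAGE_PRIORITIES = {"critical"}   # the short list of alerts worth waking someone for

@dataclass
class Alert:
    rule: str
    priority: str        # "critical", "high", "medium" or "low"
    fired_at: datetime   # naive local time of the IR team

def in_business_hours(ts: datetime) -> bool:
    return ts.weekday() < 5 and OPEN <= ts.time() < CLOSE

def next_business_open(ts: datetime) -> datetime:
    """First weekday 09:00 after ts (ts is assumed to be outside business hours)."""
    day = ts.date()
    if ts.time() >= OPEN:          # today's opening has already passed
        day += timedelta(days=1)
    while day.weekday() >= 5:      # skip Saturday and Sunday
        day += timedelta(days=1)
    return datetime.combine(day, OPEN)

def route(alert: Alert) -> tuple[str, datetime]:
    """Return (action, time the team is expected to pick the alert up)."""
    if in_business_hours(alert.fired_at):
        return ("triage", alert.fired_at)
    if alert.priority in PAGE_PRIORITIES:
        return ("page_oncall", alert.fired_at)
    return ("queue", next_business_open(alert.fired_at))

if __name__ == "__main__":
    # Constructed sample alerts; rule names are hypothetical.
    samples = [
        Alert("known-c2-domain-lookup", "critical", datetime(2024, 3, 9, 2, 15)),
        Alert("new-local-admin-created", "medium", datetime(2024, 3, 8, 23, 30)),
        Alert("macro-enabled-attachment", "low", datetime(2024, 3, 12, 10, 0)),
    ]
    for a in samples:
        action, when = route(a)
        print(f"{a.rule:28} {a.priority:8} -> {action:11} {when:%a %Y-%m-%d %H:%M}")
```

Keeping `PAGE_PRIORITIES` small is the design choice that makes 9×5 coverage workable: every rule added to it is a commitment to respond at any hour.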
Once your capabilities are mature, consider building a SOC
Experienced IR and SOC teams know that by starting with the fundamentals and becoming extremely proficient, they can translate it to success in the form of true visibility, integration, and automation of their incident response.
Once your organization achieves a mature rapid detection and response model, then it is time to consider building out a SOC for greater scale across your enterprise. With refined and automated processes in place, your senior analysts can focus on developing junior staff to oversee more important and sophisticated tasks (e.g. proactive hunting). They can also give them front-line and practical experience using advanced IR tools and techniques.
If you are considering outsourcing your SOC to an MSSP, think through the process, especially if they discover an issue. Do they have the expertise to successfully remediate the incident? Inexperienced MSSP teams using haphazard approaches could cause more harm than good and further escalate issues. Ask them when they were last breached and what happened. How many breaches in total? Finally, what is the breach notification process, regardless of whether your information was compromised?
It is important to note that a Security Operations Center is a powerful tool to help detect and respond to major cyberattacks; however, there has been too much focus on running out to build them without first understanding or implementing the basics. Simply put, most companies are not ready for a SOC. They fail to understand that an incident response foundation needs to be in place first. While every company is unique and will have its own requirements, it is not always the correct approach to invest in a SOC. Focus first on the fundamentals and make them work for your company, and then evolve.
I’d love to hear feedback on Twitter, so please reach out @SeanAMason.