Moving to a New Reality: The Work-From-Home SOC

The work-from-home SOC is a new reality: maintaining resiliency in security monitoring

As organizations establish work-from-home initiatives, maintaining business continuity and productivity is critical. Security is key to the success of this transition. In fact, it is more important than ever, given the current global pandemic. Cybercriminals will take advantage of any (perceived) weakness, as they have done recently by creating phishing campaigns pretending to come from the Centers for Disease Control or the World Health Organization.

There are many things organizations can do to ensure employees stay healthy and safe while also maintaining resiliency. Central to this is making sure the organization keeps running securely, particularly when it comes to the security operations center (SOC). How do companies remain resilient during these times? It’s time to look at the work-from-home SOC.

Apply Automation to Reduce Reliance on Personnel

Automation, and the reduced reliance on personnel it brings, is a crucial aspect of maintaining an effective security operation in a time of crisis. If manpower must be limited, investment in automation should be accelerated. Automating your SOC can reduce staffing needs, which is invaluable during times when members of your SOC team are unable to work, be it for health or other reasons. Migration to the cloud, whether SaaS or IaaS solutions, has also reduced the need for people to be in a data center physically managing systems.

In security operations, the main bottleneck has always been human capacity: no matter how skilled security analysts are, they do not scale with the volume of log data that an organization’s sensors produce today, and they will not get faster at reading it. Automation is the tool that addresses this gap.

A SOC’s operational processes are intentionally formal, structured, regular and repeatable. The vast majority of today’s SOCs, then, are built according to patterns that lend themselves well to automation. You can automate tasks that would be difficult or impossible for an analyst to do by hand, such as correlating an IP address associated with an alert with a sequence of events that took place on another part of the network two weeks ago.
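The correlation task just described, as an added example that is not code from the original article or from any product it mentions: given an alert with a source IP, search a 14-day lookback window of historical events for the same IP on other hosts, and attach a simple triage score. The log records and their field layout (timestamp, host, event type, source IP) are constructed for the example and are an assumption, not a real product’s format.

```python
"""Added example: correlate an alert's IP against a 14-day history of events.

The event rows and the scoring weights are constructed for illustration; a real
SOC would read from its SIEM and tune scoring to its own environment.
"""
from datetime import datetime, timedelta

# Constructed sample events: (UTC timestamp, host, event type, source IP).
SAMPLE_EVENTS = [
    ("2020-03-02T08:15:00", "fileserver-01", "failed_login", "203.0.113.45"),
    ("2020-03-02T08:16:00", "fileserver-01", "failed_login", "203.0.113.45"),
    ("2020-03-03T22:40:00", "vpn-gw", "vpn_login", "203.0.113.45"),
    ("2020-03-10T11:05:00", "workstation-17", "dns_query", "198.51.100.7"),
    ("2020-03-15T23:50:00", "web-01", "http_request", "203.0.113.45"),
    # Same IP, but outside the lookback window: must not be returned.
    ("2020-01-15T09:00:00", "fileserver-01", "failed_login", "203.0.113.45"),
]

LOOKBACK = timedelta(days=14)


def parse_events(rows):
    """Turn raw tuples into dicts with parsed timestamps."""
    return [
        {"ts": datetime.fromisoformat(ts), "host": host, "event": ev, "src_ip": ip}
        for ts, host, ev, ip in rows
    ]


def correlate_ip(alert_ip, alert_ts, events, lookback=LOOKBACK, alert_host=None):
    """Return events from alert_ip within `lookback` before alert_ts, oldest first.

    If alert_host is given, events on that host are excluded so that only
    activity elsewhere on the network is surfaced (the host that raised the
    alert is already known to the analyst).
    """
    start = alert_ts - lookback
    hits = [
        e for e in events
        if e["src_ip"] == alert_ip
        and start <= e["ts"] <= alert_ts
        and (alert_host is None or e["host"] != alert_host)
    ]
    return sorted(hits, key=lambda e: e["ts"])


def triage_score(hits):
    """Illustrative scoring (assumed weights): each distinct host touched adds
    10, each failed login adds 5. Higher means the alert should be looked at
    sooner."""
    hosts = {e["host"] for e in hits}
    failed = sum(1 for e in hits if e["event"] == "failed_login")
    return len(hosts) * 10 + failed * 5


def investigate(alert_ip, alert_ts_iso, rows=SAMPLE_EVENTS, alert_host=None):
    """Convenience wrapper: parse, correlate and score in one call.
    Returns (hits, score)."""
    events = parse_events(rows)
    hits = correlate_ip(alert_ip, datetime.fromisoformat(alert_ts_iso), events,
                        alert_host=alert_host)
    return hits, triage_score(hits)


if __name__ == "__main__":
    # An alert from web-01 on 16 March; look back two weeks across other hosts.
    hits, score = investigate("203.0.113.45", "2020-03-16T03:00:00",
                              alert_host="web-01")
    for e in hits:
        print(e["ts"].isoformat(), e["host"], e["event"])
    print("triage score:", score)
```

Run as a script it lists the two failed logins on fileserver-01 and the later VPN login, all from the alert IP, while dropping the January hit that falls outside the window and the event on web-01 itself. The point is not the scoring weights, which are arbitrary here, but that a time-windowed lookup across every host’s history is a few lines of code and seconds of runtime, whereas an analyst paging through two weeks of logs would rarely find the earlier failed logins at all.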

Implementing automation is not only practical from a staffing perspective; it also lets your team members focus on more interesting and fulfilling work than console monitoring, such as threat hunting. If automation can analyze and triage security data better than humans can, SOC analysts are less likely to burn out. Automation, then, decreases the chance of errors and of employee turnover. And this ultimately helps your company stay resilient, even during tough times.

Implement the Right Staffing and Communications Plans for Your SOC Employees

The right communications plan is always important, but the sudden shift to work-from-home makes it urgent, and organizations are adapting quickly.

A good plan includes:

  • Making sure the appropriate notifications are set up and going to the appropriate team members.
  • Ensuring team contact information is up to date, including both work and personal phone numbers and email addresses, and agreeing on an out-of-band channel to use if corporate email or chat is itself unavailable or compromised during an incident.
  • Creating an FAQ document that states who to contact on the different subjects and topics that may arise.

It’s also important to look at scheduling, including planning shifts with both primary and backup staff. Everyone within the SOC team needs to know not only their own role but also the availability of the entire staff. Key to this is publishing staff schedules where everyone can access them and making sure that shift and handover policies are communicated transparently.

Using Today’s Collaboration Tools for Success

There is a plethora of sophisticated collaboration technologies available today that let remote work resemble in-office work as closely as possible across many industries. On top of automation, these tools help ensure the success of the work-from-home SOC.

While automation will go a long way toward ensuring business continuity, the SOC team will still need video and voice conferencing tools. Tools that provide remote access to the network, such as VPNs, and communications services such as email are also essential. Since the VPN is now the front door to the SOC’s own tooling, remote access should require multi-factor authentication and its logins should be monitored like any other privileged access.

Another key tool is ticketing or case management technology. When an incident is identified, these tools enable collaboration among members of the security team as well as outside functional teams. Investigative effort and analysis can be logged in the ticket or case and then shared among stakeholders, which also gives the team a single record of what was done and when.

Security and Resilience Even in Uncertain Times

The current health crisis serves as a reminder that the next business-disrupting event could happen at any time. To stay resilient and maintain business continuity and productivity, keeping a strong and uninterrupted cybersecurity posture is a necessity. Accomplishing this requires an action plan. Automation is a business-critical partner for enabling the work-from-home SOC, reducing the burden on SOC staff and possibly even reducing staffing needs. In conjunction with cloud apps and services, automation reduces or eliminates the need for in-office analysts when the team must work remotely or some of its members are unavailable. Use the steps above to formulate a plan if you don’t have one already. If you do, check that plan against these steps to make sure you’ve covered all the bases for a high-functioning SOC that works no matter the circumstances or the location of your staff.

Chris Triolo

Chris Triolo is the vice president of customer success at Respond Software. His security expertise includes building world-class professional services organizations as vice president of professional services at ForeScout and global vice president of professional services and support for HP Software Enterprise Security Products (ESP). Chris’ depth in security operations and leadership includes a long tenure at Northrop Grumman TASC supporting various Department of Defense and government customers, including Air Force Space Command (AFSPC) Space Warfare Center, United States Space Command (USSPACECOM) Computer Network Attack and Defense, Air Force Information Warfare Center (AFIWC), and others.