The Mature SOC’s Role in Security Operations
There is a lot of talk about building an effective cybersecurity program, with security analysts recommending that your organization strive for cybersecurity maturity. But what do they mean by maturity, and what is the role of the SOC in reaching that point?
Cybersecurity maturity measures the success of the security systems and protocols that your organization has put in place. Government agencies like the Department of Defense and the Department of Energy, as well as security companies, offer cybersecurity maturity models with self-evaluation tools and processes so you can get a deeper assessment of your overall cybersecurity capabilities.
The Role of the Security Operations Center (SOC)
It is important to point out that not all organizations need a SOC or have the internal capabilities to support one. It is a big investment and it may be more cost-efficient to rely on third-party managed security service providers (MSSPs).
But for those organizations that do have a SOC, it is a key factor in their security program. It usually stays in the background, behind the curtain so to speak, said Brian Marr, security operations manager at Horizon3.ai, in an email interview.
“However, when something related to cybersecurity happens, it becomes one of your most important pieces of investigation,” said Marr. “The SOC requires and provides visibility into an organization when anomalies or security incidents happen.”
Although organizations will have different criteria or definitions of those anomalies, in general, the SOC revolves around visibility—the ability to see into and know what is happening within an IT environment.
Visibility into all data sources is the foundation for all advanced programs and investigations that a SOC does. These are the data sources where the “keys to the kingdom” for each organization exist, Marr pointed out, and as the lifeblood of the company, data sources need to be validated and monitored. Once these primary data sources are available to the SOC, you bring in secondary sources that are less critical but can still yield useful leads in investigations.
“A mature SOC has its data sources ingested and parsed so they can take actionable steps on them through their visibility,” said Marr. “Mature SOCs have trimmed alert fatigue by building proper exceptions for low fidelity items or normal business processes, and they have automation in place to scale accordingly.”
Building Maturity in the SOC
The key measures of maturity should be around efficacy, efficiency and response time, explained Avkash Kathiriya, SVP of research and innovation at Cyware, in an email interview. If SOC teams are overwhelmed by alerts and threat feeds and haven’t automated entry-level (L1) analyst functions, it’s very hard to ensure confidence in security.
Another key measure is how long it takes to disseminate critical threats, alerts and actions to the right people. “In immature SOCs, detection, triage, enrichment, automated actions and communication to the right people can take days or longer. But in a mature SOC, these processes should happen within minutes,” said Kathiriya.
The next level of maturity is around applying automation to triage alerts, and then applying playbook workflows to streamline incident response. This typically requires a SOAR solution, said Kathiriya; however, the first generation of SOAR products was notoriously difficult to implement and constrained. “In order to successfully automate playbooks, analogous manual processes are in place. It’s impossible to automate ad hoc processes or seat-of-the-pants incident response.”
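The two points above (trimming alert fatigue with proper exceptions for normal business processes, and automating the L1 triage step so response time can be measured) are easier to see in code. The following is an added example, not code from the article or from Horizon3.ai or Cyware: a minimal triage pass that parses a newline-delimited JSON alert export, suppresses hits that match explicit, scoped exception rules, correlates what remains per user to rank fidelity, and reports time-to-triage. The alert format, the exception-rule shape (rule + user + host prefix, with an owner and review date), the scoring scheme and every alert line are constructed assumptions for illustration.

```python
"""Alert triage pass for an L1 queue (constructed example, not real telemetry)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timezone
import json


@dataclass(frozen=True)
class Alert:
    ts: datetime
    source: str
    rule: str
    host: str
    user: str
    severity: int  # 1 (info) .. 5 (critical), as emitted by the detection source


# Constructed sample export, one JSON alert per line (assumed SIEM format).
RAW_ALERTS = """
{"ts": "2024-03-01T02:00:05Z", "source": "edr", "rule": "proc.shell_from_service", "host": "bk-01", "user": "svc_backup", "severity": 3}
{"ts": "2024-03-01T02:00:09Z", "source": "edr", "rule": "proc.shell_from_service", "host": "bk-02", "user": "svc_backup", "severity": 3}
{"ts": "2024-03-01T02:13:40Z", "source": "auth", "rule": "auth.impossible_travel", "host": "vpn-gw", "user": "jdoe", "severity": 4}
{"ts": "2024-03-01T02:14:02Z", "source": "edr", "rule": "proc.credential_dump_tool", "host": "ws-117", "user": "jdoe", "severity": 5}
{"ts": "2024-03-01T02:14:30Z", "source": "proxy", "rule": "net.rare_domain", "host": "ws-117", "user": "jdoe", "severity": 2}
{"ts": "2024-03-01T02:20:00Z", "source": "proxy", "rule": "net.rare_domain", "host": "ws-042", "user": "asmith", "severity": 2}
{"ts": "2024-03-01T02:21:00Z", "source": "vuln", "rule": "vuln.scanner_sweep", "host": "scan-01", "user": "svc_scanner", "severity": 3}
"""

# Exception rules for known-normal business activity (constructed). Each one is
# scoped to a rule, a user AND a host prefix, so the same behaviour from an
# unexpected account or host is still escalated rather than silently dropped.
EXCEPTIONS = [
    {"name": "backup-service-shell", "rule": "proc.shell_from_service",
     "user": "svc_backup", "host_prefix": "bk-",
     "owner": "infra-team", "reviewed": "2024-02-15"},
    {"name": "vuln-scanner", "rule": "vuln.scanner_sweep",
     "user": "svc_scanner", "host_prefix": "scan-",
     "owner": "vuln-mgmt", "reviewed": "2023-10-01"},
]


def parse_alerts(text: str) -> list[Alert]:
    """Parse the newline-delimited JSON export into Alert records."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        alerts.append(Alert(ts, rec["source"], rec["rule"], rec["host"],
                            rec["user"], int(rec["severity"])))
    return alerts


def matches_exception(alert: Alert, exc: dict) -> bool:
    """All three scope fields must match; a partial match is not an exception."""
    return (alert.rule == exc["rule"] and alert.user == exc["user"]
            and alert.host.startswith(exc["host_prefix"]))


def stale_exceptions(now: datetime, max_age_days: int = 90) -> list[str]:
    """Names of exceptions whose last review is older than max_age_days.
    Exceptions that nobody re-validates are how blind spots creep in."""
    today = now.date()
    return [e["name"] for e in EXCEPTIONS
            if (today - date.fromisoformat(e["reviewed"])).days > max_age_days]


def triage(alerts: list[Alert], now: datetime, escalate_at: int = 5) -> dict:
    """Suppress excepted alerts, rank the rest by fidelity, escalate the top."""
    suppressed: Counter = Counter()
    kept: list[Alert] = []
    for a in alerts:
        exc = next((e for e in EXCEPTIONS if matches_exception(a, e)), None)
        if exc:
            suppressed[exc["name"]] += 1
        else:
            kept.append(a)

    # Fidelity score: source severity plus one point for every other distinct
    # rule that fired for the same user, so one low-severity hit stays low while
    # several weak signals on one identity rise together.
    rules_by_user: defaultdict = defaultdict(set)
    for a in kept:
        rules_by_user[a.user].add(a.rule)

    def score(a: Alert) -> int:
        return a.severity + len(rules_by_user[a.user]) - 1

    ranked = sorted(kept, key=lambda a: (-score(a), a.ts))
    escalated = [a for a in ranked if score(a) >= escalate_at]
    waiting = [(now - a.ts).total_seconds() for a in escalated]
    as_row = lambda a: (score(a), a.rule, a.user, a.host)
    return {
        "suppressed": dict(suppressed),
        "escalated": [as_row(a) for a in escalated],
        "queued": [as_row(a) for a in ranked if score(a) < escalate_at],
        "mean_time_to_triage_s": sum(waiting) / len(waiting) if waiting else 0.0,
    }


def run_demo() -> tuple[dict, list[str]]:
    """Run the pass at a fixed 'now' so the results are reproducible."""
    now = datetime(2024, 3, 1, 2, 30, tzinfo=timezone.utc)
    return triage(parse_alerts(RAW_ALERTS), now), stale_exceptions(now)


if __name__ == "__main__":
    result, stale = run_demo()
    print(json.dumps(result, indent=2))
    print("stale exceptions:", stale)
```

On the constructed input, both backup hosts and the scanner are suppressed by name (so the suppression count is itself reportable), the credential-dumping alert and the impossible-travel alert for the same user are escalated ahead of everything else, the two rare-domain hits stay queued, and the mean time-to-triage for the escalated pair is about 16 minutes. The `stale_exceptions` check flags the scanner exception as overdue for review: an exception list is only "proper" while someone owns and re-validates it.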
Another maturity marker is whether the SOC has integrated threat intelligence into its processes. This should not be left until last, but many organizations regard threat detection and threat hunting as distinct skills requiring separate tools.
Having a mature SOC is a fundamental piece of the security system. The more the SOC can handle through automation, the more time analysts have to focus on issues that require manual investigations.
“It’s a cliche, but security must be a continuously evolving process – not a static set of technical solutions,” said Kathiriya. “Security teams also need clear visibility into what’s most critical for their organization to protect. There will always be noise in security, but the critical alerts and actions must cut through the noise.”