Review your SOC: boosting efficiency and response

Fujitsu / July 24, 2024

In today's rapidly evolving threat landscape, organizations must adopt a proactive approach to cyber security. An effective strategy for a robust security posture is ensuring close collaboration between the Security Operations Center (SOC) and the broader security team.

One of the things I find surprising in some organizations is the level of engagement between the security lead and the SOC. The daily operation of the SOC is often presented as dashboarded data, and the more unusual or worrisome incidents get called out, but on the whole the security lead is often too distant from the SOC. I find it hard to understand why, particularly as within my role I review my SOC's casework weekly and couldn't do without the insight that I get from that 90-minute meeting with my team.

I am lucky enough to have a direct relationship with my SOC, but note that even if you buy SOC services from a third party you should still be able to push for a relationship with the SOC team!

In this blog, I will explore why I value it so much.

As a leader I can set tone and focus

Sometimes the SOC pushes too hard on trivia, and at other times it does not drive hard enough. It can be tempted to 'tune out' what it regards as false positives, or it can misinterpret some of the incidents it is presented with, particularly incident tickets written by non-security people. My being on the call means I can set direction and also ensure balance and thoroughness. It is also a forum for people to challenge my ideas and the security posture I take. A good example of this: why focus deeply on a lost mobile device that is encrypted, behind MDM and contained no significant data, when a few lines further down the list is a team messing around with PowerShell because they are looking for a workaround?

There is often a deeper story

Sometimes incidents are not what they first appear to be. There is often a back-story or a commonality between incidents that we can spot in a group discussion but would miss in a written report. Often there is a human angle that needs to be explored or understood. In this way, the SOC - responsible for monitoring and analyzing security incidents - provides valuable data but also very human insight that helps our security team understand emerging threats and vulnerabilities. In addition, the SOC focuses on operational aspects such as monitoring and incident response, while the security team handles more strategic tasks like policy development and risk management. By working together, we can ensure comprehensive security coverage.

It's action-centric

With key team members on the SOC review call I can very quickly pass an action to one of them for a quick response - a good example of this is that the Communications Lead will move quickly to turn a pattern of incidents into a communiqué to key teams to prevent recurrence. When the SOC and security team operate in silos, critical information can be lost, leading to inefficient incident handling and incomplete post-incident analysis. Collaboration ensures that all relevant data is collected, analyzed, and utilized effectively.

It is an opportunity for the group to learn and bond

The SOC can provide feedback on the effectiveness of security policies and controls, while the security team can suggest improvements in monitoring and response strategies based on its broader understanding of the organization's risk landscape. In increasingly dispersed teams, the SOC review can be a very useful team activity; ours is humorous, frustrating, informative, democratic and friendly, and an excellent forum for learning and debate - it plays a particularly good role in supporting new or remote members.

It's an expensive asset - so maximize the investment

Last, but not least: when the SOC and the security team work together seamlessly, it sets a positive example for the entire organization, emphasizing the importance of collaboration and vigilance in maintaining security.

Conclusion

Organizations that prioritize this collaboration will be better equipped to navigate the complexities of today's cyber threat landscape. My advice, therefore, is that for the insight, the sense of team and the opportunity to be seen visibly steering the ship, you should take the chance to review the casework of the SOC and get a view of that world beyond the dashboards!

Clive Tillotson
Vice President Risk and Resilience and CISO
Clive Tillotson is Head of Resilience and CISO for Fujitsu Global Delivery, which is Fujitsu’s centralized delivery organization operating from 18 countries, with 23,000 people and in support of Fujitsu’s customers around the world, including Japan itself. Clive’s responsibilities include Information and Cyber Security, as well as Physical Security, Major Incident Management, Data Protection and Privacy, Risk Management and Business and Service Continuity. In 2020 Clive led the Global Delivery Response to Covid, and moved all Global Delivery Centers to remote working, avoiding any disruption to services. In 2022 Clive joint-led Fujitsu’s closure of the Russia-based delivery center, moving the workload of 1,800 people to elsewhere in Fujitsu again avoiding significant customer impact. He received the President’s Award for each of these major activities. Clive has been in Fujitsu for 17 years. Before this he flew attack helicopters in the British Army and also had a career in Archaeology.
