Review your SOC: boosting efficiency and response
Fujitsu / July 24, 2024
In today's rapidly evolving threat landscape, organizations must adopt a proactive approach to cyber security. An effective strategy for a robust security posture is ensuring close collaboration between the Security Operations Center (SOC) and the broader security team.
One of the things I find surprising in some organizations is the engagement of the security lead with the SOC. The daily operation of the SOC is often presented as dashboarded data and more unusual or worrisome incidents get called out, but on the whole the security lead is often too distant from the SOC. I find it hard to understand why, particularly as within my role I review my SOC's casework weekly and couldn't do without the insight that I get from that 90 minute meeting with my team.
I am lucky enough to have a direct relationship with my SOC but note that even if you buy SOC services from a third-party you should still be able to push for a relationship with the SOC team!
In this blog, I will explore why I value it so much.
As a leader I can set tone and focus
Sometimes the SOC pushes too hard on trivia, and at the same time it can fail to drive hard enough where it matters. It can be tempted to 'tune out' what it regards as false positives, or it can misinterpret some of the incidents it is presented with, particularly incident tickets written by non-security people. My being on the call means I can set direction and also ensure balance and thoroughness. It is also a forum for people to challenge my ideas and the security posture I take. A good example of this is the question of why we would focus deeply on a lost mobile device that is encrypted, behind MDM and contained no significant data, when a few lines below is a team messing around with PowerShell because they are looking for a workaround.
There is often a deeper story
Sometimes incidents are not what they present as: there is often a back-story, or a commonality between incidents, that we can spot in a group discussion but not in a written report. Often there is a human angle that needs to be explored or understood. In this way the SOC, responsible for monitoring and analyzing security incidents, provides valuable data but also very human insight that helps our security team understand emerging threats and vulnerabilities. In addition, the SOC focuses on operational aspects such as monitoring and incident response, while the security team handles more strategic tasks like policy development and risk management. By working together, we can ensure comprehensive security coverage.
It's action-centric
With key team members on the SOC review call I can very quickly pass an action to one of them for a quick response. A good example of this is the Communications Lead, who will move quickly to turn a pattern of incidents into a communique to key teams to prevent recurrence. When the SOC and security team operate in silos, critical information can be lost, leading to inefficient incident handling and incomplete post-incident analysis. Collaboration ensures that all relevant data is collected, analyzed, and utilized effectively.
It is an opportunity for the group to learn and bond
The SOC can provide feedback on the effectiveness of security policies and controls, while the security team can suggest improvements in monitoring and response strategies based on their broader understanding of the organization’s risk landscape. In increasingly dispersed teams, the SOC review can be a very useful team activity; ours is humorous, frustrating, informative, democratic and friendly, and an excellent forum for learning and debate. It plays a particularly good role in supporting new or remote members.
It's an expensive asset - so maximize the investment
Last, but not least: when the SOC and security team work together seamlessly, it sets a positive example for the entire organization, emphasizing the importance of collaboration and vigilance in maintaining security.
Conclusion
Organizations that prioritize this collaboration will be better equipped to navigate the complexities of today’s cyber threat landscape. My advice therefore is that for the insight, the sense of team and for the opportunity to be seen visibly steering the ship, you should take the chance to review the casework of the SOC and get a view of that world beyond the dashboards!
Clive Tillotson | LinkedIn