Odd SOCs


Security Operations with Intelligence

SOC Mistake #4: You Don't Have a Centralised Knowledgebase

Some of the most effective security operations capabilities I've seen have leveraged well-defined intrusion analysis playbooks for events of different classifications, flexible enough to support ad-hoc extensions to deal with something new… Read More…

SOC Mistake #5: You treat the SOC as a Project, not a Program of Continual Improvement

Building an effective and efficient Security Operations Centre can take a matter of years. Yes, you can build a foundational level of capability in several months (and it's what companies used to pay me to do in my previous role), but it takes time for processes to be tuned and become muscle memory for the analysts, to filter out false positives and minimise the risk of a real attack sneaking in as a false negative; initial training for your SOC staff is only a baseline, and understanding business operations, stakeholder priorities and the practical application of that training all take time. The transition from the foundational level to full capability is achieved through repeatable and measurable processes, with the metrics providing the telemetry the SOC manager needs to make operational decisions - "train analyst x in y"; "retire use case z because the operational overhead exceeds its value to the business"; and "reinforce processes with analyst b, who isn't following the required playbooks". This often means that it can take 2 - 3 years for a SOC to reach its optimum maturity level (depending on how the business has defined that) - during this time there will be new threat actors, new vulnerabilities, new systems implemented within the organisation and new defences… Read More…

SOC Mistake #6: You don’t focus on the big picture

Often in Security Operations Centres that have been built this way, rules cannot be built in a granular enough way to provide the analyst with enough context to determine whether something is a false positive or a real attack without significant digging around. To deal with event volume the Security Operations Centre has to invest significant cost in hiring additional Level 1 Analysts to perform event triage. Another problem with bottom-up rules is that they can be extremely tricky to tune: they usually have simple correlations relying on two or three different log sources and simple logic, so tuning them for one scenario often detunes the detection capability for another… Read More…

SOC Mistake #7: On Use Cases, You Model Your Defences, Not Your Attackers

Use Cases - these are simply the most misunderstood subject in both security operations and Security Information & Event Management (SIEM). SIEM is one of the most mis-sold and mis-bought items of information security technology. The most common type of Request For Information we get from customers lists the different types of event sources and the Events Per Second (EPS) for each event source. The customer often believes that a SIEM is magical, that it understands everything about their business and their threats. All they need to do is merely pump their raw events in at one end and actionable security intelligence pops out of the other… Read More…

SOC Mistake #8: You don’t speak the language of business, you speak the language of security

This is by far one of the most common failings of Security Operations. I’ve reviewed the maturity of several large global Security Operations Centres and they appear to be doing a reasonable job of the prediction, detection and investigation of information security incidents - but none of this is visible to the rest of the organisation that funds their operational budgets… Read More…