SOC Mistake #2: Silos Silos Silos

After a gap of a couple of years I’ve actually sat down to pen the long-awaited SOC Mistake #2.

To be clear, I never intended these posts to be in order of contribution to ineffective and inefficient security operations, so these last two aren’t necessarily the most important.


I’ve spoken about the topic of silos before in my posts SOC Mistake #8: You don’t speak the language of business and SOC Mistake #6: You don’t focus on the big picture, but silos extend far beyond the boardroom and the SOC. In the past couple of decades working with operational cyber security teams I’ve often seen disconnects within the operations teams themselves, with threat intelligence analysts, SOC analysts and responders all seemingly working at odds with each other and little overall consideration of the end-to-end process flow or of how the platforms involved integrate. I’ve seen hand-offs of alerts, cases and incidents between multiple different platforms, and a lack of enrichment that takes into account the persona of the recipient and what they need to get their job done.

Then we go beyond the operational security teams and start to look at the way the SOC interacts with other parts of the business: the owners of the event sources that feed into the SIEM; external application developers; the red teams; cyber risk managers; third-party suppliers; and those responsible for vulnerability management. The processes related to each of these relationships, and the systems that support them, are often built from a tactical perspective, resulting in ineffective and inefficient processes supported by a sprawling technology stack that hampers agility and requires continual care and maintenance.

Now after keeping everyone waiting years you’d think I’d cover all of the above topics in more detail in a single post, but each area really does merit its own follow-up post - which I’ll start working on right now…honest ;)
