When we started Sensato Cybersecurity Solutions, our goal was to develop a company that provided leading edge cybersecurity solutions. We did not want to replicate what others were doing and do it better, rather we wanted, and still do today, to be the rebels of cybersecurity. To do what we needed to, question everything, to analyze the status quo and most of all embrace a new perspective when it comes to securing and defending people, places and things. We call that new perspective that “attacker’s perspective.”Over a long period of time we interviewed CIO, CISO, managers, security analysts, security engineers and compliance officers.
What we learned was that no one was happy with their Security Operations Center.
Is that surprising? Our hope is that this guides you in planning and developing your own SOC program. If you already have a SOC, well we hope that it at the very least helps you understand that you are not alone.
Between 2015 and 2016 we worked to formerly and informally quantify why people had such disdain towards their SOC. Formerly we interviewed and surveyed SOC owners/operators and informally we discussed the topic during site visits with our clients or partners. When we finally aggregated the data, we found a set of consistent themes. Although we have not included every theme in this report, we have provided the most recurring themes that we found.
Many respondents reported that although their vision was to have a SOC program that was fully integrated with the rest of their operations, the SOC had become an island. The SOC didn’t maintain an understanding of the processes, challenges, culture or priorities of the overall organization. Although this was more pronounced with commercial offerings, it was also an issue for home-grown SOC programs.
We found that in many cases the SOC team simply acted as a ticketing group. One comment we heard often is that the SOC was simply a glorified help desk with some fancier tools and toys. The SOC team will often identify an issue, create a ticket, notify someone and then just report on the progress or lack of progress They didn’t provide guidance, have insights into resource constraints, skillsets or competing priorities.
The SOC was not trained to support their partners when it came to incident response.
Most SOC provide monitoring, but for many who embrace a SOC they don’t see any real value beyond the monitoring. The SOC does not provide effective coaching or training, insights into strategic planning, real threat intelligence, guidance on network planning or application deployment, social awareness, useful data, metrics or many of the other programs that were believed to be part of the SOC vision. A SOC that just does monitoring and reports an issue, is more than likely why so many are viewed as a cybersecurity help-desk and not a true SOC.
A SOC that is simply spun up quickly, monitors assets and reports anomalies is probably not the idea that was sold. In the pre-deployment stages of a SOC many are sold the vision that is more akin to command center with amazing capabilities to ferret out and fight back attackers. It is important to truly qualify what the SOC can do and what the investment in the stock will honestly provide.We want a real partner, someone who is a part of our team. Many reported that when they reached out to their commercial SOC vendor they would be told that the request required a new level of service or statement of work. For those running their own SOC, their internal customer’s felt that the SOC acted more like a police force creating an “us vs. them” culture that is not conducive to incident response. The SOC must not only be a real partner in every sense of the word, but also provide far more than technical capabilities.
Currently there are more than one million job openings in the cybersecurity industry. Making it extremely difficult for any organization to find the right talent. Unfortunately, the SOC is one area that requires extremely strong skills that go well beyond just reading a screen, punching a ticket and reporting progress. The SOC must be able to correlate intelligence, guide incident response, support forensics, provide over watch, support media activities, invoke and guide countermeasures and much more. The inability for any SOC team, homegrown or commercial, to provide these critical skills, is an early indicator that the SOC program will fail.
As stated earlier, these are just some of the things we learned during our year-long investigation into the myths and fallacies of security operation centers. You may find these amusing, illuminating or familiar, but we found them to be rather sad.
The goal of the SOC was originally to provide a highly professional service that can provide advanced detection, guidance and protection to an organizations people, places and things. The SOC must be collaborative, highly skilled beyond what most people realize, have clear processes and be a true partner that puts the mission before the contract or charter.
Based on the outcome of our investigation, we finally understood why so many of our clients were coaching us to build and offer a SOC program. The Sensato-CTOC (Cybersecurity Tactical Operations Center) finally came to fruition.
The Sensato-CTOC was developed to correct what we learned were frustrations and critical success factors during our investigation.
This report is not intended to sell you on our SOC program (although we would love to tell you more) but to help educate you on why we found that SOC programs fail.
If you want a real SOC, here are some key insights in what that means.
Whatever you think your salary requirements are, add 10%. You are looking to defend your people, places and things. The SOC team is not the receptionist at the front lobby, they are supposed to be the best of the best. Able to respond at a moments notice, decipher anomalies from realities, use advanced tools, write advanced scripts, make critical decisions and much more. You need to be able to afford the best and retain them.
Tactics, Techniques, Procedures are critical. The SOC needs to have standing orders, protocols and IAD (immediate action drills). You must streamline your procedures and make sure that they are more akin to the types of orders a special operation team or trauma center uses and not what is typical for the world of corporate America. If you have spent more time putting monitoring in place and can point to cool Splunk graphics but do not have your TTP in place, you are probably living in a world of false security.
Drills replicate real world scenarios and will give you insights into how things will happen when things go wrong. You can use things like tabletop simulations, cyber ranges, capture the flag, red vs. blue games or similar programs to better understand how your team will react.
Let me be clear, incident response plans are so 1992. You must deploy an incident response platform along with your SOC. The platform must evolve and be fuelled by current threat intelligence and tactics. A SOC that does not have an integrated incident response platform will quickly fall apart during a real prolonged incident. If you are the person who championed the SOC you may find yourself explaining why the SOC didn’t perform in its darkest hour.
There are many more things we learned during our investigation and would love to share them with you. For now, we think this is a good start, but also would love for you to contact us with all your frustrations, recommendations and thoughts.