Introduction
Security Operations Centers continue to be under significant pressure to respond, manage and assure security. According to The Ponemon Institute’s 2015 Cost of Data Breach Study, how quickly an organization can identify and contain data breach incidents strongly affects the financial consequences. “Malicious attacks can take an average of 256 days to identify while data breaches caused by human error take an average of 158 days to identify. Malicious or criminal attacks are the most costly data breaches.”
While SOCs continue to invest in detection and monitoring systems and tools, and these systems continue to evolve, most SOCs are still held back by a significant amount of manual processes. According to Enterprise Strategy Group, “Clearly, large enterprise organizations are basing incident detection and response activities on massive amounts of data in order to gain situational awareness and take the appropriate remediation actions. Unfortunately, doing so isn’t very efficient when IR depends upon an army of independent tools and reporting engines distributed throughout the network. Enterprises are addressing this with IR automation and orchestration by building their own runbooks/workflows, tapping into software APIs, writing scripts, or deploying commercial IR platforms.”
Staffing and skills shortages will continue as companies struggle to find and keep key resources, while the use of outsourcing is hampered by the difficulty of incorporating outsourced teams into workflows, maintaining visibility, and enforcing SLAs. As SOCs deal with an increasing volume of alerts and successful breaches, efficient cyber security case management becomes increasingly critical. But the old strategy of simply adding staffers to a security team is no longer feasible, largely because the talent is simply unavailable.
We offer a basic roadmap to help address these challenges and improve SOC effectiveness and efficiency:
FIRST: INCREASE COLLABORATION AND CROSS-TEAM EFFICIENCIES
- SOCs have the opportunity to increase automation and workflow to improve cross-team collaboration, gain significant efficiencies, assure closed-loop processes, and improve reporting and visibility
- State-of-the-art service management workflow automation and process management can be applied
- Improvements and refinements can be performed on runbooks and workflows
SECOND: ADD INTELLIGENCE TO PRIORITIZATION, RESPONSE, AND REMEDIATION
- Automate mundane and manual functions
- Implement closed-loop, automated response and validation of remediation
- Evolve the use of intelligence over time with a programmatic approach to its application
- Institute a set of metrics that capture maturity (am I doing better, worse, or staying the same?)
THIRD: SUPPLEMENT IN-HOUSE CAPABILITIES WITH OUTSOURCED EXPERTISE
- With best-in-class automation and workflow, SOCs can more easily supplement in-house resources with outsourced expertise to better manage staff, skill, and coverage gaps
- Provide maintenance and access through a full range of skills and expertise
- Continue staff development through recruiting and in-house development programs
Conclusion:
- Challenges abound, but SOCs can continue to evolve to improve their ability to manage security
- Adding better collaboration and workflow automation can help eliminate manual processes
- Incorporating intelligence and automation can help with prioritization and efficiencies
- Time-saving automation and better process management create the opportunity for partnering and outsourcing to improve the availability of skills and resources
- Gain better prioritization of remediation activities through integration with ITSM so that time and money can be spent more effectively
- And lastly, gain a better understanding of the maturity of your security effectiveness.