Defining Success for a SOC


By Dan Pitman, Principal Security Architect, Alert Logic 

As an organization's first line of defense, a high-performing Security Operations Center (SOC) is essential for security incident detection. But the confluence of increasingly complex IT environments, a shortage of skilled security professionals, and a consistently changing and expanding attack surface is creating a bigger challenge for SOCs than ever. 

Ultimately, the success of a SOC is defined by its ability to prevent or mitigate cyberattacks. While no organization is immune to attacks, meeting some benchmarks can put SOCs in a better position to achieve successful outcomes. SOCs may struggle to meet these benchmarks due to resource and talent constraints. In these cases, enlisting an MDR partner can help.

Emphasize the human element

Enterprises' spending on cybersecurity products continues to rise. Despite a lower growth rate than forecast before the coronavirus pandemic, Gartner expects Information Security spending to grow 2.4 percent to reach $123.8 billion in 2020. Faced with security staff shortages and skill deficits, organizations are adopting an array of technology tools and services to bolster their IT security strategy.

While technology is foundational to strong security, alone it adds limited value to the SOC. Managed Security Services (MSS) can help resource-constrained security teams extend their capabilities and prevent basic and well-known attacks. But they are inadequate for responding to major, new, or unusual security incidents.

Attackers are employing sophisticated and rapidly evolving techniques. Attacks unfold in multiple, incremental steps, often over weeks or months. The combination of disjointed tools and services used by most SOCs produces data that is difficult to normalize, and the tools themselves are often tuned down to uselessness because staff are too constrained to make sense of their output.

The complexity of today's threats requires human experts to intermediate and validate events and their potential impact. The threat landscape evolves daily, so what worked in one instance may not work in the future. Human analysis in conjunction with threat intelligence is critical to respond to threats and minimize the damage they can inflict.
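The normalization and multi-step correlation problem described above, as an added example that is not code from the article or from Alert Logic. It maps two constructed log formats (a syslog-style perimeter firewall line and a JSON endpoint event; the field names, hosts and addresses are invented for illustration) onto one schema and then flags any asset whose first sighting of each attack stage advances in kill-chain order, even when the steps are weeks apart:

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: syslog-style lines from a hypothetical perimeter firewall.
FIREWALL_LINES = [
    "2020-08-01T09:12:03Z fw01 DENY src=203.0.113.9 dst=10.0.0.5 dport=445",
    "2020-08-01T09:12:07Z fw01 DENY src=203.0.113.9 dst=10.0.0.9 dport=445",
    "2020-08-03T22:41:10Z fw01 ALLOW src=203.0.113.9 dst=10.0.0.5 dport=3389",
]

# Constructed sample input: JSON events from a hypothetical endpoint agent.
EDR_EVENTS = [
    '{"ts":"2020-08-04T01:02:00Z","ip":"10.0.0.5","event":"new_local_admin","user":"svc_tmp"}',
    '{"ts":"2020-08-19T14:30:00Z","ip":"10.0.0.5","event":"lateral_smb","target":"10.0.0.7"}',
]

# Common schema: every event becomes {"ts", "asset", "source", "stage", "detail"}.
# Stages in the order a multi-step intrusion typically progresses (assumed model).
STAGE_ORDER = ["recon", "external_access", "privilege", "lateral"]
REMOTE_ADMIN_PORTS = {"22", "3389"}
EDR_STAGE = {"new_local_admin": "privilege", "lateral_smb": "lateral"}

FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize_firewall(line):
    """Map one firewall line onto the common schema; None if unparseable or uninteresting."""
    m = FW_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    if f["action"] == "ALLOW" and f["dport"] in REMOTE_ADMIN_PORTS:
        stage = "external_access"
    elif f["action"] == "DENY":
        stage = "recon"
    else:
        return None  # ordinary allowed traffic carries no stage signal in this model
    return {"ts": parse_ts(f["ts"]), "asset": f["dst"], "source": "firewall",
            "stage": stage, "detail": f"{f['src']}->{f['dst']}:{f['dport']}"}


def normalize_edr(raw):
    """Map one endpoint JSON event onto the common schema; None if not of interest."""
    e = json.loads(raw)
    stage = EDR_STAGE.get(e.get("event"))
    if stage is None:
        return None
    return {"ts": parse_ts(e["ts"]), "asset": e["ip"], "source": "edr",
            "stage": stage, "detail": e["event"]}


def correlate(events, min_stages=3):
    """Flag assets whose earliest sighting of each stage moves forward along STAGE_ORDER."""
    first_seen = defaultdict(dict)  # asset -> stage -> earliest timestamp
    for ev in events:
        cur = first_seen[ev["asset"]].get(ev["stage"])
        if cur is None or ev["ts"] < cur:
            first_seen[ev["asset"]][ev["stage"]] = ev["ts"]
    findings = []
    for asset, stages in first_seen.items():
        ordered = [(s, stages[s]) for s in STAGE_ORDER if s in stages]
        if len(ordered) < min_stages:
            continue
        timestamps = [t for _, t in ordered]
        if timestamps != sorted(timestamps):
            continue  # stages present but not progressing in kill-chain order
        findings.append({"asset": asset, "stages": [s for s, _ in ordered],
                         "span_days": (timestamps[-1] - timestamps[0]).days})
    return findings


def run_demo():
    events = [n for n in map(normalize_firewall, FIREWALL_LINES) if n]
    events += [n for n in map(normalize_edr, EDR_EVENTS) if n]
    return correlate(events)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On the sample data only 10.0.0.5 is flagged, with all four stages spread over 18 days; 10.0.0.9 saw a single denied probe and stays quiet. Keying on the earliest sighting per stage is what lets the rule tolerate the week- or month-long gaps the article describes, where a per-event or short-window rule would miss the chain.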

Retain your talent

In addition to foundational security abilities, responding to today's threats requires analysts to have expertise in specific disciplines. A strong threat intelligence team, for example, will have comprehensive knowledge of threats informed by continuous research. This context allows them to filter the hundreds of new vulnerabilities published every week and quickly identify those with the greatest potential for exploitation and damage to the organization.

The ability to retain security talent is crucial for the SOC because acquiring the knowledge and experience required to successfully combat today's security threats takes time. Unfortunately, companies are challenged with retaining SOC analysts and the number of security professionals is not growing to meet demand.

While there are several reasons for SOCs' high turnover rate, there are a couple of proven ways to improve talent retention: giving analysts the opportunity to work on projects outside their daily responsibilities, and offering training opportunities for career development. Both vastly increase an analyst's value to the SOC.

Decrease time to identify risks and vulnerabilities

In today's hyperactive threat landscape, it's not unusual for a new vulnerability to be exploited within a week of its disclosure. Meanwhile, an organization's normal patching schedule can run 4 to 6 weeks. That gap underscores the need for monitoring: businesses can't rely on patching alone as a defense.

A successful SOC will have a threat process that's informed by continuous research, enabling it to quickly identify high-risk new vulnerabilities, detect attacks, and reduce their impact and lateral spread in minutes. This proactive approach and rapid response buys the organization the time it needs to test and deploy patches.
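The triage logic implied by the two preceding sections (rank new vulnerabilities by exploitability and exposure, and decide which ones need detection coverage now because exploitation will land before the normal patch cycle does), as an added example that is not code from the article or from Alert Logic. The vulnerability records, asset inventory, 42-day patch cycle and scoring weights are all constructed or assumed for illustration:

```python
from datetime import date, timedelta

# Assumed normal patching schedule: 6 weeks, the upper end of the range in the text.
PATCH_CYCLE_DAYS = 42

# Constructed sample feed: what a research-informed threat process would collect
# for each newly published vulnerability (identifiers are placeholders, not CVEs).
VULNS = [
    {"id": "VULN-A", "published": date(2020, 9, 1), "cvss": 9.8,
     "exploit_observed": date(2020, 9, 4), "network_reachable": True},
    {"id": "VULN-B", "published": date(2020, 9, 2), "cvss": 7.5,
     "exploit_observed": None, "network_reachable": True},
    {"id": "VULN-C", "published": date(2020, 9, 3), "cvss": 9.1,
     "exploit_observed": date(2020, 9, 5), "network_reachable": False},
    {"id": "VULN-D", "published": date(2020, 8, 20), "cvss": 4.3,
     "exploit_observed": None, "network_reachable": True},
]

# Constructed asset inventory: which of our assets carry each vulnerability.
AFFECTED_ASSETS = {
    "VULN-A": ["web01", "web02"],
    "VULN-B": ["db01"],
    "VULN-C": ["ws-113"],
    "VULN-D": [],
}


def days_to_exploit(v):
    """Days from publication to first observed exploitation; None if none seen."""
    if v["exploit_observed"] is None:
        return None
    return (v["exploit_observed"] - v["published"]).days


def exposure_window_days(v):
    """Days an affected asset stays exploitable if left to the normal patch cycle:
    from first observed exploitation until the cycle would deliver the patch."""
    if v["exploit_observed"] is None:
        return 0
    scheduled_patch = v["published"] + timedelta(days=PATCH_CYCLE_DAYS)
    return max(0, (scheduled_patch - v["exploit_observed"]).days)


def risk_score(v, assets):
    """Heuristic ranking; the multipliers are assumed weights, not a standard."""
    if not assets:
        return 0.0
    score = v["cvss"]
    if v["exploit_observed"] is not None:
        score *= 2.0          # in-the-wild exploitation dominates severity alone
    if v["network_reachable"]:
        score *= 1.5          # reachable without prior foothold
    score *= 1 + 0.1 * min(len(assets), 10)  # more affected assets, more exposure
    return round(score, 1)


def decide(v, assets):
    """monitor_now: exploitation is outrunning the patch cycle, so detection
    coverage (rules, hunting, compensating controls) must cover the gap."""
    if not assets:
        return "not_affected"
    dte = days_to_exploit(v)
    if dte is not None and dte < PATCH_CYCLE_DAYS:
        return "monitor_now"
    return "patch_cycle"


def triage(vulns, affected):
    """Return vulnerabilities ordered by risk with a decision and exposure window each."""
    rows = []
    for v in vulns:
        assets = affected.get(v["id"], [])
        rows.append({
            "id": v["id"],
            "score": risk_score(v, assets),
            "decision": decide(v, assets),
            "exposure_window_days": exposure_window_days(v) if assets else 0,
            "assets": assets,
        })
    return sorted(rows, key=lambda r: (-r["score"], r["id"]))


if __name__ == "__main__":
    for row in triage(VULNS, AFFECTED_ASSETS):
        print(row)
```

On the sample feed VULN-A tops the list: exploited three days after publication, it would leave web01 and web02 exposed for 39 days under the normal cycle, so it gets the monitor_now decision. VULN-B has no observed exploitation and can ride the patch cycle, and VULN-D affects nothing we own, which is the cheapest outcome the asset inventory buys you.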

The MDR advantage

Meeting these benchmarks can be a challenge for overtaxed SOCs. A Managed Detection and Response (MDR) solution can complement the SOC's tactical responsibilities with strategic and platform-specific expertise and human mediation.

MDR providers deliver an economy of scale. Typically, they employ more than 100 skilled SOC analysts, with a retention rate that's better than the average.

Most SOCs are compelled to take a generalist approach to stretch their limited staff. MDR provides team members that have deeper levels of knowledge based around the organization's unique business needs. They work on higher-level security incidents as they advance through tiers, gaining expertise as they respond to more complex attacks. And because analysts work in distinct disciplines, responses are performed in parallel, rather than linearly, decreasing the time to detect attacks to just minutes. 

Many SOCs are struggling to meet the challenges of an increasingly dynamic threat landscape. Responding to the proliferation of complex threats requires expertise and skills most businesses don't have. An MDR approach balances technology with the human intelligence needed to ensure accuracy and value. Partnering with an MDR provider can help SOCs meet success criteria and reduce the likelihood and impact of successful attacks.


Previous Articles in the Series:

1. Defining MDR and MSS

2. Defining Detection Left of Boom and Right of Boom

3. Defining Visibility and Threat Management

4. Defining Active Threat Hunting and Threat Intelligence

5. Defining Daily Tasks and Skills of a SOC Analyst

6. Defining Success for a SOC

Next Up: Defining Value from an MDR Solution


About the Author

Dan Pitman 

Dan Pitman is a Principal Security Architect at Alert Logic and works with customers to develop and design security solutions to fit their needs on-premises, hybrid, and in the cloud. With over 20 years' experience in technology spanning consumer support, development, infrastructure operations and security, Dan is passionate about technology and leads the way as a Solutions Architect in helping Alert Logic's customers secure their systems. Born and raised in South Wales, Dan enjoys returning to Alert Logic's Cardiff Headquarters on a regular basis, working with the teams there continuously improving the customer experience.

Published Thursday, September 10, 2020 7:32 AM by David Marshall