Back To The Future 2 – Lessons Learnt
Part One of this article covered some of the challenges of the traditional SOC approach: it is overly technology focused, with budgets consumed by hardware costs and licence fees in a desperate chase to capture ever more logs.
Part Two covers what we've learnt over the past few years in building and operating what we would call a 'Modern SOC'.
A SOC team takes years to build
The modern SOC business that understands how to embrace different mindsets and skillsets, and how to combine them with technology that assists its people, will be the most successful.
The modern SOC requires diversity in skills (technology covered by a modern SOC is wide, from 10-year-old Solaris servers, through to the latest SaaS APIs and applications). Importantly, the modern SOC understands the value of diversity in staff and mindsets and that those critical, valuable human assets need to be using technology designed to assist them and make their job easier.
A key focus needs to be removing distractions from the core SOC team. The more diverse the SOC, the more creative and innovative it will be. Given the opportunity and time to train and experiment, SOC analysts will become more motivated and satisfied in their role, and capable of solving, quite literally, the puzzles thrown at them.
Traditional SOCs often fail because they are too rigid and inflexible in their operating structure, and because their hands are tied by poor HR and recruitment processes. Innovation is stifled by inadequate, expensive and inflexible technology.
A SOC team needs to be large and dedicated, with few distractions
Traditional SOCs have SOC teams that are way too small. A 24/7 SOC providing services to enterprise customers should have a large SOC analyst team of trained, specialised and dedicated analysts.
Under-resourcing a SOC is a fatal flaw, and distracting analysts by having them onboard new customers, write parsers and maintain the underlying SOC technology is a crucial mistake.
A SOC needs dedicated, specialist teams
Examples of the core SOC teams include the following:
- SOC Onboarding and Design Team. A team dedicated to the onboarding of new customers so the core SOC team is not distracted. The team fully manages new customer deployments and changes end to end, as well as the design and deployment of the in-house SOC technology.
- SOC Experts/Consulting Team. A team dedicated to driving the best cyber outcomes for the customer: experts at tuning, at training SOC automation and at running threat hunting programmes, and always there to assist the SOC with incident analysis.
- SOC Support Team. Operates 24/7 alongside the SOC Analyst Team to keep all the SOC technology working and patched. This team ‘keeps the lights on’, so the SOC analysts can be dedicated to security operations.
- SOC Technology/Development/DevOps Team. The role of this team will depend on what type of SOC technology is used, but its purpose is to listen to analyst requirements, develop more efficient workflows, and implement automation and other technology improvements, with the number one goal of supporting and augmenting the analysts.
A modern SOC business should reflect the nature of the problem it was designed to address. To do this it needs to be flexible, agile, diverse and inclusive, and be ready to evolve and innovate in line with the changing problem space. It needs the best people, the most innovative, diverse and enthusiastic, and it needs to support this team with the best ‘analyst aligned’ technology. This is glued together with constantly evolving processes and playbooks, with the whole business focused on the desired outcomes, i.e. the detection and prevention of cyber incidents and the reduction of cyber risk, whilst delivering the best possible service to the customer.