As SCRT’s blue teamers, we often deal with Security Operations Centers (SOCs). Interacting with many different SOCs through our consultancy work lets us understand the main challenges a SOC faces and how to solve them.
This blog post results from a Master of Advanced Studies thesis at Geneva’s Haute École de Gestion, in the field of information security management. It relies on both public resources (articles, books, e-books, etc.) and several interviews conducted with SOC managers and CISOs.
We will try to get a glimpse of real-life challenges and compare them with the published (and often vendor-sponsored) content, so we can limit biases and determine how to tackle what really matters.
We would like to thank all SOC managers and CISOs who have taken part in this study.
Author : Greg Divorne
There is data, and Data.
The information gathered was classified into the categories below according to a method detailed in the paper; let’s jump straight to the synthesis.
Each number is a rank: the lower it is, the more often the challenge was raised in that type of source, and the rows are ordered by the sum of the two ranks. In the original table, rows highlighted in green are challenges often mentioned in interviews but rarely in public sources (missing infrastructure vision, missing governance); rows highlighted in red are the opposite (missing human resources, inadequate tooling).

| Challenge | Rank in public sources | Rank in interviews | Sum (priority) |
|---|---|---|---|
| Missing global infrastructure vision | 5 | 1 | 6 |
| Not enough human resources / lacking skills | 1 | 5 | 6 |
| Missing mission / governance | 6 | 1 | 7 |
| Inadequate or wrong use of tools | 2 | 10 | 12 |
| Data (Big data) | 11 | 5 | 16 |
| Lack of authority | 11 | 13 | 24 |
| Threats evolving faster than defenses | 11 | 13 | 24 |
| Pentest / Purple Teaming | 13 | 13 | 26 |
It is interesting to note that the challenges reported by the SOC managers really differ from the ones that have been made public. This is most likely due to sponsored articles among the public sources, and we foresee trouble when such content influences policy makers.
We can also notice that most of the points in red are easy to sell: you’re missing resources? Hire an MSSP. Got bad tooling? Acquire new (and expensive) tools.
We know the readers of our blog won’t get fooled that easily, yet we have to remind everyone to base their choices on the reality of their own environment!
So, what are the key takeaways?
The most relevant finding is that governance and infrastructure vision are the two main challenges SOCs currently face. Without proper governance in place, a SOC cannot decide what to do next, which is why it will then run into many other underlying problems.
Regarding the vision (or knowledge) of the infrastructure, it is critical to protecting one’s assets. How could one protect something whose existence they are unaware of? Impossible. While some tooling may help with automated asset discovery, one then still has to classify those assets according to their importance to the company. This, in turn, requires knowing the importance of the data they host and the business applications they run, far beyond knowing that a box is a Tomcat server with log4j and a MongoDB database, if you see what I mean. To value an application, one needs to know the value of the business processes it serves and how it fits into the organisation’s value chain.
Finally, we found that the biggest challenge is often Dave, who is the human, and not the technology. One may have as many technologies and as much budget as they want; if they don’t know how to leverage them, they will never get the best results they could. But Dave needs real governance to pick the tools that will serve the strategy and solve the underlying challenges, rather than just providing meaningless shiny dashboards!
Summary of proposed solutions
The solutions proposed below are in order of importance. If you want to benchmark or improve your SOC, you should follow the steps one by one, beginning with governance.
Governance
Clear and precise governance must be established between the various stakeholders, with the support of top management. The CIO, CISO and SOC manager, along with the risk management office where it exists, must define the scope of the SOC in terms of asset coverage and security missions. Governance must also confer sufficient authority on the SOC to take appropriate, timely measures in the event of a major security incident, before the whole house burns down. This may imply delegating decision power with strong consequences on business operations (isolating a production segment, for instance) to SOC management.
Global infrastructure overview
A complete, up-to-date and dynamic global infrastructure map must be available, and it has to cover at least the perimeter defined by the governance. For each asset it needs to record at least the asset itself, its purpose, its criticality and its owner. It is also strongly recommended to maintain a user repository listing each user’s different accounts (again with purpose, criticality and owner).
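As an added example (not SCRT’s tooling, and not part of the thesis), here is a small check that confronts such an inventory with the perimeter set by governance and with what the SOC actually sees. The inventory, the perimeter zones, the scanner output and the list of hosts sending logs are all constructed for illustration. It flags in-scope assets whose purpose, criticality or owner is missing, hosts the scanner sees that nobody inventoried, and in-scope assets that send no logs to the SOC at all.

```python
"""Check a SOC asset inventory against the governance perimeter.

Added example, not SCRT's code. All data (inventory, perimeter, scanner
and log-source lists) is constructed for illustration.
"""
from dataclasses import dataclass, field

REQUIRED_FIELDS = ("purpose", "criticality", "owner")
CRITICALITY_LEVELS = {"low", "medium", "high", "critical"}


@dataclass
class Asset:
    name: str
    zone: str
    purpose: str = ""
    criticality: str = ""
    owner: str = ""


@dataclass
class CoverageReport:
    incomplete: dict = field(default_factory=dict)   # asset -> missing fields
    unknown: list = field(default_factory=list)      # seen by scanner, never inventoried
    silent: list = field(default_factory=list)       # in scope but no log source
    out_of_scope: list = field(default_factory=list)  # inventoried, outside perimeter


def check_inventory(inventory, perimeter_zones, scanned_hosts, logging_hosts):
    """Return a CoverageReport for the given inventory and observations."""
    report = CoverageReport()
    inventoried = {a.name for a in inventory}
    for a in inventory:
        if a.zone not in perimeter_zones:
            # Governance did not put this zone in the SOC's mission: note it, skip checks.
            report.out_of_scope.append(a.name)
            continue
        missing = [f for f in REQUIRED_FIELDS if not getattr(a, f)]
        if a.criticality and a.criticality not in CRITICALITY_LEVELS:
            missing.append("criticality(invalid)")
        if missing:
            report.incomplete[a.name] = missing
        if a.name not in logging_hosts:
            report.silent.append(a.name)
    # Anything the scanner found that is not in the inventory is an asset nobody "knows".
    report.unknown = sorted(set(scanned_hosts) - inventoried)
    return report


# Constructed sample data (hypothetical hosts and zones).
SAMPLE_INVENTORY = [
    Asset("web-01", "dmz", "customer portal", "high", "ecommerce team"),
    Asset("db-01", "internal", "orders database", "critical", "ecommerce team"),
    Asset("jump-01", "internal"),                       # nobody filled in the record
    Asset("lab-07", "lab", "test bench", "low", "r&d"),  # lab is outside the perimeter
]
SAMPLE_PERIMETER = {"dmz", "internal"}
SAMPLE_SCANNED = {"web-01", "db-01", "jump-01", "printer-3"}
SAMPLE_LOGGING = {"web-01", "jump-01"}

if __name__ == "__main__":
    r = check_inventory(SAMPLE_INVENTORY, SAMPLE_PERIMETER, SAMPLE_SCANNED, SAMPLE_LOGGING)
    print("incomplete records:", r.incomplete)
    print("unknown hosts     :", r.unknown)
    print("silent in-scope   :", r.silent)
    print("out of scope      :", r.out_of_scope)
```

The "silent" list is the one that usually hurts: an asset that is inventoried, critical, and invisible to the SIEM is exactly the thing a SOC will be blamed for without ever having had a chance to see it.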
Budget
A budget must be determined by considering the different aspects highlighted during the governance phase. It must cover the entire triangle: human resources, processes and technology, and it must be proportional to the missions and perimeter entrusted to the SOC if the latter is to be efficient. Note that we listed humans first.
Tools
The tools made available must be able to fulfill the various missions defined above. Do not hesitate to evaluate the different tools on the market, and do not neglect the “support” workload, i.e. the effort required to set up, maintain and develop the tools.
The budget must also include training (internal or external) so that the users of these tools are able to use them efficiently, both with the version bought and with its successive versions (which may bring enhancements, you know).
Human resources
It is important to provide an interesting and motivating work environment. This ranges from the corporate culture to the personal development of the employee. Keeping an employee happy is much simpler and more profitable than having to hire replacements, train them, and thus fall into a vicious circle. The human element is crucial to the success of a SOC and is often underestimated.
A major factor in SOC turnover is “alert fatigue”, when there are too many alerts per person. The number of alerts must be kept reasonable at all costs; otherwise they will never be processed conscientiously, and the result will be worse than with fewer but more relevant alerts. There are mainly two strategies to address this point. The first is to reduce the number of alerts, and the second is to help analysts with tools that automate recurring actions.
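The following is an added example (not from the thesis or SCRT’s tooling) of both strategies applied to a constructed batch of SIEM alerts: suppression of a known-benign source, aggregation of repeated alerts on the same entity within a time window, and automated enrichment with the asset criticality the analyst would otherwise look up by hand. The rules, hosts, IP addresses, the allowlisted scanner and the staffing figure are all hypothetical; the last function turns the result into the "alerts per analyst per hour" figure the paragraph above is about.

```python
"""Cut alert volume by suppression and aggregation, then measure the effect.

Added example, not SCRT's code. Alerts, allowlist, criticality table and
staffing numbers below are constructed for illustration.
"""
from datetime import datetime, timedelta

T0 = datetime(2023, 3, 1, 9, 0)


def _alert(minutes, rule, entity, src):
    return {"ts": T0 + timedelta(minutes=minutes), "rule": rule, "entity": entity, "src": src}


# Constructed raw alerts for one hour, roughly as a SIEM would emit them.
RAW_ALERTS = [
    _alert(0, "port_scan", "dmz", "10.0.0.5"),       # authorised vulnerability scanner
    _alert(5, "port_scan", "dmz", "10.0.0.5"),
    _alert(10, "port_scan", "dmz", "10.0.0.5"),
    _alert(15, "port_scan", "dmz", "10.0.0.5"),
    _alert(1, "brute_force", "bob", "203.0.113.9"),  # one burst against user bob
    _alert(2, "brute_force", "bob", "203.0.113.9"),
    _alert(3, "brute_force", "bob", "203.0.113.9"),
    _alert(4, "brute_force", "bob", "203.0.113.9"),
    _alert(20, "malware_beacon", "ws-17", "ws-17"),
    _alert(30, "port_scan", "dmz", "198.51.100.7"),  # unknown scanner: keep it
    _alert(40, "brute_force", "bob", "203.0.113.9"),  # later, separate burst
]

# Hypothetical allowlist of (rule, source) pairs known to be benign.
ALLOWLIST = {("port_scan", "10.0.0.5")}
AGG_WINDOW = timedelta(minutes=10)
# Hypothetical criticality lookup that an analyst would otherwise do by hand.
CRITICALITY = {"bob": "medium", "ws-17": "high", "dmz": "high"}


def suppress(alerts, allowlist):
    """Strategy 1a: drop alerts whose (rule, source) pair is known to be benign."""
    return [a for a in alerts if (a["rule"], a["src"]) not in allowlist]


def aggregate(alerts, window):
    """Strategy 1b: fold repeats of the same (rule, entity) within `window` into one alert.

    A repeat extends the open group if it falls within `window` of the group's last
    alert; otherwise a new group is opened, so two distinct bursts stay distinct.
    """
    open_groups = {}
    out = []
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["rule"], a["entity"])
        g = open_groups.get(key)
        if g is not None and a["ts"] - g["last"] <= window:
            g["count"] += 1
            g["last"] = a["ts"]
        else:
            g = {"rule": a["rule"], "entity": a["entity"], "first": a["ts"],
                 "last": a["ts"], "count": 1}
            open_groups[key] = g
            out.append(g)
    return out


def enrich(groups, criticality):
    """Strategy 2: automate the recurring 'how important is this entity?' lookup."""
    for g in groups:
        g["criticality"] = criticality.get(g["entity"], "unknown")
    return groups


def alerts_per_analyst_hour(n_alerts, analysts, hours):
    """The load figure behind alert fatigue: alerts each analyst must handle per hour."""
    return n_alerts / (analysts * hours)


def triage_pipeline(alerts=RAW_ALERTS, analysts=2, hours=1.0):
    """Run the whole chain and return (groups, load_before, load_after)."""
    kept = suppress(alerts, ALLOWLIST)
    groups = enrich(aggregate(kept, AGG_WINDOW), CRITICALITY)
    before = alerts_per_analyst_hour(len(alerts), analysts, hours)
    after = alerts_per_analyst_hour(len(groups), analysts, hours)
    return groups, before, after


if __name__ == "__main__":
    groups, before, after = triage_pipeline()
    for g in groups:
        print(f"{g['rule']:<14} {g['entity']:<6} x{g['count']:<2} criticality={g['criticality']}")
    print(f"load per analyst-hour: {before:.1f} -> {after:.1f}")
```

Note the window semantics: the second burst against "bob" at 09:40 is more than ten minutes after the end of the first one, so it stays a separate alert. Collapsing everything on the same entity for the whole day would hide exactly the "attacker came back" signal an analyst needs.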
Data
Data volume is an emerging problem that will grow over time, as the data becomes both bigger and more diverse. Integrating artificial intelligence will become necessary to help deal with it. However, it should not be forgotten that experts will still be needed to understand incidents and drive their resolution.
Regular review
Finally, for an effective SOC, the various points above must be regularly reviewed. It is good to start from governance every time, to check whether the situation has changed, before focusing on the recurring pain points. Breathe and keep a higher perspective. Recognising your progress and successes is also very important.
In order to test your SOC, it is very interesting to ask for simulated attacks on a regular basis (cf. continuous pentesting). This will allow you to locate potential gaps in SOC coverage, whether in detection, in processes or in what goes to production, and update them accordingly.
Do not hesitate to develop KPIs tied to your own challenges. Their accuracy makes them a powerful tool for the governing committee to see what was achieved and to make informed decisions about reviewing expectations or granting additional means.
If you are interested in having a more detailed reading, or to get help on how to manage all those aspects, you can contact SCRT for guidance. We will be happy to help you and improve your overall security posture!