Last updated at Thu, 28 Sep 2023 20:24:50 GMT

The threats we all hear about today aren’t new. They also aren’t going away, but they are evolving. Hackers have existed for many years, and so too have our defenders. What has and is changing is the tactics used to defend against increasingly complex threats. And it’s on our security operations centers (SOCs) to batten down the hatches and sound the alarms, but are they enabled and prepared to do so?

While we have many ideas on how SOAR is the next generation in defense, we wanted to get the down-low straight from the SOC experts themselves on what SOCs can do to stay ahead — and how organizations can enable them to do so.

Pulling back the curtains, meet the four security experts we interviewed:

Mike Reiter
Threat Detection & Response Manager at a government-sponsored enterprise
Craig Chamberlain
Director of Security Research at Acquia
William Racsek
Senior Incident Response Analyst at Fannie Mae
Josh Liburdi
Security Technologist at Sqrrl

1. The Question: In your own words, how do you define the purpose of a Security Operations Center (SOC)?

The Expert: Mike Reiter
Mike’s Answer: A security operations center is the first line of defense for an organization from a security perspective. With eyes on glass, they are responsible for monitoring alerts, triaging, and escalating possible incidents.

The Expert: Craig Chamberlain
Craig’s Answer: Security operations centers are the operational half of a security or engineering organization. They should be concerned with things that require immediate attention, such as alert handling and incident response, in order to make the enterprise more secure. However, many SOCs take the term “operations” too literally, and SOC personnel end up being technicians, making firewall changes and implementing security products instead.

Given how expensive and scarce security resources are, these tasks should be pushed back to network or technical admins so SOC personnel can focus on response and protecting the organization.

The Expert: William Racsek
Will’s Answer: A security operations center is responsible for protecting an organization from cyber-related attacks. Think of them as the fire department: while there may not be a fire to fight every day, that doesn’t mean you don’t need a fire department. The same goes for a SOC. Something will happen, and they are there to protect the organization when it does.

The Expert: Josh Liburdi
Josh’s Answer: A security operations center is an organization’s early warning system for threats. Whether the SOC has one or many people on the team, it’s their responsibility to identify, review, and escalate activity that may threaten an organization. Many SOCs start off as a one-person team and later grow to a centralized group as the organization grows.

2. The Question: When is the right time for an organization to establish a security operations center?

The Expert: Craig Chamberlain
Craig’s Answer: This is a governance question that hinges on many factors including risk management; generally accepted standards and practices in the sector; brand valuation and brand damage risks; regulatory or compliance mandates; and occasionally, insurance considerations.

The Expert: Mike Reiter
Mike’s Answer: While I’d love to say a SOC should be started immediately, realistically it should be as soon as the company has something of value to protect and the budget and strategy to implement it. If you’re in retail, for example, and responsible for protecting customer data, you should begin actively protecting that data immediately, and a SOC can do that.

The Expert: William Racsek
Will’s Answer: When a company has something of value that it can’t lose, or can’t afford to lose, such as customer data, company IP, the brand, or even code, it must be able to protect that. SOCs help define what to do when you’re attacked, but unfortunately, by the time companies actually implement a SOC, it’s often too late. In most cases, it takes a real breach to happen in order to pull the resources together and take security operations seriously.

The Expert: Josh Liburdi
Josh’s Answer: Companies need a SOC early on, a lot earlier than most companies think. It comes down to the amount of risk an organization is willing to accept given today’s advanced threats by cybercriminals and hacktivists. Organizations need to recognize security risk early on, codify security into their business strategy, and then develop a SOC to support it. Unfortunately, most don’t realize this until after they are hacked or compromised.

SOCs also become necessary in managing the data that firewalls, antivirus, network monitoring, and other security instruments create. Companies can’t just buy threat detection tools and collect log data and think that’s a black box solution — there is an important human component that needs to be involved in looking at the data to detect threats.

3. The Question: What are some of the most common mistakes you see organizations make in either implementing or managing their SOC?

The Expert: Craig Chamberlain
Craig’s Answer:

Here are some of the major areas of improvement for SOCs:

  • Lack of understanding of what a modern security organization looks like: Many companies still think that if you write a big enough check to get the next generation tools, they’ll be impregnable. Instead, they should employ the right people who can detect and respond to threats using data from these tools.

  • Administrative work deters fast response times: In some cases, operational work becomes so overwhelming that it blocks security personnel from performing important functions like investigating and hunting threats. This increases dwell times since SOCs don’t have time to actively find threats.

  • Alert fatigue: Some enterprises spend on products versus people at a very high ratio, resulting in a menagerie of dozens of untuned security tools emitting a flood of alerts that exceeds what human analysts can process and sort. The end result is alert fatigue and skill atrophy, ultimately leading to canonical security disasters.

  • Emphasizing process over results: When organizations require too many or too strict of processes, SOCs are unable to follow their instincts and chase real threats, destroying their threat-hunting abilities. Documentation becomes a distraction, and there is no substitution for hard knowledge.

The Expert: Mike Reiter
Mike’s Answer: A mistake many companies make is investing in tools before they invest in people. What happens is companies will purchase and install tools without anyone knowing how to use them.

Without people on the team to evaluate and then use these tools, organizations end up buying tools either to check a checkbox or because of a great vendor pitch, but will end up having to rip them out later when they learn that’s the wrong approach. The best approach is to start by identifying security gaps and then build detection around that using people, technology, and processes.

The Expert: William Racsek
Will’s Answer:
These are some of the biggest areas of improvement for SOCs:

  • Thinking someone else can do security better: Companies need to choose wisely if they decide to outsource, otherwise it can be a huge mistake. Most companies who outsource quickly realize that they don’t get the same level of commitment to security as they would in-house. For example, if a company gets breached, they have everything to lose, whereas their MSSP will lose just that one customer. When the stakes aren’t the same, that can be dangerous.

  • Not being prepared with the right processes and procedures: Processes and procedures can be easily written down on paper, but they don’t always work in a real scenario. SOCs need to ensure that the right processes are in place, that they’re actionable and memorable, and that there is team buy-in.

  • Getting ahead of themselves when it comes to technology: Companies get really wrapped up in the next great tool that can solve all their problems without first putting in place core technologies like logs and network captures. Void of those, the new tools (which are all based on these core tools) won’t do much for you.

The Expert: Josh Liburdi
Josh’s Answer: There is a very big need for people with security skillsets to be able to detect and respond to incidents. To meet that need, companies should look to hire not only people with IT backgrounds, but college grads who majored in InfoSec. Recent grads have a good sense of the current threat landscape and are also moldable, meaning able to learn fast and fit in with the organization quickly. Another opportunity is to invest more in the current people on your team.

Many companies treat lower-tier security analysts as a commodity. However, these are the people who can rise to lead future incident response if they have the right training.

4. The Question: Are SOCs any more or less important today than in the past?

The Expert: Mike Reiter
Mike’s Answer: SOCs are definitely more critical today. A lot of data is moving to the cloud, and SOCs are able to monitor where that data is at all times, keep logs of it, and respond if there is a breach to that data. Without a security team constantly involved in those processes, companies will be in big trouble.

The Expert: Craig Chamberlain
Craig’s Answer: Good SOCs are probably more critical than in the past given how many predators are operating today. There was an age where security was inexpensive, simple, and rarely a problem, so token or simplistic security programs worked. These days that is not the case.

Almost any organization today seems to be having a security incident, which is a good indicator that companies need modern capabilities like analytics, threat hunting, incident response, etc., and probably even more so in the future. The question is if everyone can do that, with the negating factor being the talent shortage.

The Expert: William Racsek
Will’s Answer: Absolutely, and as each day passes, this becomes more and more true. Companies are trying to keep up with customer demands by developing and releasing products as quickly as possible, and defenders need to be one step ahead to make sure security is keeping up with that pace, because the attackers are.

The Expert: Josh Liburdi
Josh’s Answer: SOCs aren’t necessarily more or less critical than in the past, but they might seem more critical today with more people paying attention to the threat landscape. Threats have been around for a very long time, but the thing that has changed is our ability to respond to and mitigate the risks they pose to us. In the past, threats were things like email worms. Today, it’s email worms in the form of ransomware, and the tactics need to evolve to detect and mitigate those threats.

5. The Question: Should organizations outsource a SOC? When is the right time to bring it in-house?

The Expert: Mike Reiter
Mike’s Answer: A lot of times it comes down to budget, time, and resources. Outsourced managed security service providers (MSSPs) can be a cost-effective option if companies can’t afford a full staff. Or, if they can only afford to staff a SOC for 40 hours a week but need 24/7 coverage, an outsourced SOC can be useful. Other times, companies outsource if they need help building the SOC in the first place.

While outsourcing can work, companies with valuable intellectual property need a plan to eventually transition the SOC internally.

The Expert: William Racsek
Will’s Answer: Outsourcing to an MSSP can be a good strategy early on if you need to get something in place, but you also need a plan to move that function in-house. Most companies realize this, but they don’t actually plan for how to bring it in-house. Start by setting up a way to measure the service they’re providing to determine if what they’re doing is working or not. If it’s not, those metrics can help get you out of a contract and move the SOC in-house.

The Expert: Josh Liburdi
Josh’s Answer: For organizations with one or a few individuals in a security role and not yet ready to build an entire SOC team, an outsourced SOC team can help to beef up security operations in the meantime.

We’d like to extend a huge thank you to Mike, Craig, Will, and Josh for offering such detailed and actionable advice! From planning for the differences in today’s threat landscape, to putting people and processes first, to optimizing in-house security talent, there is a lot for organizations to learn to ensure SOCs accomplish exactly what we all want them to do — keeping our adversaries at bay and our data and businesses safe.

If you're looking to get started with a SOC, we have a blog post with in-depth information on how to set up and build one. Check out the post here: How to Structure and Build a Security Operations Center.

Learn more about Rapid7's Managed SOC Services