Last updated at Thu, 11 Jan 2018 15:31:47 GMT
You have your security operations center (SOC) in place, now what?
Creating a SOC is not a cheap undertaking, so to be sure your investment in people and resources pays off, your next task is to make it as efficient as possible. Efficiency drives time-to-response, and with intrusion detection and incident response, optimizing for this metric is crucial. Over the long term, it also becomes more cost-effective.
I’ve seen the good, the bad, and the ugly during my time working as an analyst in a SOC — from grueling rotation schedules to thrown together processes to a lack of communication. But ultimtately, too much manual and repetitive work was what really bogged us down the most. That's also where the largest ineffiencies existed.
So, here are the seven ways to reduce inefficiency in your security operations center, and my advice on how to make them better:
1. Reduce Alert Overload and False Positives
You’re probably no stranger to alert fatigue and weeding through a bunch of false positives. With so much to review, and most of it useless, where do you start, how can you be accurate, and can you ever get ahead?
How to Optimize:
You or your team shouldn't be spending time manually reviewing every alert, especially if your alerting tools aren’t tuned to weed out false positives. On top of fine-tuning your security tools to reduce false positives, you can also use orchestration and automation to reduce the amount of manual effort required to investigate alerts.
Automating alert triage can take manual work out of the equation, freeing up your team’s time to focus on deeper forensics and analysis, response and remediation, and alerts that actually indicate a problem. With security orchestration and automation, you can streamline alert detection, investigation, data enrichment, and response with little to no human intervention. This will both minimize alert fatigue and lead to a faster time-to-response.
2. Get Your Security Processes In Order
Security processes are what tie together the people and technology on your team, helping to define who should do what and when. Having too many processes, especially if your team is still small, can bring productivity to a screeching halt. But with too little process, you may quickly find your team scrambling each time a threat arises. So how do you create just the right amount of process?
How to Optimize:
Rather than making a process for everything at once, prioritize the most impactful processes that handle the threats that affect your organization most. Two important processes all teams should have in place are intrusion detection (ID) and incident response (IR).
Consider all the tools and tasks involved in those processes, and formalize what an incident handler should do when a security event is detected.
- How is the team notified?
- What is the criteria for escalation of an event to an incident?
- What does the investigation and response process entail?
- What do remediation efforts look like?
Start with a framework like this, and build out similar processes as needed (For more advice on how to create security processes, see our eBook).
Once you have a well-defined process with a repeatable set of steps, the next natural step is to orchestrate and automate it. While processes can bring about efficiencies on their own, there may still be steps that are repetitive and low-level that take up too much of your team’s time (with little excitement), such as creating tickets or looking up an IP.
Eliminating these tedious tasks can shift your team’s focus to threat hunting or responding to incidents faster, for example, all while increasing productivity and making your team more cost-effective.
It then makes sense, once you’ve found the right order which works best for the organization, to document each process making them easily accessible and clear. To be effective, security processes must be visible, clear, and easy to follow. First, determine what metrics are important. If processes already exist, are they well-documented? Making sure documentation is clear and accessible for both existing and new employees can help to ensure they’re followed.
3. Streamline Team Communication
The very foundation of a SOC can begin to crumble without a central place for team members to communicate proactively and openly. If your analysts and incident responders, for example, don’t have a cohesive way of communicating about new threats, tasks, questions, and metrics, they can feel isolated and unsupported.
In a worst case scenario, errors become frequent, overlap in tasks begins to occur, and compromises slip between the cracks. So how can you enable better communication, especially if your team is remote, large, or already overburdened?
How to Optimize:
Find a tool that your entire team can use to communicate information and requests fast. Slack and Hipchat are great examples of this. Here, you can create different channels for different purposes to streamline communications.
For example, one channel can be for reporting threats where all team members are invited and can submit threats (e.g. phishing) and another channel can be for reporting where just your SOC analyst and incident responders are involved and can discuss how to respond to each security event.
Having dedicated channels to discuss specific parts of security can help drive efficiencies and provide necessary visibility, especially when coupled with effective processes.
4. Optimize for Draining Rotation Schedules
Rotation schedules can be taxing on security teams. Many SOCs have a 24/7 rotation schedule, requiring team members to be on call for 12-hour shifts, even on the weekends. Worse, these schedules can change frequently, so one week an analyst may be on call from 7am-7pm and the next week they’re on a 2pm-2am schedule.
How to Optimize:
Many of the tasks your on-call team is doing in their 12-hour shift could be automated. With the low-level tasks automated, you cut down on the length of on-call shifts and reduce the amount of alerts they need to investigate manually. Quite often the alerts they’re triaging are either false positives or low severity, so it’s best to let a machine pick up the slack here.
Bonus: By working smarter, your team will get to focus on more rewarding tasks, thus reducing turnover, which helps solve for the security talent crunch we’re facing today.
5. Add a Reporting Capability
At the end of the day, your executive team needs to know how effective security efforts are, especially if they’ve dedicated a big part of the company’s budget to the SOC. Otherwise, you could have a hard time securing the necessary budget going forward.
SOCs need to report on time-to-response, the effectiveness of new initiatives, and even how other teams across the organization are implementing security measures. Whether you’ve done these reports before or not, you can imagine how time-intensive they are. Manual and repetitive, reporting is a task your team should look to optimize.
How to Optimize:
First, determine the metrics that are important to your security organization's success. A few to consider:
- Volume of Events
- False Positive Ratio
- Headcount to Ticket Ratio
- Time to Detection
- Time to Response
Next, implement a dashboard for reporting. Reports done by email can be messy and often don’t get the visibility they need. With a centralized dashboard with ability to customize, you not only get a standardized template for reports (making input much faster) but all security stakeholders across the organization get the visibility they need when they need it.
With reporting in place, automation can pull in the metrics you choose and create a customized report, taking a lot of manual effort out of the equation.
6. Encourage Professional Growth
While new employees look forward to getting ahead, they are often thrown to figure out processes and tribal knowledge on their own. There isn’t always a mentor present to help them. Many are entry level employees with no practical experience in infosec. For those that do stem from a background in the field, generally there aren’t clear paths for growth in organizations.
How to Optimize:
Whether it’s career growth, new training, or certification reimbursement, providing your team members with ways to learn new skills is essential to the long-term success of the SOC. This helps to ensure team members are working on truly meaningful work, which can go a long way in terms of productivity and job satisfaction. And ultimately, encouraging professional growth will also keep your employees happy, so they’re less likely to leave the company.
7. Orchestrate and Automate
Security teams today operate in a space requiring them to adapt to inevitable changes. With constant threats and a growing number of attacks every day, teams spend too much time sorting through alerts and other tedious tasks that come their way. On top of this, they’re doing this manual work across unconnected systems. All things combined, these factors ultimately slow incident response and possibly lead to higher margin of error.
How to Optimize:
To extract the most value from your security tools, orchestrate and automate them. Orchestration connects your security tools into a single pane of glass, ensuring they’re all working together cohesively. Then, automation can streamline workflows between tools to eliminate manual, tedious tasks and free up time to work on higher value tasks. With Komand, for example, you can orchestrate and automate in one.
Optimizing Your Security Operations Center
You’ll never be able to get ahead of the curve if your team has to manually go through every step in the response process. It’s simply too slow for today’s breed of threats. To do things better and faster, you need to optimize.
Start with the above ways to optimize your security operations center. Remember to also leave the door open for feedback from your team so that you can continuously optimize other processes and workflows, and guarantee the best possible outcome for your company, your team, and your security posture.
For more ways to optimize your SOC, take a look at our security automation best practices ebook. It's a free resource on when, where, and how to add automation to your security operations. You can download the guide here.