Building or selecting the right provider for a 24/7 incident detection and response (IDR) operation can be a daunting task. You want to make sure you’re getting the most from your investment—and that your analysts have the visibility, technology, and structure they need to perform. Whether you’re looking to add coverage or are experiencing challenges with your existing security operations center (SOC), here are some key things to consider at a high level. To dive deeper, check out my most recent webcast:
Security operations center fundamentals: Where to start
Before taking any specific steps, I recommend having solid answers to the following questions:
- Am I ready for a SOC? Rapid7 measures security programs based on their maturity. In the webcast, I map out the capabilities and implementations associated with the core areas of IDR programs to help you estimate your own rough maturity level. If your program sits at one of the first two levels, you may want to consider investing in areas of preparation and prevention instead of a 24/7 SOC. If you have already implemented those areas, then a SOC is probably right for you.
- What are the goals of my security programs? Even with outsourcing, the cost of a 24/7 SOC is significant. Ensuring that you know the goals of your security programs and overall business will help you select a provider that best aligns with what you’re trying to achieve.
- Should I build or buy? Factors to consider include budget, geography, ability to acquire and retain talent, the uniqueness of your detection and response needs, and executive/board buy-in, among others. Most organizations will end up selecting an incident detection and response service provider due to the cost and effort involved with building this capability in-house.
How a SOC can help you reach your security goals
With the answers to those questions in hand, let’s take a look at the five capabilities that a SOC should bring to the table in order to accomplish your goals:
- Preventing known threats from materializing: The SOC must own the threat prevention plan and strategy. In most cases, the SOC can offload a significant amount of day-to-day work simply by leveraging prevention technology effectively. Though there is no technology silver bullet that will solve every problem, good prevention technology removes repetitive and monotonous tasks from your analysts’ plates, which lets you use technology and people where each is best suited.
- Detecting threats: Since we have already acknowledged that there is no technology silver bullet, you must supplement your prevention technology with a mix of people and incident detection technology to detect any threats that move through the prevention layer. This is why you invest in a SOC.
- Threat hunting: The market is full of different interpretations of “threat hunting.” For the purposes of this article, let’s just define it as analysts having access to data to identify threats that were missed by the prevention and detection technology. To be successful here, analysts need two things: data and strong query and data visualization technology. The rest is analyst creativity in finding threats.
- Threat validation: Just because the technology says there is a threat doesn’t always mean there is one. Further, when multiple threats are affecting you at the same time, you need to be able to prioritize your response based on potential impact to the business. In order to effectively validate and assign criticality to a threat, SOC analysts need visibility into endpoints, networks, and logs. If you’ve invested in technology to provide prevention and detection on the endpoint, network, logs, and external services, the team already has what it needs to perform validation. Simply add processes and some business metrics around prioritization and criticality, and your SOC has the data it needs to make business-focused decisions.
- Incident response: When a bona fide threat has been identified and confirmed, it’s time for a response. The right people, technology, and process will ensure you can fully execute technical analysis, but the authority to take action is a critical requirement that is far too often forgotten. In order to be successful in preventing a threat from causing material damage to the business, the SOC needs the authority to take action against a threat.
Set your SOC up for success: What to have in place
To be effective in the five critical SOC functions outlined above, your team will need the following:
- Technology that gives analysts visibility and data processing power.
- Training to understand the threats and the tools they have at their disposal. Remember, the threat actors will evolve, and ongoing informal and formal training is required to maintain skills.
- Metrics to measure how well analysts are performing. Measuring only time to close encourages analysts to close alerts as quickly as possible; a more meaningful metric such as time to remediate threats promotes a focus on quality and on eliminating threats before they cause material damage to the business.
- Authority to act on threats quickly. Far too often, the SOC does not have the ability to affect IT infrastructure, which results in threats being active in environments for longer than necessary. With the appropriate authority, the SOC can significantly reduce the impact of a threat.
- Effective people management to ensure analysts have the tools they need to be successful today and a path for generating additional value for the organization as they mature as professionals.
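As an added illustration of the metrics point above (example code written for this post's editing pass, not from Rapid7 or the webcast), the script below computes time to close and time to remediate over a handful of constructed alert records and lists the true positives whose ticket was closed while the threat was still active. The record layout (detected, closed, remediated, verdict) and the alert data are assumptions made for the example.

```python
from datetime import datetime
from statistics import median

# Constructed sample alert records (illustrative only, not data from the article).
# "closed" is when the analyst closed the ticket; "remediated" is when the threat was
# confirmed eliminated, or None if that never happened or the alert was a false positive.
ALERTS = [
    {"id": "A-1", "verdict": "true_positive",  "detected": "2024-03-01T08:00",
     "closed": "2024-03-01T08:15", "remediated": "2024-03-01T09:30"},
    {"id": "A-2", "verdict": "false_positive", "detected": "2024-03-01T09:00",
     "closed": "2024-03-01T09:10", "remediated": None},
    {"id": "A-3", "verdict": "true_positive",  "detected": "2024-03-01T10:00",
     "closed": "2024-03-01T13:00", "remediated": "2024-03-01T12:45"},
    {"id": "A-4", "verdict": "true_positive",  "detected": "2024-03-01T11:00",
     "closed": "2024-03-01T11:05", "remediated": None},
    {"id": "A-5", "verdict": "false_positive", "detected": "2024-03-01T12:00",
     "closed": "2024-03-01T12:30", "remediated": None},
    {"id": "A-6", "verdict": "true_positive",  "detected": "2024-03-01T14:00",
     "closed": "2024-03-01T14:20", "remediated": "2024-03-02T14:20"},
]


def _minutes_between(start: str, end: str) -> float:
    """Elapsed minutes between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 60


def time_to_close_minutes(alerts):
    """Minutes from detection to ticket closure, for every alert (the 'fast closer' metric)."""
    return [_minutes_between(a["detected"], a["closed"]) for a in alerts]


def time_to_remediate_minutes(alerts):
    """Minutes from detection to confirmed remediation, for true positives that were remediated."""
    return [
        _minutes_between(a["detected"], a["remediated"])
        for a in alerts
        if a["verdict"] == "true_positive" and a["remediated"] is not None
    ]


def closed_while_threat_active(alerts):
    """IDs of true positives whose ticket was closed before, or without, remediation.

    These are the cases where a time-to-close metric looks healthy while the
    threat was still live in the environment.
    """
    flagged = []
    for a in alerts:
        if a["verdict"] != "true_positive":
            continue
        if a["remediated"] is None:
            flagged.append(a["id"])
        elif datetime.fromisoformat(a["remediated"]) > datetime.fromisoformat(a["closed"]):
            flagged.append(a["id"])
    return flagged


def metrics_summary(alerts):
    """Side-by-side view of the two metrics plus the gap between them."""
    ttc = time_to_close_minutes(alerts)
    ttr = time_to_remediate_minutes(alerts)
    return {
        "median_time_to_close_min": median(ttc) if ttc else None,
        "median_time_to_remediate_min": median(ttr) if ttr else None,
        "true_positives": sum(1 for a in alerts if a["verdict"] == "true_positive"),
        "closed_while_active": closed_while_threat_active(alerts),
    }


if __name__ == "__main__":
    for key, value in metrics_summary(ALERTS).items():
        print(f"{key}: {value}")
```

On the constructed data the median time to close is under twenty minutes, while the median time to remediate is several hours, and three of the four true positives were closed while the threat was still active; reporting only the first number would hide the second and third.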
Each of the five capabilities and five enablers is likely worth its own blog post, but lucky for us, Rapid7 has a webinar that covers them. Check out the corresponding webcast to dive deeper into this topic, and be sure to tune in to the rest of the IDR webcast series over the next few months.