Channel: Symantec Connect - Blog Entries

Security Operations Centres – The eternally reinvented wheel


As Cyber threats and the awareness of the risks these bring hit ever new heights, organisations are looking to move beyond the confines of protection alone to the much wider cycle of cyber security – namely: Prepare, Protect, Detect, Respond and Recover.

Many models are pulled together in the NIST cyber security standard to reflect this shift, with the critical part being the ability to monitor and detect attacks right across the organisation; not just investing in technology to defend against attacks, but looking at the most effective ways to detect and respond.

That is encouraging more and more companies to look at building Security Operations Centres (SOCs). Yet a severe shortage of Cyber Security expertise is serving to undermine this and impeding the drive to have true visibility of their estate. At the same time, many people seem to be starting from scratch and reinventing the wheel as they start to build their monitoring services. This is why at Symantec we’re seeing limited value and improvement in detection, even though we are all trying to achieve the same outcome. Naturally enough, everyone wants to ensure they build in the appropriate detection that provides the right context for their organisation – but that means everyone is repeating the basic level of organisation over and over again. It’s both wasteful and unnecessary.

Having worked in or around this area for over 15 years, I’m disturbed to see so many organisations spending their time, effort (and money!) on ‘Groundhogging’ the same basic elements of the function, rather than focusing on the areas where they can make the difference. 

How do you set about that? There are many complicated SOC architectures, but really you can boil the function down into three core areas (I’m simplifying this to the areas in the detection and response process, rather than including service desk or back-end processes).

[Figure: SOC function diagram (Sian John)]

At present, much of the effort in organisations seems to be directed into building log collection and analysis. There’s lots of work for security consultancy firms in helping organisations to design and build a SOC, including the SIEM service. However, this is often porting the rules from one company to another. Many of the core rules required are the same. Where the differentiator comes into play is in the analyst looking at the actual attacks.

Many traditional NOC (Network Operating Centre) based solutions were staffed by experts in detecting and responding to service interruption and quality events. This is a very different skill to security analysts who are able to build expertise in detecting and filtering events to determine if they are real, and provide context and insight into the outcomes. Analyst skills are very hard to come by and, if you don’t have enough events to keep them interested, then those in your organisation will fall into spending their time on special projects, including ‘tinkering’ with your SIEM rules. If focused completely on responding to events, they will either become frustrated by the false positives and ‘noise’ or bored because there are not enough interesting events to analyse. They are also vulnerable to offshoring and may become protective around this.

This is where MSSPs can provide a difference. Working with many customers, they have evolved their platforms to filter noise from security devices to the minimum, identifying possible incidents that can then be validated and escalated by experienced analysts.

The triage area is where the value really starts to come to the fore. If you hire analysts, this is where you should focus them: responding to alerts escalated by an MSSP, but then truly understanding the business and structure of the organisation. They should become close to, and expert in, the systems that run an organisation, so they can focus on whether this needs to be escalated to a full incident response procedure or remediated by operational changes. If an internal SIEM and intelligence is required, this is where it can provide value as an investigative platform for the triage team, as they evaluate and decide on the right response to issues arising, which can then be escalated to the incident management or response team.

The incident management team is the most important to the business, understanding and advising the CISO, and the company management, on the impact and appropriate response.

The higher up this stack you go, the more value you provide to the organisation. Much of the expertise at the bottom end has been refined by the MSSP and monitoring services that have existed and matured over nearly 20 years. If you are big enough, it may warrant your own SOC; but using an outsourced provider initially gives you a quick start, delivering value much earlier in the project.

So, when we start building a SOC, why reinvent the wheel? Instead of beginning at stage one, get a head-start by outsourcing the lower tier – and thus concentrate on building the higher level and higher value functions.

