Most Overlooked Areas of SOC Productivity Optimization

Co-authors: Ema Rimeike and Fernando Mejia

Image source: Base Technologies

Every Security Operations Center (SOC) is supported by three essential elements that align with almost every security framework, including ISO 27001:

1) Technology

2) People

3) Processes

The usual assumption is that the relationship between the above elements and the SOC exists by default. If that were the case, no business would be challenged by the shortage of security talent, even though the latest research reveals that the gap seems to be closing for the first time (Source: Infosecurity Magazine), or by SOC turnover, which according to Ponemon is at 30% on average and reaches as high as 50% (Source: CriticalStart).

Technology is key to a successful SOC and helps it stay on the ball when it comes to threat intelligence, security posture visibility, vulnerability management, detection, response, deep learning and so on. A Gartner report points out that developments in the security operations area continue to trend toward more self-sustaining technologies that require less-skilled workers; on the other hand, more complex cyber incidents require specialist knowledge (Source:

Too much technology investment creates another set of challenges: there simply aren't enough resources to manage and monitor multiple panes of glass. As a result, some technology investments are under-leveraged because the staff either is not trained to use them or does not have enough hours in the day to monitor them. Yet the under-leveraged technology may still be generating data, which adds to the well-known alert fatigue challenge, one of the main reasons your security talent suffers from burnout and may churn.

The most effective and efficient security programs are the ones that leverage existing resources in more productive ways.

(Source: SANS)

Let's touch on SOC processes briefly. When was the last time you tested the resilience of your SOC processes in a critical moment? Are you addressing process bottlenecks such as manual data input, man-hour-intensive reporting, lack of actionable information, unclear incident categorization, alert fatigue and incident overload, or inadequate preparation, training or experience?

There are cases where processes create double or triple bottlenecks. For example, triaging an incident and trying to pull all related information together to paint a picture of the broader compromise is time-consuming and complicated on its own. Add another bottleneck: not enough visibility into your own environment to help your SOC team map out the impact of the breach. Let's add a third bottleneck: the need to manually, or partly manually, record and amend the incident details on a SOAR (Security Operations, Automation and Response) platform or any other platform your SOC team may be leveraging. All this under strict SLAs!

ESG research indicates that manual processes, skills shortages, and technology integration gaps make it extremely difficult to prioritize and respond to cybersecurity incidents in a timely manner.

Because the SOC covers other complex areas such as regulations, standards and compliance requirements that are traditionally considered at the Strategical Level, the key elements of the SOC (people, technology, processes) are often overlooked. Remember, the SOC is your Business Risk Dashboard. SOC productivity optimization has a direct impact on your business continuity and resilience, as evidenced by a number of third-party research reports. It's time to rethink the traditional approach!

What we offer here at Quantum Cybersecurity Skills are SOC optimization success recipes based on ‘Back To Basics’ action. We suggest analyzing each key element of the SOC across the main organizational verticals, which include:

1. Operational Layer

2. Tactical Layer

3. Strategical Layer

Our SOC optimization approach seeks to reinforce and accelerate the positive impact and potential that people, technology and processes have on day-to-day SOC operations, with the aim of better aligning with and supporting business needs. The outcome is taking full advantage of your SOC in the areas below:

1. Data management

2. Consulting and security posture

3. Business continuity and growth

Fig. 1: General diagram of the SOC verticals that addresses the proposed approach for SOC productivity optimization.

Source: Quantum Cybersecurity Skills

With reference to Fig. 1, let's discuss those objectives in more detail:

1) Data management on the Operational Layer. The exploitation and effective use of monitoring tools will speed up the identification of events, as well as the gathering of statistical inputs from technical and executive reports.

2) Consulting and security posture assessment on the Tactical Layer. The analysis of technological risks will reflect the security posture of the organization and the measures for risk reduction. This exercise benefits both risk management and C-Level stakeholders by helping them enhance their strategy.

3) Business continuity and growth on the Strategical Layer. Maintain customer satisfaction, seek contractual renewals, and generate business scalability with new projects for current and future customers.

Another advantage of our proposed SOC productivity optimization approach is that it offers a simplified way of measuring the quality of SOC services. It is well suited to the timely detection of how far SOC services deviate from the business objectives, to identifying the efficiency of processes, and so on.

A more substantial portion of [SOC Leaders] budgets is allocated to sustaining what they have in place.

(Source: Accenture)

SOC productivity optimization is a transversal support on operational, tactical, and strategical levels for providers and clients alike through data management, identification of risk and escalation of services, as necessary. This makes Security Operations Services your internal trusted risk advisor at the Board level by providing access to valuable business risk indicators.

To conclude this blog, I'd like to leave you with the quote below from Gartner:

Challenge the status quo of your security organization by questioning fundamental assumptions about accountability and the role of the information security team, which may have a material effect on the demands on the team and hence, the team’s effectiveness.

It's time to rethink the traditional approach!


Organizations that are able to take full advantage of their Security Services Operations (SOC) are better at reducing business risks, achieving this through the sustainability and scalability of existing resources; they are also significantly better at improving resilience and business continuity.

Quantum Cybersecurity Skills for SOC optimization is your trusted Partner to deliver continuous SOC productivity compliant with ISO 27001 PDCA (Plan, Do, Check, Act). We offer fresh, relevant, goal-oriented, customizable, pragmatic, scientific SOC Optimization success recipes for every SOC / CSIRT / CERT / MSSP.
