Securing the Digital World

Building rockstars in SOC

Jun 13, 2016 | by Prashant Mishra |

What makes detection most effective? I know you are thinking technology. However, if you have been in the security operations domain for long, you know the answer. It's the "people" who use the technology. As a infosec leader/member for your organisation, you should continuously look for methods and tools that make your teams better and faster. There is already deficit of analysts. The responsibility to make your existing analysts rockstar lies on you. Also, the same objectives should be used by organisations that are building security products. The key tenets to build rockstars from tool and process perspective are:

a) Choosing tools with persona driven interfaces
b) Choosing tools with better threat detection mechanisms,
c) Building process for SOC Governance

I am not mentioning the "skill set" development as that's an obvious tenet. Let's understand each of the above in details:

a)Tools with persona driven interfaces:

All the products should be easy to deploy and operate. While the deployment process can take its own time considering the processes in place, the operations part has more priority to my belief. The tool should allow anyone with basic security knowledge to start using it in matter of hours. This means a user interface shows relevant data based on roles and hiding intricacies unless asked for. Additionally, the tool should also come with inbuilt security workflows that are presented based on the persona of the user that's using the system. An analyst should only see incidents and should have access to the Workflows approved by the organisation for incident management. Similarly, an operations person should only see the health and wellness related data in his interface. Also, a content creator should only see content that's escalated by the incident analyst teams for creating the IOC's.

These tools will help you analyst work efficiently and not get distracted by irrelevant noise.

b) Tools with better detection mechanisms:

While rule driven approaches have been used for years now, they are getting ineffective in new attack campaigns. There are two key approaches that will make your analysts better from detection perspective. These are behaviour analytics and hunting.

Behavior analytics tools augment existing incident detection tools. They can be developed as a home grown project (you need data scientists for that) or using a commercial product like RSA Security Analytics. These tools consume data from various data lakes in your organisations that collect and manage both structured or unstructured data. Examples of these data lakes include SIEM, Network forensics, DLP, HR systems etc. The behaviour analytics tools run mathematical algorithms on it to find anomalies. The use cases for behaviour analytics can be focused on users, systems and networks. These tools will save your analysts lots of time to find threats and will help them connect dots easily.

Hunting is about proactively looking for threats in the existing data. This data can take form of event logs, network metadata, flows, end point data etc. Hunting can be done by pivoting into the data and using advance visualisation techniques. The hunting team performs data exploration to find any indicators that can link to a breach. This approach is the most effective technique to enhance the analyst's knowledge. they will learn who to identify new indicators during every hunting exercise.

c) SOC Governance Processes:

SOC governance is about building workflows for managing security incidents,and putting a breach management program in place.

Most mature SOC already use run books today for regular SOC operations. However they are not focused on managing incidents and breach management. Ex- What should be done if a ransomware is reported by an end user vs a DDoS attack.

Breach management is about building effect procedures and notifications methods in case a breach is detected. Key questions are: who should be notified when a breach happens. Periodic table top exercises should be done for breach management. These exercises will make your analyst focus on critical steps during a breach.

All the techniques mentioned above will make your analysts quickly navigate through mountains of data, perform relevant investigations and handle breaches effectively.