Improving the Responsiveness of Your SOC
When we think about improving efficiency in the SOC, we can often focus on tooling. Then why does it take so long to integrate new tools and get them up to speed?
Check out this post by Geoff Belknap , CISO, LinkedIn , that is the basis of our conversation on this week’s episode co-hosted by me, David Spark , the producer of CISO Series , and Steve Zalewski . Joining us is our sponsored guest Spencer Thompson , CEO, Prelude .
Focus on outcomes
No one wants a security solution. They want the outcome it promises to provide. Focusing on those outcomes rather than getting bogged down in categories is key to improving the SOC. "Get out of the habit of thinking in acronyms. What you need isn't SOAR. You need ‘to automate the querying of additional context from some type of alerts in my EDR.’ Scope your efforts not around a single product from a vendor, but around use cases," said Maxime Lamothe-Brassard of LimaCharlie . Although as Erik Bloch at Atlassian reminds us, acronyms aren’t entirely useless, saying, "Outcomes achieve goals you can measure, acronyms get you a free dinner from the vendor when they come to town."
Tooling is key but not the only factor?
It’s no surprise that an effective SOC needs to balance people, process, and technology. The SOC needs tooling, but not to the detriment of the other two. “A major portion of our investment is in tools so far and we have reached the point of diminishing returns. Any new investment in tools will move the needle marginally," said Mihir Mohanty . That’s easy to say, but Aqsa Taylor of Gutsy points out, organizations often can’t quantify their own processes, saying, "You can have the best tools and people but without a secure consistent process that leaves no gaps or inefficiencies, it's difficult to improve. But rarely do companies have visibility into the processes themselves."
Context is king
The idea that “data is the new oil†can pollute the SOC. Focusing on just collecting data doesn’t tell you much without understanding how it relates to the rest of the organization."We have to fundamentally change how we operate in the SOC. The SOC is based on the faulty concept of collecting more information and feeding the Garbage Factory (a.k.a SIEM). We are not lacking data or visibility, what we are lacking is proper context to use that data effectively,†said Yaron Levi , CISO at æœæ¯”实验室 . A lack of context means we can’t gain efficiencies and move from treating individual incidents into larger trends and categories. "We need much stronger correlation tooling. We focus too much on singular events and we need to be faster and more accurate around the broader picture of chained sequenced events," said Joshua Boyce, MBA, CISSP at æ€ç§‘ .
Moving to a proactive SOC
If we want to see big efficiency gains with the SOC, we need to reframe how it operates. As long as it only works proactively to respond to incidents, the SOC will always have an efficiency ceiling. David Ratner of HYAS outlined what this new vision of the SOC looks like, saying, "If you want to make your SOC more efficient, information needs to be able to bridge the gap and go from ‘what happened’ to ‘what is going to happen next.’ The threat intelligence and other tools at their disposal need to allow the SOC to get proactive in adapting defenses and getting prepared against the nature of the threats and risks that they are actively facing vss always looking in the rear-view window."
Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Huge thanks to our sponsor, Prelude
Join us TOMORROW, Friday [03-22-24], for "Hacking Effective Third-Party Risk Management"
Join us Friday, March 22, 2024, for?“Hacking Effective Third-Party Risk Management: An hour of critical thinking of going beyond questionnaires and ratings.â€
It all begins at 1 PM ET/10 AM PT on Friday, March 22, 2024?with guests Paul Valente , CEO and co-founder, VISO TRUST and? Arkadiy Goykhberg , CISO, Branch .?We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, VISO TRUST
领英推è
Cyber Security Headlines - Week in Review
Make sure you?register on YouTube?to join the LIVE "Week In Review" this Friday for?Cyber?Security?Headlines?with?CISO Series?reporter Richard Stroffolino.?We do it this and every Friday at 3:30 PM ET/12:30 PM PT?for a short 20-minute discussion of the week's cyber news. Our guest will be ???? Gerald Auger, Ph.D., chief content creator, Simply Cyber. Thanks to Vanta.
Thanks to our Cyber Security Headlines?sponsor, Vanta
Jump in on these conversations
"6 months ago I had to quit my Cybersec Engineering job b/c of psychosis. What can I do to get back in the field?" (More here)
"How do I learn to do secure code reviews?"?(More here)
"Made a mistake at work and I’m nervous. Advice needed."?(More here)
Coming up in the weeks ahead?on?Super Cyber Friday?we have:
- [03-22-24] Hacking Effective Third-Party Risk Management
- [03-29-24] Hacking Detection and Response
Save your spot and register for them all now!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at?cisoseries.com.
Interested in sponsorship,?contact me,?David Spark.
CvCISO, Information Security Guidance & Management for SMBs by an SMB.
12 个月Yes, proactive, efficient and please - for free of possible! I’m sure anyone would like that ??
Thank you for having us on the show! ??