Improving the Responsiveness of Your SOC

When we think about improving efficiency in the SOC, we often focus on tooling. So why does it take so long to integrate new tools and get them up to speed?

Check out this post by Geoff Belknap, CISO, LinkedIn, that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest Spencer Thompson, CEO, Prelude.

Focus on outcomes

No one wants a security solution. They want the outcome it promises to provide. Focusing on those outcomes rather than getting bogged down in categories is key to improving the SOC. "Get out of the habit of thinking in acronyms. What you need isn't SOAR. You need ‘to automate the querying of additional context from some type of alerts in my EDR.’ Scope your efforts not around a single product from a vendor, but around use cases," said Maxime Lamothe-Brassard of LimaCharlie. Although, as Erik Bloch at Atlassian reminds us, acronyms aren’t entirely useless: "Outcomes achieve goals you can measure, acronyms get you a free dinner from the vendor when they come to town."

Tooling is key but not the only factor?

It’s no surprise that an effective SOC needs to balance people, process, and technology. The SOC needs tooling, but not to the detriment of the other two. “A major portion of our investment is in tools so far and we have reached the point of diminishing returns. Any new investment in tools will move the needle marginally," said Mihir Mohanty. That’s easy to say, but as Aqsa Taylor of Gutsy points out, organizations often can’t even quantify their own processes: "You can have the best tools and people but without a secure consistent process that leaves no gaps or inefficiencies, it's difficult to improve. But rarely do companies have visibility into the processes themselves."

Context is king

The idea that “data is the new oil” can pollute the SOC. Focusing on just collecting data doesn’t tell you much without understanding how it relates to the rest of the organization. "We have to fundamentally change how we operate in the SOC. The SOC is based on the faulty concept of collecting more information and feeding the Garbage Factory (a.k.a. SIEM). We are not lacking data or visibility, what we are lacking is proper context to use that data effectively,” said Yaron Levi, CISO at Dolby Laboratories. A lack of context means we can’t gain efficiencies and move from treating individual incidents to recognizing larger trends and categories. "We need much stronger correlation tooling. We focus too much on singular events and we need to be faster and more accurate around the broader picture of chained sequenced events," said Joshua Boyce, MBA, CISSP at Cisco.

Moving to a proactive SOC

If we want to see big efficiency gains with the SOC, we need to reframe how it operates. As long as it only works reactively, responding to incidents after the fact, the SOC will always have an efficiency ceiling. David Ratner of HYAS outlined what this new vision of the SOC looks like, saying, "If you want to make your SOC more efficient, information needs to be able to bridge the gap and go from ‘what happened’ to ‘what is going to happen next.’ The threat intelligence and other tools at their disposal need to allow the SOC to get proactive in adapting defenses and getting prepared against the nature of the threats and risks that they are actively facing vs. always looking in the rear-view window."

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Huge thanks to our sponsor, Prelude


Join us TOMORROW, Friday [03-22-24], for "Hacking Effective Third-Party Risk Management"

Join us Friday, March 22, 2024, for “Hacking Effective Third-Party Risk Management: An hour of critical thinking of going beyond questionnaires and ratings.”

It all begins at 1 PM ET/10 AM PT on Friday, March 22, 2024, with guests Paul Valente, CEO and co-founder, VISO TRUST and Arkadiy Goykhberg, CISO, Branch. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Register

Thanks to our Super Cyber Friday sponsor, VISO TRUST


Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Gerald Auger, Ph.D., chief content creator, Simply Cyber. Thanks to Vanta.

Thanks to our Cyber Security Headlines sponsor, Vanta


Jump in on these conversations

"6 months ago I had to quit my Cybersec Engineering job b/c of psychosis. What can I do to get back in the field?" (More here)

"How do I learn to do secure code reviews?" (More here)

"Made a mistake at work and I’m nervous. Advice needed." (More here)


Coming up in the weeks ahead on Super Cyber Friday we have:

  • [03-22-24] Hacking Effective Third-Party Risk Management
  • [03-29-24] Hacking Detection and Response

Save your spot and register for them all now!


Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship, contact me, David Spark.



George Bakalov

CvCISO, Information Security Guidance & Management for SMBs by an SMB.

12 months ago

Yes, proactive, efficient and please - for free if possible! I’m sure anyone would like that

Thank you for having us on the show!
