
Operations

4/28/2020
04:00 PM
Gordon Lawson
Commentary

5 Big Lessons from the Work-from-Home SOC

Accustomed to working in the same room, security teams now must find ways to operate effectively in the new remote reality.

Managing a security operations center (SOC) under normal conditions is hard enough; adjusting operations during the COVID-19 crisis has been particularly hard on those who run them.

Not too long ago, we moved much of the security team into the same room to overcome the challenges of stovepiped organizational structures. Now we must find ways to operate effectively in the new remote reality. Below are some best practices I've collected over the past week from customers in healthcare, education, finance, and technology who are in the midst of transitioning their SOCs to remote work. In addition to focusing on the health and safety of their team members, some of the best practices I have heard involve redeploying people where they're needed most, continuously upgrading skills, and fostering a security-supportive culture.

1. Adopt a Supply Chain Model for the SOC
Supply chains move materials from source to production to sale, a process that occurs with amazing efficiency in companies like Walmart and Ford. Behind the movement of materials is an advanced system of data communications across multiple organizations that are commonly located all over the world. By nature, supply chains could never have the type of centralized operation we have created in moving security into the SOC. 

Multiple companies that are part of a supply chain need to optimize processes and integrate systems at levels never dreamed of by security teams. When you distribute your security team at the individual level, you impose the limitations of space and time that supply chain processes were created to overcome. One CISO suggested that SOC leaders should look at process flow optimization as applied to incident detection and response, with a specific focus on critical information delivery (inputs and outputs) across systems and teams, service-level agreement definitions, decision-making processes, and data quality. Make sure you apply quality goals to analyst-level output on incident investigation and response, especially for more junior members of the team.

2. Keep Open a Virtual Communication Channel, 24/7
A major benefit of moving security team members into the SOC in the first place was to support open and informal communications. Now that teams have gone remote, those communication lines can break down. One SOC manager from a large manufacturer keeps a video chat call open round the clock, with at least one team manager monitoring the session at all times. Analysts check in and out throughout the day, reporting on what they are working on and sharing screens; when an incident arises that needs immediate attention, the manager in charge quickly sends text/Slack messages to the required people, who jump on to address the problem in a virtual "tiger team."

3. Cross-Train Staff to Account for Changes in Focus
One best practice at top companies has involved cross-training IT and security teams to be ready to jump in and help at any stage of an attack. Cross-training makes additional sense when your company moves to a remote model. The corporate network is suddenly not the safe haven it was, now that it extends to hundreds, even thousands, of remote laptops and edge computers. Endpoint monitoring becomes critical, and endpoint security teams can quickly become overwhelmed.

One client we spoke with was planning to train up network security pros — who now have less to do — on endpoint security in order to have more effective eyes on glass, watching for endpoint attacks as they unfold. One of the most common training themes I have heard involved training more people to understand and administer VPN systems, so that more administrators know how to configure multilayer IP address protection and ensure proper encryption.

4. Do Everything Possible to Maintain Your Security Culture
Security leaders spend a lot of time creating a collaborative and successful culture across teams. The advice from an experienced CISO with stints at multiple top financial institutions is, "Don't do anything to screw up that security culture you worked so hard to create. Also, as an extension of that culture, protect your top talent at all costs." Now is not the time to make any significant organizational shifts, he said. Instead, focus on building stronger leaders within the existing organization.

Keep lines of communication as open as possible. If a junior analyst was comfortable asking questions of a seasoned veteran who sat nearby, find a way to keep that line open. Multiple customers reported freezing all organizational changes and instructing team leads to check in weekly with each team member through one-on-one calls. Another company holds weekend online "hackathons" to keep team members' social bonds as strong as possible.

5. Increase the Quality of Your Cybersecurity Team Output
As teams work from home, distractions and the loss of camaraderie and easy sharing of information can hurt the quality of the services provided by the security team. Take this opportunity to increase the quality of each member's work through training. Online training programs for cybersecurity professionals are easily accessed and of high quality.

One customer I spoke with is focusing training on junior analysts. The concern is that the less experienced members of the team are more likely to make errors without an easy way to have their work checked by others in the SOC. They're also concerned that other team members may not trust these analysts' decision-making and outputs, so they want to upgrade the skills of these workers and share their improvements (in the form of micro-certification achievements) across the team to maintain trust. Examples of training for these analysts include basic malware analysis, use of regular expressions, and learning about SUID executables.


Gordon Lawson is president at RangeForce, a SaaS-based cybersecurity simulation and skills analysis platform that helps enterprises qualify their new hires, train up devops, IT, and security staff, and run cybersiege simulations to evaluate team skills. Lawson has nearly two ...