Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

7/6/2016
10:30 AM
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

Diagnosis SOC-atrophy: What To Do When Your Security Operation Center Gets Sick

Whether it's due to lack of attention, poor capital planning or alert fatigue, there are lots of reasons why an SOC can become unhealthy. Here's how to make it better.

Congratulations, you’re the new CISO! Whether you have served in the role previously or it’s new to you, you’ll be asked to observe your new organization, to develop a 100-day plan, to evaluate people, processes, and technology, and of course you’ll need to tell the CEO where you would attack the organization and how you will protect against that. It’s a daunting and exciting task to be the new CISO. 

There is so much to observe, learn, and then you have to formulate a plan of action. You are inundated with learning the new organization from the CISO’s chair. Finally, the day comes when you tour the Security Operations Center. You are looking forward to this, because it’s operational; it’s where you fight the adversary—hackers with various forms of capabilities, motives, and sponsorship. 

Of course you want to see the chess match in action between your cyber analysts and threat actors. You look around: it looks like a SOC (analysts at monitors), and then your SOC Director briefs you on manpower, processes, technology, annual budget, measures and metrics. As the briefing continues your smile transitions to furrowed eye brows. As you investigate, and question, and seek to understand, you can see what has happened, your SOC is sick. You have seen the symptoms before and you know the diagnosis, it’s SOC-atrophy.  

SOC-atrophy: An omissive noun. 1. When your technology has remained dormant too long. 2. Unrefreshed cyber technology. 3. The absence of intelligence and heuristics. 4. Plagued by false positives.

Your SOC became sick for several reasons.

  • The technology you have is antiquated and completely signature-based, best suited for static threats, not advanced threats. While signature-based solutions have a role, it’s a secondary protection role.
  • The organization failed to keep up with technology and the evolving threat. For years, the organization has relied on incremental funding. This budget strategy has a typical result; a disparate mix of capabilities purchased individually as security silos without consideration for how the capabilities will work together. The tools don’t work together.  It’s an integration nightmare!

But SOC-atrophy is not a technology problem
As you sit down with your analysts, you observe that each analyst must be knowledgeable about several different tools and that they spend a lot of time collecting data and alerts. You observe the waterfall of alerts overflowing your analysts with data -- mostly false positives. The analysts have alert fatigue; they just can’t keep up.

The bottom line: the organization didn’t see the evolution of the threat, didn’t keep up with technology, and has not figured out how to use threat intelligence, much less integrate intelligence as a key enabler. The old technology in your SOC was the right decision for a different time, but not for today. 

Capital planning for cyber investment has also been a challenge. Typically SOCs are developed and funded piecemeal, a silo of capability at a time. This has a cause and effect, the tools are hard to integrate or don’t integrate at all, which in turn make it virtually impossible for an analyst to perform. Whether it has been lack of attention, inadequate measurement of effectiveness, poor capital planning, or alert fatigue, there are several ways for a SOC to become sick. Your goal now is to bring it back to a healthy state. Here are five strategies to overcome SOC-atrophy.

  1. Research to understand all SOC investments. You need to analyze the costs of each tool, effectiveness, and cost, and then prioritize the value of what you have. You will want to keep the best value, and get rid of the lower value, higher cost, solutions. This is your available trade space.
  2. Perform a SOC-focused assessment. This will gauge operational effectiveness and highlight gaps. Knowing your current health is a relatively low-cost endeavor and helps you in building a business case for investments to close the gaps.
  3. Study the threat landscape. From CEO to cyber analysts, your organization needs to clearly understand the threat landscape and how the threat is escalating. This understanding will help you focus on the technology, expertise, and intelligence you need to protect your organization.
  4. Resist the urge to fund your tools piecemeal. Develop the business case for an integrated platform with the ability to visualize web, email, file servers, endpoints, mobile, and SIEM, in one picture, enabling the ability to detect and remediate threats earlier in the kill chain. The board needs to understand the business case for an integrated platform.
  5. Encourage cross-organizational collaboration. It’s critical to build partnerships for vetting the business case and gaining consensus on your SOC plans. Spending quality time with your fellow IT executives and other business leaders to discuss -- at a strategic level -- what you are working on, your timeline, and your forthcoming proposal. There is no greater feeling than going into a board meeting with many of the members clearly in your corner.

Related Content: 

Black Hat’s CISO Summit Aug 2 offers executive-level insights into technologies and issues security execs need to keep pace with the speed of business. Click to register.

Lance Dubsky, CISSP, CISM, is Chief Security Strategist, Americas, at FireEye and has over two decades of experience planning, building and implementing large information security programs. Before joining FireEye, he served as the Chief Information Security Officer at two ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.