How to Optimize your SOC
If you’re here, you are looking for the “3 step magic process” that will instantly optimize your Security Operations Center (SOC) to be a premier Cybersecurity SOC right? Ok let us do that together. Though to do that let us make sure we all are on the same page about what the SOC should be doing vs what the SOC is doing to protect your organization from today’s cybersecurity threats.
For that we have to turn to Lebron James. He is the best basketball player in the world right now at 35 and has been the best for at least the past 10 years. He is gifted genetically for sure. But at age 35 his genetics like all of us can only help us go so far, as younger more athletic players are in the league now. So how is Lebron the best even today at 35. One word. Training.
Training – Technology
Your SOC can be Lebron but you need to train it to be Lebron. Let’s examine how he does this. Lebron trains 6 days a week. Every day he plays and practices basketball. That isn’t all.
- Monday - weight training.
- Tuesday - plyometrics and yoga.
- Wednesday - weight training again.
- Thursday - another round of plyometrics and yoga.
- Friday – killer leg day.
- Saturday - plyometrics and yoga yet again.
So you have bought all the best security tools for your budget. Next-Generation Firewall? Check. Endpoint Security? Check. Email Security? Check. SIEM? Check. Security Orchestration, Automation, and Response (SOAR)? Check. All of this is running in your environments, and you assume it’s working well. Now let’s optimize that SOC.
We know we must train all of these tools. But how? You can wait to be attacked; or constantly tune and assume you’re doing the right thing. But training can be very different if you apply the right tools to help you train.
Breach and Attack Simulation - or BAS as coined by Gartner - can be the most effective way to do this. Here at Cymulate we use the term “Continuous Security Validation”. Like Lebron, we think training every day is essential. SOC Optimization will need all the tools we spoke about earlier to be implemented. With continuous security validation, you create the situation where all of your security prevention and detection tools, and your SIEM, get better by training every day. Every day; test out the newest Immediate Threat that is reported somewhere in the news. Don’t forget your other trainings that need to be done as well.
- Monday - Email Security
- Tuesday - Phishing Awareness
- Wednesday – Web gateway
- Thursday – Endpoint security
- Friday – Web application Firewall
- Saturday – Full Kill Chain using all of the above tactics the same way an attack would – preferably with automation so you’re not stuck working over the weekend.
Now…all of these will have some sort of remediation needed; either the defensive tools themselves, and/or the SIEM from an alerting perspective. This is where you train your people to configure the tools more effectively, while at the same time you also train your SIEM to alert and correlate better. After a few rounds of this testing and training process you will notice your prevention, detection and response, and alerting will be much more accurate and tuned to give you the “Golden Alert” – the correct correlation of events to produce the correct alarms and alerts while reducing false-positives and other noise. Such “Golden Alerts” get your team to a point where they can take high quality data and automate your responses utilizing a SOAR product – allowing them to focus on the components of security that can’t be automated fully and becoming both more effective and more efficient.
Training - Processes
Do we have the basics down? Somewhere in the first paragraph we mentioned the “3 step magic process” correct? The basics have been accomplished. Now for step 2 aka “the really hard part”: Train your people to be better.
Training your people to be better isn’t about sending them to training classes for all the security products they have and being completely up to date on every feature. It’s about their process development. Earlier, we showed you the training plan to develop more effective and well-tuned tools. Here, let’s talk about the training plan to develop more effective and well-tuned processes. Answer these questions to yourself:
- How often does our organization do a penetration test?
- Did that last change make us more secure or less secure?
- Are we susceptible to that zero day I read about on LinkedIn this morning?
Process training for cybersecurity is the next training milestone needed to answer the above questions. The annual or semi-annual penetration test is useful to every organization but, as we all know, it’s a point in time exercise. To gain true insight into what is going on within your organization’s security over time, you need a way to perform much more frequent assessments of your tools and people and a twice-per-year event. A feature set provided by the Cymulate Continuous Security Validation platform allows for security teams to develop their own pen-test capabilities and run these as either on-demand or automated, scheduled events creating a process of continually adopting a strong security posture.
Today’s Change Control is not your grandparents change control. The weekly or monthly meeting with all your changes documented, with back-out plans and multiple signoffs, are quickly becoming a thing of the past. DevOps is rapidly becoming a more mainstream adopted methodology; thus, a shift in that direction is required for security as well. Risk assessors and analysts have created a new term to help define the process of continuously validating security in the same way we’ve begun to continuously develop and validate code, “Security Assurance.” Security Assurance is a measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediates and enforces the security policy according to the NIST 800-53 Special Publication. At Cymulate we encourage Security Assurance validation on a daily basis across all of your security tools. Build a change control process that does not permit you to make a change without knowing the validity of the controls before, during, and after.
Training – People
Now comes the truly challenging part, training all of your people. We all know that people are the weakest link in the constant battle that is cybersecurity. So, training must be constant, complete, and – most importantly - universal. Here at Cymulate we just went through our latest round of cybersecurity training as training all employees to be on the lookout is half the solution. We also suggest you consistently train your security professionals, who may not undergo the same level of routine training as other employees under normal circumstances. The famed business Magnate Sir Richard Branson once famously said, “Take care of your employees, and they'll take care of your business”. If we want to apply this wisdom to our cybersecurity professionals that are tasked at securing our business; we need to provide the right type of training to take care of them and enable them to do the job efficiently. The hard truth is that an attacker must be right only once; while your security team must be right all the time. At Cymulate we have developed a purple team module to help train security professionals at every level about the different attack methods that can be used against your organization. The platform makes Purple Team exercises accessible and achievable to security teams with minimal adversarial skills by leveraging out-of-the-box attack scenarios. Companies that have an in-house Red-Team or pen-testing resources can scale the expertise of these individuals by leveraging the customizability and automation that Cymulate provides, without limiting their creativity.
Today is a great day to start training for a more mature Security Operations Center. At Cymulate we believe in your ability to get better, and we are here to help you achieve your SOC goals. Reach out today and we can start your journey down the path of:
- Training your Tools
- Training your Processes
- Training your People
Don’t speculate, validate your security with Cymulate.