Risk Score KPI Lets Your SOC Rock Your Cybersecurity
In the good old days, a security operations center (SOC) was basically a room full of live camera feeds that let the organization see what was going on and take action if necessary. It started with government agencies and defense departments, followed by financial institutions. Today, it is also used for managed services. Its purpose is still the same: being a centralized hub for continuously monitoring and managing the security status of an organization. Its main task is to enable better incident detection, investigation, and response capabilities using data from endpoint devices, logs, security systems, and network flows.
For today’s SOC to rock, it needs to embrace a three-pronged approach and a Risk Score KPI.
Detection and modularity
- Cybercriminals use automated tools (such as Autosploit) for their attacks, which makes it hard for SOC analysts to detect such obfuscated attacks. Most SOCs have a Security Information and Event Management (SIEM) system in place to check logs, but this is not enough for advanced security monitoring. SOCs also have a hard time keeping up when the organization rolls out new infrastructure with advanced rules and configurations, which is why a modular approach is required.
Correlation and analysis
- As mentioned above, checking logs is an important task, but it is not enough. For a modular approach, additional structured and unstructured data from multiple sources (e.g., endpoints, gateways, or networked devices) must be analyzed. However, relying on the SIEM alone is risky when multiple devices are compromised, especially when the severity of the attack is underrated. In short, a SOC team needs to move away from log-driven security and opt for intelligence-driven security.
Incident workflow and prioritization
- SOC analysts might have the tools to identify and analyze attacks, but they still struggle to prioritize them. An incident workflow provides SOC analysts with guidelines on which incidents they must investigate, and how to escalate and prioritize them for mitigation. In short, SOC analysts need to know how a security incident happened, what was done, and whether the organization is secure.
A SOC normally monitors for incidents without managing the organization’s security resiliency. But what SOC analysts really need is a proactive approach that enables them to manage exposures before those can be exploited. That’s where Cymulate comes in. With this breach and attack simulation (BAS) platform, the SOC team can schedule automated assessments to run at any predefined time (e.g., every night, early in the morning, in the middle of the day, etc.) and find vulnerabilities and gaps in the organization’s security framework, its multiple security solutions, and its security controls. In other words, it gives a comprehensive overview of the security posture of the organization, since it shows the weak spots (the ones with a low risk score KPI).
By showing the current vulnerabilities, the SOC team can step in and solve those issues before a real attacker can exploit them to attack the organization. Cymulate’s assessment reports also make suggestions for mitigation to help the SOC team solve each and every one. Since the results of each assessment are presented as a KPI, the Cymulate Risk Score, the SOC team can also prioritize which issue to solve first. This Cymulate Risk Score KPI is based on well-known and widely used risk methodologies such as NIST 800-30, Microsoft DREAD, and CVSS3. The scores are calculated by an algorithm that takes into consideration a number of factors relevant to each attack method and payload used in the assessments. The impact and probability of each one are taken into account, and factors such as the capabilities of the attacker, the abundance of the attack tools, etc. are also calculated. The SOC team can set thresholds for each Key Performance Indicator (KPI), and once those are crossed, the Cymulate dashboard will alert the SOC team. The platform will also notify the team about the latest global cyber threats that are out in the wild. This allows the SOC team to test the organization’s security posture immediately, before it might be compromised.
Once the SOC analysts have the Cymulate Risk Score KPI in front of them, the SOC team can make a well-informed decision based on the results and the organization’s internal prioritization. The IT and security teams can then fix the gaps quickly if deemed important.
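To make the mechanics of such a KPI concrete, here is an added example of a simple impact-times-probability scoring model with per-control thresholds and a remediation ranking. It is illustrative code written for this page, not Cymulate’s algorithm or any part of its platform; the factor weights, the 0–100 scale, the control names, and the sample findings are all constructed assumptions. It follows the convention described above, where a low control score marks a weak spot.

```python
"""Hypothetical risk-score KPI model (assumption: not Cymulate's algorithm).

Each finding from a simulated assessment carries an impact rating and
DREAD-style factors. Probability is raised by easy exploitation and
abundant attack tooling and lowered by the attacker skill required.
A per-control KPI (100 = strong, 0 = weak) is compared against a SOC
threshold, and findings are ranked for remediation by risk.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    control: str         # security control assessed, e.g. "WAF" (constructed)
    name: str            # short description of the simulated attack step
    impact: int          # 1-10: damage if the simulated attack succeeds
    exploitability: int  # 1-10: how easily the step succeeded
    attacker_skill: int  # 1-10: skill required (higher = fewer capable attackers)
    tool_abundance: int  # 1-10: availability of off-the-shelf tooling


def probability(f: Finding) -> float:
    """Likelihood in [0, 1]; equal weights are an assumption of this model."""
    raw = (f.exploitability + f.tool_abundance + (11 - f.attacker_skill)) / 30
    return round(min(max(raw, 0.0), 1.0), 3)


def finding_risk(f: Finding) -> float:
    """Risk = impact x probability, scaled to 0-100 (higher = worse)."""
    return round(f.impact * probability(f) * 10, 1)


def control_scores(findings) -> dict:
    """KPI per control: 100 minus the mean risk of its findings (low = weak spot)."""
    by_control = {}
    for f in findings:
        by_control.setdefault(f.control, []).append(finding_risk(f))
    return {c: round(100 - sum(r) / len(r), 1) for c, r in by_control.items()}


def breached_thresholds(scores: dict, thresholds: dict) -> list:
    """Controls whose KPI dropped below the SOC-defined threshold (alert list)."""
    return sorted(c for c, s in scores.items() if s < thresholds.get(c, 0))


def remediation_order(findings) -> list:
    """Highest risk first; ties broken by impact, then by name for stability."""
    ranked = sorted(findings, key=lambda f: (-finding_risk(f), -f.impact, f.name))
    return [f.name for f in ranked]


# Constructed sample assessment results (not real data).
SAMPLE_FINDINGS = [
    Finding("WAF", "SQLi payload passed through WAF", 9, 9, 3, 9),
    Finding("Endpoint", "Known malware dropper not blocked", 8, 8, 2, 10),
    Finding("Endpoint", "Ransomware sample executed", 10, 7, 5, 8),
    Finding("Phishing", "Credential-harvest template clicked", 6, 2, 5, 9),
]

# Constructed thresholds: alert when a control's KPI falls below this value.
SAMPLE_THRESHOLDS = {"WAF": 60, "Endpoint": 60, "Phishing": 60}


def run_assessment(findings=SAMPLE_FINDINGS, thresholds=SAMPLE_THRESHOLDS) -> dict:
    """Bundle the KPI view a SOC dashboard would show for one assessment run."""
    scores = control_scores(findings)
    return {
        "scores": scores,
        "alerts": breached_thresholds(scores, thresholds),
        "remediation_order": remediation_order(findings),
    }


if __name__ == "__main__":
    result = run_assessment()
    for control, score in sorted(result["scores"].items()):
        flag = "ALERT" if control in result["alerts"] else "ok"
        print(f"{control:<10} KPI={score:>5}  [{flag}]")
    print("Fix first:", result["remediation_order"][0])
```

Running the script with the constructed sample prints a KPI per control, flags WAF and Endpoint as below threshold while Phishing stays above it, and ranks the WAF finding first for remediation. A real platform’s algorithm will weigh many more factors; the point of the toy model is that impact, probability, attacker capability and tool availability combine into one number the SOC can threshold and sort on.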
The Cymulate Score Overview below shows the results of the Cymulate platform assessment. It gives the SOC team a comprehensive overview of where the organization’s infrastructure is vulnerable. As we can see, the WAF and endpoint security are quite vulnerable, while the organization’s employees are well-trained against phishing attempts.