The recent SANS 2018 Security Operations Center (SOC) Survey, which was designed to identify the areas of SOCs that need improvement to reach consistent levels of success, revealed several significant deficiencies. These challenges can be overcome with several proven best practices. This blog post will focus on the top four identified SOC deficiencies, the core causes behind them, and the actions that should be taken to improve them.
Lack of automation/orchestration, integrated toolsets and processes/playbooks
Most SOCs fall behind with automation and orchestration mainly because they aren’t aware of the processes that should be automated. This issue can be fixed by performing employee interviews and conducting risk and security assessments.
Employees are the first line of defense in an organization. Interviewing them to find out what tasks they are responsible for is an easy way to identify repeatable processes. These processes, such as evidence gathering during an incident (IP/URL reputation, WHOIS information, etc.), are time-consuming but can be readily automated with SOAR technology. By automating time-consuming processes, employees can spend their time on more urgent matters, which benefits the overall organization.
Performing risk assessments and other security-related tasks will naturally lead to the strengthening of a security program by identifying assets (asset management), identifying vulnerabilities (vulnerability management), providing metrics to monitor and improve (security metrics program), and highlighting areas to be included in a security monitoring program. Identifying these areas of an organization’s security landscape means additional repeatable processes will be exposed, and this not only provides automation opportunities but also aids in overcoming the other deficiencies today’s SOCs are struggling with.
Additionally, the lack of integration between security tools can be attributed to the security vendor space becoming more and more saturated, with organizations forced to layer their security defenses to protect against multi-threaded attacks. This has left security teams with a vague knowledge of their product lines and of what those products can do in concert with each other. There is no easy fix here. Some alternatives include performing Proof of Concept (POC) engagements and encouraging security vendors to “lean in” and gain a better understanding of the organization’s environment. By doing so, organizations can test drive the product, identify possible gaps, and correct them before deploying it to the environment.
Finally, SOCs that fall behind in terms of processes and playbooks typically have a low-maturity security program. In these situations, working with a managed security service provider or a managed detection and response service seems to be a good alternative.
Asset discovery and inventory tool satisfaction was lowest of all SOC technologies
The main reason for this finding is simple: asset inventory and management is hard. Even with an asset management or inventory system in place, the technology staff will be left doing the heavy lifting. The initial upfront investment of time and energy is what usually causes organizations to become dissatisfied. In a world of instant gratification, we expect that if we spend a certain amount of money on a product, it should accelerate us to our end goal. Unfortunately, reality sets in: we are still faced with dynamic business landscapes and a rapidly evolving technology curve, which forces us to roll up our sleeves and get our hands dirty.
Any asset management program requires planning and a full understanding of the environment. Without these crucial steps, any tool that is purchased will fail to meet your requirements. As mentioned earlier, perform risk and security assessments against your environment. Many security assessments, particularly vulnerability assessments, have a discovery phase. This phase will produce a list of assets as well as their vulnerabilities, which an organization can use as a jumping-off point. And as always, keep in mind there is no single solution good enough for everyone. There will be some pain and heartache when standing up an asset management solution, but when done correctly it will be worth it in the long run.
Despite the use of SIEM and big data tools, most event correlation is still manual
This seems counter-intuitive, but there’s a good explanation. When standing up a SIEM, it is not as simple as turning it on and pointing log sources towards it. Organizations should have a grasp of their log sources and the overall visibility they provide into the environment.
In order to do this correctly, an organization should perform a network audit. This will highlight where network taps should be located, which devices consistently speak to each other, and whether there are any gaps or obstacles that must be resolved. Obstacles such as web proxies masking the true source, or short DHCP leases, may prevent an investigator from locating a potential victim and limit an organization’s SIEM from performing the proper correlation between events. Understanding where these gaps lie, and the limitations a chosen SIEM product may have, helps investigation teams recognize the areas where manual correlation may still be necessary.
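To make the two obstacles concrete, here is an added example (not from the survey or any SIEM vendor) of the correlation an analyst does by hand when the SIEM cannot: an IDS alert whose source is the web proxy is walked back through the proxy access log to the real client IP, and that IP is then matched against the DHCP lease active at the event time. All addresses, hostnames and log entries are constructed; the missing afternoon lease for 10.0.0.15 stands in for the visibility gap a short lease creates.

```python
from datetime import datetime, timedelta


def ts(s):
    """Parse the constructed ISO-8601 UTC timestamps used in the sample logs."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


PROXY_IP = "10.0.0.2"  # what the IDS sees as the source of every proxied request

# Constructed proxy access log: time, client IP behind the proxy, destination host.
PROXY_LOG = [
    ("2018-06-01T10:15:02Z", "10.0.0.15", "bad.example"),
    ("2018-06-01T10:15:02Z", "10.0.0.20", "cdn.example.org"),
    ("2018-06-01T14:29:59Z", "10.0.0.15", "bad.example"),
]

# Constructed DHCP lease log: start, end, IP, MAC, hostname. No lease covers
# 10.0.0.15 after 13:00, mirroring a gap left by a short lease that was not logged.
DHCP_LEASES = [
    ("2018-06-01T09:00:00Z", "2018-06-01T11:00:00Z", "10.0.0.15", "aa:bb:cc:00:00:01", "laptop-alice"),
    ("2018-06-01T11:00:00Z", "2018-06-01T13:00:00Z", "10.0.0.15", "aa:bb:cc:00:00:02", "laptop-bob"),
]


def resolve_victim(alert, proxy_log=PROXY_LOG, leases=DHCP_LEASES, window=timedelta(seconds=5)):
    """Walk an alert whose source is the proxy back to the real client and its DHCP lease."""
    when = ts(alert["time"])
    if alert["src"] != PROXY_IP:
        client_ip = alert["src"]  # not proxied: the IDS already saw the true source
    else:
        # Step 1: the proxy request to the same destination host closest in time.
        client_ip = None
        for t, cip, host in proxy_log:
            if host == alert["dst_host"] and abs(ts(t) - when) <= window:
                client_ip = cip
                break
        if client_ip is None:
            return {"status": "unresolved", "reason": "no proxy log entry in window"}
    # Step 2: the lease that was active for that client IP at the event time.
    for start, end, ip, mac, name in leases:
        if ip == client_ip and ts(start) <= when < ts(end):
            return {"status": "resolved", "client_ip": client_ip, "mac": mac, "hostname": name}
    return {"status": "unresolved", "client_ip": client_ip, "reason": "no DHCP lease covers event time"}


if __name__ == "__main__":
    print(resolve_victim({"time": "2018-06-01T10:15:03Z", "src": PROXY_IP, "dst_host": "bad.example"}))
    print(resolve_victim({"time": "2018-06-01T14:30:00Z", "src": PROXY_IP, "dst_host": "bad.example"}))
```

The second call returns an unresolved record with the client IP but no host, which is exactly the point at which an analyst has to fall back to manual correlation.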
Effectiveness of SOC/NOC integration is low
This deficiency is a cultural problem: SOC teams have one agenda (detection and protection), while NOC teams have another (maintaining uptime and availability). These are usually at odds with each other. Take, for example, the age-old conflict over least privilege. Network teams want to have the keys to the castle and be able to move freely through the environment, while SOC teams are focused on locking down the environment to better identify anomalies that may indicate malicious activity.
Adding to this misalignment, both groups are usually under-resourced and overworked due to the lack of qualified candidates and the mounting responsibilities these teams face when maintaining and securing a network. To bridge the gap, organizations will want to institute processes and procedures that outline rules of engagement between the teams. With rules of engagement in place, both departments know what their responsibilities are, and the processes and procedures governing their interactions leave little doubt as to how the partnership should function.
These SOC deficiencies can be overcome in most organizations with timely planning and the right processes in place. A good option for those that lack appropriate resources or a security program is to use a managed security service provider or a managed detection and response service.