The role of cyber security operations centres (SOCs) is becoming more and more critical. But the obstacles they face aren’t getting any smaller. SOCs may find their daily work dominated by incident response, chasing false positives and repetitive tasks, while they struggle to find time for threat intelligence, architecture planning and assessment of vulnerabilities. They face constantly evolving threats through phishing attacks and data leaks, while the increased adoption of cloud computing, remote working and the internet of things (IoT) means the landscape they manage gets more complex by the hour.
How SOCs can stay ahead of the game
Given that context, it’s no surprise that many SOCs struggle to stay on top of their laundry list of responsibilities. Alongside the pressures of new technologies and ambitious goals, SOCs at many organisations face staffing issues and communication problems with other departments. Too many SOCs find themselves playing a never-ending game of catch-up.
It doesn't have to be this way. Through alignment, automation and better tools, SOCs can raise their game and modernise their way of working. To do so, they first need to build internal partnerships and nurture skilled, resourceful teams.
Automation can help your team focus on what matters
One vital step in freeing up an overwhelmed SOC is to automate more security processes. Measures such as automating basic alert analysis and executing scripts to gather evidence can help your organisation deal with threats faster. Weeding out false positives through automation will allow experienced analysts to focus on serious threats and longer-term goals. Here, automation is not about replacing people, but about getting more value from the people you have.
Use the power of machine learning to level up your SOC security
Automation alone may not be enough to manage the sheer volume of incidents your company faces. Machine-learning (ML) tools can help by watching for anomalous behaviour on your networks and broader infrastructure. Models trained on your existing data can flag deviations from normal behaviour, allowing your team to quickly identify and manage threats.
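The two ideas above, automated weeding-out of false positives and flagging of deviations from a baseline, as an added example that is not from the article or any vendor: a small alert-triage pass in which reviewed suppressions and deduplication remove the noise first, and a z-score against each source's recent history (a stand-in for a trained anomaly model) decides what an analyst sees first. The alert records, suppression list and baseline counts are all constructed.

```python
# Added example, not from the article: a minimal automated alert-triage pass.
# Stage one weeds out reviewed false positives and duplicates; stage two flags sources
# whose hit count deviates from a historical baseline by z-score. All data is constructed.
from statistics import mean, pstdev
# Constructed alerts as a SIEM might export them: rule name, source IP, hits this window.
ALERTS = [
    {"rule": "port_scan", "src": "10.0.0.5", "hits": 400},      # documented internal scanner
    {"rule": "port_scan", "src": "10.0.0.5", "hits": 380},      # same finding, next window
    {"rule": "failed_login", "src": "10.0.0.23", "hits": 9},
    {"rule": "failed_login", "src": "10.0.0.77", "hits": 310},
    {"rule": "failed_login", "src": "10.0.0.77", "hits": 310},  # exact duplicate
    {"rule": "dns_tunnel", "src": "10.0.0.23", "hits": 3},
]
# (rule, src) pairs an analyst has reviewed and documented as benign.
SUPPRESSED = {("port_scan", "10.0.0.5")}
# Hit counts per (rule, src) over the previous 14 windows: the "normal" a model would learn.
BASELINE = {
    ("failed_login", "10.0.0.23"): [6, 8, 7, 9, 5, 8, 7, 6, 9, 8, 7, 6, 8, 7],
    ("failed_login", "10.0.0.77"): [10, 12, 9, 11, 13, 10, 12, 11, 9, 10, 12, 11, 10, 12],
}

def suppress_and_dedupe(alerts, suppressed):
    """Drop suppressed pairs and collapse repeats of one (rule, src) into a single record."""
    merged = {}
    for a in alerts:
        key = (a["rule"], a["src"])
        if key in suppressed:
            continue
        if key in merged:  # same finding again: count it, keep the larger hit count
            merged[key]["dupes"] += 1
            merged[key]["hits"] = max(merged[key]["hits"], a["hits"])
        else:
            merged[key] = {**a, "dupes": 0}
    return list(merged.values())
def zscore(hits, history):
    """Standard deviations above the baseline mean; a flat history makes any rise infinite."""
    mu, sd = mean(history), pstdev(history)
    if sd == 0:
        return float("inf") if hits > mu else 0.0
    return (hits - mu) / sd
def triage(alerts, suppressed, baseline, threshold=3.0):
    """Return surviving alerts, highest priority first, for the analyst queue."""
    out = []
    for a in suppress_and_dedupe(alerts, suppressed):
        history = baseline.get((a["rule"], a["src"]))
        if history is None:
            a["priority"] = "review"  # nothing to compare against yet: a human must look
        else:
            a["priority"] = "anomalous" if zscore(a["hits"], history) >= threshold else "routine"
        out.append(a)
    return sorted(out, key=lambda a: ("anomalous", "review", "routine").index(a["priority"]))
```

Running `triage(ALERTS, SUPPRESSED, BASELINE)` leaves three records out of six: the scanner's port-scan alerts are gone, the two identical brute-force alerts are one record marked anomalous, and the DNS alert with no baseline is queued for human review.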
Make sure your SOC is aligned with the rest of the IT unit
As well as looking at their own processes for efficiency savings, SOCs seeking to modernise must evaluate relationships with other parts of their organisation. SOCs often find that senior executives struggle to understand their needs. Tussles between the IT group at large and the SOC are common, especially when it comes to resource allocation.
Clear communication at CTO, CIO or CISO level can help ensure that the SOC’s scope is well-defined and well-understood. The respective responsibilities of IT and the SOC must be clearly mandated, and SOC performance should be frequently re-evaluated against key metrics. Collecting the right information, and sharing it widely, is key to getting the right support. Tooting your own horn now and then is not necessarily a bad thing.
Get visibility on specifics, but keep an eye on the big picture
For your SOC to share relevant information, it helps if your analysts can find it in the first place. Centralising your organisation’s data and integrating it with the SOC will increase visibility and really speed up threat detection.
The right Security Information and Event Management (SIEM) software or Security Analytics and Operations Platform Architecture (SOAPA) can bring data together into an integrated interface that is far more efficient than sorting out a tangled mess of different tools or systems. Higher levels of visibility mean quicker threat detection, and should free up senior analysts to focus on the bigger picture, rather than spending hours clicking through alerts.
Over 50% of Australian businesses now use cloud services, and if a proportion of your storage and applications are cloud-based, cloud analytics and tools will be a vital part of your security mix. A next-generation SIEM will still be able to monitor your systems and help you stay on top of things.
Invest in education and training
Staff turnover and the difficulty of hiring the right people in a highly competitive market put a great deal of pressure on SOCs. Some organisations turn to managed services, and if you can align an outsourced SOC with your needs, this is a solution that may suit your business.
But modernising your SOC doesn't mean you have to rely on external resources. Getting the right tools and automating appropriate processes can go a long way in reducing the strain on staff. Don't forget about the humans in the SOC who are keeping the whole place running. Offering your team clear opportunities to progress, encouraging skill enhancement and offering job rotation can help individuals feel involved and engaged, prevent burnout, and ensure that analysts have a broad skill base. A flexible, well-trained team – not to mention a wider workforce that understands where the team is coming from – is the greatest resource any cybersecurity department can have.
How SOCs can excel in a changing world
As the role of the SOC evolves, so do the challenges SOCs face. Yet alongside the hyper-modern threats are age-old problems: turf wars with other departments, budget issues, poor reporting and overstretched teams.
An effective SOC can manage these obstacles by:
- using automation and machine learning to offload some of the strain
- ensuring it’s working in partnership with the rest of the organisation
- setting clear goals and monitoring progress
- using the right tools to give easy visibility across all systems
- nurturing a flexible, highly skilled SOC team
Changes can be introduced incrementally, helping your SOC take the present in its stride – and ensuring it'll be ready for whatever threats may be round the corner.