Select Page
SecOps Needs More Democratization, Not Less SOC

SecOps Needs More Democratization, Not Less SOC

An increasing complexity of technologies, as well as an increasing number of failures and attacks followed by an increasing dependency on business goals is changing the way we run Security Operations Centers. I previously discussed the concept of a Fusion Center as an imperative to respond to the second trend. While bringing business experts into a SOC function might help security professionals get a better alignment with the business and strategize the SOC, it will not address all the scalability and agility problems inherent in a SOC.

Automation is the obvious solution. And that’s the reason why we see most SOCs prioritizing Security Orchestration Automation and Response (SOAR) projects are a great foundation for automating your SOC playbooks. Some CISOs even see SOAR as the key foundation for DevSecOps. To me, this makes sense, as most traditional SOC analysts lack a software engineering or developer background. In this case, a low- or no-code SOAR platform is the perfect tactical solution to automate SOC playbooks and keep pace with DevOps or the growing business demand for monitoring and IR.

Introducing automation in the SOC will turn your security operating model on its head.

The first question in the automation journey is usually: how do I set the focus? Unfortunately, I see too often SOCs taking their existing playbooks and baking them into automated platforms without making many changes. Perhaps the existing playbooks are good enough to automate without much change, due perhaps to some regulatory requirements or other commitments. On the other hand, this approach has a foundational flaw, which we saw already with some other transformational journeys in the past. For example, the rush to the public cloud and urgency to deliver pushed a lot of CIOs to adopt a “lift and shift” strategy, rather than refactor the applications to inherit all advantages of the public cloud. The result was a fast delivery, but it only scratched the surface of possible benefits.

Introducing automation in the SOC will turn your security operating model on its head. A SOC which can automate most of its tasks not only has the potential to become more efficient by getting everything done much faster, it has the potential to revolutionize the way your security operations work. With automation, you can execute your playbooks at speed of light instead of hours and maintain an endless scalability to provide a tailored experience for every employee and customer.

Over time, the ‘O’ and ‘C’ in ‘SOC’ will slowly disappear.

Let’s look at some examples of how industry leading security operations centers are approaching this automation journey.

  • Amazon AWS has claimed for a while that they don’t have a centralized SOC. All alerts are escalated directly to staff members and there is only one engineer on duty to watch the monitoring systems. This sounds like fantasy to most organizations, but most also don’t have the privilege of starting with a greenfield approach and an army of engineers.
  • At Palo Alto Networks, we have a small group of security operations engineers who apply what we call the 30/30/30 model. The analysts spend 30% of their time on triaging high fidelity signals, 30% building and tuning detection analytics, and 30% threat hunting and performing retrospective analyses. Most alerts go initially to affected employees for triage and the SOC analyst won’t engage unless a specific feedback or alert threshold is reached. This method has distinct cost advantages; you don’t necessarily need an expensive 24/7 rotation model. Most alerts are covered by automation, and in case an alert reaches the threshold outside of business hours, there is an analyst on duty to cover it.
  • Last but not least, Google, known for its strong and diverse group of security experts, recently published a whitepaper on this topic. They shared their lessons learned running security internally and transforming traditional SOCs into Autonomic Security Operations. In this whitepaper, Anton Chuvakin and colleagues argue that cloud adoption is a key driver for transformation of security operations strategies. Over time, the “O” (operations) and “C” (center) in “SOC” will disappear. The results will be pretty similar to the above concepts: a SOC-less organization.

The security community has been banging around this automation topic for a while. So why then is it still such a big deal for SOCs to automate? Ask some reluctant CISOs and they’ll tell you their hesitation is is technical in nature, e.g. “we’re still trying to instrument our controls” or “according to our playbooks, automation might cause some stability issues”. However, the feedback is mostly centered about the requirements of the SOC itself and not the requirements of the business teams or workforce.

This might be the core of the automation problem. Too often we forget to zoom out and revalidate the problems and requirements established by our internal customers. As SecOps heroes, we believe (incorrectly) that most employees don’t understand the problem and we arrogantly assume that only we can get it right; we are the wizards and all employees are the muggles. But let’s not forget that most of the problems with traditional SOCs are associated with one single problem: alerts with lack of a business context.

Too often we forget to zoom out and revalidate the problems and requirements established by our internal customers.

So, how can we consider a more customer-centric view in the automation journey? One of my CISO colleagues summarized it this way: “Today, employees or business functions want to have the freedom of choice on the visibility and the number of alerts they get from their security teams. As long as they stay responsible and understand the risks, we will provide them this comfort, but still do our spot checks to verify”. In practise, such a democratized SOC model could look very different for every organization, but there are some good examples for this strategy:

  • Data Leakage Detection is potentially the most difficult to deploy and often the noisiest cybersecurity control that ever existed. Central reviewing of DLP alerts is not only ineffective and cost-intensive, but also significantly impacts data-privacy. Statistics tell us most data leaks are not intentional, hence escalating those alerts straight to the respective employees and their manager and helping them to understand the problem will eventually create the best return on investment for the company. Improving your data security culture can be a game changer.
  • Application flaws or configuration issues. You don’t really believe your SOC analysts can consistently bridge the gap between the application security issues and DevOps teams, do you? Every DevOps team understands the simple principle: you build it, you run it. As CISO, we have to add “you secure it” to this principle. CISOs and their teams add value to the SOC by defining and configuring the right prioritized policies and guardrails as part of the SDLC or CI/CD pipeline. All alerts go straight to the respective DevOps teams for review and handling. Example: A new project going live on Google Cloud with a bad configuration will be automatically shut down and escalated back to the DevOps team for remediation. No exceptions!
  • Phishing. Yes, it’s 2021 and everybody should be aware of phishing and how to handle it. Empowering employees and escalating the alerts back to them for non-blocked phishing emails, e.g. thru an interface in your mail program, additional emails, robo-call or corporate message, etc., will not only release your analyst to do more important tasks, but also increase awareness among your employees.
  • Compliance Monitoring. Some industry regulators mandate monitoring of system administrator activity or access attempts to critical applications. While there are obvious risks like insider threat of escalating those alerts directly to the respective team, I would argue that it’s crazy to assume your centralized SOC will ever be in the position to interpret these activities without the help of SME. So, why not escalate those alerts directly to tribe leads or dedicated security experts on those teams?
  • In the end, you are still left with traditional SOC alerts like Network Intrusion and Malware events, which can be handled only by your SOC expert. On the other hand, most modern IPS/Sandbox technologies are in the position to translate those alerts directly into preventative signatures. Consequently, there is no need to review and triage every single alert. The only centralized operational function your SOC might keep is Incident Response and a dedicated threat hunting/forensics team looking retroactively into data and malware for successful intrusions and improving your policies and analytics.

The list of democratized SOC use-cases can go on and on, but the point I am trying to make is that an automated SOC will always have to start its journey with reevaluating the problem it’s trying to solve with its customers. Democratizing a process always requires a two way approach. Educate your workforce, get their buy-in on the scope and only then start to leverage them as your extended SecOps analysts.

Ideally, you do this before introducing automation into the SOC. You’ll be surprised by what you do differently or not do at all. As a result, some organizations might even achieve the vision of a SOC-less organization, but the reality is that most organizations would still require a centralized team to manage their legacy infrastructure or processes. At the same time, more and more traditional SOC responsibilities will be transitioned to your company’s workforce, making them responsible for their own security operations. This is a democratized SOC.

RELATED POSTS

The Risk of Measuring Risk

The Risk of Measuring Risk

Automated measuring of control effectiveness is a very good idea conceptually. When you can combine control gaps with relevant threat information, you get a very good picture about the actual technical cyber risks your business faces. If done correctly, it provides...

Stagehand: Episode 4

Stagehand: Episode 4

Keith and I left the scene like we found it: the two kidnappers dead on the floor, their shotgun up against the wall, and the rope used to tie up Carl Timmons sprawled out on the floor. We tipped off local law enforcement and were gone before they arrived, leaving no...

Measuring a Cyber Awareness Culture

Measuring a Cyber Awareness Culture

Until recently, cyber awareness metrics have been treated by many as a tick-box exercise driven by regulations. The regulator requires x number of hours of cyber awareness training per employee per year, and once that is done, the organisation ticks a box and waits...

Good Enough Isn’t Good Enough Anymore

Good Enough Isn’t Good Enough Anymore

The cyber risks we face today are more than we faced previously but also fundamentally different in several respects. Our adversaries are more adept and their tools and tactics more protean in capability.  In light of these increasing challenges, our cyber defenses...

Stagehand: Episode 3

Stagehand: Episode 3

Cyprus ~ 2006 Ali Hassan was a low-level operative in Hezbollah, but we had it on solid authority that he knew where three high-level leaders of the terrorist organization were hiding. Keith arrived fifty-seven hours into Hassan’s interrogation and by the looks of it,...

Five Best Practices to do Supply Chain Security Right

Five Best Practices to do Supply Chain Security Right

Supply chain attacks aren’t new. In fact, The National Institute of Standards and Technology (NIST) published their initial report on supply chain risk back in 2015. One of the most well-known supply chain attacks happened shortly after in 2017. NotPetya corrupted...

Stagehand: Episode 2

Stagehand: Episode 2

Carl Timmons: CISO of Illuminating Solutions, a data analytics firm, forty-seven years old, never been married. Last Thursday, Carl arrived in San Jose on business. He was picked up by a company car and driven to The Manifeld Hotel. He was last seen leaving the hotel...

The Dark at the Top of the Stairs

The Dark at the Top of the Stairs

Let’s say you need to apply a critical patch across the organization, and the patch requires a reboot. While forcing a reboot to apply a critical patch is important, it creates business disruption that ripples out to your customers. Sooner or later, someone in the...

The Risk of Banking

The Risk of Banking

I just came off a big Zoom call with traditional bankers where they discussed changes in client behaviors, and the impact which new technologies bring, that fundamentally challenge today’s traditional European banking models. At the end of 2019, Boston...

Effective Board Communication for CISOs

Effective Board Communication for CISOs

Know Your Board If you’re a CISO, your Board generally knows who you are and what you do. But do you know who they are? No Board is monolithic. Each Board member brings unique value to the Board. Each is selected for what they add to the Board’s perspective, vision,...

Cyber Ops Must Evolve Towards Fusion Centres. Here is Why.

Cyber Ops Must Evolve Towards Fusion Centres. Here is Why.

Since the advent of space exploration in the 1960s, every child understands that the success of the space mission is dependent not only on the astronauts, but also on the engineers in the mission operation center. All complex missions or operations are high risk and...

Mitre Disrupting Advanced Persistent Threats
Share This