Many organisations are centralising and concentrating their cyber-security efforts in Security Operation Centres (SOCs). The aim is to provide a more coherent and comprehensive view of the organisation’s networks, and enable a focused and timely response in the event of an attack.
But are they doing it right? And will these SOCs bring the benefits that organisations imagine they will? We spoke with Luke Jennings, head of research and development at Countercept by MWR InfoSecurity about the benefits and pitfalls that creating a SOC can entail.
The traditional image of the SOC is of a room lined with large screens and ranks of earnest techies monitoring them. But with the right technologies and skills, it’s just as likely to be a virtual team. With the right capabilities, it’s possible to go actively hunting for signs of compromise, rather than waiting for alerts. And the investigative capabilities are as crucial as the alerting ones.
But it’s not all about technology, says Jennings. Having people with the right skills is just as crucial. And one of the most important skills is the ability to think like an attacker and to have a good understanding of the techniques used by your adversaries.
When setting up SOCs, one common failure is that people have a fixed idea of how it should look. They focus on acquiring technology to feed lots of data into a Security Information and Event Management (SIEM) system, and then are overwhelmed by the results.
“It’s about collecting the minimal amount of correct data to achieve your goals,” says Jennings.
You need to know what you’re trying to achieve, and what data you need to do that.
For example, endpoint threat detection data can be far more valuable than logging what’s happening on your servers or crossing your network. For one thing, with so many end-user devices – laptops, phones and tablets – being mobile, you need to monitor what’s happening outside your network.
Finally, unless you have advanced security skills in-house and can justify the cost of having a SOC that will, hopefully, spend the vast majority of its time responding to nothing more than false alarms, there’s a very strong case for outsourcing the whole deal, reckons Jennings.