Remedies for SOC Enterprise Amnesia

In my last post, I discussed a common syndrome experienced by many organizations called “SOC Enterprise Amnesia” whereby the most valuable data (intelligence) gleaned from events/incidents is flushed and forgotten as operational fatigue sets in while the volume of security control and instrumentation data continues to overwhelms the operators field of view. The outgrowth of this state is called “Operational or Organizational Thrashing”.

So what are some approaches to take to remedy this syndrome? Before diving into the approaches, it’s important to understand the top 10 security operations readiness deficiencies commonly found in many enterprises. Below is an enumeration of the 10 most common deficiencies aligned to People-Process-Technology.

 

People
  • Infrequent user training on security hazards such as spear-phishing
  • Inadequate security staff, both in terms of numbers and training
  • Security team’s roles and responsibilities not clearly defined
Process
  • Poor patch management processes
  • Reliant on ad hoc incident response and other security procedures in the absence of well-defined processes
  • “Enterprise amnesia” resulting from responding nonstop to fire drills without taking time to improve based on post-incident lessons learned
Technology
  • No centralized or real-time monitoring and alerting—analysts must log into different consoles to collect alerts
  • Poor incident response-tracking and workflow systems
  • Insufficient tools to conduct forensic analysis
  • No threat intelligence collection or analysis capabilities

Some of the best approaches in designing for improving SOC readiness and operational efficiencies take into account the 80/20 rule whereby 80% improvements can be achieved by addressing the top 20% of the critical gaps typically discovered during a breach readiness and/or capabilities maturity assessment. Below is an example of common findings within the top 20% gap criticality.

  •  Conduct all-inclusive risk and security assessments
  • Locate and track high-value digital assets
  • Model threats and address top vulnerabilities
  • Master change management processes
  • Deploy security staff selectively and strategically
  • Integrate security processes and technologies to scale resources
  • Invest in threat intelligence capabilities
  • Quantify the impact of security investments

SOC transformation and optimization is not an overnight effort and with strong emphasis on analysis and design, organizations can achieve significant results. If you’d like to read more about this topic and others ways you can improve your breach readiness and operational maturity, check out the October, 2013 RSA Security Brief – “Taking Charge of Security in a Hyperconnected World.

No Comments