The latest research shows that more than half of all existing cyber security incident response centres are considered ineffective in the opinion of their owners. Organisations lack the expertise to properly build a SOC or analyse current assets and make adjustments in line with goals.
MITRE has developed a practical guide of 11 strategies, which is a strategic framework for building a SOC and will be useful both for experienced operators to analyse activities and structure knowledge and for anyone who is just thinking about creating a cyber security centre as a roadmap for its proper implementation.
MITRE provides an overview of typical SOC technologies, policies and procedures, as well as general organisation, human resources management, etc.
Here we will only provide general conclusions from the 11 strategies, but we strongly recommend (especially if you are building or planning to build a SOC) reading the full document.
Strategy 1. Understand what you are defending and why.
The cyber security function exists to support the organisation’s mission. It determines the answer to the question “What do we have to defend?” In turn, the analysis of the internal (technical means and users) and external (threats) environment provides the answer to the question: “What should we do to ensure this defence?”
The first question we ask our customers at Octava Defence is what assets they need to defend. The first document that results from the cooperation describes the most crucial services and services with access to the Internet.
Strategy 2. Empower the SOC team to do their job.
This requires formalised authority and clear lines of authority, supported by policies and communication at all levels of the organisation.
In Octava Defence’s experience, the approach where strategic management of cyber security and IT is centralised and operational management is divided into areas of responsibility has proven to be effective. It is important to have dedicated specialists to work in the SOC. Do not try to supplement the functionality of a system administrator with cyber analyst tasks. A compromise where monitoring is performed on a residual basis (if I have time, I look at the indicators, if I don’t, I do not look at them) can play a cruel joke on you because cybercriminals are not limited in time.
Strategy 3. Create a SOC structure to suit your organisational needs.
The most important thing that MITRE pays attention to is that the structure of the SOC largely depends on the size of the organisation it is in charge of. At the same time, even if it is a small business that does not have a cyber security centre as a dedicated organisational unit, the company must answer for itself the question of who can perform this function externally in the event of a threat or how this function is distributed within the organisation. The organisational structure should also reflect your requirements for the SOC’s working hours: 8/5, 24/7, etc.
In any case, engaging a SOC service provider can significantly reduce the cost of forming and maintaining a team through outsourcing.
Strategy 4. Ensure the professionalism of the SOC team.
Ensure that the skills and experience of your cyber analysts match the scale and importance of your tasks. The quality of staff is crucial to the quality of the function implementation. Without people capable of working with complex technologies and interpreting data, technical means of defence will be a “white elephant” and investments in them a “black hole”.
Given the shortage of qualified staff, it is advisable to organise a development process in the workplace.
Strategy 5. Prioritise incident response.
Often, the speed and quality of response are the key indicators of SOC effectiveness.
To ensure their proper level:
- Prioritise and define incident categories, response steps and escalation paths, codifying them in standard operating procedures and playbooks.
- Allocate resources to the response.
- Give the team sufficient authority to ensure that expectations are met, such as consistency, timeliness, and elimination of analytical bias, as well as the freedom to act on their intuition and experience.
Strategy 6. Be proactive with Threat Intelligence.
Adversary analysis is needed to anticipate the adversary’s actions, predict the likelihood of an event occurring and how it will be carried out, and ultimately to plan the defence.
MITRE recommends using their ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) guide, which describes and classifies attacker behaviour based on real-world observations.
The organisation emphasises that the Threat Intelligence process should be adapted to the needs of a particular organisation based on an analysis of the relationship between information about the adversary’s actions, the relevance of this data to the organisation, and the capabilities of the customer’s technical environment.
In Octava Defence projects, we have seen that an effective Threat Intelligence process cannot be created in the absence of reliable data for analysis from specific technologies (e.g., EDR systems) and the skills to interpret them. While using the services of a SOC operator, Threat Intelligence can be provided as an additional service. At the same time, your infrastructure will be enriched with specific technical solutions, and your cyber security system will receive the necessary additional information that will significantly improve the quality of protection.
Strategy 7. Select and collect the right data.
The SOC must collect data from everywhere, such as on-premises data centres, cloud environments, mobile infrastructure, or IoT devices. However, there is a compromise to be made between too little data (and therefore a lack of relevant information) and too much data (when tools and analysts become overwhelmed).
To do this, choose the data to collect based on its value. For example, data and tools from endpoints are generally considered to be more informative and provide greater clarity than network traffic data.
In Octava Defence practice, we classify data according to its criticality and the stages of (1) providing observability and (2) investigation and response.
The first type of data is characterised by being sufficient to detect incidents, i.e. to form controls and detect deviations (alerts and incidents). The second is used for investigation and response.
It is clear that the investigation requires additional information from additional sources, which should be taken into account when designing the SOC’s technological landscape.
At Octava Defence, we divide technologies into 4 levels:
- technologies of (1) basic defence and (2) SOC-ready defence allow the creation of a “shield” that prevents simple cyberattacks and provide additional useful data on notifications or incidents;
- (3) technologies supporting SOC monitoring provide 24/7 event monitoring and detection of potentially complex threats (notifications and incidents);
- (4) technologies required to implement SOC-MDR allow for proactive work and prevention of cyberattacks (TI, TH, SOAR, etc.) and advanced investigation and response.
The Octava Defence SOC technology model is available here.
Strategy 8. Use automation to support processes.
Each SOC uses its own set of technologies to enhance the work of analysts. Automation offers many benefits, but like all tools, it has its own implementation and usage challenges.
You can learn more about our experience in automating processes with the SOAR class system, which allows us to process 5000+ notifications per day, here.
Strategy 9. Communicate, cooperate, share experiences.
MITRE emphasises the need to build interaction with different circles of influence: between staff within the SOC itself, within the organisation as a whole, and with the wider cyber community. The bigger the company, the more extensive the interaction should be to understand the overall context, share experiences, and contribute to the cyber security ecosystem in general.
To increase the efficiency of cooperation within the SOC team and with customers, we at Octava Defence use a project-based approach, organisational measures such as regular online meetings, and reporting based on SLAs. The regularity of the formats allows us to ensure the necessary interaction, adaptation to customer approaches and, ultimately, the efficiency of service delivery.
Strategy 10. Analyse and improve performance.
Define qualitative and quantitative indicators to be able to analyse what is working well and what needs to be improved.
Link SOC metrics to business goals and build a transparent framework that provides insight into the impact of SOC data on the business through decision-making.
MITRE recommends building a culture of transparency and creating three groups of indicators:
- Internal parameters for assessing performance, such as the number of events, notifications and incidents, or the quality of work of individual analysts or the team as a whole.
- Indicators that describe the SOC’s performance to stakeholders, such as the mean time to detect a problem (MTTD) and the mean time to resolve (MTTR).
- Additional indicators that go beyond the SOC’s own tasks but characterise the cyber security status of the organisation.
The process of cooperation between Octava Defence and its customers begins with the agreement of a list of key performance indicators. Subsequently, these indicators are monitored as part of the service quality analysis process and reported on a regular basis.
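An added example (not code from the MITRE guide or from Octava Defence) of how the stakeholder indicators above can be computed from incident records: MTTD and MTTR per severity, checked against the SLA targets that such a KPI agreement would fix. The incident records and SLA thresholds below are constructed placeholders, and MTTD is taken as the time from first malicious activity to the SOC alert, MTTR as the time from that alert to closure.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample incident records (not real data). Each record carries the
# timestamp of the first malicious activity, of the SOC alert, and of closure.
INCIDENTS = [
    {"id": "INC-1", "severity": "high",   "occurred": "2024-03-01T08:00",
     "detected": "2024-03-01T08:20", "resolved": "2024-03-01T11:00"},
    {"id": "INC-2", "severity": "high",   "occurred": "2024-03-02T22:00",
     "detected": "2024-03-03T01:00", "resolved": "2024-03-03T04:00"},
    {"id": "INC-3", "severity": "medium", "occurred": "2024-03-03T09:00",
     "detected": "2024-03-03T10:00", "resolved": "2024-03-04T12:00"},
    {"id": "INC-4", "severity": "low",    "occurred": "2024-03-04T00:00",
     "detected": "2024-03-04T06:00", "resolved": "2024-03-05T06:00"},
]

# Hypothetical SLA targets in hours per severity; real values come from the
# customer agreement, these are assumptions for the example only.
SLA_HOURS = {
    "high":   {"mttd": 1,  "mttr": 4},
    "medium": {"mttd": 8,  "mttr": 24},
    "low":    {"mttd": 24, "mttr": 72},
}


def _hours(start: str, end: str) -> float:
    """Elapsed hours between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta / timedelta(hours=1)


def soc_kpis(incidents, sla=SLA_HOURS):
    """Per-severity MTTD/MTTR in hours, incident count and SLA breach count."""
    by_sev = {}
    for inc in incidents:
        ttd = _hours(inc["occurred"], inc["detected"])   # time to detect
        ttr = _hours(inc["detected"], inc["resolved"])   # time to resolve
        row = by_sev.setdefault(inc["severity"], {"ttd": [], "ttr": [], "breaches": 0})
        row["ttd"].append(ttd)
        row["ttr"].append(ttr)
        target = sla[inc["severity"]]
        # An incident breaches the SLA if either detection or resolution is late.
        if ttd > target["mttd"] or ttr > target["mttr"]:
            row["breaches"] += 1
    return {
        sev: {"mttd": round(mean(r["ttd"]), 2), "mttr": round(mean(r["ttr"]), 2),
              "incidents": len(r["ttd"]), "sla_breaches": r["breaches"]}
        for sev, r in by_sev.items()
    }


if __name__ == "__main__":
    for sev, row in soc_kpis(INCIDENTS).items():
        print(sev, row)
```

Reporting the breach count next to the averages matters: a good mean can hide the single late high-severity case that stakeholders actually care about.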
Strategy 11. Continuously expand the functionality of the SOC.
Achieving high quality and speed of incident response should not be a sign that you can rest on your laurels. Cybercriminals are evolving, technology is changing, and you need to keep up with these changes.
Focus on building a proactive system that can detect and defend against experienced attackers, for example by using threat hunting and threat deception tools. Test your ability to detect the adversary through simulations and exercises.
The challenge lies in the fact that technologies are constantly evolving, and the traditional integrator approach to implementation does not allow the customer to unlock their full potential (we wrote more about this here). That is why Octava Defence offers our customers an operational approach with support and continuous improvement because cyber security is a process.
Conclusions from the MITRE report
Defending a modern digital enterprise from experienced cyber threats requires strategy, timely analysis, information and round-the-clock vigilance. It is important to understand that no organisation should face this challenge alone. Cooperation for protection is crucial both at the level of national security or critical infrastructure protection and for maintaining business stability.
At Octava Defence, we work to equip our customers with modern solutions through managed services based on our Security Operations Centre. Without significant capital expenditure, you get a set of security technologies, access to experienced cyber analysts and the processes required for their work.
Get the benefits of continuous monitoring, investigation, and rapid response to cyber threats with the Security Operations Center as a Service.