In a lot of cases, these organisations would see better outcomes from building a response capability, such as a computer incident response team (CIRT), and consuming the commoditised output of a managed security service provider's SOC capability.

The challenge in building a SOC

With the security landscape being what it is today, many organisations are recognising the need to improve their ability to identify and respond to security incidents. With the threat landscape changing rapidly, gaining better visibility of, and understanding of, the security events and incidents taking place within an organisation's environment is a high priority for security executives. One of the prime mechanisms many turn to is establishing a SOC. While on the face of it this seems like a positive move, in many cases the challenges involved in such an exercise are underestimated.

Firstly, a SOC is not a small undertaking; developing the capability requires a strategy and a focus on security in several areas. The first is the traditional commodity service set of platform management, change management and reporting. At the next level are the operational management services, such as monitoring, alerting and incident handling, which give an organisation a better ability to understand and respond to security within its environment. Finally, there are the higher-value, intelligence-driven SOC services, such as threat intelligence, analysis and response, which give the organisation the ability to better understand and deal with the security incidents identified within its environment. As with most things in security, the initial technology selection and deployment is relatively straightforward; developing the processes, recruiting the staff and maturing the capability take significantly longer to achieve.

The cyber skills shortage, much talked about in the press, is very real, particularly in relation to security analysis and the other skills required to run an effective SOC. With security budgets still constrained, achieving the maturity required to really deliver value from a SOC is a slow process.

The difference in a response capability

One of the major hurdles that a large number of organisations overlook is how to actually consume the output from a SOC capability. Regardless of whether the SOC is internal or external, the ability to consume and make use of its output is vital if the business is to derive value from the associated investment. This is where organisations should be focusing their efforts: building a CIRT, or a response capability more generally, will enable them to consume the output of the SOC services; to apply contextual understanding to that output; to determine the appropriate actions to take; and to make more informed business decisions as a result.
Rob Lay is customer solutions architect in UK & Ireland at Fujitsu