Organisations should build a computer incident response team, not a security operations centre

In many cases, organisations would see better outcomes from building a response capability such as a computer incident response team (CIRT), and consuming the commoditised output of a managed security service provider's SOC capability.

The challenge in building a SOC

With the security landscape being what it is today, many organisations are recognising the need to improve their ability to identify and respond to security incidents. As threats change rapidly, gaining better visibility of, and understanding, the security events and incidents taking place within an organisation's environment is a high priority for security executives.

One of the prime mechanisms which many turn to is to establish a SOC. While on the face of it this seems like a positive move, in many cases the challenges involved in such an exercise are underestimated.

Firstly, a SOC is not a small undertaking; developing the capability requires a strategy and a focus on security in several areas. The first is the traditional commodity service set of platform management, change management and reporting.

At the next level, there are operational management services which give an organisation a better ability to understand and respond to security within its environment; these include aspects such as monitoring, alerting and incident handling.

Finally, there are the higher value, intelligence-driven SOC services such as threat intelligence, analysis and response. These services provide the organisation with the ability to better understand and deal with the security incidents that are identified within their environments.

As with most things in security, the initial technology selection and deployment is relatively straightforward; however, developing the processes, recruiting the staff and maturing the capability take significantly longer to achieve.

The cyber skills shortage, much talked about in the press, is very real and particularly so in relation to security analysis and the other skills required to run an effective SOC. With security budgets still being constrained, achieving the maturity gains required to really deliver value from the SOC is a slow process.

The difference in a response capability

One of the major hurdles which a large number of organisations overlook is how to actually consume the output from a SOC capability. Regardless of whether the SOC is internal or external, the ability to consume and make use of its output is vital if businesses are to derive value from the associated investment.

This is where organisations should focus their efforts: building a CIRT or response capability will enable them to consume the output of the SOC services; to apply contextual understanding to that output; to determine the appropriate actions to take; and to make more informed business decisions as a result.

A CIRT will provide a much quicker return of value to the stakeholders within an organisation as it requires significantly less effort and resource to create an effective and efficient capability.

Focused primarily on taking the different forms of output from a SOC, such as threat data, security incident data, or vulnerability data, the CIRT activities include interpretation of that data to apply context and ensure relevance to the organisation.

The interpretation of threat data in an organisational context allows a transition from reactive to proactive activity, while better handling of incidents through incident management driven by the CIRT leads to a reduction in key metrics such as mean time to resolve (MTTR).

If blended with additional capabilities such as risk analysis and interpretation, the CIRT can form the foundation of, and be a driving force for, a broader security improvement programme.

Deriving benefit from a hybrid approach

Organisations have a vital asset in their staff: an understanding of the business itself. This is something which can never be “handed over” to a security service provider or configured into a tool.

At the same time, many security service providers have invested significant amounts of money and time in building mature and effective SOC capabilities. These have visibility of much broader threat landscapes thanks to their view across multiple organisations and sectors.

By integrating these services from mature service organisations with business-focused response capabilities developed in-house, organisations can make rapid gains in security maturity while exploiting the high-value intelligence that exists within their staff.

This combination of integrated services from service providers, such as monitoring, alerting and threat intelligence, enables the response capability within an organisation to develop a more proactive approach to security and, at the same time, through the intelligent consumption of the output of SOC-based services, to improve its security maturity.

Rob Lay is customer solutions architect in UK & Ireland at Fujitsu
