In a lot of cases, these organisations would see better outcomes from building a response capability, such as a computer incident response team (CIRT), and consuming the commoditised output of a managed security service provider's (MSSP) SOC.
The challenge in building a SOC

With the security landscape being what it is today, many organisations recognise the need to improve their ability to identify and respond to security incidents. As the threat landscape changes rapidly, gaining better visibility of, and understanding of, the security events and incidents taking place within the organisation's environment is a high priority for security executives. One of the prime mechanisms many turn to is establishing a SOC. While on the face of it this seems a positive move, in many cases the challenges involved are underestimated.

Firstly, a SOC is not a small undertaking: developing the capability requires a strategy and a focus on security in several areas. The first is the traditional commodity service set of platform management, change management and reporting. At the next level are the operational management services that give an organisation a better ability to understand and respond to security within its environment; these include monitoring, alerting and incident handling. Finally, there are the higher-value, intelligence-driven SOC services such as threat intelligence, analysis and response, which give the organisation the ability to better understand and deal with the security incidents identified within its environment.

As with most things in security, the initial technology selection and deployment is relatively straightforward; developing the processes, recruiting the staff and maturing the capability take significantly longer. The cyber skills shortage, much talked about in the press, is very real, and particularly so for security analysis and the other skills required to run an effective SOC. With security budgets still constrained, achieving the maturity required to really deliver value from a SOC is a slow process.
The difference in a response capability

One of the major hurdles that a large number of organisations overlook is how to actually consume the output of a SOC. Regardless of whether the SOC is internal or external, the ability to consume and make use of its output is vital if the business is to derive value from the associated investment. This is where organisations should focus their efforts: building a CIRT, or response capability, enables them to consume the output of the SOC services; to apply contextual understanding to that output; to determine the appropriate actions to take; and to make more informed business decisions as a result.
A CIRT provides a much quicker return of value to stakeholders within an organisation, as it requires significantly less effort and resource to create an effective and efficient capability. Focused primarily on taking the different forms of output from a SOC, such as threat data, security incident data or vulnerability data, the CIRT's activities include interpreting that data to apply context and ensure relevance to the organisation. Interpreting threat data in an organisational context allows a transition from reactive to proactive activity, while better handling of incidents through CIRT-driven incident management reduces key metrics such as mean time to resolve (MTTR). If blended with additional capabilities such as risk analysis and interpretation, the CIRT can form the foundation of, and be a driving force for, a broader security improvement programme.

Deriving benefit from a hybrid approach

Organisations hold a vital asset in their staff: an understanding of the business itself, something that can never be "handed over" to a security service provider or configured into a tool. At the same time, many security service providers have invested significant money and time in building mature and effective SOC capabilities, and these have visibility of a much broader threat landscape thanks to their view across multiple organisations and sectors. By integrating services from mature service providers with business-focused response capabilities developed in-house, organisations can make rapid gains in security maturity while exploiting the high-value intelligence that exists within their own staff.
This combination of integrated services from service providers, such as monitoring, alerting and threat intelligence, enables the response capability within an organisation to develop a more proactive approach to security and, through intelligent consumption of the output of SOC-based services, to improve its security maturity.