Having had the experience of building a SOC in the middle of a crisis in his former post, Steve Moore, chief security strategist at Exabeam, understands the need for security and security operations to be relevant. Leading a panel discussion on "Building a Modern SOC" at this year’s Spotlight18 conference in Las Vegas, Moore questioned why – given that so many organizations now have a SOC – attackers continue to be successful.
In order to answer that question, panelists first discussed what indicators of success or failure they look for in a SOC.
Panel participant Andrew Wild, CISO at QTS, went straight to metrics. “One key for me is looking at whether you have the right people and asking whether the metrics are good. Are the metrics reliable enough to evaluate your ongoing performance?” Looking at how they are measuring and how they can improve are indicators that offer value when thinking about SOC transformation.
While metrics do have value, Ray Johnston, CISO at Inspire Brands, said one key indicator for him is looking at whether they have the right people. “How are you keeping them current? Do they have the right skill sets? We underinvest in people, and let them sit and stagnate. At the end of the day, it’s people, process and technology. People can screw up that process.
“Most often, conversations about the SOC include the issue of signal-to-noise ratio. SOCs lack contextualization, the time they need to build the story and the right resources to make decisions in a rapid fashion. We have to get better at moving the advanced threat actors into spaces where we can pick them up quicker.”
In addition to the people problems, there are technical blockers, and patching is a perennial one. Although some view it as the easiest thing to do, the panelists agreed that many organizations patch quite poorly, with few people knowing whether patching is managed and maintained correctly, or whether the patches are even working.
“Patching is important, but what are you patching?” said Wild. “You can’t patch everything. It’s just not possible. Are they patching those software components with known exploits that are commonly used? We need to be bringing a risk-based approach into the SOC to focus on the known threats that are most likely to cause issues.”
A risk-based approach includes physical security but also knowing what and where the crown jewels are. “It’s not just in the security space but in the space around security. If you are not aware of where the consumer or business trends are taking the business, you will fail,” Wild said.
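As an added illustration of the risk-based approach Wild describes, and of the kind of reliable, repeatable metric Wild asks for earlier in the discussion, the following Python ranks open findings by known exploitation, asset criticality and exposure rather than by CVSS alone, and reports one trendable metric. It is not code from the article, Exabeam or any panelist; the asset inventory, scan findings, known-exploited list and scoring weights are all constructed assumptions, and identifiers such as VULN-0001 are placeholders rather than real CVE numbers.

```python
"""Risk-based patch prioritisation and a SOC coverage metric.

Added example for this article; not code from Exabeam or the panelists.
All asset, finding and exploited-vulnerability data below is constructed,
and identifiers such as VULN-0001 are placeholders, not real CVE numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int        # 1 (low) .. 5 (crown jewel), set by the business
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # placeholder identifier, not a real CVE
    asset: str
    cvss: float             # base severity 0.0 .. 10.0
    patch_available: bool
    patched: bool


# Constructed inventory: knowing where the crown jewels are is the first input.
ASSETS = {
    "payments-db": Asset("payments-db", 5, False),
    "web-portal":  Asset("web-portal", 4, True),
    "dev-wiki":    Asset("dev-wiki", 2, False),
    "kiosk-01":    Asset("kiosk-01", 1, True),
}

# Constructed set of vulnerabilities known to be exploited in the wild
# (in practice this would come from a threat-intelligence feed).
KNOWN_EXPLOITED = {"VULN-0001", "VULN-0003"}

# Constructed scan results.
FINDINGS = [
    Finding("VULN-0001", "web-portal", 7.5, True, False),
    Finding("VULN-0002", "payments-db", 9.8, True, False),
    Finding("VULN-0003", "kiosk-01", 6.5, True, False),
    Finding("VULN-0004", "dev-wiki", 9.0, True, False),
    Finding("VULN-0001", "payments-db", 7.5, True, True),
    Finding("VULN-0005", "web-portal", 5.0, False, False),
]

# Assumed weights: known exploitation and crown-jewel status dominate CVSS.
EXPLOITED_MULTIPLIER = 3.0
EXPOSED_MULTIPLIER = 1.5


def risk_score(finding, assets, known_exploited):
    """Combine base severity with what the SOC knows about the threat and the asset."""
    asset = assets[finding.asset]
    score = finding.cvss * asset.criticality
    if finding.vuln_id in known_exploited:
        score *= EXPLOITED_MULTIPLIER   # the "known threats" most likely to cause issues
    if asset.internet_facing:
        score *= EXPOSED_MULTIPLIER     # reachable by an external attacker
    return score


def prioritise(findings, assets, known_exploited):
    """Return unpatched findings ordered most urgent first."""
    open_findings = [f for f in findings if not f.patched]
    return sorted(open_findings,
                  key=lambda f: risk_score(f, assets, known_exploited),
                  reverse=True)


def exploited_patch_coverage(findings, known_exploited):
    """Metric: share of known-exploited findings with an available patch
    that have actually been applied. Easy to compute and to trend over time."""
    relevant = [f for f in findings
                if f.vuln_id in known_exploited and f.patch_available]
    if not relevant:
        return 1.0
    return sum(1 for f in relevant if f.patched) / len(relevant)


if __name__ == "__main__":
    for f in prioritise(FINDINGS, ASSETS, KNOWN_EXPLOITED):
        print(f"{risk_score(f, ASSETS, KNOWN_EXPLOITED):7.2f}  {f.vuln_id}  {f.asset}")
    print(f"exploited-patch coverage: {exploited_patch_coverage(FINDINGS, KNOWN_EXPLOITED):.0%}")
```

Run as a script, the ranking puts the exploited, internet-facing 7.5 on the web portal above the unexploited 9.8 on the payments database, and the 9.0 on the internal wiki last; the coverage metric reports that only one of three patchable, known-exploited findings has been closed. The weights are deliberate assumptions that each organization would set from its own risk appetite.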