At RSA Conference in San Francisco, RSA’s Ankush Baveja made a case for a SOC effectiveness framework
SOC effectiveness is hard to measure without a valid framework, argued RSA’s presales engineer, Ankush Baveja. “Senior executives and senior leadership teams don’t get to see the results of what the SOC team is doing.” The solution, he argued, is simple: Create a framework to showcase a SOC’s maturity.
“You need to identify the SOC capability and link that to metrics. The metrics then have to link to the outcome,” explained Baveja. “Set your objective and within those you can have multiple goals. Further, develop questions around each goal to help you to identify the current state of that goal.” Your metrics must be something that is actionable, he added.
“Link your business objectives to the goals you are trying to achieve,” continued Baveja, who listed operations, engineering and IT, and the blue and red teams as the ‘SOC Capability Triad’.
RSA’s Baveja set out the following six-month plan for choosing and actioning a SOC metrics framework:
- First, choose a framework and download and use the framework sheet
- Define capabilities for your SOC – both current and a roadmap
- Identify metrics for each capability and use the GQIM methodology
- Define how these measurements affect your decisions
- Define stakeholders and assign ownership to monitor/alert
- Create your SOC Dashboard
- Set periodic checkpoints to review the goals
- If a metric doesn’t add value or lead to a decision, dump it
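To illustrate the capability → goal → question → metric → decision chain and the “dump it” rule above, here is an added Python sketch of a SOC metrics sheet. It is example code, not Baveja’s framework sheet; the incident records, thresholds, decisions and owners are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Callable, Optional

# Constructed sample incidents (not real data): attack start, SOC detection, containment.
INCIDENTS = [
    {"id": "INC-1", "start": "2024-03-01T08:00", "detected": "2024-03-01T10:30", "contained": "2024-03-01T14:00"},
    {"id": "INC-2", "start": "2024-03-02T01:00", "detected": "2024-03-02T01:20", "contained": "2024-03-02T04:20"},
    {"id": "INC-3", "start": "2024-03-03T12:00", "detected": "2024-03-03T19:00", "contained": "2024-03-04T02:00"},
]

def _hours(a: str, b: str) -> float:
    fmt = "%Y-%m-%dT%H:%M"
    return (datetime.strptime(b, fmt) - datetime.strptime(a, fmt)).total_seconds() / 3600

def mean_time_to_detect(incidents) -> float:      # indicator for the "detect faster" goal
    return mean(_hours(i["start"], i["detected"]) for i in incidents)

def mean_time_to_contain(incidents) -> float:     # indicator for the "contain faster" goal
    return mean(_hours(i["detected"], i["contained"]) for i in incidents)

@dataclass
class Metric:
    name: str
    capability: str                 # which member of the SOC Capability Triad owns it
    goal: str                       # GQIM goal the metric serves
    question: str                   # GQIM question the metric answers
    compute: Callable               # indicator computed from raw data
    threshold: float                # value above which the linked decision is triggered
    decision: Optional[str]         # action the metric drives; None means no decision linked
    owner: Optional[str] = None     # stakeholder assigned to monitor/alert on it

def build_dashboard(metrics, incidents):
    """Evaluate each metric; keep only those tied to a decision and an owner."""
    kept, dropped = [], []
    for m in metrics:
        if not m.decision or not m.owner:
            dropped.append(m.name)  # no decision or owner: dump it
            continue
        value = m.compute(incidents)
        breached = value > m.threshold
        kept.append({"metric": m.name, "goal": m.goal, "value": round(value, 2), "breached": breached,
                     "action": m.decision if breached else None, "owner": m.owner})
    return {"dashboard": kept, "dropped": dropped}

SHEET = [  # constructed framework sheet rows
    Metric("MTTD hours", "operations", "Detect intrusions faster", "How long until an attack is noticed?",
           mean_time_to_detect, 4.0, "Tune detection content for the most likely threats", "SOC lead"),
    Metric("MTTC hours", "operations", "Contain incidents faster", "How long from detection to containment?",
           mean_time_to_contain, 4.0, "Add a response playbook and shift staffing", "IR manager"),
    Metric("Alerts per day", "engineering", "Track alert volume", "How many alerts fire?",
           lambda inc: float(len(inc)), 1000.0, None),  # no decision linked, so it is dropped
]
```

Calling `build_dashboard(SHEET, INCIDENTS)` yields two kept rows (MTTD 3.28 h within threshold, MTTC 4.5 h breached with its action set) and drops the alert-volume metric that leads to no decision.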
Finally, Baveja echoed the opening remarks of Rohit Ghai by warning information security professionals against focusing on the most catastrophic threats and urging them instead to prioritize the most likely ones. “Look at the most likely threats to your organization and build your content around that,” he concluded.