To level up your SOC game, take one logical step at a time
January 13, 2020
Sales pitches promising to shut down insider threats, advanced attacks and zero-day exploits are tempting. Who doesn’t like the idea of embedding deception technology and active defenses?
Just keep one thing in mind: While new security technology can be very effective, buying tools and technologies before you have foundational security elements in place can be a recipe for failed expectations and wasted money.
To take your SOC's (security operations center's) game to the next level quickly, first solidify your core capabilities. Once you have mastered the basics, you will get far more out of advanced technologies such as automation, machine learning, advanced analytics and artificial intelligence.
One of the best ways to level up is to first gauge your current capabilities, then develop a methodical road map for upgrading them. One key is ensuring you actually complete each level before moving on to the next. Another is working with an experienced managed security services provider, one that has made the capital investments necessary to help you level up, with qualified staff ready to work hand-in-glove with your SOC team. Of course, you can also self-help if you have the resources and people to get there.
Figure 1 shows a next-gen SOC progression model we developed after analyzing our clients’ SOC capabilities across multiple industries.
[Figure 1: next-gen SOC progression model (image not reproduced). As described in the text that follows, Level 1 is prevention and remediation controls such as firewalls; Level 2 adds a SIEM or data lake and EDR; Level 3 is security automation with a SOAR tool and playbooks; Level 4 is analytics and threat hunting over raw logs; Level 5 is predictive defense using attack graphs and deception.]
The recommended way to use this model is to self-identify your current capabilities in order to plot your next upgrade. Aside from the big banks and large defense integrators, most organizations' SOC capabilities sit at Level 2, with some SIEM (security information and event management) or data lake capability and use cases. This is the second logical step in enterprise security, taken after an organization has adopted prevention and remediation controls. In other words, table stakes for most industry segments is establishing a SIEM or log management capability.
A SIEM or data lake provides the ability to look across the enterprise's logs for indicators of compromise. Benefits include centralized logging and retention, query/search capabilities and the ability to conduct investigations. The lesson here: do not pass go until you have the core components of Level 1 in place, as shown in Figure 1. However, if you have already invested in the most advanced 'silver bullets' in Levels 4 and 5, there is no need to fret. To maximize that investment, it is time to shore up your Level 2 and 3 capabilities in security programs, tools and staffing.
Once your SOC has established Level 2 capabilities, you are well on your way. The next logical progression is security automation, which is where most mature SOCs are developing capabilities today. This is a natural evolution from Level 2, where disparate security tools report log information into a common SIEM or data lake. With security automation, your SOC can detect and act seamlessly on security events across the enterprise. Effective security automation rationalizes individual alerts into attacks and automates operations playbooks so that responses are timely.
Purchasing a SOAR (security orchestration, automation and response) tool means only that the SOC has the core tooling for security automation. Achieving automation requires collecting data, codifying the incidents that need to be triaged and orchestrating the responses that need to be taken through the SOAR tool. This means understanding the threat landscape and checking that your security sensors and controls (such as your EDR tool from Level 2 and your firewalls from Level 1) are integrated into the SOAR tool so that it can both query them and drive responses through them. Most importantly, you should have playbooks in your automation tool that define the sequence of actions to take when threats hit your network. Standard playbooks are a good starting point because they usually address the generic attacks you are likely to experience regardless of industry. However, mature Level 3 capabilities require playbooks tailored to your industry and your organization, based on your threat environment and your specific tool stack.
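The flow just described (collect alerts, rationalize them into incidents, triage against codified criteria, then drive sensors and controls from the playbook) can be shown in a few dozen lines. The block below is an added example written for this page; it is not Accenture's tooling or any vendor's SOAR API. The alert records, the threat-intel list, the connector methods (`isolate_host`, `block_ip`) and the severity rules are all constructed for the illustration.

```python
"""Minimal SOAR-style playbook engine (added example, not a product's code).

An EDR agent and a perimeter firewall (both simulated) emit alerts into the
engine, which groups them into one incident per host, enriches them against a
threat-intel feed, triages them with codified rules, and runs a response
playbook through connectors the SOAR tool controls. All data and connector
behaviour are constructed; the method names are assumptions, not a real API.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed threat-intel feed: destination IPs treated as known C2 infrastructure.
KNOWN_BAD_IPS = {"203.0.113.45", "198.51.100.9"}

# Constructed alerts, in the shape the SIEM might hand them to the SOAR tool.
SAMPLE_ALERTS = [
    {"source": "edr", "host": "ws-042", "user": "jdoe", "type": "suspicious_process",
     "detail": "powershell.exe -enc ...", "dst_ip": None},
    {"source": "firewall", "host": "ws-042", "user": None, "type": "outbound_connection",
     "detail": "tcp/443", "dst_ip": "203.0.113.45"},
    {"source": "firewall", "host": "srv-db01", "user": None, "type": "outbound_connection",
     "detail": "tcp/443", "dst_ip": "192.0.2.10"},  # benign: not in the intel feed
]


@dataclass
class Connectors:
    """Simulated EDR and firewall connectors; a real SOAR tool would call vendor APIs."""
    isolated_hosts: set = field(default_factory=set)
    blocked_ips: set = field(default_factory=set)

    def isolate_host(self, host):
        self.isolated_hosts.add(host)

    def block_ip(self, ip):
        self.blocked_ips.add(ip)


@dataclass
class Incident:
    host: str
    alerts: list
    severity: str = "low"
    actions: list = field(default_factory=list)


def rationalize(alerts):
    """Group individual sensor alerts into one incident per host (alerts -> attacks)."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(dict(a))  # copy so enrichment never mutates the feed
    return [Incident(host=h, alerts=al) for h, al in by_host.items()]


def enrich(incident):
    """Enrichment step: tag any destination that matches the threat-intel feed."""
    for a in incident.alerts:
        a["intel_hit"] = bool(a["dst_ip"]) and a["dst_ip"] in KNOWN_BAD_IPS
    return incident


def triage(incident):
    """Codified triage: an EDR alert plus an intel-confirmed beacon on one host is high."""
    sources = {a["source"] for a in incident.alerts}
    intel_hits = [a for a in incident.alerts if a["intel_hit"]]
    if "edr" in sources and intel_hits:
        incident.severity = "high"
    elif intel_hits or "edr" in sources:
        incident.severity = "medium"
    return incident


def respond(incident, connectors):
    """Playbook response: contain high-severity incidents, queue the rest for an analyst."""
    if incident.severity == "high":
        connectors.isolate_host(incident.host)
        incident.actions.append(f"isolate:{incident.host}")
        for a in incident.alerts:
            if a["intel_hit"]:
                connectors.block_ip(a["dst_ip"])
                incident.actions.append(f"block:{a['dst_ip']}")
    else:
        incident.actions.append("ticket:analyst_review")
    return incident


def run_playbook(alerts, connectors):
    """Run the standard playbook end to end: rationalize -> enrich -> triage -> respond."""
    return [respond(triage(enrich(i)), connectors) for i in rationalize(alerts)]


if __name__ == "__main__":
    conn = Connectors()
    for inc in run_playbook(SAMPLE_ALERTS, conn):
        print(inc.host, inc.severity, inc.actions)
```

The point to take from the example is in `triage` and `respond`: the SOAR tool adds nothing until the decision rules and the response sequence are written down as code, and a tailored Level 3 playbook is one in which those two functions reflect your own tool stack and threat environment rather than the generic rules shown here.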
With successful Level 3 capabilities, you’re nearing the front of the pack. You now have a high-performance, well-tuned machine to triage alerts from security devices using standard and tailored playbooks in your SOAR tool. With the trains running on time, metaphorically speaking, your key performance indicator dashboards are trending in the right direction. Now you’re ready for graduate level SOC work. Think of Level 4 as your master’s and Level 5 as your PhD. Incidentally, not everyone needs a PhD. Don’t sweat it if you don’t get there.
Level 4 capability preferably begins with a data lake or a SIEM that retains raw log sources. With searchable raw logs, you can look for attackers your security devices missed because, for example, they were lurking in the noise. Some people call this threat hunting; it doesn't matter what you call it. The main idea is to leverage analytics, including machine learning, statistics, link analysis, advanced searches, threat intel and integrated analysis, to identify adversaries on your network. In other words, you get an enterprise-wide view across multiple log sources.
This gives you, for example, the ability to detect the lateral movement of adversaries who might be trying to access credentials, evade defenses or exfiltrate data using legitimate user accounts. The beauty of this approach is that you are no longer manually threat hunting on individual machines for indicators of these activities. Now you have analytics running across raw logs over long retention periods to automatically identify issues and generate alerts, which then drive orchestrated responses from the SOAR engine. If you can begin to identify attacks your security tools haven't, you're doing true graduate-level SOC work.
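As an added illustration of the lateral-movement case above (written for this page, not taken from Accenture or any SIEM product), the block below runs one analytic across an enterprise-wide set of raw logon events instead of inspecting hosts one at a time. The log lines, host and account names, the key=value format and the window/threshold values are all constructed for the example; the event IDs 4624/4625 and logon type 3 are the Windows meanings (successful/failed logon, network logon), but the line layout is not any real product's schema.

```python
"""Lateral-movement analytic over raw logon events (added example, not a product's code).

Fires when a single account makes successful network logons to an unusual number
of distinct hosts inside a short window, a common signature of an attacker
moving laterally with stolen credentials. Everything here (log format, hosts,
accounts, thresholds) is constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed raw log lines. event=4624 is a successful logon, 4625 a failure;
# logon_type=3 is a network logon, logon_type=2 an interactive (console) logon.
RAW_LOGS = """
2020-01-13T09:00:05Z host=srv-fs01 event=4624 logon_type=3 user=svc-backup src_ip=10.0.5.20
2020-01-13T09:00:30Z host=ws-017 event=4624 logon_type=2 user=jdoe src_ip=10.0.9.17
2020-01-13T11:02:10Z host=srv-fs02 event=4624 logon_type=3 user=svc-backup src_ip=10.0.5.20
2020-01-13T13:15:01Z host=srv-fs01 event=4624 logon_type=3 user=jdoe src_ip=10.0.9.17
2020-01-13T13:16:44Z host=srv-app03 event=4624 logon_type=3 user=jdoe src_ip=10.0.9.17
2020-01-13T13:17:12Z host=srv-app03 event=4625 logon_type=3 user=jdoe src_ip=10.0.9.17
2020-01-13T13:18:59Z host=srv-db01 event=4624 logon_type=3 user=jdoe src_ip=10.0.9.17
2020-01-13T13:21:30Z host=dc-01 event=4624 logon_type=3 user=jdoe src_ip=10.0.9.17
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict; None for blank/garbled lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_logs(text):
    return [r for r in (parse_line(l) for l in text.strip().splitlines()) if r]


def detect_lateral_movement(records, window=timedelta(minutes=10), min_hosts=3):
    """Flag accounts with successful network logons to >= min_hosts distinct hosts within window.

    A sliding window per account keeps only the recent (timestamp, host) pairs, so
    the analytic runs in one pass over logs of any retention length. One alert per
    account is emitted so the SOAR playbook receives a single incident, not a flood.
    """
    recent = defaultdict(deque)   # user -> deque of (ts, host) still inside the window
    alerted = set()
    alerts = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r.get("event") != "4624" or r.get("logon_type") != "3":
            continue                       # failed or console logons are not movement
        q = recent[r["user"]]
        q.append((r["ts"], r["host"]))
        while q and r["ts"] - q[0][0] > window:
            q.popleft()
        hosts = sorted({h for _, h in q})
        if len(hosts) >= min_hosts and r["user"] not in alerted:
            alerted.add(r["user"])
            alerts.append({"user": r["user"], "hosts": hosts,
                           "src_ip": r["src_ip"], "at": r["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_lateral_movement(parse_logs(RAW_LOGS)):
        print(a)
```

Run against the constructed lines, the service account that touches two file servers hours apart stays quiet, while `jdoe` reaching three servers from one workstation in four minutes produces a single alert carrying the account, the source IP and the hosts touched, which is exactly the record a Level 3 playbook needs to isolate the source host and pull the account's sessions. In production the threshold would come from a per-account baseline rather than a fixed number.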
Extending your capability further means getting ahead of the adversary. You want to be able to predict where they are likely to strike next, using attack graphs for example. Instrumenting these paths and proactively blocking the movement of attackers is PhD-level SOC work. You may also wind up using deception or "honey" docs to get adversaries to reveal themselves or, at minimum, make them spend additional time and resources, disrupting their plans. Keep in mind that these capabilities are aspirational for many and not well suited for organizations still trying to get through Level 2.
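The attack-graph idea above can be made concrete with a small model. The block below is an added example for this page and not Accenture's method or any product's engine: hosts are nodes, a directed edge means an attacker on the source host can reach the target, and the code enumerates the shortest attack paths from a foothold to the asset you most want to protect, finds the edges every path shares (the choke points worth instrumenting or blocking first), and iterates until no path remains. The graph, host names and technique labels are constructed for the illustration.

```python
"""Attack-graph analysis for proactive blocking (added example, not a product's code).

Nodes are hosts; graph[src][dst] is a constructed label for the technique that
lets an attacker on src reach dst (cached credential, admin share, and so on).
Given a foothold and a crown-jewel host, we list the shortest attack paths,
find the choke-point edges common to all of them, and greedily block choke
points until the target is unreachable. All graph contents are constructed.
"""
from collections import deque

# Constructed attack graph: src -> {dst: technique label}.
ATTACK_GRAPH = {
    "ws-042":    {"ws-017": "smb-admin-share", "srv-file": "smb-admin-share"},
    "ws-017":    {"srv-app03": "rdp-cached-cred"},
    "srv-file":  {"srv-app03": "rdp-cached-cred"},
    "srv-app03": {"srv-db01": "sql-sa-reuse", "dc-01": "kerberoast"},
    "dc-01":     {"srv-db01": "domain-admin"},
    "srv-db01":  {},
}


def shortest_paths(graph, start, goal):
    """Return every shortest path (as a node list) from start to goal, via layered BFS."""
    dist = {start: 0}
    parents = {start: []}
    queue = deque([start])
    while queue:
        n = queue.popleft()
        for m in graph.get(n, {}):
            if m not in dist:
                dist[m] = dist[n] + 1
                parents[m] = [n]
                queue.append(m)
            elif dist[m] == dist[n] + 1:
                parents[m].append(n)      # another parent on an equally short path
    if goal not in dist:
        return []

    def build(node):
        if node == start:
            return [[start]]
        return [p + [node] for par in parents[node] for p in build(par)]

    return build(goal)


def choke_points(paths):
    """Edges present on every path: blocking any one of them cuts all of these paths."""
    if not paths:
        return set()
    edge_sets = [{(p[i], p[i + 1]) for i in range(len(p) - 1)} for p in paths]
    return set.intersection(*edge_sets)


def block_edge(graph, edge):
    """Return a copy of the graph with a control applied, i.e. the edge removed."""
    src, dst = edge
    new = {n: dict(e) for n, e in graph.items()}
    new[src].pop(dst, None)
    return new


def any_path(graph, start, goal):
    return bool(shortest_paths(graph, start, goal))


def blocking_plan(graph, start, goal):
    """Greedily block one choke-point edge at a time until goal is unreachable from start.

    Each pass recomputes shortest paths, so a control that merely lengthens the
    attacker's route is never mistaken for one that removes it. The choice is
    greedy, not a true minimum cut, but it orders the controls to deploy first.
    Returns [(edge, technique_label), ...] in the order they were blocked.
    """
    g, plan = graph, []
    while any_path(g, start, goal):
        paths = shortest_paths(g, start, goal)
        cps = choke_points(paths)
        edge = min(cps) if cps else (paths[0][0], paths[0][1])  # disjoint paths: cut the first hop
        plan.append((edge, g[edge[0]][edge[1]]))
        g = block_edge(g, edge)
    return plan


if __name__ == "__main__":
    for edge, technique in blocking_plan(ATTACK_GRAPH, "ws-042", "srv-db01"):
        print(f"block {edge[0]} -> {edge[1]} ({technique})")
```

On the constructed graph both shortest routes from the workstation foothold funnel through the application server's reuse of the database `sa` credential, so that edge is the first control; once it is cut, the attacker's best route runs through the domain controller, and the second pass picks that up. That iteration is the practical lesson: blocking the single most obvious hop is not enough, and the graph has to be re-evaluated after each control, which is why the text places this at the aspirational end of the model.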
Understanding both where you are and the path forward in establishing operational excellence in SOC capability will change your posture from reactive to proactive against threats. Then, and only then, reach for those silver bullets to slay those advanced persistent threats. A good managed services provider will partner with you to help you graduate to the next level of maturity more quickly and less expensively.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
Copyright © 2020 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks