Security Operations Centers (SOC) provide businesses with the ability to see what’s going on in order to respond accordingly. SOC teams rely on the ability to learn skills and processes on-the-fly to meet expectations from stakeholders across the business and combat an ever-evolving persistent cyber threat. One of the critical contributors to any SOC’s success is skill availability. While technical experts and vendors have done great work building cybersecurity solutions, a SOC is nothing without the right people.
The majority of SOCs today struggle to justify their value to the business. Cybersecurity represents a vague and fairly intangible field of work that cannot be quantified through profit margins and in the absence of compromise or breach businesses are prone to undervaluing a SOC’s criticality to the business. This business reality coupled with the inherent challenge associated with safeguarding businesses physical and logical assets makes running a SOC an incredibly daunting task. And so it should come as no surprise that the most challenging and critical roles for a SOC to staff are its leaders.
SOC leadership (director, manager, shift leads, senior analysts, etc.) must be able to understand the larger cybersecurity picture, translate security into the language of the business, and hold some degree of deep technical knowledge matured over a long cybersecurity career. The wrong leadership in a SOC can lead to over-promising, under-delivering which effectively defeats a SOC from within especially if they have yet to develop a track record of success. Throughout my career, I have witnessed SOC leadership either succeed or fail based on how they navigate through three very common pitfalls found within a SOC.
Here are the three most common pitfalls SOC leaders should avoid:
1. Negative Reinforcement
The SOC leadership team has a responsibility to ensure they are providing the appropriate level of training and mentoring to the younger and less experienced security analysts. They must be sensitive and actively aware when they reward, discipline, or punish any individual on the team. For a SOC that’s ever-evolving, discipline and punishment tend to reduce the free thinking successful SOC’s depend on. Disciplining or punishing a security analyst that took liberties with data to improve their work efficiency could decrease the likelihood that they would innovate or improve upon operation processes in the future, even if it represents a positive step forward in operational maturity. It is imperative that a SOC’s leadership team be cognizant of how they apply positive and negative reinforcement as to not steer an individual away from innovating on security tools and processes, which may result in better operational practices and instead explore methods that provide constructive reinforcement and help analysts learn how to make better decisions.
2. Muddled Communication
A very simple and quick win for any SOC leader is to apply simple communication practices into their daily activities. For instance, if a leader is making a decision on behalf of a security analyst then it is very important that the leader communicates their intent and thought processes to the security analyst. Little things like data normalization and timestamp assumptions can make a world of difference. Maintaining a transparent level of communication with your team will help them understand their role in the larger picture and enable them to better position themselves for success. Time is extremely valuable in a SOC and less abstraction from data is critical to understanding the intricacies of complex systems and improving response times.
3. Unrealistic Expectations
The phrase “real-time detection” has become commonplace marketing lingo for cybersecurity tools but it has also created a new paradigm that puts the quality and accuracy of analysis at risk. While systems and tools may provide real-time detection and analysis over data, human interpretation operates at a slower speed. Most SOC leaders today believe that if an analyst receives an alert and is presented with some degree of data that they will then be able to make a rapid decision on whether or not a breach has occurred, and to what extent. This places immense pressure on the SOC team and the mandate for a quick and final decision is not grounded in the needs of the situation at hand, but rather, the unrealistic expectation placed on the team. It is logically unreasonable to expect to detect and ascertain all of the pertinent details of a potential compromise in any kind of manner that resembles real-time or near real-time. Even if a security analyst is able to determine that malware has been installed and C2 communication is present, they still don’t know how the attacker got in, what other machines they are interacting with, the nature of the attacker (structured or unstructured), or if an attack if ongoing. The average statistics on real-world cyber attacks illustrates that attackers will often persist within a network for up to a year before executing the attack. As a SOC leader, it is critical that you consider the sheer volume of planning and preparation that the attacker is bringing to the table and that you respond calmly and ensure analysis quality, efficiency, and consistency across the team.