Measuring SOC effectiveness – An Integrated SOC
A Security Operations Center (SOC) is an integral function of information security operations for most businesses that depend heavily on online transactions. This is not only because of statutory or regulatory mandates; organisations also want to continuously assess their security posture and monitor threats to their IT infrastructure. Consumers of their services or products, too, expect providers to take full responsibility for securing their data and transactions.
Most of the SOC implementations that I came across during my service tenure, however, are implemented as one function of security operations that is disconnected from, or only loosely coupled with, the other security functions. Conventionally, the effectiveness of such a SOC is measured through metrics derived from the objectives set for the SOC deployment.
I am sure that the senior management of any organisation would like to see all security functions tightly coupled with the SOC in terms of technology, processes and people, so that they complement each other, simplify operations, enable tracking at multiple levels and share responsibilities. This increases the overall effectiveness of security operations and reduces operating cost as well.
Below are my views with respect to an Integrated SOC. I would appreciate your comments on them.
It is often said that an effective SOC needs to strike the right balance between the People, Process and Technology components. So let us look at the integrations that, in my observation, are missing in many deployments.
In general, all IT infrastructure and security components are integrated with a SIEM tool for centralised logging and event correlation. However, not all security functions are integrated with the SOC.
- Vulnerability Management: This function is usually handled by a separate team that follows up with the teams responsible for remediating the observed vulnerabilities. The SOC is only minimally informed of the results, although it is critical for analysts to know which open vulnerabilities affect the critical assets they monitor, so that an event against a vulnerable asset can be prioritised accordingly.
- Threat Intelligence: Most of the time threat intelligence is fed into the SIEM tool and consumed by the SOC team. However, the same feeds can benefit the Incident Response and Vulnerability Management teams as well: indicators of compromise help responders scope an incident, and intelligence on vulnerabilities that are being actively exploited helps the vulnerability team prioritise remediation.
- Digital Forensics: SIEM/logging tools provide some forensic capability: they retain logs as evidence, support their use for analysis and offer reporting features. A SIEM, however, holds only the log data that was sent to it; a complete forensic capability also needs preserved evidence such as disk and memory images, with a documented chain of custody. An effective digital forensics strategy is therefore complementary to, and an enhancement of, many information security functions such as Asset Management, Risk Management, Incident Response, Security Monitoring, Security Training and DR/BCP.
- GRC: Some metric and compliance reports are taken from the SOC as inputs to GRC, while other reports are extracted from different tools for senior management presentation and review. Ideally all such inputs should come from the SOC in an integrated manner.
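To make the Vulnerability Management and Threat Intelligence integrations above concrete, here is an added example (not code from the original post, and not any vendor's SIEM logic) that joins three sources that are usually kept apart: a SIEM event stream, a threat-intelligence feed and vulnerability-scan output. One enrichment pass produces an alert for the SOC that already carries the context the Incident Response and Vulnerability Management teams need, and the same intelligence re-orders the VM remediation queue. All events, assets and indicators are constructed for the example (addresses are from the TEST-NET documentation ranges), and the field names, scoring weights and priority thresholds are assumptions to be replaced by your own.

```python
"""Added example: correlate SIEM events with threat intelligence and
vulnerability-scan data so one enriched record serves SOC, IR and VM.

All data below is constructed for the example. Field names, scoring
weights and P1/P2/P3 thresholds are assumptions, not any SIEM's schema.
"""
from dataclasses import dataclass, field

# Constructed threat-intelligence feed: known-bad source IPs and CVEs
# reported as exploited in the wild.
THREAT_INTEL = {
    "bad_ips": {"203.0.113.10", "198.51.100.7"},
    "exploited_cves": {"CVE-2021-44228", "CVE-2019-0708"},
}

# Constructed vulnerability-scan output: asset -> address, business
# criticality and the CVEs still open on it.
VULN_SCAN = {
    "web-01": {"ip": "10.0.1.5", "criticality": "high", "cves": {"CVE-2021-44228"}},
    "rdp-gw": {"ip": "10.0.2.9", "criticality": "high", "cves": {"CVE-2019-0708"}},
    "dev-03": {"ip": "10.0.3.14", "criticality": "low", "cves": {"CVE-2019-0708"}},
    "hr-db": {"ip": "10.0.4.2", "criticality": "high", "cves": set()},
}

# Constructed SIEM events, as a firewall log forwarded by a SIEM might look.
SIEM_EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "src": "203.0.113.10", "dst": "10.0.1.5", "action": "allow"},
    {"ts": "2024-05-01T10:00:05Z", "src": "192.0.2.44", "dst": "10.0.4.2", "action": "deny"},
    {"ts": "2024-05-01T10:01:00Z", "src": "198.51.100.7", "dst": "10.0.3.14", "action": "allow"},
    {"ts": "2024-05-01T10:02:00Z", "src": "192.0.2.9", "dst": "10.0.2.9", "action": "allow"},
]


@dataclass
class Alert:
    ts: str
    src: str
    asset: str
    priority: str
    reasons: list[str] = field(default_factory=list)
    route_to: list[str] = field(default_factory=list)


def asset_for_ip(ip, scan=VULN_SCAN):
    """Map a destination address back to the scanned asset, if known."""
    for name, info in scan.items():
        if info["ip"] == ip:
            return name, info
    return None, None


def enrich_events(events=SIEM_EVENTS, ti=THREAT_INTEL, scan=VULN_SCAN):
    """Return one Alert per event that touches a known-bad indicator or a
    vulnerable asset. Scoring (assumed): +2 bad source, +2 exploited CVE
    on the target, +1 high-criticality target, -1 if the boundary blocked it.
    """
    alerts = []
    for ev in events:
        name, info = asset_for_ip(ev["dst"], scan)
        reasons, route, score = [], [], 0
        if ev["src"] in ti["bad_ips"]:
            reasons.append("source IP is a known-bad indicator")
            score += 2
            route.append("IR")          # responders scope the intrusion
        if info:
            exploited = info["cves"] & ti["exploited_cves"]
            if exploited:
                reasons.append(f"target has exploited CVE(s): {sorted(exploited)}")
                score += 2
                route.append("VM")      # vulnerability team gets a hot finding
            if info["criticality"] == "high":
                score += 1
        if ev["action"] == "deny":
            score -= 1
        if not reasons:
            continue                    # nothing from TI or VM applies; stays a plain log line
        priority = "P1" if score >= 5 else "P2" if score >= 3 else "P3"
        alerts.append(Alert(ev["ts"], ev["src"], name or ev["dst"], priority, reasons, ["SOC"] + route))
    return alerts


def vm_remediation_queue(scan=VULN_SCAN, ti=THREAT_INTEL):
    """Order open findings for the VM team: exploited-in-the-wild CVEs on
    high-criticality assets first, using the same intelligence the SOC gets."""
    rows = []
    for name, info in scan.items():
        for cve in info["cves"]:
            rank = (cve in ti["exploited_cves"], info["criticality"] == "high")
            rows.append((name, cve, rank))
    rows.sort(key=lambda r: r[2], reverse=True)
    return [(name, cve) for name, cve, _ in rows]


if __name__ == "__main__":
    for a in enrich_events():
        print(a.priority, a.ts, a.src, "->", a.asset, a.route_to, "; ".join(a.reasons))
    print("VM queue:", vm_remediation_queue())
```

Running it yields three alerts from four events: the known-bad source hitting the Log4Shell-vulnerable, high-criticality web server is P1 and routed to SOC, IR and VM; the same kind of source hitting a low-criticality dev box is P2; and an unknown source reaching the RDP gateway with an exploited CVE is P2 for SOC and VM only. The denied connection to the database stays a log line. The same feed puts the two exploited findings on high-criticality assets at the head of the VM queue, which is the cross-team use of threat intelligence the list above argues for.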
In general, SOC processes are devised to manage daily SOC operations efficiently.
There is a need for defined and documented processes among all the relevant security teams that are integrated with the SOC, covering:
- Direction: to set objectives for each team
- Analysis: of the data
- Dissemination: of the information to the relevant teams
- Feedback: formal feedback from the relevant teams
Generally, different teams and roles are formed within the SOC to perform specific tasks and to manage technology-specific functions. This leads to fragmented security responsibilities, and the teams have to work hard to coordinate their efforts.
Integrating all functions with the SOC improves the shared responsibility of the teams and enables tracking of issues at multiple levels.
Role-specific dashboards or views can also be considered, so that each team sees the data relevant to its own function.