25.11.2019 | Bruno Blumenthal
In Our SOC We Trust: On the Importance of Trust
The common blueprints for setting up a Security Operation Center (SOC) often lack an important element, namely trust in the SOC by the organization it is supposed to protect. When the inevitable critical incident occurs, this is of the utmost importance because management should be able to rely on the analyses and recommendations of its SO.
Would you like to set up a SOC or introduce a managed SOC?
Regardless of whether you operate your SOC yourself, outsource it or take a hybrid approach, you will need sensors and log data, probably a SIEM to search, analyze and correlate it and, of course, qualified security analysts to process all the alarms and respond to incidents. The SOC also needs clearly defined interfaces to IT operations and management. But there is another important element that is often underestimated when setting up a successful SOC: Trust. The need for trust is usually considered in the context of the exchange of information between SOCs and CERTs. For example, CERT organizations such as FIRST or Trusted Introducers require existing members to vouch for new members. But what about the organization’s trust in its own SOC?
When the inevitable happens and you are faced with a critical security incident, it is of utmost importance that the organization and especially the management know that they can rely on the analysis and recommendations of the SOC. After all, there are difficult decisions to be made. Systems may need to be shut down, network connections disconnected or emergency changes implemented in production. You may even want to observe the attacker before intervening in order to better understand the full extent of the compromise. Ultimately, the management must decide and rely on the expertise of the SOC. But even for small incidents, a trusting relationship between the SOC and IT operations can contribute significantly to efficient handling. And if employees trust the SOC, they will report mistakes they have made and be honest when asked what they did or did not do.
However, trust can neither be commanded nor bought. Trust must be earned. So how can you build trust in your SOC? To become trustworthy, the SOC needs positive visibility, which is not easy because its job is to find things that are by definition not positive.
Three strategies how your SOC can get a positive image of a trustworthy partner
First, be reactive and communicate. When people report incidents or security issues, give rasc feedback. When users contact the SOC after clicking on a link in a phishing email, refrain from blaming and instead thank them for reporting. Talk about incidents, how you dealt with them and how they can be avoided in the future. Improved monitoring and faster response from the SOC will reduce the time it takes to detect incidents. Report this to management so that they can see the added value of the SOC. It is small things in your behavior and communication that can have a big impact.
Secondly, integrate confidence-building activities into your incident planning. Starting small and then growing is one of the success factors in building a SOC. First, you need to decide which use cases you want to address first and what capabilities your SOC needs to start with. During this initial prioritization, you should also keep an eye on positive visibility. Identify key stakeholders in management and IT operations who can benefit from a use case visibility. Where appropriate, explicitly include communication and self-promotion as activities in your playbooks. However, be careful not to disclose confidential information about security vulnerabilities and do not blame the victims (e.g. the “stupid” user) in the communication.
Thirdly, look for use cases where you can reduce preventive protection measures thanks to the new detection capabilities and thus reduce the burden on users. Finally, you now have a SOC that enables rapid detection and response. For example, identify access restrictions with many false positives (unjustified access denials) and instead look for indicators, such as unusual times or access locations, with which you can identify suspicious access. Instead of a restrictive access policy with many false positives, you can set up improved monitoring, relax the access policy and thus reduce the impact on users. Or use the monitoring capability and threat intelligence of the SOC to detect and ward off attacks on known vulnerabilities. This gives IT time to patch the system properly and without the risk of downtime.
This third strategy is more for your medium-term goals, but if you keep it in mind from the start, it will help you develop the right mindset to create effective value for your organization.
In summary, it is important to understand that in an emergency, management wants to know who to call and who to trust. If the SOC has to introduce itself first or leadership thinks they are the ones always shouting Wol, your SOC will not be able to fulfill its mission and protect the organization from further damage. So build your SOC from the ground up with the goal of being a trusted partner for your organization.
The content of this article was also presented by Bruno Blumenthal during a speech at the Swiss Cyber Storm 2019. The corresponding slides can be downloaded from our website.