Every security operations center (SOC) team is different, and for smaller teams, even small challenges can seem big.
I started my career in cybersecurity as part of a smaller team, and eventually grew into a SOC role. During that time, I gained a good deal of knowledge about the dos and don’ts of what a small SOC team needs to do in order to be successful.
October is Cybersecurity Awareness Month, and in that spirit, I worked with other members of the security team here at Logz.io to offer you a number of tips and tricks small SOC teams can use.
These can be relevant for teams as they organize their security practice, approach security challenges, maintain the right kinds of tooling and processes to get the job done, and keep the members of those teams together for the long haul.
In this post, I’ll talk about tips around managing security talent and building processes. We’ll have more in a future post.
Start with someone senior. Get someone in an organizational role for your SOC who is doing more than just responding to each customer individually over time. You can’t have a mentorship program for newer team members unless you have a mentor. Hire your most tenured person first and then work your way around the talent pool from there.
Grow your own talent. Earlier this year, my colleague Eric Thomas wrote extensively about how to grow your own cybersecurity talent. You should read his entire piece if you haven’t, but to summarize: Don’t get hung up on finding people for your small SOC team who have a technical background. Find a collaborative security training model that works for your team. And, do right by your people to ensure they stay, which we’ll discuss more in a future post.
Structure your team correctly. Don’t rush into tiers for your analysts. Treat everybody as peers and equals, and divide their time among the types of tasks that would otherwise be handled by tiered analysts. In other words, everybody has a certain percentage of event investigation time, alert fidelity analysis, data visualization, etc. This helps keep your staff happy, because they won’t be tied up in as much monotony.
Partner with your IT staff. When you have a very close relationship with IT, or DevOps, you have a whole other set of eyes that can explain what’s going on in your environment. They can help explain the function of a particular system, or help you with gaps in your asset inventory, and potentially even spot weird or unexpected things going on. You want those teams to feel like a trusted partner with your SOC. You’re working to develop a culture of serving the needs of IT and the business, as opposed to being the cops.
Plan for tools to be instrumented in partnership with IT. Develop a plan for how to figure out what assets you need to instrument in partnership with IT. A lot will come from IT/DevOps directly (i.e., “this is what we want logged, and this is what we care about,” etc).
It’s hard to keep track of machines that are being turned on and off, and knowing what’s coming into the environment. It’s a constant process, just like anything else in security. It’s not an easy thing to solve for, but a smaller company by its nature should have less stuff to find. Either way, planning that tooling with other entities is critical.
Document everything. Keep them in one centralized location, such as Confluence or a similar tool. At my previous company, we had “philosophy” articles being posted to our Confluence page. These were things like: Why do we tune alerts? What is the philosophy behind suppressing alerts?
Start documenting early on, because things very quickly can spiral out of control otherwise. It can set you up for failure in the future when you’re hiring more and more people while building up your SOC. It’s much harder to go back and correct it than it is to start the right way from the beginning.
Stay tuned for more tips and tricks next time!