It’s Cybersecurity Awareness Month, and in that spirit, we’re offering a number of tips and tricks small security operations center (SOC) teams can use. 

I started my career working as part of a small SOC team, and working with other security experts here at, we’re happy to offer these to small SOC teams who can often use all the help they can get!

In the last post, we talked about managing security talent and building processes. This time, let’s get more into cybersecurity tooling for the small SOC, and how to keep your talent in place in an area where retention isn’t always easy.

How to Get the Right Small SOC Tooling in Place

Review your tooling. Make sure that everything you use, not just security tooling but every operational tool that is designed to do something, is the right fit for what you’re doing. Getting into that process of reviewing what you have, and then figuring out what needs to be improved versus what you can work with now, is important too.

Determine the best tooling model. Related to the tooling: there’s always the classic single-vendor, multi-vendor question. Do you want a single throat to choke, as they say? Are you going to get better pricing? Does that vendor carry every type of product that you would ever want?

On the flip side, technologically, do you want the freedom to select the best of breed, given that most vendor tool sets were built by acquisition and loose integration? There’s not much of an advantage to having them all together, whereas you can build out the stack yourself, given what you prefer. Cost is obviously a huge question there as well, and must be considered.

Get your alert trending in order. Figure out what’s triggering across a lot of different environments, and at what volumes, and get visibility into that. That’s not something that’s native to every SOC and doesn’t always exist. You get into a flow where you have a familiarity with what certain alerts mean and what they do, and you’re only getting so much information from a single alert. 

As somebody who’s going through that process, you’re not really doing too much in terms of making sure that the underlying issue with outliers is being fixed. Something that massively improved our quality of life at my previous company was going through a huge alert trending process. That involves setting up our own alert stack, sending all of those alerts to the ELK stack and using those digitalization tools. 
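As an added illustration of alert trending (not code from the original post), this Python sketch counts alerts per environment and rule per day, ranks the noisiest rules, and flags days whose volume is far above the median day. The field names (`ts`, `env`, `rule`), the sample alerts and the thresholds are assumptions constructed for the example.

```python
import json
from collections import Counter, defaultdict
from statistics import median

def build_sample():
    """Constructed sample: one JSON alert per line; field names are assumed."""
    lines = []
    for day in range(1, 8):
        date = f"2024-10-{day:02d}"
        def alert(env, rule):
            return json.dumps({"ts": f"{date}T08:00:00Z", "env": env, "rule": rule})
        lines += [alert("prod", "ssh_bruteforce")] * (400 if day == 6 else 40)
        lines += [alert("dev", "ssh_bruteforce")] * 5
        lines += [alert("prod", "new_admin_user")] * (1 if day % 3 == 0 else 0)
    return lines

SAMPLE_ALERTS = build_sample()

def daily_counts(lines):
    """Return {(env, rule): Counter({date: count})} from JSON-lines alerts."""
    counts = defaultdict(Counter)
    for line in lines:
        a = json.loads(line)
        counts[(a["env"], a["rule"])][a["ts"][:10]] += 1
    return counts

def noisiest(counts, n=3):
    """Rules ranked by total volume: the first candidates for tuning."""
    return Counter({k: sum(v.values()) for k, v in counts.items()}).most_common(n)

def outlier_days(counts, factor=3.0, min_count=10):
    """Flag (key, date, count, baseline) where a day exceeds factor x the median day."""
    all_days = sorted({d for per_day in counts.values() for d in per_day})
    flagged = []
    for key, per_day in counts.items():
        series = [per_day.get(d, 0) for d in all_days]  # quiet days count as zero
        base = median(series)
        for d, c in zip(all_days, series):
            if c >= min_count and c > factor * base:
                flagged.append((key, d, c, base))
    return flagged

if __name__ == "__main__":
    counts = daily_counts(SAMPLE_ALERTS)
    for key, total in noisiest(counts):
        print("total", key, total)
    for key, day, c, base in outlier_days(counts):
        print("outlier", key, day, c, "baseline", base)
```

The `min_count` floor keeps rare, low-volume rules from being flagged just because their median day is zero; those are better reviewed individually than trended.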

Make a call on in-house vs. outsourcing. Decide how much you want to do in house, and how much you want to outsource. Work with vendors who give you a lot of support at the right price tag. See if they’ll take on management for your tooling, and make sure you’re getting a lot of content from them. 

If you do outsource, do your research and get references. Don’t believe you can automatically solve all your problems with outsourcing because, if you do, you’re potentially inviting a whole other set of problems. 

There are things such as tuning alerts, going through alerts, seeing data for yourself, reading blog messages—that’s how you figure out what’s going on in your environment that nobody’s going to tell you on Google. It’s a process you have to go through and you can’t necessarily just outsource that forever.

How to Retain Your Small SOC Talent

Do fun stuff. Once you’ve got your ducks in a row, and you have some semblance of processes in place for how to respond to, organize, and escalate things, then you can start doing fun stuff. You can do exercises where you’re setting up honeypots, where you’re almost getting into the research area of security. That’s an evolution of your standard SOC, where you just have people monitoring things.

Once you’ve done all the boring grunt work of creating the right processes and documentation and tuning your alert fidelity, a lot of which is the boring basics that you need to get to a minimum level of effectiveness, you can get to the promised land where you can allow your non-tiered analysts to add this new stuff to their daily life.

If you want to keep your talent—because retaining SOC talent is really hard—get the basic stuff taken care of and then make the cool stuff part of their day-to-day as well, which will just further mitigate any burnout factor.
