
If you build it, will it be the Security Operations Center (SOC) you need?

Posted by Brandie on March 20, 2016 in Information Security |

Original post for HPE Security Research Blog 9/1/2015

Growing up, my mom used to tell me, “You get the guy you think you deserve.” Luckily, I found one who is better than I deserve, but the same principle applies to many aspects of life. During a conversation at Black Hat, an insurance organization security manager asked me about extending his SOC on a budget. Thinking back to my mom, I asked him a simple question.

Are you building the SOC you want or the one you can afford?

Needless to say, that stopped him in his tracks. There are many variables and many ways to build your security operations organization. At times, there is the temptation to stretch a budget to try and cover as many functions and security ground as possible. Unfortunately, this often leads to organizations that fail to cover anything effectively. In my experience, I see this far too often.

The SOC is an important function, and as much as security managers “get it,” those who control the purse strings sometimes do not understand the expenditure. High-profile breach headlines help start the security conversation, but many organizations still imagine it won’t happen to them. Alternatively, some organizations see the amount spent on a SOC without a major breach and believe the money was wasted. Having the “security talk” with those who don’t understand security can be challenging, but it is something that must be done every single day to protect the business.

Two methods to increase visibility that have worked for many SOCs are metrics and success stories.

What are you seeing in your environment? If the SOC is new and still working on hygiene issues, then tell that story, and yell it from the mountain top. Across the board, operations teams have a difficult time communicating their value to an organization. But to consistently ask for and receive the funding necessary to build the SOC you want, you must convince the organization of that value. To paraphrase the bumper sticker: If you think analytics are expensive, try ignorance. There are several security metrics books; a quick search shows the most popular. There are many resources available to help get you started. I have found that those just starting a metrics program and needing to understand the theory benefit from Security Metrics: A Beginner’s Guide. In addition to the higher-ranked security metrics books available, another work I feel gets overlooked too often is Pragmatic Security Metrics: Applying Metametrics to Information Security. Additional SOC metric recommendations are detailed in previous HP Protect Conference presentations, including this one on SOC maturity available at Protect724. Registration is open to everyone.

I won’t belabor what makes sense for your team to report; there are too many variables between differing organizations. However, don’t focus solely on metrics; another beneficial tool is success stories. Some cases, such as a traveling executive who picked up a data-stealing Trojan, can also be used to show value to the organization. The SOC detected it, helped him get it cleaned, and forensically verified that no data was stolen. That’s a compelling story. Detecting the accounts payable group passing around a .gif cartoon that actually contained malware is another example of a success story. Weave a short narrative around detection and protection that shows how the SOC provides real value to the business. If you have detected something big, it is easy to convey that value, but don’t pass up small opportunities to tell your story. It’s even better if you can use the metrics you’ve collected to add a dollar amount for both real and potential losses. Executives might not be able to tell a rootkit from a router, but they understand dollars, euros, and yen.

Once you receive funding, focus. Prioritize what you believe will add the most value and spend an insane amount making your organization better at it than anyone. Detect bad things, report the results, get more funding, lather, rinse, repeat.

Build the SOC you want, because ultimately, it will be the one the organization needs. They just might not know that.

Yet.

Copyright © 2011-2024 Busy Making Plans All rights reserved.