
Finding the Right Tools for Response and Visibility in the SOC – Source: securityboulevard.com


Source: securityboulevard.com – Author: Sue Poremba

One of the more difficult tasks for a cybersecurity professional—from the CISO to the person responsible for log management in the SOC—is to convey the importance of security, compliance and governance to those within the company who aren’t cybersecurity professionals.

The biggest problem comes at the board level, according to David Ellis, SecureIQLab’s VP of research and corporate relations, and Randy Abrams, senior analyst. During a conversation at RSA Conference 2023, the two pointed out how difficult it is to talk to a company’s board of directors about security. Boards don’t intuitively understand the importance of having the right tools as opposed to the latest and greatest product on the market. You can put it in terms of ROI—the dollars and cents language they best understand—but it is better to put it in terms of return on security investments, or ROSI. And one of the most important investments to make in the SOC is in tools that will improve response and visibility in the SOC.

Alerts Vs. Noise

A great product doesn’t do a whole lot of good if you don’t have visibility into how it is working, said Abrams, so if a mediocre tool offers a good dashboard that proves to do a good job, that’s the product to use—regardless of the market hype around it (or lack thereof).

The most important metric to consider when selecting tools and setting budgets is the alert-to-noise ratio: how many of the events a tool raises actually need an analyst, versus how many are duplicates, benign activity or low-value findings.

“We’re seeing a lot of fatigue,” said Ellis. “You can burn out on the noise and then miss the alerts.”

Anything that can reduce the noise is a big plus. An even bigger bonus is when you have tools that will aggregate, correlate and triage the alerts for you.

When looking at new tools and when talking to the decision-makers and financial arbiters about what your SOC needs, the alert-to-noise ratio will be a prominent selling point. But how do the analysts in the SOC determine what they’ll need? Ellis and Abrams suggested using a checklist that includes the following security concerns (this list can be modified to your organization’s specific needs):

• What alerts do you have to act on immediately? Not every vulnerability or alert will require a ‘fire drill’ response, but you need to be able to differentiate between mission-critical alerts and everything else.

• What type of response time is required for the different levels of alerts?

• Do you have a playbook for alerts? A playbook will define what is mission-critical and offer a guide to the organization’s most valuable data. It will offer metrics around what has to be protected and eliminate the desire to give equal protection to everything.

“You want metrics around what’s most important instead of trying to drive the metrics around everything,” said Ellis. Yes, the temptation to consider everything important is great—it’s in your organization, so it must be important to business operations—but Ellis compared that to the old saying, ‘When you have a hammer, everything looks like a nail.’

You want to avoid looking at SOC tools as the hammer and all assets as the nail, which is often the tech side’s default. Instead, here’s where you build a partnership with business and financial leaders to learn from them the value levels of corporate assets. They should be brought in to help create the playbook; then the tech and SOC teams can build the response.
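The checklist above (which alerts demand immediate action, what response time each level gets, and a playbook that ranks assets by business value) can be turned into a small triage pipeline. The following is an added example, not code from the article or from SecureIQLab: it aggregates repeated alerts, correlates the survivors into one case per host, ranks cases by the asset tier the business side assigned in the playbook, attaches the SLA for that tier, and reports what fraction of the raw feed collapsed as noise. Hostnames, rule names, tiers, SLA values and the sample alert feed are all constructed for illustration.

```python
"""Minimal SOC alert triage: aggregate, correlate, tier against an asset
playbook, and report the alert-to-noise ratio. Example code; all names are
constructed."""
from dataclasses import dataclass, field

# Constructed asset playbook: the business owners assign the value tier,
# the SOC attaches a response SLA (minutes) to each tier.
ASSET_TIER = {
    "pay-db-01": "mission_critical",
    "hr-app-02": "high",
    "dev-vm-17": "low",
}
SLA_MINUTES = {"mission_critical": 15, "high": 60, "low": 1440}

# Constructed rule weights, as a detection tool might emit them.
RULE_WEIGHT = {"ransomware_behaviour": 3, "bruteforce_ssh": 2, "port_scan": 1}


@dataclass
class Alert:
    ts: int    # minutes since an arbitrary epoch
    host: str
    rule: str
    src: str


@dataclass
class Case:
    host: str
    first_ts: int
    rules: set = field(default_factory=set)
    alerts: int = 0


def aggregate(alerts, window=30):
    """Collapse repeated (host, rule) alerts inside `window` minutes into one.
    Repeats within the window are the noise an analyst should never see."""
    last_seen = {}
    kept = []
    for a in sorted(alerts, key=lambda a: a.ts):
        key = (a.host, a.rule)
        if key in last_seen and a.ts - last_seen[key] <= window:
            continue
        last_seen[key] = a.ts
        kept.append(a)
    return kept


def correlate(alerts):
    """Group the distinct alerts for each host into a single case."""
    cases = {}
    for a in alerts:
        case = cases.setdefault(a.host, Case(host=a.host, first_ts=a.ts))
        case.rules.add(a.rule)
        case.alerts += 1
    return list(cases.values())


def triage(cases):
    """Rank cases by playbook tier first, then by combined rule weight.
    Hosts missing from the playbook default to 'low' so an unknown asset
    never outranks a mission-critical one by accident."""
    ranked = []
    for c in cases:
        tier = ASSET_TIER.get(c.host, "low")
        score = sum(RULE_WEIGHT.get(r, 1) for r in c.rules)
        ranked.append({"host": c.host, "tier": tier, "score": score,
                       "rules": sorted(c.rules), "alerts": c.alerts,
                       "sla_min": SLA_MINUTES[tier]})
    order = {"mission_critical": 0, "high": 1, "low": 2}
    ranked.sort(key=lambda r: (order[r["tier"]], -r["score"]))
    return ranked


def noise_ratio(raw_alerts, cases):
    """Fraction of the raw feed that collapsed away before reaching a queue."""
    return 1 - len(cases) / len(raw_alerts) if raw_alerts else 0.0


# Constructed sample feed: a scanner hammering a dev box every 5 minutes,
# two related hits on the payment database, and a brute-force against HR.
SAMPLE = (
    [Alert(t, "dev-vm-17", "port_scan", "10.0.0.9") for t in range(0, 100, 5)]
    + [Alert(40, "pay-db-01", "ransomware_behaviour", "10.0.0.3"),
       Alert(42, "pay-db-01", "bruteforce_ssh", "10.0.0.3"),
       Alert(41, "hr-app-02", "bruteforce_ssh", "10.0.0.5"),
       Alert(43, "hr-app-02", "bruteforce_ssh", "10.0.0.5")]
)


def run(alerts=SAMPLE):
    """Return the ranked queue and the noise ratio for an alert feed."""
    cases = correlate(aggregate(alerts))
    return triage(cases), noise_ratio(alerts, cases)


if __name__ == "__main__":
    queue, ratio = run()
    print(f"noise collapsed: {ratio:.0%}")
    for item in queue:
        print(item)
```

With the constructed feed, 24 raw alerts become three cases, and the payment database lands at the top of the queue with a 15-minute SLA even though the dev box generated far more alerts. Only the tiers and SLAs come from the business side; the aggregation window and rule weights are the SOC's own tuning knobs.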

Visibility Into Your Infrastructure

Tools are a necessary component of the SOC. Having the right tools makes the SOC more efficient and provides better security to the organization as a whole. However, Ellis and Abrams pointed out that you shouldn’t build a SOC to fit the tools; instead, choose tools that fit the SOC. Tools should complement and build on the processes and people already in place. “Don’t pick the tool, then pick the person,” said Ellis. “Tools should organically flow into your process and the capabilities and skills of your people.”

The processes, people and tools should be centered on offering the best visibility into your entire infrastructure and system. That means going beyond the traditional perimeters and selecting tools that will offer visibility into hybrid environments with thousands, if not millions, of endpoints.

In the end, your organization’s ROSI will depend on knowing where your assets are and what assets are most critical and building response times that are appropriate to the level of importance. If a tool isn’t able to keep your SOC abreast of alerts and discern between alerts and noise, it isn’t the right tool.


Original Post URL: https://securityboulevard.com/2023/07/finding-the-right-tools-for-response-and-visibility-in-the-soc/

Category & Tags: CISO Suite,Cybersecurity,Data Security,Endpoint,Featured,Incident Response,Security Boulevard (Original),Spotlight,Board of Directors,endpoint,risk,rsac,SOC,SOC tools
