8 Steps to Improving Your SOC’s Incident Detection & Response

CyberProof’s latest report, the 2022 Cyber Defenders Playbook, provides insight into how to implement effective Security Operations Center (SOC) procedures, by illustrating CyberProof’s collaborative approach to incident detection & response. The report provides six examples of how CyberProof’s Managed Security Services team tackled real-life cybersecurity incidents during 2021.

The goal of this report is to provide insight into our SOC methodology, which can be applied by other SOC teams to improve their SOC operations. Our methodology combines a reliance on high-level, individual expertise, with real-time collaboration and ongoing teamwork. We believe that leveraging diverse kinds of expertise in a collaborative effort creates a powerful force for cyber defense.

If you’re a SOC leader, the following sections have been written with you in mind; we outline how to implement CyberProof’s approach to detection & response, creating more effective SOC operations and improving the pace of threat detection & response within your own organization. Our methodology has the potential to transform SOC work processes and make a significant difference to your risk profile.

How to Apply CyberProof’s Approach to Your SOC

Incident mitigation can best be described as a team sport – one where each of the players has a unique set of skills. For example, at CyberProof our SOC team includes: L1 analysts, L2 analysts, SIEM engineers, Digital Forensic and Incident Response (DFIR) specialists, threat hunters, vulnerability management experts, Endpoint Detection & Response (EDR) experts, and Cyber Threat Intelligence (CTI) analysts.

Of course, not all SOCs have access to such a wide range of resources. But even if your SOC environment is composed exclusively of Level 1 and Level 2 analysts, you can adopt this dual concept – of developing a degree of individual expertise in different areas of cybersecurity, and leveraging that expertise internally by promoting greater real-time collaboration. Let’s explore how.

Step 1: Map Out the Skills That You Need

As the SOC leader, it’s crucial to gain insight into the individual strengths of each person on your SOC team. This will help you figure out who is best equipped to master a new area of knowledge.

Of course, experienced SOC analysts already come with in-depth security training, a background in security operations, and an understanding of network protocols, Operating System (OS) security, log analysis, and more. Generally, they also have strong teamwork skills. This is a very good starting point. But the next step involves getting to know the unique capabilities of each member of the SOC team, which will help you find the best match between person and specialty.

Every area of cybersecurity expertise requires a specific set of personal characteristics and professional skills – for example:

  • Threat Intelligence – Requires an ability to conduct in-depth research online, make connections between different types of information and pull together the “pieces of the puzzle” under pressure. Threat intelligence analysts are eager learners and good listeners.
  • Threat Hunting – Relies on curiosity – an inquisitive mind and an interest in searching for patterns, identifying the anomalies and uncovering the key points hiding in data sets. Threat Hunting also requires flexibility to adjust and develop as required by changing circumstances.
  • Digital Forensics & Incident Response (DFIR) – Must thrive on juggling multiple critical tasks, handling not just the technical and analytical perspectives but also business-related areas. Aside from fluency in the primary cybersecurity technologies, DFIR experts need to be self-starters with a strong drive – but also must be cooperative, open-minded, focused, and able to work under pressure.
  • Endpoint Detection & Response (EDR) – Needs strong logical capabilities in emergency situations, a high level of understanding of endpoint security, and the type of critical thinking that – when applied to technical analysis – supports rapid problem solving. EDR specialists should have an interest in testing and gaining expertise in a variety of EDR products.

Step 2: Take A Closer Look at Your SOC Team

As a SOC team leader, perhaps one of the most important decisions you can make is the choice to dedicate resources to developing in-house expertise. To do so, first you’ll want to identify who on your team might be interested in gaining new skills. Then, speak with each of these individuals about taking responsibility for a specific area of knowledge. For example, here’s one way to do it:

  • One analyst starts training in threat intelligence; this individual will start providing information about IoCs to the rest of the team.
  • Another analyst studies threat hunting; this person can start proactively searching for information about threats and creating hunting hypotheses relevant to the environment.
  • A third analyst focuses on intrusion detection; this person learns how to detect threats across data sets and identify exploitation attempts.

Step 3: Invest Time in Training

Individuals who have been selected to undergo training should create a schedule that allows them to use 15–20 percent of their work time to develop their new areas of expertise.

While this might sound like a big investment, keep in mind that supporting training is a “Win-Win” situation: By providing opportunities for professional growth, you end up creating a team that’s capable of faster, more sophisticated detection & response.

It’s also likely that you will improve the SOC’s retention rates. Individuals receiving time or money for training might be asked for a commitment to stay with the company for a specified period after training is completed. And even without this in the contract, you may see improved retention rates anyway – because self-development tends to encourage a greater sense of professional satisfaction and loyalty. Where people feel valued, they are more likely to stay.

Step 4: Use the Available Educational Resources

There are many ways to gain expertise in areas such as threat intelligence, threat hunting, incident response, vulnerability management, and more. Videos, articles, and different types of guides are freely available online.

Build an internal knowledge base using available resources and develop a curriculum around it that can be used by multiple people.

Where more in-depth knowledge on a particular topic is necessary, paid courses may be an option. Generally, an analyst will be asked to commit to staying for a defined time, in exchange for the company covering the cost of an advanced course.

Step 5: Create Simulation Scenarios

The old adage, “Practice makes perfect,” applies here.

Investing in SOC simulations will make analysts sharper by giving them additional practice with various processes and procedures. Create testing playbooks that will help keep your team in shape.

Step 6: Automate Repetitive Tasks

In almost every SOC environment, there are simple tasks and processes that are repeated over and over. Consider building automated processes that eliminate these burdensome tasks – leaving SOC analysts with more time to handle significant incidents and investigate true-positive attacks.

You can use SOAR platforms, Jupyter Notebooks, Azure Logic Apps, or other types of automation systems.

Step 7: Consider Working with an Advanced MDR Provider

In some situations, you may find you need to consult with external experts who have encountered a broad range of incidents. That’s where an advanced Managed Detection & Response (MDR) provider, whose team has a wide range of experience, can fill the gap.

Working with an MDR provider like CyberProof has the added advantage of leveraging our unique CyberProof Defense Center (CDC) platform, which provides full transparency into security operations in real time – and supports ongoing collaboration between your team and CyberProof’s team.

Step 8: Leverage Expertise in Your Daily SOC Operations

To some extent, it’s a question of definition: Once you have someone on the team who is responsible for threat intelligence, for example, your team will naturally start to turn to that individual with related questions. However, if you want to get the most out of having in-house expertise, it needs to go further than that. Formalize the role of each expert and integrate it into your SOC’s standard procedures.

Read about how CyberProof’s SOC team collaborates across teams and shares information and expertise in real time in the 2022 Cyber Defenders Playbook for further insight. This report provides examples of how to build up your security processes to take full advantage of real-time collaboration across the team, leveraging the knowledge provided by each kind of cybersecurity expert.