We’re delighted to have had the opportunity to present at InfoSecurity Europe 2021! Jaimon Thomas, Global Head, Security Solutions at CyberProof, and Sinu Peter, Principal Security Architect, presented on the topic of “Smarter Security Operations with a Hybrid SOC.” You can listen to their presentation on-demand here.
Some of their key points included:
Transparency and Collaboration
Sinu emphasized how important transparency and collaboration are to the success of cyber security operations, saying, “There is a need for greater collaboration in security operations; that’s why CyberProof developed its own, SaaS-based, co-sourced service delivery platform. We believe in the significance of having complete transparency of SOC activities – and real-time collaboration with a range of experts – using ChatOps functionality. CyberProof’s clients leverage this single pane of glass to collaborate with our analysts as well as the client’s analysts. The platform also enables security teams to orchestrate their disparate security tools, decrease alert fatigue (by reducing false positives), and enrich alerts during the investigation by using our virtual analyst SeeMo.”
Adopting an Agile, Risk-Based Approach to Use Cases
Jaimon talked about how organizations can’t detect threats that they don’t really understand. What’s required is a top-down approach – looking at the risk, then determining the most significant threats and building responses around that. “Organizations frequently don’t have a clear view of what their coverage is, and even if they do, there are constant changes to the cyber security landscape – new vulnerabilities and threat actors coming in daily,” he said, continuing, “You need an agile process to keep up with changing attacker techniques and to be aligned with industry frameworks, to have more accurate benchmarking. Reaching this point requires having a mature process, skilled resources, and the right technologies in place – but you want to do all of this without relinquishing control to a third party.”
Jaimon then explained how CyberProof leverages its unique Use Case Factory (UCF) – an agile detection & response framework. “It’s a unique model designed to handle the ongoing evolution of threat conditions – and it helps reduce the organization’s cyber risk on an ongoing basis. As part of our UCF process, first we conduct scenario workshops – to help you understand the cyber threats faced by an organization and figure out which events need to be prioritized and detected. We employ threat intelligence capabilities, as well, to help build a strategy for defining threat detection rules.
“From here we determine the logic – the response procedures that need to be defined, the containment that is planned, and the KPIs and dashboards that will be used to provide more visibility. We determine the rules and playbooks, as well as the integrations that will do all the automations for proactive containment. And we test this before it goes into production and fine-tune it to make sure it’s providing the value we need.”
Measuring Cyber Security through KPIs, not SLAs
Sinu and Jaimon both emphasized the fact that SLAs don’t actually provide that much value to customers when it comes to a SOC service. That’s why CyberProof has focused on building KPIs.
KPIs can provide an effective indication of:
- Improvements in visibility and coverage – Measuring the number of events, alerts, and incidents, and the percent of alerts that result in cyber security incidents.
- Time and efficiency – Understanding how quickly an alert is acknowledged, how quickly it is escalated to the customer – as well as the average time to close the incident, and the average time for Level 1 or Level 2 to escalate it (where necessary).
- Accuracy – Measuring the accuracy of mitigation efforts in response to alerts that come in.
Here is a sample of the key KPIs mentioned in the presentation:
- Mean Time to Acknowledge – Evaluates staffing capacity
- Mean Time to Respond – Shows improved response workflows and priority automations
- False Positive % – Reflects updates and fine-tuning of SIEM/EDR detection rules
- Average Time to Close Incident – How long it takes from the time an incident comes in until it is closed
- Average Time for Level 1 to Escalate an Incident to Level 2 and Average Time for Level 2 to Respond to Escalation from Level 1 – Indicates improved response workflows and automations
KPIs can measure your organization’s visibility and coverage across the estate – evaluating your time, efficiency, and accuracy in cyber security operations.
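To make the KPIs above concrete, here is an added example (not CyberProof’s code or platform) that computes each of them from a constructed set of alert records. The field names, the assumption that false positives are the alerts that do not become incidents, and the choice to measure Mean Time to Respond from alert creation to the first response to the customer are my own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional
ts = datetime.fromisoformat  # short alias for building the sample timestamps

@dataclass
class Alert:
    alert_id: str
    created: datetime
    acknowledged: datetime            # L1 analyst picks the alert up
    responded: datetime               # first response / escalation to the customer
    closed: datetime
    true_positive: bool               # False = false positive, no incident raised
    escalated_to_l2: Optional[datetime] = None
    l2_responded: Optional[datetime] = None

# Constructed sample alerts for one reporting period (not real data).
SAMPLE = [
    Alert("A1", ts("2024-03-01T09:00"), ts("2024-03-01T09:05"), ts("2024-03-01T09:40"),
          ts("2024-03-01T11:00"), True, ts("2024-03-01T09:20"), ts("2024-03-01T09:30")),
    Alert("A2", ts("2024-03-01T10:00"), ts("2024-03-01T10:10"), ts("2024-03-01T10:20"),
          ts("2024-03-01T10:25"), False),
    Alert("A3", ts("2024-03-01T12:00"), ts("2024-03-01T12:03"), ts("2024-03-01T12:50"),
          ts("2024-03-01T14:00"), True, ts("2024-03-01T12:15"), ts("2024-03-01T12:45")),
    Alert("A4", ts("2024-03-01T13:00"), ts("2024-03-01T13:02"), ts("2024-03-01T13:10"),
          ts("2024-03-01T13:15"), False),
]

def minutes(delta: timedelta) -> float:
    return delta.total_seconds() / 60

def avg(values) -> Optional[float]:
    vals = list(values)
    return mean(vals) if vals else None  # None rather than an error when nothing was escalated

def soc_kpis(alerts) -> dict:
    if not alerts:
        raise ValueError("no alerts in the reporting period")
    incidents = [a for a in alerts if a.true_positive]
    escalated = [a for a in alerts if a.escalated_to_l2 and a.l2_responded]
    return {  # durations in minutes, rates in percent of all alerts in the period
        "mtta_min": avg(minutes(a.acknowledged - a.created) for a in alerts),
        "mttr_min": avg(minutes(a.responded - a.created) for a in alerts),
        "false_positive_pct": 100.0 * (len(alerts) - len(incidents)) / len(alerts),
        "alert_to_incident_pct": 100.0 * len(incidents) / len(alerts),
        "avg_time_to_close_min": avg(minutes(a.closed - a.created) for a in incidents),
        "avg_l1_to_l2_escalation_min": avg(minutes(a.escalated_to_l2 - a.acknowledged) for a in escalated),
        "avg_l2_response_min": avg(minutes(a.l2_responded - a.escalated_to_l2) for a in escalated),
    }
```

Run `soc_kpis(SAMPLE)` to get the KPI dictionary for the constructed period; feeding it real SIEM/ticketing exports with the same fields gives the trend lines the presentation recommends tracking.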
Do you have questions about how CyberProof can help you develop a hybrid SOC model? Contact us today!