Running a more efficient IT security operations center: How to keep tasks on target

As businesses grow, it's wise to reevaluate how a business runs its internal security operations center, according to a new report from an industry group.


IT security is one of the most important tasks a business deals with on a daily basis, and as a business grows, it's critical to reevaluate how a company's security operations center (SOC) is performing. That means looking at whether the SOC is properly staffed, whether it should be run in-house or outsourced, and evaluating if more security automation should be brought in.
It also means looking at something as seemingly small as whether SOC team members are seated near enough to one another (in a post-pandemic setting) so they work together efficiently to protect a company.
These are some of the trends and recommendations being made by the Cyber Resilience Think Tank, an independent group of industry security leaders, in a new nine-page report, "Transforming the SOC: Building Tomorrow's Security Operations, Today."
Published by email and via the data security vendor Mimecast, the report lays out strategies and questions that should be asked as organizations of any size work to create or update their SOC procedures and protections.


For any business, an SOC is a team of IT security analysts and experts who are tasked 24/7 with monitoring, evaluating, and defending a company's security posture, and with managing the attack vectors that cybercriminals are targeting. The SOC team works together with other security staff members who handle the everyday responsibilities of protecting a company's IT systems, data, and employees from direct attacks.
Every organization is different and has different SOC needs, the report concludes, which means that businesses have to regularly look inward and evaluate how their SOCs are protecting their organizations from top to bottom.
When it comes to staffing, SOCs are likely to be running right at the edge of having enough personnel with the security qualifications needed to do their jobs well, the report states. Across the business world, shortages of skilled IT staff are widespread, and the shortage is even more acute when it comes to IT security personnel.

One answer, according to the report, is to take the opportunity to further train and promote existing staff members by providing additional education to give them the skills that are needed by an organization.
"The primary driver for us are skills," said CR Think Tank member Claus Tepper, the head of cybersecurity operations for Absa Group, an African-based financial services provider. "And I think South Africa is, as everywhere else, fundamentally challenged to getting the right people on board."
To help his company find the skills it needed within the employees they already had, Absa Group began an internal academy to develop and further train staff members to fill the IT security gaps that existed.
As businesses grow, it's also wise to evaluate whether an existing in-house SOC might be better suited to being outsourced for operational efficiencies, the report states. That won't always be the case, of course, and will depend on each company's needs and situations, but taking the time to do a periodic evaluation is smart and can help ensure that the proper structure of an SOC is in place.
Decisions on whether an SOC should remain in-house or be outsourced are based on many factors, including business needs, the selection of a third-party SOC service provider, the company's IT security needs and more, according to the report.

When outsourcing is done successfully in a true cybersecurity partnership, an external SOC team can be an important partner for a company's overall SOC strategy and operations, the report concludes. One risk, however, is that miscommunication or trust issues can develop that are harmful to the business if the outsourced team is not housed in the same offices with other IT workers.


Another trend highlighted in the report is how increased automation can make SOC workers and teams even more effective by broadening the tools and strategies they can use to better protect a company's IT assets. When automation is built in ahead of time, before work tasks get heavier and more complex, it can be even more valuable.
"Software developers build based on APIs, and then build UI on top of APIs, which is worthy of exploration in SecOps teams," said Shawn Valle, the chief information security officer for CR Think Tank and vulnerability risk management vendor Rapid7. "That strategy of building automation from the beginning, we believe, makes analysts stronger and better versus using fewer people."
At the same time, companies shouldn't just automate and leave out the human touch, said Sam Curry, the chief security officer at Cybereason.

"Automation itself is a form of vulnerability," Curry said. "You have to check your blind spot at pseudo-random intervals to see who's hiding there because the machine will become predictable and therefore exploitable. So, the mission is not to automate for the sake of it, but to make the humans more effective, improving the value of their output without weakening the whole."
Also worth evaluating regularly in a company's SOC are the minute details, such as whether SOC analysts are literally sitting near enough to each other to promote the greatest operational efficiency in the department, the report said.

Where SOC team members are located in an office can make a big difference, the report adds, such as situating tech and security teams next to each other to foster creativity, agility and better communication. In another example, locating the SOC teams next to a product team can promote new efficiencies and create new ideas for tool building and more.
And don't forget remote workers, who also need good and frequent communications with internal teams to be sure they are all on track with team priorities and objectives.
When it comes to regularly examining SOC departments and operations, the time spent is worth the effort because of the large security benefits an SOC delivers.
"Data is the lifeblood of the SOC," said Michael Madon, the senior vice president and general manager of security awareness and threat intelligence products at Mimecast. "These preventive systems are key data sources for the SOC to meet their success metrics, drive detections and context for integrations, and enable faster threat blocking."


By Todd R. Weiss
