
RSA Looks at How to Ruin Your SOC in 5 Easy Steps

Your people are key to your success

The RSA Conference 2021 Virtual Experience is happening May 17-20 and Symantec, as a division of Broadcom, will be providing a summary of some of the leading stories from the conference to help you stay informed.

The word “expensive” is never too far away when it comes to the subject of an organization’s security operations center (SOC). Between the technology involved, and the people who are there to oversee that everything works as it should, the price of maintaining a SOC can be a budget breaker. And when it comes to meeting and preventing intrusions by adversaries, organizations too often find themselves in a struggle to build and maintain basic threat detection and response functions. Why does this happen?

Speaking at the RSA Conference 2021 on Monday, Ben Smith, Field CTO with RSA, addressed those topics in a session titled “How to Ruin Your SOC in 5 Easy Steps.” The purpose of Smith’s presentation was to give SOC managers and operators some expertise and advice on how to make sure their SOCs operate to the best of their capabilities, and that the people working in SOC environments understand how they are critical to a SOC’s mission.

Smith said SOC managers need to put their attention and resources in the following areas:

  • Visibility. Smith said that visibility is all about how you see your logs, network, and endpoint data. Bringing all this information into a holistic view, or what’s known as the XDR space, is where an organization needs to be headed. True visibility means being able to see what’s running on each device, what’s going outbound, and what is on the endpoint.
     
  • Orchestration. Smith said to think of a SOC like an orchestra. You can have all the instruments and music you need, but without a conductor to guide the performance something will be missing. An online runbook, with the steps necessary to respond to today’s threat environments, will allow a SOC’s technology to perform as intended, without any missed notes from the players.
     
  • Automation. Too often, teams struggle with too many manual processes, which can leave a SOC team feeling overburdened instead of supported. As good as they may be at their jobs, humans have the tendency to make mistakes. Automation provides speed, reproducibility, and accuracy without the job stresses that can lead to human mistakes. But, even so, a SOC manager should have a clear understanding of how automation may result in changes to an organization’s infrastructure and know the pros and cons of adding automation processes.
     
  • Analytics. You need to review and leverage your data sets and have the right tooling in place. Too many organizations don’t put these puzzle pieces together. Today’s strongest threat solutions use machine learning, and one should look for this to be delivered in a cloud-based SaaS. This will provide tremendous flexibility to add more capabilities when necessary.
     
  • People. The most important ingredients in any SOC continue to be the people. They aren’t widgets, or gears to be stripped. Employ steps like job rotations for key personnel to keep them fresh and interested in the aspects of the SOC. Don’t just talk to them about their career paths; let them shadow a higher-level analyst for a day. Designate those more experienced analysts as mentors to your up-and-comers. And remind employees that they are all members of your security team, and they are all playing a crucial role on the front line of the battle against unwanted threats.

About the Author

Charles Cooper

Editor in Chief, Big Valley Marketing

Charles Cooper has covered technology and business for more than 25 years as a journalist.
