Ensuring access to a reliable feed of threat intelligence through a security operations center (SOC) is an essential element of many organizations' security strategies today. However, establishing a SOC is a complicated endeavour, particularly when it comes to balancing budget and resource limitations against an increasingly complex threat landscape. Even businesses that have already set up a SOC can find it challenging to know how best to prioritise the investments that will mature the SOC and take it to the next level.
A common issue is too much focus on investing in technology to solve the problem while not accounting for the cost of people and process. Technology has traditionally been far easier to quantify than elements like personnel, which makes it easier to request funding for from the board. However, spending the entire security budget on the Ferrari of tools will do little to combat threats if the people and processes needed to operate it are not funded as well.
Instead, organizations should start with the following five key considerations if they are to get the most out of their SOC.
1. Understanding intelligence inside-out
A SOC is only as good as the fidelity and trustworthiness of the data that feeds its tooling and operation. Whether maturing an existing SOC or designing a new one, it is critical to define the availability and trust level of the intelligence that will be used, whether it originates inside or outside the organization.
Intelligence data ranges from the output of traditional security tools, such as perimeter firewalls, to more contextually elaborate sources, including user and entity behaviour characteristics. Importantly, threat intelligence also falls into tactical, operational and strategic categories, because different audiences inside the organization have different priorities for the intelligence they need in their roles.
Each source of data has strengths and weaknesses, whether blind spots or biases. Breadcrumbs of intelligence mean little without sufficient context to allow an individual to take the appropriate action. The technical clues of an attack paint a picture, but it is understanding the human behaviour of the attacker(s), for example, that helps tie the clues together and inform a suitable response.
Tactical data, such as a raw indicator like a suspicious IP address, becomes meaningful when applied to the strategic knowledge the team gathers about the tools and tactics attackers use. Operational intelligence combines that context with tactical intelligence to put a solution in place that helps the organization prevent, detect and respond more effectively.
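The point that a SOC's output depends on the trust and freshness of the intelligence feeding it can be made concrete in tooling. The following is an added example (not code from the original article or any product it describes) that weights indicators by the reliability of their source, expires stale ones, and only then matches them against firewall logs, attaching the tactical context an analyst needs to act. The reliability values, the linear freshness decay, the key=value log format and all indicators and log lines are assumptions constructed for the example; the IP addresses are documentation ranges.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Reliability assigned to each feed. Hypothetical values: in practice these are
# derived from the measured false-positive rate of each source over time.
SOURCE_RELIABILITY = {
    "internal-ir": 0.95,  # indicators extracted from the organization's own incidents
    "vendor-feed": 0.70,  # commercial feed
    "open-list": 0.40,    # community blocklist, known to be noisy
}

MAX_AGE = timedelta(days=30)                      # indicators older than this are expired
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock so the example is reproducible


@dataclass(frozen=True)
class Indicator:
    value: str          # IPv4 address
    source: str         # feed name, keyed into SOURCE_RELIABILITY
    confidence: float   # the feed's own confidence in the indicator, 0..1
    last_seen: datetime
    context: str        # what the indicator was observed doing


def score(ind: Indicator, now: datetime = NOW) -> float:
    """Combine source reliability, feed confidence and freshness into a 0..1 score.

    Expired indicators (older than MAX_AGE) and indicators whose last_seen lies in
    the future (bad data) score 0.0 and never produce an alert.
    """
    age = now - ind.last_seen
    if age < timedelta(0) or age > MAX_AGE:
        return 0.0
    freshness = 1.0 - age / MAX_AGE   # linear decay: 1.0 when seen today, 0.0 at MAX_AGE
    return round(SOURCE_RELIABILITY.get(ind.source, 0.0) * ind.confidence * freshness, 3)


def parse_fw_line(line: str) -> dict:
    """Parse one constructed 'timestamp key=value ...' firewall log line."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def match(lines, indicators, threshold: float = 0.3) -> list:
    """Return prioritised hits for outbound connections to indicator IPs.

    Where several feeds list the same IP, the highest-scoring entry wins. Hits
    below the threshold are dropped, so a noisy feed cannot page an analyst on
    its own, and each hit carries the context the analyst needs to act.
    """
    best = {}
    for ind in indicators:
        s = score(ind)
        if s > best.get(ind.value, (0.0, None))[0]:
            best[ind.value] = (s, ind)
    hits = []
    for line in lines:
        f = parse_fw_line(line)
        s, ind = best.get(f["dst"], (0.0, None))
        if ind is not None and s >= threshold:
            hits.append({"score": s, "ts": f["ts"], "src": f["src"], "dst": f["dst"],
                         "feed": ind.source, "context": ind.context})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


# Constructed sample data (not real indicators; all addresses are documentation ranges).
INDICATORS = [
    Indicator("203.0.113.7", "internal-ir", 0.9, NOW - timedelta(days=2),
              "C2 callback observed during a prior internal incident"),
    Indicator("198.51.100.23", "open-list", 1.0, NOW - timedelta(days=10),
              "listed as an SSH scanner"),
    Indicator("192.0.2.44", "vendor-feed", 0.8, NOW - timedelta(days=45),
              "phishing landing page (stale)"),
    Indicator("203.0.113.7", "open-list", 0.5, NOW - timedelta(days=1),
              "generic blocklist entry"),
]

FW_LOGS = [
    "2024-05-31T10:00:00Z action=allow src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2024-05-31T10:01:00Z action=allow src=10.0.0.9 dst=198.51.100.23 dport=22",
    "2024-05-31T10:02:00Z action=allow src=10.0.0.5 dst=192.0.2.44 dport=80",
    "2024-05-31T10:03:00Z action=allow src=10.0.0.7 dst=198.51.100.1 dport=443",
]

if __name__ == "__main__":
    for hit in match(FW_LOGS, INDICATORS):
        print(hit)
```

Run against the constructed data, only the connection to 203.0.113.7 is raised: the internal incident-response entry outscores the blocklist entry for the same address, the open-list scanner hit falls below the threshold despite the feed's own confidence of 1.0, and the stale vendor indicator is expired before it can match. The design choice is that trust in a source is applied once, at ingestion, rather than left for each analyst to re-evaluate per alert.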
Understanding the value of, and gaps in, an organization's threat intelligence benefits greatly from reviewing the actions analysts recorded throughout an investigation. A post-mortem following a security incident is likewise a rich source of intelligence to drive improvements to technologies and processes.