If managing a security operations center (SOC) under normal conditions isn't hard enough, adjusting operations during the COVID-19 crisis has been particularly hard on those who run information security operations centers.
Not too long ago, we moved much of the security team into the same room to overcome the challenges of stovepiped organizational structures. Now we must find ways to operate effectively in the new remote reality. Below are some best practices I've collected over the past week from customers in the midst of transitioning their SOCs to work remotely in healthcare, education, finance, and technology. In addition to focusing on the health and safety of their team members, some of the best practices I have heard involve re-deploying people where they're needed most, continuously upgrading skills, and fostering a security-supportive culture.
1. Adopt a Supply Chain Model for the SOC
Supply chains move materials from source to production to sale, a process that occurs with amazing efficiency in companies like Walmart and Ford. Behind the movement of materials is an advanced system of data communications across multiple organizations that are commonly located all over the world. By nature, supply chains could never have the type of centralized operation we have created in moving security into the SOC.
Multiple companies that are part of a supply chain need to optimize processes and integrate systems at levels never dreamed of by security teams. When you distribute your security team at the individual level you impose the limitations of space and time that supply chain processes were created to overcome. One CISO suggested that SOC leaders should look at process flow optimization as applied to incident detection and response, with a specific focus on critical information delivery (inputs and outputs) across systems and teams, service-level agreement definitions, decision-making processes, and data quality. Make sure you apply quality goals to analyst level output on incident investigation and response, especially for more junior members of the team.
2. Keep Open a Virtual Communication Channel, 24/7
A major benefit of moving security team members into the SOC in the first place was to support open and informal communications. Now that teams have gone remote, those communication lines can break down. One SOC manager from a large manufacturer keeps open a video chat call round the clock, with at least one team manager monitoring the session at all times. Analysts check in and out throughout the day, reporting on what they are working on, share screens, and when an incident arises that needs immediate attention, the manager in charge quickly sends text/Slack messages to required people, who jump on to address the problem in a virtual "tiger team."
3. Cross-Train Staff to Account for Changes in Focus
One best practice at top companies has involved cross-training IT and security teams to be ready to jump in and help at any stage of an attack. Cross-training makes additional sense when your company moves to a remote model. The corporate network is suddenly not the safe haven it was, with hundreds, even thousands, of laptops and edge computers. Endpoint monitoring becomes critical because endpoint security teams can become quickly overwhelmed.
One client we spoke with was planning to train up network security pros — who now have less to do — on endpoint security in order to have more effective eyes on glass, watching for endpoint attacks to unfold. One of the most common training themes I have heard involved training more people to understand and administer VPN systems to ensure that more administrators understand how to configure multilayer IP addresses protection and ensure proper encryption.
4. Do Everything Possible to Maintain Your Security Culture
Security leaders spend a lot of time creating a collaborative and successful culture across teams. The advice from an experienced CISO with stints at multiple top financial institutions is, "Don't do anything to screw up that security culture you worked so hard to create. Also, as an extension of that culture, protect your top talent at all costs." Now is not that time to make any significant organizational shifts, he said. Instead, focus on building stronger leaders within the existing organization.
Keep lines of communication as open as possible. If a junior analyst was comfortable asking questions to a seasoned veteran that sat nearby, find a way to keep that line open. Multiple customers reported freezing all organizational changes and instructing team leads to check in weekly with each team member through one-on-one calls. Another company holds weekend online "hackathons" to keep team member social bonds as strong as possible.
5. Increase the Quality of Your Cybersecurity Team Output
As teams work from home, distractions and the loss of camaraderie and easy sharing of information can hurt the quality of the services provided by the security team. Take this opportunity to increase the quality of each member's work through training. Online training programs for cybersecurity professionals are easily accessed and of high quality.
One customer I spoke with is focusing training on junior analysts. The concern is that the less experienced members of the team are more likely to make errors without an easy ability to have their work checked by others in the SOC. They're also concerned that other team members may not trust their decision-making and outputs, and want to upgrade the skills of these workers and share their improvements (in the form of micro-certification achievements) across the team to maintain trust. Examples of training for these analysts include basic malware analysis, use of regular expressions, and learning SUID executables.
- COVID-19 Drives Rush to Remote Work. Is Your Security Team Ready?
- Securing Your Remote Workforce: A Coronavirus Guide for Businesses
- A Hacker's Perspective on Securing VPNs As You Go Remote
- How Company Cultures Dictated Work-from-Home Readiness
A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19.