

04:00 PM
Gordon Lawson

5 Big Lessons from the Work-from-Home SOC

Accustomed to working in the same room, security teams now must find ways to operate effectively in the new remote reality.

As if managing a security operations center (SOC) under normal conditions weren't hard enough, adjusting operations during the COVID-19 crisis has been particularly hard on the people who run them.

Not too long ago, we moved much of the security team into the same room to overcome the challenges of stovepiped organizational structures. Now we must find ways to operate effectively in the new remote reality. Below are some best practices I've collected over the past week from customers in healthcare, education, finance, and technology who are in the midst of transitioning their SOCs to remote work. In addition to focusing on the health and safety of their team members, some of the best practices I have heard involve redeploying people where they're needed most, continuously upgrading skills, and fostering a security-supportive culture.

1. Adopt a Supply Chain Model for the SOC
Supply chains move materials from source to production to sale, a process that occurs with amazing efficiency in companies like Walmart and Ford. Behind the movement of materials is an advanced system of data communications across multiple organizations that are commonly located all over the world. By their nature, supply chains could never rely on the kind of centralized operation we created by moving security into the SOC.

Multiple companies that are part of a supply chain need to optimize processes and integrate systems at levels never dreamed of by security teams. When you distribute your security team at the individual level, you impose the very limitations of space and time that supply chain processes were created to overcome. One CISO suggested that SOC leaders look at process-flow optimization as applied to incident detection and response, with a specific focus on critical information delivery (inputs and outputs) across systems and teams, service-level agreement definitions, decision-making processes, and data quality. Make sure you apply quality goals to analyst-level output on incident investigation and response, especially for more junior members of the team.

2. Keep Open a Virtual Communication Channel, 24/7
A major benefit of moving security team members into the SOC in the first place was to support open and informal communication. Now that teams have gone remote, those communication lines can break down. One SOC manager from a large manufacturer keeps a video chat call open round the clock, with at least one team manager monitoring the session at all times. Analysts check in and out throughout the day, reporting on what they are working on and sharing screens; when an incident arises that needs immediate attention, the manager in charge quickly sends text or Slack messages to the required people, who jump on the call to address the problem as a virtual "tiger team."

3. Cross-Train Staff to Account for Changes in Focus
One best practice at top companies has been cross-training IT and security teams so they are ready to jump in and help at any stage of an attack. Cross-training makes additional sense when your company moves to a remote model. The corporate network is suddenly not the safe haven it was, with hundreds, even thousands, of laptops and edge devices now operating outside it. Endpoint monitoring becomes critical, and endpoint security teams can quickly become overwhelmed.

One client we spoke with was planning to train up network security pros — who now have less to do — on endpoint security in order to have more effective eyes on glass, watching for endpoint attacks as they unfold. One of the most common training themes I have heard involves training more people to understand and administer VPN systems, so that more administrators know how to configure multilayer IP address protection and ensure proper encryption.

4. Do Everything Possible to Maintain Your Security Culture
Security leaders spend a lot of time creating a collaborative and successful culture across teams. The advice from an experienced CISO with stints at multiple top financial institutions is, "Don't do anything to screw up that security culture you worked so hard to create. Also, as an extension of that culture, protect your top talent at all costs." Now is not the time to make any significant organizational shifts, he said. Instead, focus on building stronger leaders within the existing organization.

Keep lines of communication as open as possible. If a junior analyst was comfortable asking questions of a seasoned veteran who sat nearby, find a way to keep that line open. Multiple customers reported freezing all organizational changes and instructing team leads to check in weekly with each team member through one-on-one calls. Another company holds weekend online "hackathons" to keep team members' social bonds as strong as possible.

5. Increase the Quality of Your Cybersecurity Team Output
As teams work from home, distractions and the loss of camaraderie and easy information sharing can hurt the quality of the services the security team provides. Take this opportunity to raise the quality of each member's work through training. Online training programs for cybersecurity professionals are easily accessed and of high quality.

One customer I spoke with is focusing training on junior analysts. The concern is that the less experienced members of the team are more likely to make errors without an easy way to have their work checked by others in the SOC. They're also concerned that other team members may not trust their decision-making and outputs, and want to upgrade the skills of these workers and share their improvements (in the form of micro-certification achievements) across the team to maintain trust. Examples of training for these analysts include basic malware analysis, use of regular expressions, and understanding SUID executables.
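Two of the training topics named above, regular expressions and SUID executables, fit naturally in one small exercise. The Python below is an added example, not code from the article, from RangeForce, or from the customer described; it parses constructed `ls -l` output with a regular expression to pick out binaries with the SUID bit set, performs the same check directly against the filesystem with `stat`, and flags anything not in a constructed baseline. A SUID executable runs with the privileges of its owner rather than of the user who launched it, so an unexpected one owned by root is a privilege-escalation path worth an analyst's attention. The sample lines, paths and baseline are invented for illustration.

```python
"""Spot SUID executables two ways: from ls -l text (regex) and from stat().

Added example. SAMPLE_LS and BASELINE are constructed for illustration and do
not describe any real system.
"""
import os
import re
import stat
import tempfile

# Constructed `ls -l` output. The third line is the kind of entry an analyst
# should notice: a SUID root binary hidden in a temp directory.
SAMPLE_LS = [
    "-rwsr-xr-x 1 root root 55528 May 30  2023 /usr/bin/passwd",
    "-rwxr-xr-x 1 root root 35040 Feb  7  2022 /usr/bin/ls",
    "-rwsr-xr-x 1 root root 12345 Jan  1 12:00 /tmp/.cache/backdoor",
    "drwxr-xr-x 2 root root  4096 Jan  1 12:00 /tmp/.cache",
]

# Constructed baseline of SUID binaries expected on this host.
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}

# One `ls -l` line: type+perms, link count, owner, group, size, three date
# tokens (e.g. "May 30  2023" or "Jan  1 12:00"), then the path.
LS_LINE = re.compile(
    r"^(?P<perms>[-bcdlps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+\S+\s+\d+\s+"
    r"\S+\s+\d+\s+\S+\s+(?P<path>\S+)$"
)


def is_suid_perm_string(perms: str) -> bool:
    """True if the owner-execute slot shows the SUID bit.

    's' means SUID plus owner execute; 'S' means SUID set but no owner
    execute, which is unusual and still worth flagging.
    """
    return perms[3] in "sS"


def suid_from_ls(lines):
    """Return (path, owner) for every regular file in `lines` with SUID set."""
    hits = []
    for line in lines:
        m = LS_LINE.match(line.strip())
        if not m:
            continue  # not an ls -l entry (header, total line, garbage)
        perms = m.group("perms")
        if perms[0] == "-" and is_suid_perm_string(perms):
            hits.append((m.group("path"), m.group("owner")))
    return hits


def suid_from_filesystem(root):
    """Walk `root` and return (path, uid) for regular files with SUID set.

    lstat() is used so a symlink pointing at a SUID binary is not itself
    reported; find(1) with -perm -4000 behaves the same way.
    """
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid))
    return sorted(hits)


def unexpected(hits, baseline):
    """Paths from `hits` that are not in the approved baseline."""
    return sorted(path for path, _ in hits if path not in baseline)


def demo_filesystem():
    """Create one SUID and one plain script in a temp dir; return SUID names."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("setuid-helper", 0o4755), ("plain-tool", 0o755)):
            path = os.path.join(root, name)
            with open(path, "w") as f:
                f.write("#!/bin/sh\nexit 0\n")
            os.chmod(path, mode)  # set the bit after the file is closed
        return [os.path.basename(p) for p, _ in suid_from_filesystem(root)]


if __name__ == "__main__":
    found = suid_from_ls(SAMPLE_LS)
    print("SUID entries in sample:", found)
    print("Not in baseline:", unexpected(found, BASELINE))
    print("SUID files in temp dir:", demo_filesystem())
```

Running the script on real output is a matter of piping `ls -l` or `find / -xdev -perm -4000 -exec ls -l {} +` into `suid_from_ls`; the filesystem walk is the more reliable of the two because it does not depend on `ls` formatting, and a baseline diff like `unexpected` is what turns a long list into an actionable finding.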

Gordon Lawson is president at RangeForce, a SaaS-based cybersecurity simulation and skills analysis platform that helps enterprises qualify their new hires, train up DevOps, IT, and security staff, and run cybersiege simulations to evaluate team skills. Lawson has nearly two ...
