Dark Reading is part of the Informa Tech Division of Informa PLC


Operations

4/28/2020
04:00 PM
Gordon Lawson
Commentary
5 Big Lessons from the Work-from-Home SOC

Accustomed to working in the same room, security teams now must find ways to operate effectively in the new remote reality.

Managing a security operations center (SOC) is hard enough under normal conditions; adjusting operations during the COVID-19 crisis has been particularly hard on the people who run them.

Not too long ago, we moved much of the security team into the same room to overcome the problems of stovepiped organizational structures. Now we must find ways to operate effectively in the new remote reality. Below are some best practices I've collected over the past week from customers in healthcare, education, finance, and technology who are in the midst of transitioning their SOCs to remote work. Beyond the health and safety of their team members, the best practices I have heard involve redeploying people where they are needed most, continuously upgrading skills, and fostering a security-supportive culture.

1. Adopt a Supply Chain Model for the SOC
Supply chains move materials from source to production to sale, a process that companies like Walmart and Ford run with remarkable efficiency. Behind the movement of materials is an advanced system of data communications across multiple organizations, commonly located all over the world. By nature, supply chains could never rely on the type of centralized operation we created when we moved security into the SOC.

The many companies that make up a supply chain optimize processes and integrate systems at levels security teams have rarely attempted. When you distribute your security team down to the individual level, you take on exactly the limitations of space and time that supply chain processes were created to overcome. One CISO suggested that SOC leaders look at process flow optimization as applied to incident detection and response, with a specific focus on critical information delivery (inputs and outputs) across systems and teams, service-level agreement definitions, decision-making processes, and data quality. Make sure you apply quality goals to analyst-level output on incident investigation and response, especially for the more junior members of the team.

2. Keep Open a Virtual Communication Channel, 24/7
A major benefit of moving security team members into the SOC in the first place was to support open and informal communication. Now that teams have gone remote, those lines of communication can break down. One SOC manager at a large manufacturer keeps a video chat session open around the clock, with at least one team manager monitoring it at all times. Analysts check in and out throughout the day, reporting on what they are working on and sharing screens. When an incident arises that needs immediate attention, the manager in charge quickly sends text or Slack messages to the required people, who jump on the call to address the problem as a virtual "tiger team."

3. Cross-Train Staff to Account for Changes in Focus
One best practice at top companies has been to cross-train IT and security teams so they are ready to jump in and help at any stage of an attack. Cross-training makes additional sense when your company moves to a remote model. The corporate network is suddenly not the safe haven it was, with hundreds, even thousands, of laptops and edge devices now connecting from outside it. Endpoint monitoring becomes critical, and the endpoint security team can quickly be overwhelmed.

One client we spoke with was planning to train up network security pros (who now have less to do) on endpoint security, in order to have more effective eyes on glass watching for endpoint attacks as they unfold. One of the most common training themes I have heard involves teaching more people to understand and administer VPN systems, so that more administrators know how to configure IP address protections at multiple layers and ensure proper encryption.

4. Do Everything Possible to Maintain Your Security Culture
Security leaders spend a lot of time creating a collaborative and successful culture across teams. The advice from an experienced CISO with stints at multiple top financial institutions is, "Don't do anything to screw up that security culture you worked so hard to create. Also, as an extension of that culture, protect your top talent at all costs." Now is not the time to make any significant organizational shifts, he said. Instead, focus on building stronger leaders within the existing organization.

Keep lines of communication as open as possible. If a junior analyst was comfortable asking questions of a seasoned veteran who sat nearby, find a way to keep that line open. Multiple customers reported freezing all organizational changes and instructing team leads to check in weekly with each team member through one-on-one calls. Another company holds weekend online "hackathons" to keep the team's social bonds as strong as possible.

5. Increase the Quality of Your Cybersecurity Team Output
As teams work from home, distractions and the loss of camaraderie and easy information sharing can hurt the quality of the services the security team provides. Take this opportunity to raise the quality of each member's work through training. Online training programs for cybersecurity professionals are easy to access and of high quality.

One customer I spoke with is focusing training on junior analysts. The concern is that the less experienced members of the team are more likely to make errors now that they cannot easily have their work checked by others in the SOC. The customer is also concerned that other team members may not trust those analysts' decisions and outputs, and wants to upgrade their skills and share the improvements (in the form of micro-certification achievements) across the team to maintain trust. Examples of training for these analysts include basic malware analysis, use of regular expressions, and understanding SUID executables.
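A check of the kind a junior analyst would be trained to run against the SUID topic above, as an added example that is not part of the article or of any customer's curriculum: it lists setuid and setgid executables under a directory and reports any that are not in a previously recorded baseline. The directory, the baseline file path, and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the article): baseline audit of setuid/setgid
# executables. A new SUID binary appearing on a host is a classic sign of
# a persistence or privilege-escalation attempt, so the analyst records a
# known-good list and reports anything that shows up later.

# List setuid (4000) and setgid (2000) regular files under the given
# directory, one absolute path per line, sorted so comm(1) can diff them.
# -xdev keeps the scan on one filesystem; permission errors are discarded.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Record the current listing as the baseline.
# Usage: suid_baseline <baseline_file> <dir>
suid_baseline() {
    list_suid "$2" > "$1"
}

# Print SUID/SGID files present now but absent from the baseline.
# comm -13 suppresses lines unique to the baseline (1) and common lines (3),
# leaving only lines unique to the fresh listing read from stdin.
# Usage: suid_new <baseline_file> <dir>
suid_new() {
    list_suid "$2" | comm -13 "$1" -
}

# Example invocation (paths are assumptions): record once, then re-check.
#   suid_baseline /var/lib/soc/suid.baseline /
#   suid_new      /var/lib/soc/suid.baseline /
```

The baseline must be regenerated after legitimate package updates, otherwise every patched setuid binary that moved path shows up as "new"; an analyst reviewing the diff should confirm each entry against the package manager before escalating.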

Gordon Lawson is president at RangeForce, a SaaS-based cybersecurity simulation and skills analysis platform that helps enterprises qualify their new hires, train up DevOps, IT, and security staff, and run cyber-siege simulations to evaluate team skills. Lawson has nearly two ...
 
