Gordon Lawson
5 Big Lessons from the Work-from-Home SOC

Accustomed to working in the same room, security teams now must find ways to operate effectively in the new remote reality.

Managing a security operations center (SOC) is hard enough under normal conditions; adjusting operations during the COVID-19 crisis has been particularly difficult for those who run them.

Not too long ago, we moved much of the security team into the same room to overcome the challenges of stovepiped organizational structures. Now we must find ways to operate effectively in the new remote reality. Below are some best practices I've collected over the past week from customers in healthcare, education, finance, and technology who are in the midst of transitioning their SOCs to remote work. In addition to focusing on the health and safety of their team members, some of the best practices I have heard involve redeploying people where they're needed most, continuously upgrading skills, and fostering a security-supportive culture.

1. Adopt a Supply Chain Model for the SOC
Supply chains move materials from source to production to sale, a process that occurs with remarkable efficiency in companies like Walmart and Ford. Behind the movement of materials is an advanced system of data communications spanning multiple organizations that are commonly located all over the world. By nature, supply chains could never have had the type of centralized operation we created by moving security into the SOC.

The many companies that make up a supply chain need to optimize processes and integrate systems at levels security teams have never attempted. When you distribute your security team down to the individual level, you impose exactly the limitations of space and time that supply chain processes were created to overcome. One CISO suggested that SOC leaders look at process-flow optimization as applied to incident detection and response, with a specific focus on critical information delivery (inputs and outputs) across systems and teams, service-level agreement definitions, decision-making processes, and data quality. Make sure you apply quality goals to analyst-level output on incident investigation and response, especially for more junior members of the team.

2. Keep Open a Virtual Communication Channel, 24/7
A major benefit of moving security team members into the SOC in the first place was to support open and informal communication. Now that teams have gone remote, those communication lines can break down. One SOC manager at a large manufacturer keeps a video chat call open around the clock, with at least one team manager monitoring the session at all times. Analysts check in and out throughout the day, reporting on what they are working on and sharing screens. When an incident arises that needs immediate attention, the manager in charge quickly sends text or Slack messages to the required people, who jump on the call to address the problem as a virtual "tiger team."

3. Cross-Train Staff to Account for Changes in Focus
One best practice at top companies has been cross-training IT and security teams so they are ready to jump in and help at any stage of an attack. Cross-training makes even more sense when your company moves to a remote model. The corporate network is suddenly not the safe haven it was, with hundreds, even thousands, of laptops and edge devices now operating outside it. Endpoint monitoring becomes critical, and endpoint security teams can quickly become overwhelmed.

One client we spoke with was planning to train up network security pros, who now have less to do, on endpoint security in order to have more effective eyes on glass watching for endpoint attacks as they unfold. One of the most common training themes I have heard involved training more people to understand and administer VPN systems, so that more administrators know how to configure multilayer IP address protection and ensure proper encryption.

4. Do Everything Possible to Maintain Your Security Culture
Security leaders spend a lot of time creating a collaborative and successful culture across teams. The advice from an experienced CISO with stints at multiple top financial institutions is, "Don't do anything to screw up that security culture you worked so hard to create. Also, as an extension of that culture, protect your top talent at all costs." Now is not the time to make any significant organizational shifts, he said. Instead, focus on building stronger leaders within the existing organization.

Keep lines of communication as open as possible. If a junior analyst was comfortable asking questions of a seasoned veteran who sat nearby, find a way to keep that line open. Multiple customers reported freezing all organizational changes and instructing team leads to check in weekly with each team member through one-on-one calls. Another company holds weekend online "hackathons" to keep team members' social bonds as strong as possible.

5. Increase the Quality of Your Cybersecurity Team Output
As teams work from home, distractions, the loss of camaraderie, and the end of easy information sharing can hurt the quality of the services the security team provides. Take this opportunity to raise the quality of each member's work through training. Online training programs for cybersecurity professionals are easily accessible and of high quality.

One customer I spoke with is focusing training on junior analysts. The concern is that the less experienced members of the team are more likely to make errors when they cannot easily have their work checked by others in the SOC. The customer is also concerned that other team members may not trust these analysts' decision-making and output, and wants to upgrade their skills and share the improvements (in the form of micro-certification achievements) across the team to maintain trust. Examples of training for these analysts include basic malware analysis, use of regular expressions, and understanding SUID executables.


Gordon Lawson is president at RangeForce, a SaaS-based cybersecurity simulation and skills analysis platform that helps enterprises qualify their new-hires, train up devops, IT, and security staff, and run cybersiege simulations to evaluate team skills. Lawson has nearly two ... View Full Bio
