The perspective you get running an incidence response team is very different from the one you get as a Security Operations Center director. I refer to it as a “press box view” of cyber security, based on my experience as former head of the U.S. Army Cyber Command's SOC and, more recently, as a civilian CSO at FireHost.
In these roles, I wasn’t responsible for securing any one infrastructure, but I came to understand how many of us were “playing defense” in security ops. I started keeping a notebook of root causes for the security breaches my team worked. From these root causes, I developed what I believe are the five most common SOC pitfalls.
Pitfall 1: Centralized planning and execution
Too many large multinational organizations try to accomplish both centralized planning and centralized execution. This causes a big data problem that cannot be solved, no matter how much artificial intelligence and computing power you throw at it.
Our approach in the global U.S. Army SOC was centralized planning and decentralized execution. Our global SOC pushed out our defensive countermeasures based on threat research but left it to the regional security operations centers to apply those threat indicators and manage the alerts from their security stacks in their regions. The regional teams also had the flexibility to exceed the security posture of the global posture if the regional situation dictated that approach. The security information and event management (SIEM) data did flow to the global SOC for analysis. However, the regional SOC took the first swing at the SIEM events to filter and tune out false positives.
Pitfall 2: Outsourcing the SOC mission and responsibility
In particular, I’ve witnessed two major trends: Companies outsource to managed security service providers and/or offshore their SOCs to high-value regions. In and of itself, it’s not a problem to outsource a portion of your SOC’s capabilities. However, you should never transfer the responsibility of security operations to a third-party provider. This model does not work. A company can and should outsource the alerting, and in some cases the managing of their security devices, but the SOC responsibility of overseeing the incident management of those alerts should remain in-house. I suspect that’s the inherent goal when companies outsource SOC capabilities, but invariably the in-house expertise that can drive action based on those alerts winds up mistakenly being let go or reassigned as part of a cost savings strategy. I recommend that any security team make a special effort to retain the incident handling function within the organization.
Pitfall 3: A belief that technology alone provides effective security
While picking the right technology is important, trained personnel and the right processes to leverage the technology are equally essential. I have a saying I use with my team: “Tiger Woods could play scratch golf with my golf clubs, but I cannot play scratch golf with his clubs.” The point is, you have to focus on leveraging the security tools and applying a methodical approach to analyzing the results from those tools. If you unpack every major breach from the past couple of years, you’ll see that often the technology detected the indications of compromise, but the right people and processes weren’t in place to address them. Don’t make training and process development the trade off for buying new technology; it’s a losing strategy.
Pitfall 4: Equating incident management and problem management
Many SOCs that I’ve visited both in my military and civilian career have a lot of activity but no real direction or objectives. They have plenty of data analysis and open tickets, but no discussion on how to get ahead of the threat and reduce their attack surface area. Before I transitioned to a security focus in my military career, I spent time in CIO and infrastructure provider roles and became very familiar with the ITILv3 framework used by most IT service providers. I noticed that most security teams can perform basic incident management, but they have a gap in their understanding of problem management.
If you are tracking the right metrics and doing trend analysis, you can see when security controls and strategies aren’t working. Very few security teams have the bandwidth to do this type of analysis, but it is the reason our threat actors continue to have the same success with the same techniques, tactics, and procedures.
Pitfall 5: Protecting everything (which, in most cases, protectings nothing)
Threat actors are only interested in probably two percent of your data and infrastructure, but they use the other 98 percent to get at that two percent. The smarter strategy I have seen from some of the most innovative CISOs is they treat their networks as “contested space” as opposed to a castle with an impenetrable wall around it. These innovators are aggressively segmenting their networks and moving their most valued data, applications, and VIP users to a more hardened, protected infrastructure. In fact, most of our clients are moving their difficult-to-protect and regulated data and applications to hardened cloud providers so there is a focused effort on guarding these critical assets.
Another thing we do within our security operations is to focus our security and vulnerability management efforts on what we determine is “key terrain.” The threat playbook has not changed much in the past 10 years. Generally speaking, threat actors compromise a host, elevate privileges, and then look for opportunities to use the victim’s infrastructure against them. Our approach is to ensure that infrastructure, such as Active Directory, software distribution systems, and other key terrain are hardened and audited regularly for threat activity.
These five pitfalls are not a comprehensive list by any means. But they are where my security team puts investment and focus. Our goal is to protect our critical assets, quickly know when they have been compromised and respond with immediate action to contain and eradicate the threat. If anyone believes they are going to create the perfect secure environment, let me save you some pain in discovery: It does not exist. However, if you can narrow your attack surface area through smart security operations that fully integrate the right people, the right processes, and good technology, then you drive up the skill required by an attacker to the point where most threat actors will give up and go after easier, softer targets.