Having worked in many different security environments, I've picked up on more than a few phrases that you hear only in the security operations center (SOC). These catchphrases frequently need translation — especially as CISOs and the entire C-suite look to get more involved with their organizations' security practices.
Below are a few to listen for, along with what they mean for the business.
"That's not the true source."
The true source? When you hear this, someone is likely performing an investigation and has hit a confounding barrier. The translation: "I'm analyzing network traffic whose origin is other than what's listed in the Source IP field." The cause is likely one of these conditions:
If you hear "not the true source" a lot in your SOC, you may have visibility blind spots that are inhibiting the investigative process.
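One concrete form of this blind spot, shown as an added example written for this edit rather than code from the article or from JASK: when requests reach the SOC's sensors through the organization's own proxies, the logged Source IP is the last proxy, and the originating client only survives in a forwarding header. The function below walks that chain backwards past the trusted proxies to find the first hop the organization does not control; the proxy addresses, the X-Forwarded-For convention and the log records are all constructed assumptions.

```python
import ipaddress
from typing import List, Optional

# Constructed: the addresses of the proxies this SOC operates and trusts.
TRUSTED_PROXIES = {
    ipaddress.ip_address("10.0.0.5"),
    ipaddress.ip_address("10.0.0.6"),
}


def true_source(source_ip: str, x_forwarded_for: Optional[str]) -> str:
    """Return the nearest address in the chain that is not one of our proxies.

    The chain is the X-Forwarded-For entries (oldest hop first) followed by the
    immediate peer recorded as Source IP. It is walked right to left so that
    only hops appended by our own proxies are trusted; anything further left
    was supplied by an untrusted party and may be forged, so it is never used.
    """
    chain: List[str] = [source_ip]
    if x_forwarded_for:
        forwarded = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
        chain = forwarded + chain
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return hop  # unparsable hop: surface it unchanged for the analyst
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return source_ip  # every hop was one of our proxies


def resolve_records(records: List[dict]) -> List[str]:
    """Map constructed log records with 'src' and optional 'xff' to true sources."""
    return [true_source(r["src"], r.get("xff")) for r in records]


if __name__ == "__main__":
    # Constructed sample records: a direct connection, a single proxy hop,
    # and a chain where the leftmost entry was supplied by the client itself.
    sample = [
        {"src": "203.0.113.7"},
        {"src": "10.0.0.5", "xff": "203.0.113.7"},
        {"src": "10.0.0.5", "xff": "198.51.100.9, 203.0.113.7, 10.0.0.6"},
    ]
    for rec, src in zip(sample, resolve_records(sample)):
        print(f"logged source {rec['src']:>12}  true source {src}")
```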
"Clear the channel before you start hunting."
OK, full disclosure: This one has been directed at me quite a bit, and I've heard this phrase in every SOC where I've worked. It translates to: "We have more alerts than we know what to do with and not enough analysts to deal with them. Please attend to all the alerts before you explore the data looking for your own outliers."
SOC managers who find they are uttering this phrase often should take a step back and consider:
Your very best analysts want to hunt. If these analysts move on to different opportunities due to job dissatisfaction, you'll be saying this phrase even more.
"Just ask Stu."
Well, replace Stu with the gold-star guy/girl in your organization who has all the answers. Here's the translation: "Our daily activities and processes are so complicated and have evolved so rapidly, there's only one guy who knows how the whole thing works. His name is Stu — go talk to him." Every place where I've worked had a "Stu," and in fact, Stu is the real name of one of them. (He knows who he is — hi, Stu!) If you're a manager and hear this phrase, you must do two things:
If you're a colleague of Stu's, learn everything you can. Shoulder surf him. Steal his bash history. Read the books on his desk while he's not there. Whatever it takes. Study him.
"I've got a bad feeling about this."
Your analysts are developing an intuition! This is great! Translation: "I can't describe it yet, but this (IP address, user-agent string, URI, username, etc.) just looks wrong." When you spend enough time as an analyst slogging through the mundane task of reacting to events that turn into nothingburgers, there will come a time when you see something that makes you sit up in your chair and raises goosebumps on your arm. This is analyst intuition, and it's very hard to codify and train for (although some companies are getting there). Here are the best ways to foster it:
Ask any SOC team, and members are sure to tell you they've heard these phrases at one point or another. The question is, which ones are they using at your organization? By keeping an eye out for these essential phrases and understanding the true meaning behind them, business leaders can overcome the barriers that get between them and their security teams.
Daniel Smallwood is senior security engineer at JASK, the company modernizing security operations with its Autonomous Security Operations Center (ASOC) platform. Prior to JASK, Daniel spent more than 16 years in security and software development for companies including Alert ...