Rising above the daily firefighting to actually measure the effectiveness of your security operations is easier said than done. This is partly because security analysts have traditionally worked across dozens of products and consoles. The ensuing lack of integration has been a major pain point for SOC teams when it comes to reporting, especially when you receive ad hoc requests for data in a variety of formats.
But today, with the advancement of security orchestration, automation and response (SOAR) technology, analysts can perform the vast majority of their work in one central platform, so the opportunity for measuring your day-to-day operations is unprecedented. You can drill into any SOC parameter gathered across your technology stack: alert types, product categories, analyst groups, threat indicators, time to detect, time to resolve, and so on. Combining this centralization with data visualization gives you virtually limitless flexibility to analyze and report on your security operations from a single location.
But simply counting your alerts and rapidly generating reports doesn’t make you more effective. While gathering, analyzing and reporting on your SOC’s data is simpler than ever, it doesn’t remove the need to establish metrics and KPIs that answer the right questions. Building these measurements alongside the stakeholders in your organization, such as the board of directors, senior executives or business unit leaders, is where the hard work needs to get done up front.
The next challenge is delegating this task to an owner who can serve as the business interface on your team. After all, since cybersecurity now has a place at the board level, it makes sense to have an interface between your team and the business (your internal customers).
Now that you have defined these metrics and a process owner, you are ready to begin measuring and improving your operations. SOAR brings a wide range of benefits; the areas below focus specifically on the business intelligence feature of the Siemplify Security Operations Platform.
Here are a few highlighted areas of immediate impact:
Streamline Reporting Requests
Reporting once meant pulling security analysts away from investigations to gather arbitrary data (the daily firefighting mentioned earlier). Now you can take reporting on directly, or designate it to a specific managerial function, so that requests no longer slow your operations.
Make Intelligent Tool Consolidation and Vendor Rationalization Decisions
Say you are undergoing tool consolidation within your SOC to address a ‘shelfware’ problem. With SOAR, you can see which product types your alerts originate from. As a further layer of analysis, you can drill into the specific products most used within those categories or, more importantly, determine which ones never contribute to your most critical investigations.
Demonstrate the Value of the SOC and Make a Case for Resources
Enterprise SOC teams can show the value of the team across the organization by demonstrating analyst utilization, threat response times, or how increased capacity would help address a surge in, for example, phishing attacks driven by the rise in remote work. The result is a more objective, data-driven conversation with HR and finance about your team’s resource gaps.
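The two sections above (tool consolidation and demonstrating SOC value) both come down to computing a handful of metrics over the alert records a SOAR platform centralizes. As an added illustration, not code from the original post or from the Siemplify platform, the script below computes alert volume by product category, shelfware candidates (products whose alerts never feed a critical investigation), mean time to acknowledge and resolve overall and per analyst, and per-analyst utilization. The alert records, product names and analyst names are constructed sample data; the fields and the 8-hour shift window are assumptions made for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, Iterable, List


@dataclass
class Alert:
    """One alert as a SOAR platform might store it (assumed schema)."""
    alert_id: str
    product: str          # hypothetical source product name
    category: str         # product category, e.g. EDR, Email, IDS
    analyst: str          # analyst who handled the alert
    created_at: datetime  # alert raised by the source product
    acknowledged_at: datetime  # first analyst action
    closed_at: datetime   # alert resolved
    critical: bool        # part of a critical investigation


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample alerts for one shift; not real data.
ALERTS: List[Alert] = [
    Alert("A1", "edr-vendor-x", "EDR", "alice", _ts("2020-06-01T08:00"), _ts("2020-06-01T08:10"), _ts("2020-06-01T09:00"), True),
    Alert("A2", "mail-gateway-y", "Email", "bob", _ts("2020-06-01T08:05"), _ts("2020-06-01T08:35"), _ts("2020-06-01T10:05"), True),
    Alert("A3", "mail-gateway-y", "Email", "alice", _ts("2020-06-01T09:00"), _ts("2020-06-01T09:05"), _ts("2020-06-01T09:45"), False),
    Alert("A4", "legacy-ids-z", "IDS", "bob", _ts("2020-06-01T09:30"), _ts("2020-06-01T09:50"), _ts("2020-06-01T10:30"), False),
    Alert("A5", "edr-vendor-x", "EDR", "alice", _ts("2020-06-01T11:00"), _ts("2020-06-01T11:05"), _ts("2020-06-01T12:00"), True),
    Alert("A6", "legacy-ids-z", "IDS", "bob", _ts("2020-06-01T12:00"), _ts("2020-06-01T13:00"), _ts("2020-06-01T14:00"), False),
]


def alerts_by_category(alerts: Iterable[Alert]) -> Counter:
    """Alert volume per product category (the first drill-down level)."""
    return Counter(a.category for a in alerts)


def alerts_by_product(alerts: Iterable[Alert]) -> Counter:
    """Alert volume per specific product (the second drill-down level)."""
    return Counter(a.product for a in alerts)


def shelfware_candidates(alerts: Iterable[Alert]) -> List[str]:
    """Products that never contributed an alert to a critical investigation."""
    alerts = list(alerts)
    used_in_critical = {a.product for a in alerts if a.critical}
    return sorted({a.product for a in alerts} - used_in_critical)


def _mean_minutes(deltas: Iterable[timedelta]) -> float:
    return mean([d.total_seconds() / 60 for d in deltas])


def response_times(alerts: Iterable[Alert]) -> Dict[str, float]:
    """Mean time to acknowledge (MTTA) and mean time to resolve (MTTR), in minutes."""
    alerts = list(alerts)
    return {
        "mtta_min": _mean_minutes(a.acknowledged_at - a.created_at for a in alerts),
        "mttr_min": _mean_minutes(a.closed_at - a.created_at for a in alerts),
    }


def per_analyst(alerts: Iterable[Alert]) -> Dict[str, Dict[str, float]]:
    """Alert count plus MTTA/MTTR broken down by analyst."""
    groups = defaultdict(list)
    for a in alerts:
        groups[a.analyst].append(a)
    return {name: dict(count=len(g), **response_times(g)) for name, g in groups.items()}


def analyst_utilization(alerts: Iterable[Alert], shift_hours: float = 8.0) -> Dict[str, float]:
    """Fraction of the shift each analyst spent with at least one alert in hand.

    Handling intervals (acknowledged -> closed) are merged so that working two
    overlapping alerts at once is not double-counted.
    """
    intervals = defaultdict(list)
    for a in alerts:
        intervals[a.analyst].append((a.acknowledged_at, a.closed_at))
    utilization = {}
    for name, ivs in intervals.items():
        ivs.sort()
        busy = timedelta()
        cur_start, cur_end = ivs[0]
        for start, end in ivs[1:]:
            if start <= cur_end:          # overlaps the current busy window
                cur_end = max(cur_end, end)
            else:                          # gap: close out the window
                busy += cur_end - cur_start
                cur_start, cur_end = start, end
        busy += cur_end - cur_start
        utilization[name] = busy.total_seconds() / (shift_hours * 3600)
    return utilization


if __name__ == "__main__":
    print("by category:", dict(alerts_by_category(ALERTS)))
    print("by product:", dict(alerts_by_product(ALERTS)))
    print("shelfware candidates:", shelfware_candidates(ALERTS))
    print("response times:", response_times(ALERTS))
    print("per analyst:", per_analyst(ALERTS))
    print("utilization:", analyst_utilization(ALERTS))
```

On the sample data, legacy-ids-z generates as many alerts as the other products but never reaches a critical investigation, which is exactly the signal the consolidation discussion above is looking for; raw alert volume alone would have hidden it. The utilization figure merges overlapping handling windows, which matters when arguing for headcount, because summing per-alert handling time would overstate how busy an analyst juggling several alerts really is.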
Make Analyst Performance Reviews More Objective
Without seeming too “big brother,” you can use your team’s data to show where time is being best (or worst) used and drive objective performance reviews. In an era where SOC talent is in high demand, assessing employees with unbiased, data-backed reviews will help keep your top performers happy.
Invest in More Targeted and Practical Training
Perhaps your team is proficient on tools that are outdated. You can use your SOC metrics to make forward-leaning training investments and send your top performers for external instruction on the tools you actually use, instead of on outdated technology or topics. Again, keeping your team ahead of their peers will positively impact turnover and retention.
Value for Service Providers
Using a multi-tenant SOAR platform helps service providers enhance their customer experience by hosting more data-driven business reviews, whether quarterly, monthly, weekly or even daily. It also helps you stand out from competitors in your industry that are known for customer complaints about the lack of visibility into their operations.
No matter what kind of SOC you are running, having a SOAR platform integrated with business intelligence at your fingertips helps you drive overall performance improvements, make smarter security technology investments and deliver smarter analyst training for your SOC team.
The best example in the market today of this technology combination is the Siemplify Security Operations Platform, powered by Tableau, a best-of-breed data visualization tool. This video illustrates how Siemplify aggregates data from across your tools into a single API-connected workbench and leverages Tableau for advanced reporting and analysis.
Dane Disimino is director of product marketing at Siemplify.