Enterprises Can Gain Significant Efficiencies and Increased Effectiveness through NOC/SOC Integration
Approximately 80% of organizations with a security operations center (SOC) also have a network operations center (NOC). While these two groups ultimately serve different functions for an enterprise, significant overlaps do exist, and SOCs and NOCs will typically need to collaborate in the event of an incident or emergency. Yet, despite the somewhat symbiotic relationship that exists between the NOC and SOC, only a small percentage of enterprises truly integrate these functions.
The Most Used Playbooks of 2018 series brings you the production playbooks noted by our professional services team as being most utilized and favored by customer SOCs. These playbooks implement best practice workflows for alert handling, alert investigation, incident response and automation plans.
Machine learning holds great promise for security operations
Over the past two years machine learning has found its place firmly in the cybersecurity industry, and its benefits are indisputable. Through machine learning, we've seen improvements implemented into security technology that make tangible differences to our cybersecurity posture.
Establishing organizational and security operations metrics improves management and reduces company risk
An organization's ability to discover and reduce risk in a more preventative manner rests heavily on having clear cybersecurity and security operations metrics.
Understanding the overall security posture of your enterprise starts with creating a baseline of select organizational and security operations metrics. With baseline numbers established, you can then begin to increase visibility, education and improvement across both the technology and the processes within your program. Metrics should be gathered from critical assets, with risks and improvements presented to key stakeholders within the organization. These metrics help determine where particular areas of a program are running smoothly and where additional insight should be applied.
Defining the cybersecurity metrics that matter to your organization
Start by understanding your organization's critical assets. This could include everything from sensitive customer data and company IP to users and devices. I almost always suggest starting with anything compliance-related or having to do with public assets. These are the areas where you should be building metrics first. Ultimately, you're looking to measure your ability to effectively and proactively secure your company's most valuable assets. Ensuring visibility into these areas first is vital to identifying lapses in performance that could compromise security and triggering response to get processes back on track.
After you've identified what needs to be monitored, you need to start collecting information and determining what data points are available. The process for collecting metrics is an important discussion item, since we want to limit as much manual effort as possible. Determining what information to collect and how you'll gather and analyze this data is a crucial step in your metrics journey. You'll also want to gut-check your identified metrics with a risk-based team, if available, to determine prioritization of the remediation efforts when those needs arise.
Baselines set the stage for goal-setting and measuring progress
Creating baselines is what you’ll use to determine the current cybersecurity maturity of your organization overall as well as your SOC. Baselines also help you identify any outliers or blatant concerns which require urgent attention. By creating this foundation and setting standards reflecting what’s normal within your organization, you create a basis for setting goals and milestones. Included in your baselines should also be an understanding of industry standards and your organization's appetite/tolerance for risk. Without these, identifying future goals is destined to be a fruitless exercise.
As an example, let's say you set a goal of having all Windows systems patched within one week of new Microsoft patches being released. To set this as an effective goal, you would need to have already done the following:
Baseline the current state of your patching performance - what is the current time frame for new patches to be applied?
Understand your organization's risk tolerance - how long are unpatched systems acceptable?
Only by understanding these elements can you determine if a one-week patching window is actually a good, reasonable, achievable goal.
Security automation means a more efficient SOC, improving the bottom line
The evolving threat landscape just gets more complex and brutal as time goes on. Targeted threats abound as advanced persistent threat campaigns, cyberwarfare, distributed denial of service attacks, and spearphishing. Meanwhile, zero-day vulnerabilities and exploits continue to be frequent occurrences. It’s a hostile cyber world out there, and it’s easy for organizations and enterprises to get overwhelmed. What if there was a solution that could be deployed that could cut down on the tedium that SOC analysts deal with? The right security automation tool can reduce your cases by 80%.
Lack of effectiveness metrics and orchestration/automation top list of security operations frustrations
The more things change, the more they stay the same. SANS recently released its 2018 Security Operations Survey, and we continue to see the same barriers to SOC performance and effectiveness rise to the top.
Effectively connect people, process and technology to minimize MTTD and MTTR
There's a reason it's said that what gets measured gets managed. In order to successfully achieve a goal, you have to be able to measure progress. It's the only way to know if you're heading in the right direction.
Another year, another Black Hat has come and gone. On the show floor, we saw the continued momentum and interest building for security orchestration, automation and response (SOAR). And as always, we met with a wide variety of security operations pros feeling the pressure of too many alerts, too many technologies and not enough process and automation to make it all work.
As a Boy Scout, you’re trained to be prepared - always in a state of readiness in mind and body to do your duty. And for many of us in cybersecurity, a sense of duty is what drew us to the industry in the first place. What happens when the mind and body are at the ready, but you don't have the right approach or tools to carry out your duty as you know you can and should?
The benefits of security orchestration, automation and response (SOAR) are many - if executed correctly
There’s no doubt, organizations around the globe are investing in security orchestration, automation and response (SOAR) solutions. While today, less than 1% of large enterprises use SOAR technologies, by 2020 15% of organizations with a security team of more than five are expected to leverage these tools.
Have a clear criteria list when selecting a security orchestration vendor
Security orchestration, automation and response (SOAR) vendors offer SOCs the best solution against the burgeoning problem of having too many security tools but not enough in-house talent to use them effectively. They enable security operations teams to integrate disparate cybersecurity technologies and processes into a more cohesive security ecosystem, in turn allowing these teams to work more efficiently against the growing onslaught of cyber threats.
In this era where cyber threats occur rapidly and nonstop, combining incident response and automation is becoming a necessity for enterprises and MSSPs seeking to keep their cyber defenses up around the clock. The following provides an overview covering all you need to know about automated incident response and how it can benefit your organization.
Continuously Innovating Security Orchestration and Automation
The Siemplify team is always adding and improving features based on feedback from our customers and partners. We're excited to unveil version 4.0 of our cutting-edge security orchestration and automation platform. Filled with new functionality to further improve incident response processes for enterprises and MSSPs alike, here's a look at what you can expect from our latest release.
Much has been written about the death of the Tier 1 SOC analyst. To paraphrase Mark Twain, reports of that death are greatly exaggerated. A simple Glassdoor search yields 186 open positions that posted in just the last month. Is one of your open roles on that list?
Automating the triage and incident response for account misuse alerts
Well, here we are. Our fourth and final installment of this blog series on use cases that can benefit most from security automation. In case you've missed the prior posts, we have already covered automating the investigation of and response to phishing, malware and DLP alerts.
Automating the triage and incident response for malware alerts
Welcome to the second post in our four-part blog series where we walk through the steps to automate some of the most common SOC processes. Last week, we went through applying security automation to the process of managing, investigating and responding to phishing alerts. This week, we take a look at addressing malware.
Cybersecurity is full of terms, concepts, buzzwords and jargon that often get misused, overstated or muddled. That’s why, every now and again, we want to help you reground yourself in the true meaning of some of the most prevalent security terminology.
The demands and challenges within the scope of security operations are quite fierce. The problems plaguing security operations (alert fatigue, too many point solutions, a shortage of analysts) are well documented and, in many cases, getting worse. These challenges are exacerbated by immense pressure that drives burnout and high turnover among analysts.