Is my SOC making any difference?
By John Skipper, PA digital trust and cyber security expert
Information security breaches keep happening. Many of them we don’t see, but those we do vary significantly in their apparent goals and attack methodology, depending on the nature of the organisation and service being attacked. And how you react to them depends very much on your business priorities – whether your focus is on defending critical information assets, preventing financial crime or protecting reputation. In short, your risk is specific to your business.
Despite this, cyber security is often perceived as a technology thing, oriented around boundaries, controls and monitoring that are essentially the same for everyone. How can you tailor your cyber security investment to the specific needs of your business and your risk appetite?
I believe this starts in the Security Operating Centre (SOC), which for most is the heart of their cyber response capability. It means making sure you have the right threat intelligence, you are gathering the right event data, applying the right analytics, prioritising the right incidents and responding in the right way. Most importantly, your SOC team needs to have the right mindset and understanding of the business context. The threats that matter for an online payment processor will be very different from those that matter for a nuclear power operator. Ultimately, if your security analysts don’t understand the business they are trying to protect, they will be chasing the wrong threats, and all the money you have spent on tools such as Security Information and Event Management (SIEM) will have been wasted.
The use of ‘security scenarios’ can really help to focus your SOC on the threats that matter most to your business, help them recognise the genuinely serious incidents when they occur, and make sure they respond quickly and appropriately. When I’m with clients, I use three simple questions to define a set of security scenarios:
- What incidents have hit you in the past?
- What incidents have hit your peers and competitors?
- What else do you think could go wrong in the future?
By assessing the impact of these scenarios and the difficulty of detecting them, it is straightforward to prioritise them and determine where your SOC should focus to make the biggest difference to your business risk. You can then determine the event data and analytics you need to bring into your SOC, and the playbooks to triage and contain potential incidents. You can also make sure you are spending your money where it will deliver the best return, in terms of risk reduction.
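The scenario exercise described above (the three questions, then impact and detectability scoring, then working out which event data the SOC still needs) can be kept as a small, repeatable model rather than a one-off workshop output. The following Python is an added illustration, not PA's own method or tooling: the scenario list, the 1 to 5 scoring scales, the telemetry source names and the currently onboarded sources are all constructed for a hypothetical organisation. It ranks scenarios by impact multiplied by detection difficulty, reports which scenarios the SOC cannot yet fully detect, and ranks the missing log sources by how much scenario risk each one would unlock, which is the "where to spend next" question the paragraph raises.

```python
from dataclasses import dataclass

# Assumed scoring scales (not from the article): 1 = low, 5 = highest.
# priority = impact * detection_difficulty, so the hard-to-see, high-impact
# scenarios float to the top of the SOC's attention.


@dataclass(frozen=True)
class Scenario:
    name: str
    origin: str                 # "past", "peer" or "future": which of the three questions produced it
    impact: int                 # 1..5 business impact if it succeeds
    detection_difficulty: int   # 1..5 how hard it is to spot with good telemetry
    required_telemetry: frozenset  # event sources the SOC needs to detect it


def priority_score(s: Scenario) -> int:
    """Higher means the SOC should care more: severe and hard to detect."""
    return s.impact * s.detection_difficulty


def prioritise(scenarios):
    """Scenarios ordered from most to least pressing; ties broken by name for stability."""
    return sorted(scenarios, key=lambda s: (-priority_score(s), s.name))


def telemetry_gaps(scenarios, onboarded):
    """Map scenario name -> sorted list of event sources the SOC still lacks.
    Scenarios that are already fully covered are omitted."""
    gaps = {}
    for s in scenarios:
        missing = s.required_telemetry - onboarded
        if missing:
            gaps[s.name] = sorted(missing)
    return gaps


def next_sources_to_onboard(scenarios, onboarded):
    """Rank not-yet-onboarded sources by the total priority score of the
    scenarios they would help detect, so spend goes where risk reduction is largest."""
    weight = {}
    for s in scenarios:
        for src in s.required_telemetry - onboarded:
            weight[src] = weight.get(src, 0) + priority_score(s)
    return sorted(weight.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample data for a hypothetical organisation (not real incidents).
CONSTRUCTED_SCENARIOS = [
    Scenario("Ransomware via phishing", "past", 4, 2,
             frozenset({"edr", "email_gateway", "ad_auth"})),
    Scenario("Supplier portal credential stuffing", "peer", 3, 4,
             frozenset({"web_app_logs", "waf"})),
    Scenario("Insider exfiltration of design data", "future", 5, 5,
             frozenset({"dlp", "file_server_audit", "proxy"})),
    Scenario("Cloud admin key leaked in repo", "future", 4, 3,
             frozenset({"cloud_audit", "code_repo_audit"})),
    Scenario("Brute force against VPN", "past", 2, 1,
             frozenset({"firewall", "ad_auth"})),
]

# Constructed: what this hypothetical SOC already feeds into its SIEM.
CURRENT_TELEMETRY = frozenset({"firewall", "edr", "ad_auth"})


if __name__ == "__main__":
    print("Scenario priority:")
    for s in prioritise(CONSTRUCTED_SCENARIOS):
        print(f"  {priority_score(s):>3}  [{s.origin}] {s.name}")
    print("Detection gaps:")
    for name, missing in telemetry_gaps(CONSTRUCTED_SCENARIOS, CURRENT_TELEMETRY).items():
        print(f"  {name}: missing {', '.join(missing)}")
    print("Sources to onboard next (weighted by scenario risk):")
    for src, w in next_sources_to_onboard(CONSTRUCTED_SCENARIOS, CURRENT_TELEMETRY):
        print(f"  {w:>3}  {src}")
```

With the constructed data, the insider exfiltration scenario ranks first, the VPN brute force is the only scenario the current telemetry already covers, and the DLP, file-server audit and proxy feeds come out as the highest-value onboarding candidates because they unlock the single most pressing scenario. Replacing the scoring with a product is a deliberate simplification; a real exercise would normally separate likelihood from impact and weight sources by onboarding cost as well.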
This approach is already helping to protect one of the UK’s most important defence businesses and has dramatically improved the effectiveness of their SOC. Could it help ensure your SOC is actually making a difference?