An efficient security operation center (SOC) is at the heart of any effort to scale your security operation.
In this post, I want to give you some insights on the various ways we’ve achieved SOC efficiency—what we term in-house, our ‘SOCe’—and how some of our techniques may generalize to your own operation.
But, this article comes with a spoiler alert: we had to undergo a complete reimagination of the SOC to achieve this efficiency. This was somewhat easier for us because we were already on the path to a non-traditional SOC, thanks to both a geographically distributed team and the necessities brought about by the COVID-19 pandemic. See my post “The traditional SOC is dead, long live the Remote SOC” for full details.
I want you to take away from this piece an understanding of the factors necessary to achieve true SOCe and how this applies to the small to midsize enterprise. I’ll lay out what elements of our approach you can borrow for your purposes and which you’ll need to come to a provider like ActZero to help with.
What is SOCe?
As a security provider, SOCe is measured by the number of environments (and endpoints therein) we can manage per Threat Hunter. Your measurements, of course, might differ if you’re assessing efficiency in-house.
That being said, you can be efficient at ‘doing very little.’ For this reason, it’s helpful to assess your efficiency in other ways to ensure you’re getting a full measure of your SOCe. For example, consider other metrics like security outcomes, risk reduction, mean times, and signal-to-noise ratio. (For more on the value of signal-to-noise ratio versus mean times, check out our white paper in collaboration with Tech Target, “Contextualizing Mean Time Metrics to Improve Evaluation of Cybersecurity Vendors.”)
How ActZero achieved superior SOCe
As hinted at above, part of our success in building an efficient SOC came from plans we already had to reinvent our SOC. Originally, this flowed from our integration with IntelliGO and the reality of having security experts working quite far apart geographically. Our collaborative culture meant we needed to find and optimize the best ways for our SOC to run given this new reality. So, when the pandemic hit in 2020 and staff had to begin working remotely, we were ahead of the game and simply accelerated many of the plans we had already set.
The first thing we had in place that boosted our SOCe was advanced assessment and automation tools. The use of artificial intelligence (AI) to augment the skills of human Threat Hunters has been a growing trend in SOCs. For us, it provides the ability to have more intelligent and actionable output from our SOC (which means increased efficiency).
Likewise, the second element in our SOCe strategy was machine learning (ML) detections. As with AI, machine learning has revolutionized the SOC in recent years. With ML, we vet and assess routine low-level alerts (which tend to be mostly false positives anyway), freeing our Threat Hunters to deal with more complex problems that need the human touch. Automation and ML detection have helped reduce the need for so many people on 24/7 shifts and ensure that those who are on call only have to deal with the most serious alerts that ML can’t handle by itself.
Our third technique for achieving SOCe wasn’t technological at all. It was workplace psychology.
Once we implemented new automations, processes, and tools, we began looking for ways to reduce tech frustrations and unnecessary complexity while maintaining interesting, challenging, satisfying work. We experimented with context switching, time to task versus productivity of that task, type of work related to time of day, workday randomization, and a mix of scheduled and ad hoc tasks to help find the right mix of productivity and job satisfaction for our Threat Hunters.
Coaching and mentoring became priorities, as did increasing and maintaining employee engagement and satisfaction. We took an interest in their general wellbeing and created SOC mandates to avoid work/life balance challenges and protect their time and wellness.
As a result of these changes, we saw notable, measurable increases in efficiency even during periods where we introduced no new automations, processes, or tools. What happened was a “more than the sum of its parts” moment. The SOC employees became active agents of change and continuous improvement. They could relate each of their tasks to the overall company goals. Therefore, they started approaching their supervisors with ideas for greater efficiency or wanted to brainstorm solutions to inefficient or painful tasks and processes.
This, again, required a rework of our SOC. For scalability, we had to first wholly deconstruct security operations, then build them back up from scratch. This complete rebuild included creating new processes to achieve aggressive hyperscale-specific goals on both accuracy and efficiency.
What you can take from ActZero’s experience
Unless you’re prepared to reevaluate and rescope your entire SOC (and have a vast source of data to make it possible), some of the options discussed above will be inaccessible to you. In that case, check out what ActZero can offer to shore up those elements you can’t do yourself.
But other parts, including the assessment, automation, and workplace psychology changes, are items you can adapt for your needs, boosting your SOCe and freeing up time for your analysts to tackle more threats and reduce risk to your organization.
For more information about how SOCe enables scalability, read our white paper, The Hyperscale SOC and the Minds Behind It: A Machine-learning Foundation for Effective Cybersecurity.