Fear Nothing: The Gamers Approach To Building a SOC

Tuesday, June 16, 2015

Seth Geftic


Cliché alert! There is no silver bullet for security (I warned you). There are also no digital versions of Bob Seger and the Silver Bullet Band albums for purchase online but that isn’t really relevant.

There is no silver bullet for security. This is something vendors have been spewing for years. Security is a complex problem and sadly no single tool can solve all aspects. Even when focusing on a specific challenge a layered approach is often recommended. This isn’t necessarily a bad thing. It’s good to understand the limitations of a technology or a particular approach but that knowledge often gives security teams the impression that they’re helpless against sophisticated attacks. You’re not helpless. While it is not a silver bullet, the security teams that are most successful at defending their organizations have done so by standing up (or at least outsourcing) their own Security Operations Center (SOC). Some might also refer to them as a Critical Incident Response Centers (CIRC) but for arguments sake lets use the two concepts interchangeably.

SOCs are a combination of talented security people, optimized and often customized tools, and a process to tie it all together. You can’t forget about the process. The more advanced teams operate like a well oiled machine; generating alerts, aggregating them into incidents, prioritizing the most important ones and using that as their jumping off point for an investigation. All of this done with speed and precision.

Why a SOC? Because there are in fact no silver bullets, no one technology or person that will solve all your problems, you need to build a security program that is focused on A) predicting threats B) identifying attacks not blocked by your preventative tools C) investigating the suspicious events so that you can get context to understand the scope and impact of the attack so that you can D) take action before the attacker does damage.

Sounds easy right? Well unfortunately its not. Growing a team, using the right technologies and building the SOC up to a top unit can be a difficult task. But it’s certainly not impossible.

When I was a kid … and according to my wife I still act like one … I played a lot of video games. Even to this day my favorites are still sports games. Specifically, I’ve been known to spend a very un-adult like amount of time playing FIFA soccer. When you first start playing the game it is really difficult. You can barely string together a few passes, defending is impossible and scoring goals seems about as improbable as me winning a Pulitzer for blogging. Let me tell you, there is nothing more humbling then getting taunted by a 12 year old from Brazil as his goalkeeper dribbles your entire team and scores on his way to an 8-0 victory. But giving up is never an option. Every time I play I get a little bit better and I start winning more matches. Eventually I’m beating 12 year olds on my way to outplaying teenagers. I try not to taunt them but sometimes the game gets the best of me. Progress.

The reason I bring this up is because some security managers can feel the same way building up their SOC program. At first the challenge seems daunting. Where do I get the talent? How do I get the budget? Who can help tie it all together? However, building a SOC is a challenge worth taking on. Many others have done so or are in the process of doing so. Some SOCs we have had the privilege to tour or help build, including our own, are really impressive. When you see them operating like a well-oiled machine you can see the power in the approach. But they didn’t start that way. It takes time and commitment and constant tuning. If you speak with a SOC manager they will all tell you the same thing: Don’t back away from the challenge, don’t fear the enemy and always focus on getting better.

Have you had success building a SOC? What were your biggest challenges to overcome? Where did you go for help along the way?

This was cross-posted from EMC's RSA Security blog.

Budgets Enterprise Security Policy Security Awareness Security Training
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.