
Excerpts from Building a High Speed SOC: People & Process Problems

November 30, 2017 / Rick McElroy, Sean Blanton

Carbon Black recently published an in-depth guide on what it takes to develop a “high speed” security operations center, or SOC; this is an excerpt from that guide, which you can find here. For more information on building high speed SOCs, including how to eliminate the “response gap,” check out the Transform Into a High Speed SOC hosted by IBM and Carbon Black.


Good Help is Hard to Find

Building a high-performing SOC is challenging when skilled defenders are scarce. In a recent survey, 46% of organizations said they noticed a “problematic shortage” of cybersecurity skills, and 87% claimed that it is difficult to recruit and hire new cybersecurity talent. While it is becoming increasingly clear that advanced technical skills are in demand, many organizations also understand that every environment is different.

In order for an analyst to properly defend your infrastructure, a great deal of on-the-job learning must take place, both with regard to the people and assets being protected and to the tools used to protect them. This does not necessarily mean that new analysts are unqualified, but rather that there is an opportunity for them to learn as your SOC grows.

As roles change and the hierarchy of the SOC evolves, the most basic triage falls on entry-level analysts who spend most of their days minding a steady flow of alerts. If the analyst is lucky, the alerting has been tuned and the tools he or she is using minimize the false positives that muddy the waters of threat prioritization. However, there is a strong chance that the analyst’s situation resembles that of the 37% of organizations that cite keeping up with the volume of alerts as one of their biggest incident response challenges. The analyst is forced to rely on limited experience to guess how serious each alert is, and to keep up with the sheer volume, these decisions must be made quickly. Without extensive experience actually responding to investigations, this overwhelmed analyst is your first line of defense.


Tiering Up

Lacking sufficient context to address any worrisome alerts, a tier one analyst will pass off their findings to the next tier and return to their alert queue abyss. The in-depth learning and analysis will be done by someone with more experience, and the new analyst’s understanding of the attack remains unchanged. This problem is further exacerbated as the team scales. A growing SOC adds more tiers to handle more alerts and the bureaucracy thickens, with the lowest-level analysts losing scope with every new cog added to the triage machine. Given the fatigue and tedium that come with pure alert triage, can you blame that analyst for leaving after a year to pursue a development role somewhere else instead?

If this issue sounds familiar, consider that this scenario only highlights the plight of a new analyst. In the case of a more experienced analyst, add to the deluge of alerts each additional step for which he or she is responsible, including the actual investigations and remediation. With thousands of alerts being generated daily, it should be concerning yet unsurprising to hear that nearly one-third of organizations claim they ignore at least 50% of all security alerts because they simply cannot keep up with the volume. What ensues is a frantic game of catch-up that only increases the probability of human error over time.

Achieving Speed

As an industry veteran and market leader in the endpoint detection and response (EDR) space, Carbon Black has spent years redefining the very economics of security operations. When people and processes fall victim to today’s tumultuous cyber landscape, Cb Response continues to reduce the cost, complexity, and time of traditional security operations and incident response.

Working with some of the most experienced and highly-efficient SOCs internationally, Carbon Black has purpose-built Cb Response for SOC and IR professionals to enable them to proactively hunt for threats in real-time. Over the years, Cb Response has consistently empowered SOCs to make the most of the people and resources they have by leveraging automation and orchestration for rapid security decision-making.

A high-speed SOC must excel in many different areas of security operations to ensure that valuable time is not handed over to the adversary. It is crucial for security professionals to understand that the ability to operate an agile, intelligence-driven SOC is dependent on your organization’s answer to the following five questions…



Join us next week as we continue to explore “Building a High Speed SOC,” our in-depth guide on what it takes to develop a “high speed” security operations center. If you can’t wait until next week, however, you can click here to get a copy of the full report.

TAGS: Cb Response / Excerpts / High Speed SOC / security operations
