Review your SOC: boosting efficiency and response

Contents

• As a leader I can set tone and focus
• There is often a deeper story
• It's action-centric
• It is an opportunity for the group to learn and bond
• It's an expensive asset - so maximize the investment
• Conclusion

As a leader I can set tone and focus

Sometimes the SOC pushes too hard on trivia, and at the same time can also not drive hard enough. It can get urges to 'tune-out' what it regards as false positives or it can misinterpret some of the incidents it is presented with, particularly incident tickets written by non-security people. My being on the call means I can set direction and also ensure balance and thoroughness. It is also a forum for people to challenge my ideas and the security posture I take. A good example of this is why deeply focus on a lost mobile device that's encrypted, behind MDM and contained no significant data when a few lines below is a team messing around with PowerShell because they are looking for a workaround..?

There is often a deeper story

Sometimes incidents are not what they present as, there can often be a back-story or a commonality between incidents that we can spot if there is a group discussion rather than a written report. Often there is a human angle that needs to be explored or understood. In this way, the SOC - responsible for monitoring and analyzing security incidents - can provide valuable data but also very human insight that helps our security team understand emerging threats and vulnerabilities. In addition, the SOC focuses on operational aspects such as monitoring and incident response, while the security team handles more strategic tasks like policy development and risk management. By working together, we can ensure a comprehensive security coverage.

It's action-centric

With key team members on the SOC review call I can very quickly pass an action to one of them for a quick response - a good example of this is that the Communications Lead will move quickly on taking a pattern of incidents to being a communique to key teams to prevent recurrence. When the SOC and security team operate in silos, critical information can be lost, leading to inefficient incident handling and incomplete post-incident analysis. Collaboration ensures that all relevant data is collected, analyzed, and utilized effectively.

It is an opportunity for the group to learn and bond

The SOC can provide feedback on the effectiveness of security policies and controls, while the security team can suggest improvements in monitoring and response strategies based on their broader understanding of the organization's risk landscape. In increasingly dispersed teams, the SOC review can be a very useful team activity; ours is humorous, frustrating, informative, democratic and friendly and an excellent forum for learning and debate - it plays a particularly good role in supporting new or remote members.

It's an expensive asset - so maximize the investment

Latest, but not least… By working together seamlessly, it sets a positive example for the entire organization, emphasizing the importance of collaboration and vigilance in maintaining security.

Conclusion

Organizations that prioritize this collaboration will be better equipped to navigate the complexities of today's cyber threat landscape. My advice therefore is that for the insight, the sense of team and for the opportunity to be seen visibly steering the ship, you should take the chance to review the casework of the SOC and get a view of that world beyond the dashboards!