Hybrid SOC – 7 steps approach to be successful
Training
Cyber security is one of the most dynamic businesses: technology changes faster than one can imagine, and this has to be kept in mind. In a Hybrid SOC there is always friction over when a new technology will be introduced and who will be responsible for training the remote SOC analysts. Have we documented it in the Statement-of-Work? Who will pay to train the SOC analysts? Security training is a costly proposition, as we all know very well, so articulating this clearly in the Statement-of-Work is a must-have requirement, to avoid any later dispute over who bears the cost and what the mode of training will be. Training could be delivered through video conferencing, or someone from the client side may have to travel to the remote site. Then again, training all the analysts of a 24×7 operation at the same time is a challenge in itself. Consider a typical scenario: a client decides to roll out Sysmon into their environment to detect advanced endpoint threats. That is a fair decision, but does it fall on the client or on the service provider to give each analyst the required training? Another example: a client enables a good number of cloud security use cases, and the existing team at the service provider end has no clue how to handle them. If this is covered in the Statement-of-Work there is far less room for dispute at a later stage; otherwise it becomes a complete mess. Changes in the business model bring changes on every front, so foreseeing such challenges in advance tells us how to tackle these issues when they come.
Site visit
It should not be a case of signing a three-year contract and leaving it at that. Equal due diligence must be performed by both the client and the service provider, with key designated people travelling at least twice a year. This also gives visibility into whether the working environment is conducive. Face-to-face meetings develop trust and transparency easily and have proven to be the most effective. We can also make provision for a remote SOC analyst to work from the client premises for a week or two, to get first-hand experience working closely with the in-house CIRT team.
Governance
Strong governance is the foundation for building a successful SOC and delivering operational excellence. Key people from both the client and the service provider end must be involved consistently. There must be regular monthly or quarterly meetings to verify that the operation is running as efficiently as documented in the Statement-of-Work.
Culture of Appreciation
Appreciating SOC analysts for their achievements and accomplishments must be handled appropriately at both the service provider end and the client end. Security from an analyst's stance is a tough business, and without appreciation no one feels valued. Satisfaction and productivity increase when someone receives genuine appreciation for their work.
Turnaround time
If the turnaround time for a security analyst is less than a year or so, pay serious attention: it means the SOC is failing, and something is not right that needs to be understood and fixed. On average it takes about six months just to agree that an organization will go with a specific vendor and set up a particular SOC model; it is a huge body of research and a project on its own before an organization takes that decision. So why are SOC analysts leaving so early? Are they not getting enough training? Is there alert fatigue? Are they not being appreciated? Are they finding it hard to maintain a work-life balance? Sickness, or too much absenteeism creating extra overhead for the other staff? Are they underpaid? Or was the initial hiring the main issue? Whatever the reason, it must be identified and a strategy put in place to fix it at the earliest.
Business Continuity
What if there is a plan to move the site to a different location? How business continuity will be maintained must be thought through and documented. How do we deal with a natural calamity? Can we ship at least a few resources from the service provider end to the client location to run the show? How about placing at least 2-3 resources on the client side? Working through these questions in advance helps us deal better with a crisis when it comes.
Maintain privacy during an Incident
Imagine a breach happens at the client end and remote SOC analysts spread the news across the entire floor. Can this be avoided? Privacy must be protected at all times, and how such situations are handled must be fully documented in the agreement and well understood by both parties.