22 October 2022 | by Xavier Bellekens
Effective SOC managers embrace data and use SOC metrics to identify and fix problems, but let’s start with the beginning.
A SOC, or security operation center, is a facility where organizations can monitor and manage their cybersecurity posture. SOCs typically combine technology and human expertise to provide 24/7 monitoring of an organization’s networks and systems. SOCs can be either physical or virtual, and can be staffed by in-house personnel or by third-party providers. SOCs typically use a range of tools and processes to detect and investigate potential security incidents. These may include SIEM (security information and event management) systems, analytics platforms and threat intelligence feeds. SOCs also typically have defined procedures for incident response, which may includes measures such as quarantining compromised systems and notifying relevant stakeholders. By providing organizations with visibility of their cybersecurity posture, SOCs can help them to identify and mitigate risks in a timely manner.
A cybersecurity incident is any event that jeopardizes the security of an organization’s information systems. This can include everything from a data breach to a denial of service attack. In recent years, cybersecurity incidents have become increasingly common, as organizations have become more reliant on computer networks and the internet. As a result, it is essential for businesses to have robust cybersecurity protocols in place to protect their data and resources. While there is no guaranteed way to prevent all cybersecurity incidents, having strong security measures in place can help to minimize the risk of an attack and the consequent damage.
When an incident occurs, security operations centers are responsible for identifying, assessing, and responding to cybersecurity incidents. They use a combination of technology and human expertise to constantly monitor for threats and take action to mitigate them. In addition to responding to incidents, the SOC also works to prevent future attacks by constantly improving their detection capabilities. By staying one step ahead of the attackers, the SOC helps to protect our critical infrastructure from the ever-growing threat of cyberattacks.
A false positive in the context of cybersecurity is an alert that incorrectly flags a benign file or event as malicious. This can cause businesses and individuals to waste time and resources investigating and responding to non-existent threats. False positives can also create a sense of “alert fatigue” whereby users become numbed to warnings and start ignoring them altogether. Unfortunately, there is no silver bullet for eliminating false positives, but there are some steps that businesses can take to reduce their occurrence. For example, they can fine-tune their security rules and settings, implement better quality control measures, and provide ongoing training for their staff.
Security operations centers face on average 72 to 80% false positive security alerts on a daily basis, due to the variety of tools they have to monitor. We’ll discuss later how to increase the number of true positives received by the SOC.
Data is one of the most valuable commodities. However, all data types do not have the same value.
As a result, understanding the value of the data we collect is essential. Appropriate telemetry and appropriate data sources can go a long way to improving response time and improving the SOC performance.
Unfortunately, measuring the effectiveness of a SOC can be difficult. This is where SOC metrics come in. By tracking key performance indicators, SOC managers can get a clear picture of the posture the SOC is in. This information can then be used to identify weaknesses and implement improvements. In other words, metrics are essential for ensuring that the efforts of the analysts are effective. Without them, it would be very difficult to make informed decisions about how to measure efficiency.
First we need to define what the metrics look like, as not all are technical metrics.
These should be revised quarterly in a Plan, Do, Check, Act fasion
When we think of the data collected, we must answer a number of questions
You can also identify the number of systems managed by your security operations center and classify them by business function, owner function, type of configuration, team ownership. These techniques can help identify rogue devices on the network and help contextualize some alerts with relevant information, as well as provide a holistic view of the organization.
False positives are notorious for creating alert fatigue and SOCs are riddled with irrelevant alerts, constantly putting pressure on the security team, security professionals and analysts.
The SOC performance is tied to the performance of the analysts, hence it’s key to understand the roles of each member of the team within the SOC.
Given we know that the average SOC yields 72 to 80% false positives, how can we improve this key SOC metric that often leads to alert fatigue.
The quality of your cybersecurity operation center is rooted in your ability to measure and obtain appropriate metrics.
Metrics provide insight into how well your team is performing and what improvements need to be made. Without metric data, it is difficult to tell whether or not your team is accurately detecting and responding to threats. Additionally, SOC metrics can help you identify areas of improvement for future training and development. Without a comprehensive understanding of metrics, it is difficult to optimize the performance of your cybersecurity operation center. By measuring and obtaining appropriate metrics, you can ensure that your team is providing the best possible defense against cyber threats.