Most organisations, after being impacted by a cyber-attack, began looking at the design of their Security Operations Center (SOC) operating model – their existing engagement with the managed service provider or their in-house SOC program – to identify the missing link because business challenged their effectiveness. This is a reality.
Here is my perspective on how your SOC program can establish this effectiveness proactively and bring value to the business through a couple of measures, though these are not the only measures to strengthen the governance of your SOC program.
Under a well-defined structure, SOC gets initial visibility on the threats from the business, risk management and intelligence function. These (top) threats get translated to specific use cases. These specific use cases will map to business systems – both critical and non-critical relevant data sources.
Now let’s look at two different types of the threats to get a practical view, one of which dictates the availability of the system (DDoS attack), and the other that steals the sensitive information (malware/APT attack).
When the SOC monitors the threats, they should map these threats and their monitoring to kill chain, where these threats are intercepted using a specific KPI – stage of threats intercepted on kill chain. The outcome of this mapping helps SOC advise IT/security/business whether the preventive control in place is effective or not. For example, a malware caused by a spear phishing attack through a zero day exploit on the user browser, operating on a business critical system within retail banking, is passed through on stage 1 of kill chain. This scenario clearly indicates that either the advanced malware protection control on the end user machine did not detect it, or the local event manager did not raise an alert within Security Information and Event Management (SIEM), and hence these controls are not effective.
This type of advisory augments the role of SOC beyond just monitoring the security incidents. Also, the SOC teams have the knowledge of the underlying impacted systems. To that end, the SOC can provide a full visibility on threats, from use case scenario to kill chain stage to the underlying business system that is under attack.
Another KPI is linked to response time to threat incidents. By conjugating these two KPIs, business gets visibility on how SOC is able to protect business systems, which is a primary goal of SOC program by intercepting the threat early and responding to the incident in an agreed time frame (KPI on response time will indicate if time to respond was more than the agreed timeframe). Finally, SOC should provide the estimated value of impact that was safeguarded by the SOC, taking into account the underlying asset value, though this exercise involves a bit subjectivity.
Sometimes business leaders demand that the SOC team should tell them the downtime of critical business systems during an attack, especially in the situations when the organization experiences DDoS attacks. This is a reason some SOC structures have allocated dedicated team to DDoS monitoring. Apart from the above approach, the SOC will use an established process which checks the heartbeat of the underlying data source/asset, which is mapped to the use case(s) in this category. In case of DDoS, when a critical business system is not available, an alert is generated based on this event. When a report is generated from the SOC, business gets visibility on the downtime of the system due to a DDoS type of attack. This report can be compared with one from the IT/business continuity function, which generates a report on non-availability of the system.
In summary, SOC programs are maturing to augment their role beyond serving just as an operational entity to bring in value to the business by implementing business KPIs and SOC processes. Mapping the use-case scenarios to kill chain is a crucial step in building this value by increasing the possibility of intercepting threats at an early stage.
Manohar Ganshani, Associate Partner, IBM Security
[ISACA Now Blog]