Seven lessons from building a high-value SOC
Bonus: seven security controls to focus on
March 2022
$~:whoami
Seven lessons
(caveat: every organisation is different, your mileage may vary)
Prioritize highly skilled people over tooling
- Invest in getting and keeping the right people
- Smart people will automate whatever they can
- Be smart about outsourcing
- Tools are force multipliers
Work closely with engineering
- Just finding things to fix sucks if they don't get fixed
- Your highky skilled people will know how to fix as well
- Enhances security awarenness and willingness to cooperate
Prioritize
- Doing everything will mean you will do nothing good enough
- Base priorities on risk analysis
- You are not Google
- Adopt priorities to corporate security maturity level
Monitor in depth
- Host-based (e.g. EDR, sysmon, osquery) AND network-based (e.g. netflow, firewall, DNS, DHCP)
- Ensure you can detect an attack at multiple stages
- MITRE Att&ck and D3fend framework
- Log for detection, hunting AND IR
Fight security theatre
- E.g. rotating passwords every month is silly and no, you do not need AI-enabled next-gen XDR
- Most security value lies in the basics
- Be the voice that puts security threats and vendor bullshit into perspective
Report effectively to management
- Communicate in terms of business risks and opportunities
- Provide management with an actionable plan for improvement
- Report periodically on progress in the security programme
- Provide data from your SOC metrics to give a data-driven view on the state of security
- Be consistent
Organise and utilise an external feedback loop
- Gets management attention
- Security audits
- Employ periodic quality penetration testing or security advice (e.g. Outflank, Outsidersecurity, Falcon Force, Thice Security, Security Minded)
- Follow through on fixing the issues
7 focus security controls
Ensure visibility in what you own, how it is connected and who (or what) has which rights
