How to detect and mitigate cyber threats?

The beating heart of almost every cyber operation is the Security Operations Center (SOC) and its analysts. Whether you have outsourced some or all of the layers of the SOC, three things remain constant:

  1. You can't outsource the risk.
  2. You have too many alerts and not enough people.
  3. Measurement and metrics are highly visible.

Making the SOC effective is the single most important function in detection and protection controls. The SOC needs to be greater than the sum of its parts, or it will drown under the weight of its own data. To help analysts decide which data is interesting and which is not, enrichment tools have been built to support the triage process.

One methodology that helps an analyst build or follow hypotheses about interesting events is the Diamond Model of Intrusion Analysis. The Diamond Model has four vertices, usually described as its four sides: Adversary, Capability, Victim, and Infrastructure.

The stream of data coming into the SOC can be mapped onto each side of the diamond to see whether any pattern has a security context. This process has largely become the domain of Threat Intelligence. Increasing the volume, accuracy, and speed at which alerts are triaged in the SOC is always one of the key metrics, if not the only metric.

SOC acumen, the ability to make good decisions faster, is the core of SOC effectiveness, and we can build a measure of it around the Diamond Model. Each side of the diamond can give the analyst access to a "playbook": a prescribed set of actions to follow to determine the nature of an alert. Selecting the right playbook is critical if an alert is to be triaged correctly and quickly.

When we look at the maturity of organizations' playbooks from a Diamond Model perspective, we can see that the nature of the threat intelligence industry has driven a bias towards some sides of the diamond. This bias can be attributed to the "indicator of something" industry largely focusing on adversary- or capability-based indicators.

This bias forces SOC analysts down a path with a limited set of playbooks, which are often not the most efficient ones for resolving an alert. If the analyst had access to a balanced portfolio of playbooks, with equal weight given to victim and infrastructure data, the alert would be seen in a clearer light and the analyst could choose an entirely different, and more appropriate, playbook, increasing SOC acumen.
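The two ideas above, measuring a playbook portfolio against the four sides of the diamond and letting the evidence an alert actually carries drive playbook selection, are easier to reason about in code. The following is an added illustration, not code from the original article or from any SOC product: the alert fields, the field-to-vertex mapping, and the playbooks are constructed assumptions. It shows that an alert rich in victim and infrastructure context cannot be routed at all by an adversary/capability-only portfolio, and is routed to an infrastructure playbook once the portfolio is balanced.

```python
"""Added example (not from the original article): Diamond Model coverage of a
playbook portfolio and evidence-driven playbook selection.

All field names, playbooks and the sample alert below are constructed
assumptions for illustration only.
"""
from collections import Counter
from dataclasses import dataclass

VERTICES = ("adversary", "capability", "victim", "infrastructure")

# Assumed mapping from an enrichment field on an alert to the Diamond vertex
# (side) that field gives the analyst evidence about.
FIELD_TO_VERTEX = {
    "actor_attribution": "adversary",
    "malware_family": "capability",
    "cve": "capability",
    "asset_owner": "victim",
    "asset_criticality": "victim",
    "dst_host_exposure": "infrastructure",
    "c2_domain": "infrastructure",
}


@dataclass(frozen=True)
class Playbook:
    name: str
    vertex: str          # the side of the diamond this playbook pivots on
    needs: frozenset     # enrichment fields that must be present to run it


def vertices_present(alert):
    """Diamond vertices for which the alert carries non-empty enrichment."""
    return {FIELD_TO_VERTEX[k] for k, v in alert.items()
            if k in FIELD_TO_VERTEX and v}


def portfolio_balance(playbooks):
    """Share of playbooks per vertex; a balanced portfolio sits near 0.25 each."""
    counts = Counter(p.vertex for p in playbooks)
    total = len(playbooks)
    return {v: counts[v] / total for v in VERTICES}


def uncovered_vertices(playbooks):
    """Sides of the diamond for which the portfolio has no playbook at all."""
    covered = {p.vertex for p in playbooks}
    return sorted(v for v in VERTICES if v not in covered)


def select_playbook(alert, playbooks):
    """Choose the runnable playbook on the side with the most evidence.

    A playbook is runnable only if every field it needs is present. Among
    runnable playbooks, prefer the vertex the alert has the most evidence for,
    then the more specific playbook (more required fields). None if nothing fits.
    """
    present_fields = {k for k, v in alert.items() if v}
    runnable = [p for p in playbooks if p.needs <= present_fields]
    if not runnable:
        return None
    evidence = Counter(FIELD_TO_VERTEX[k] for k in present_fields
                       if k in FIELD_TO_VERTEX)
    return max(runnable, key=lambda p: (evidence[p.vertex], len(p.needs)))


# Constructed portfolios: one skewed to adversary/capability indicators, one balanced.
BIASED_PORTFOLIO = [
    Playbook("apt_attribution_review", "adversary", frozenset({"actor_attribution"})),
    Playbook("malware_family_triage", "capability", frozenset({"malware_family"})),
    Playbook("cve_exploit_check", "capability", frozenset({"cve"})),
]
BALANCED_PORTFOLIO = BIASED_PORTFOLIO + [
    Playbook("asset_owner_contact", "victim",
             frozenset({"asset_owner", "asset_criticality"})),
    Playbook("exposed_service_contain", "infrastructure",
             frozenset({"dst_host_exposure"})),
]

# Constructed alert: no actor or malware attribution, but the victim asset and the
# destination infrastructure are known.
SAMPLE_ALERT = {
    "rule": "outbound connection to suspicious domain",
    "actor_attribution": None,
    "malware_family": None,
    "cve": None,
    "asset_owner": "payments-team",
    "asset_criticality": None,
    "dst_host_exposure": "internet-facing",
    "c2_domain": "example.invalid",
}

if __name__ == "__main__":
    print("uncovered (biased):  ", uncovered_vertices(BIASED_PORTFOLIO))
    print("balance (balanced):  ", portfolio_balance(BALANCED_PORTFOLIO))
    print("evidence in alert:   ", sorted(vertices_present(SAMPLE_ALERT)))
    print("biased -> ", select_playbook(SAMPLE_ALERT, BIASED_PORTFOLIO))
    print("balanced ->", select_playbook(SAMPLE_ALERT, BALANCED_PORTFOLIO).name)
```

The `uncovered_vertices` check is the cheapest version of the acumen measure described above: any side of the diamond with no playbook is a class of alert the SOC can enrich but cannot act on. Note that `select_playbook` returns `None` for the biased portfolio, which in practice means the alert either sits in a queue or gets forced through an adversary-side playbook the evidence does not support.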

This bias was identified as the single biggest issue in a recently commissioned Ponemon report on SOC effectiveness. The top answer to the question "What can make the SOC ineffective?" was a lack of visibility into the attack surface, which relates directly to the infrastructure side of the Diamond Model. The top answer to the question "What is the main barrier to successfully operating a Security Operations Center?" was a lack of visibility into the IT security infrastructure, again pointing to a deficiency on the infrastructure side of the diamond as the primary cause of an ineffective SOC. Building a world-class SOC requires balanced capability across all sides of the Diamond Model, enabling the analyst to select the most efficient playbook and optimize both the time and the certainty of the triage process.