Ten Strategies for Becoming a World-Class CSOC

December 16, 2014
Active Threat-based Defense: Post by Carson Zimmerman

During a decade of helping government sponsors with computer network defense (CND), my MITRE colleagues and I noticed that the same questions kept coming up from others involved in cybersecurity operations—"what data should I collect," "how many analysts do I need," and “where does my shop belong on the org chart?" Specifically, they wanted to know what organizational structure works best, how to design effective policies, what data sources to tap, and what technologies to invest in.

Since the answers to these questions seemed to come from many sources, the time seemed ripe to bring together all that we had learning from supporting Cybersecurity Operations Centers (CSOCs or just "SOCs") into one document we could share with others.

The most pressing concerns coalesce around ten common themes—the inspiration for Ten Strategies of a World-Class Cybersecurity Operations Center. Here's a summary.

  1. Consolidate CND under one organization

This is the most obvious, but least likely to happen. Entities, both public and private, sometimes tend to divide their core CND functions (incident monitoring; detection; response; coordination; and CND tool engineering, operation, and maintenance) into separate units. But fragmentation fosters distrust and undermines effectiveness. Not only should all these functions be brought into one organization—the SOC—they should also be physically co-located.

  1. Achieve balance between size and agility

The SOC faces competing needs—it must be large enough to cover the entire enterprise, yet agile enough to react swiftly to adversarial actions. To strike the right balance, the SOC has to decide on the best organizational model, where to place SOC functions with line managers in the command structure, and where to physically locate. Particularly in large enterprises, this may mean that CND functions are broken into tiers, with distributed execution and centralized coordination.

  1. Give the SOC the authority to do its job

Every SOC needs written policies to grant it the authority to exist, procure resources, and effect change. Solid policies regarding supporting IT and cybersecurity functions are also key. SOCs that lack written authority often spend more time begging for help, than in making a positive impact. The book provides a policy template that can be modified to fit different organizational models and capabilities.

  1. Do a few things well

Favoring quantity over quality can undermine the SOC in the eyes of the very entities it depends on for mission success. The SOC needs to determine which of a host of responsibilities (from threat assessment and forensic artifact handling, to security consulting and media relations) to assume and at what level (basic, advanced, or optional). As the SOC matures, it may build upon its successes, mature along various paths, and take on additional roles in network defense.

  1. Favor staff quality over quantity

People are the most important element in cybersecurity. But who do you hire, how many people do you hire, and how do you get them to stay? Mindset and skillset are key in individual hiring. Determining the right number of analysts can be tricky. The book provides some general considerations, points out areas where automation and streamlining are possible, and lays out a plan for minimizing turnover.

  1. Maximize the value of technology purchases

The SOC needs to consider every technology purchase in light of its relevancy to the constituency, its longevity, and its operator feedback, among other things. Resources should be dedicated to continuously improving tools as well as integrating them into one coherent architecture and workflow.

  1. Exercise discrimination in the data you gather

Collect too little data and you can't find the intrusions; collect too much and the red flags are lost among the nonessentials. The SOC must gather the right data in the right amounts from the right places—with a thoughtful approach to effort and expense. This means knowing where to place your sensors and how to select and hook up your data feeds. A prag­matic, operations-driven approach helps prioritize resources.

  1. Protect the SOC mission

A SOC must function even when its constituency's assets have been compromised. The best ones operate in an out-of-band fashion that isolate passive monitoring systems, analytics, and sensitive data storage from the rest of the enterprise. They must also achieve near zero packet loss at designated monitoring points of presence and prevent the adversary from detecting (and evading) their monitoring capabilities. Yet at the same time they must provide a measured degree of transparency and reporting to their customers to maintain trust and maximize impact.

  1. Be a sophisticated consumer and producer of cyber threat intelligence

Today's defenders must constantly adapt their techniques, tactics, and procedures to respond to a changing threat environment. This proactive approach involves creating cyber threat intelligence based on observations and analysis and trading in cyber threat reporting with other SOCs. A cyber threat analysis cell (a group of analysts who focus on the advanced persistent threat) can facilitate this intel exchange, and we provide a roadmap for creating one.

  1. Stop, think, respond … calmly

The typical SOC has to respond to thousands of threats a year, and each response must be delivered in a professional, trustworthy, and effective manner. Among our recommendations, we suggest: develop, refine, and follow a set of standard operating procedures, be the "level head" that manages concerns and excitement when a big incident does arise, do your best to understand the full extent of the intrusion given time and resource constraints, and use that knowledge in the context of your specific mission or business.

I'm happy to answer any questions or guide you to other resources. You can email me at tenstrategies@mitre.org. And please download the full book from the MITRE website.