5 minute read 12 May 2023

How could your security operations center (SOC) reach its true potential?

By Tom Schmidt

Partner, Financial Services Cybersecurity Competency Leader | EMEIA, Cybersecurity Leader, Financial Services | EY Switzerland

Focusing on all aspects of Information Security, Cybersecurity, and IT risk management. Passionate about traveling the world and engaging in various sports.


You may not have control over when security incidents occur, but an effective and mature SOC can stop threats before actual damage occurs.

In brief
  • As the threat landscape continues to evolve and attackers adopt new strategies, it is important to know whether your defences are strong enough to stop them getting through.
  • The security operations center (SOC) at the core of your cyber defense should be mature and advanced enough to keep up with anything that comes its way.
  • Cybersecurity leaders should critically review their SOC setup to realize its full potential and move towards the next generation of SOC.

Disruptive technologies such as the Internet of Things (IoT), AI, 5G, the metaverse and quantum computing make hacktivism, ransomware and other cyber attacks a very real threat. The task of securing your organization has never been more complex – or more important to leading transformational change and innovating at speed.

Although organizations cannot control when and where security incidents occur, they can position themselves to address threats and opportunities effectively. Whether you run a small team or a 24x7 operations center, maturing your SOC will improve your organization's detection and response metrics in the fight against evolving cyber threats.


The EY Global Information Security Survey 2021 (GISS) revealed that less than half (47%) of cybersecurity leaders say their organization understands and can anticipate the strategies attackers use. An organization cannot fine-tune its security operations to the attacker's tactics and techniques if it cannot anticipate them. This finding reflects what we see in practice: many organizations are prevention-oriented, with compliance-driven investment in monitoring and response capabilities. In this article, we reflect on the significant potential for improvement in how SOCs are designed and delivered.

SOC Maturity

Starting with the status quo, we can say that financial institutions often invest heavily in tools and technology for the SOC, but spend less time, money and effort defining how to use them efficiently. A SOC's maturity can be assessed across five domains: Business, People, Process, Technology and Services.

In general, we see higher maturity levels in Process and Technology than in People, Business and Services. Lower maturity in one subdomain is usually linked by cause and effect to lower maturity in others. Here are some examples of the pitfalls we commonly see:

Correlation rules

An organization may have a maturity level of "defined" when it comes to its use case management process. What often happens is that it builds rules triggered by generic signatures and alerts from antivirus, endpoint detection and response (EDR) and intrusion detection systems, rather than building correlation rules for the specific attack patterns that are used against the organization. This is often correlated with a lower maturity level in Services subdomains such as the integration of threat intelligence into SOC processes. We note that most companies copy their SOC use cases from best practice material. While this can be a good start, offering a useful baseline, best practice material is hardly confidential. When everyone – including attackers – knows your defenses inside out, they are no longer suitable for serious cyber protection. Cross-organizational collaboration and automation in case management are still lacking, even in well-established SOC organizations.

Automation

As important as it is to have sound detection rules, the activities that follow a triggered alert are often manually intensive, and sorting and validating whether an incident is real takes a lot of time. With a typically high percentage of false positives, these tasks take up the majority of a SOC analyst's time. This often means team resources are not used effectively: highly qualified security analysts end up responding to potential incidents through repetitive, checklist-based tasks.

Clearing the SOC dashboard to focus only on real threats is beneficial for the organization and team alike.

Automation in the investigation and mitigation workflow is a keystone of maturing SOC capabilities. What we often see is that talk of automation in a less mature SOC makes SOC engineers and managers nervous. Fear that mistakes in automation could cause business disruption or damage their reputation often blocks progress in this area. Automation in threat response, however, is not a standalone task; it should be carefully constructed in collaboration with other corporate functions.

With more time and resources available, the SOC team can also turn its attention to proactive threat hunting. All too often, this important endeavor exists in name only. At the same time, team turnover falls dramatically when people have more rewarding work to do than mundane daily tasks, which benefits organizations not only through costs saved in recruitment and onboarding but also through the knowledge and experience retained in this key function.

As can be seen, automation improves maturity in various aspects across the People, Process, Technology and Services domains.
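To make the two points above concrete (correlation rules written for a specific attack pattern rather than generic signatures, and automated triage of the resulting alerts), here is an added illustration in Python. It is not EY's code and not part of the original article; the events, the rule thresholds and the asset inventory used for enrichment are all constructed for the example. The generic rule raises one alert per EDR/AV hit, the pattern rule only fires when several weaker signals from different sources line up on one host inside a short window, and the triage step closes or escalates each alert using the inventory in place of a manual checklist.

```python
"""Constructed SOC correlation and auto-triage example (not EY code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, user, source, event_type).
SAMPLE_EVENTS = [
    ("2023-05-12T08:00:01", "ws-017", "jdoe", "auth", "login_failed"),
    ("2023-05-12T08:00:07", "ws-017", "jdoe", "auth", "login_failed"),
    ("2023-05-12T08:00:13", "ws-017", "jdoe", "auth", "login_failed"),
    ("2023-05-12T08:00:20", "ws-017", "jdoe", "auth", "login_success"),
    ("2023-05-12T08:03:45", "ws-017", "jdoe", "edr", "scheduled_task_created"),
    ("2023-05-12T09:10:00", "jump-01", "svc_patch", "edr", "scheduled_task_created"),
    ("2023-05-12T09:30:00", "ws-042", "asmith", "auth", "login_failed"),
    ("2023-05-12T09:31:00", "ws-042", "asmith", "auth", "login_success"),
    ("2023-05-12T11:00:00", "ws-042", "asmith", "av", "signature_match"),
]

FAILED_LOGIN_THRESHOLD = 3          # assumed tuning value
WINDOW = timedelta(minutes=10)      # assumed correlation window

# Hypothetical asset inventory used for enrichment (constructed values).
ASSET_INVENTORY = {
    "jump-01": {"tier": "admin_jump_host", "maintenance_accounts": {"svc_patch"}},
    "ws-017": {"tier": "workstation", "maintenance_accounts": set()},
    "ws-042": {"tier": "workstation", "maintenance_accounts": set()},
}


def parse(events):
    """Turn the raw tuples into dicts with real timestamps."""
    return [{"ts": datetime.fromisoformat(ts), "host": host, "user": user,
             "source": src, "type": etype}
            for ts, host, user, src, etype in events]


def generic_rule(events):
    """Signature-style rule: one alert for every EDR or AV hit, no context."""
    return [{"rule": "generic_edr_av", "host": e["host"], "user": e["user"],
             "ts": e["ts"]}
            for e in parse(events) if e["source"] in ("edr", "av")]


def attack_pattern_rule(events):
    """Correlation rule for one concrete pattern on a single host:
    >= FAILED_LOGIN_THRESHOLD failed logins, then a success for the same
    user, then an EDR persistence-style event, all inside WINDOW."""
    by_host = defaultdict(list)
    for e in sorted(parse(events), key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        for i, success in enumerate(evs):
            if success["type"] != "login_success":
                continue
            earliest = success["ts"] - WINDOW
            fails = [e for e in evs[:i] if e["type"] == "login_failed"
                     and e["user"] == success["user"] and e["ts"] >= earliest]
            if len(fails) < FAILED_LOGIN_THRESHOLD:
                continue
            persist = [e for e in evs[i + 1:] if e["source"] == "edr"
                       and e["type"] == "scheduled_task_created"
                       and e["ts"] - success["ts"] <= WINDOW]
            if persist:
                alerts.append({"rule": "bruteforce_then_persistence",
                               "host": host, "user": success["user"],
                               "ts": persist[0]["ts"],
                               "evidence": len(fails) + 1 + len(persist)})
    return alerts


def auto_triage(alerts):
    """Enrich each alert from the inventory and decide: close as expected
    activity, or escalate with a severity for a human analyst."""
    decisions = []
    for a in alerts:
        asset = ASSET_INVENTORY.get(
            a["host"], {"tier": "unknown", "maintenance_accounts": set()})
        if a["user"] in asset["maintenance_accounts"]:
            decisions.append({**a, "decision": "auto_closed",
                              "reason": "known maintenance account on " + asset["tier"]})
        else:
            severity = "high" if asset["tier"] == "admin_jump_host" else "medium"
            decisions.append({**a, "decision": "escalate", "severity": severity})
    return decisions


if __name__ == "__main__":
    print(len(generic_rule(SAMPLE_EVENTS)), "generic alerts")
    for d in auto_triage(generic_rule(SAMPLE_EVENTS)):
        print("  generic:", d["host"], d["user"], d["decision"])
    for d in auto_triage(attack_pattern_rule(SAMPLE_EVENTS)):
        print("  pattern:", d["host"], d["user"], d["decision"], d["severity"])
```

On the sample data the generic rule produces three alerts, one of which the triage step closes automatically because it comes from a known maintenance account on a jump host; the pattern rule produces a single alert for the workstation where a brute-force success was followed by a scheduled task, which is escalated. The same enrichment step works on either alert stream, which is the point of separating detection from triage.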

Next Generation SOC

We believe the future of SOC is one that leverages the full potential of people, technology and processes, and considers all business drivers to deliver a suite of services that truly protect the organization. The next generation of SOC will be about using technological advances at scale to support seamless connections between these different touchpoints.

To continue meeting security needs, we believe next generation SOCs should also incorporate:

  • Big data platforms, machine learning and advanced behavioral analytics, threat hunting, integrated incident response and SOC automation
  • Network traffic analysis and application performance monitoring tools
  • Endpoint detection and response, which helps detect and mitigate suspicious activity on hosts and user devices
  • User and entity behavior analytics, which uses machine learning to identify suspicious behavior patterns

Taking SOC forward

To move from status quo to state of the art, SOC teams can benefit from a hands-on red-team assessment.


A highly effective way to assess performance is to invite an external ("red") team of hackers to challenge your security defenses. Their attempts to penetrate your security infrastructure at the people, systems or network level will reveal how you're doing – and where you need to improve. Did your SOC-internal "blue" team detect the threat? If so, how quickly? And were they able to avert it?

Most financial organizations are receptive to assessments of this kind. Indeed, they can offer reassurance that defenses are in place. Or highlight a need to improve. But what happens next? In our experience, too little in many cases.

We encourage financial institutions to invest a little extra time and money in what we call a "purple" exercise. This is where the red team sits together with the blue team after the exercise to look in detail at the result. Working hand in hand, they come up with strategies to improve detection and response. This intensive and incident-specific exchange inspires an agile, future-oriented SOC approach.

Summary

The SOC is a vital player in protecting your organization from a growing range of cyber threats. As technology advances and companies struggle to recruit qualified staff, a sophisticated, tech-enabled SOC will help you remain agile and robust in hunting and responding to threats. Key to this is reducing the noise of false positives, empowering the team to focus on strategic work and using tools and technology intelligently to realize the true potential of the SOC.
