Security Operation Centers (or SOCs) are the heart of cyber security strategy and planning. But on the ground, when we do investigations, we see a lot of SOCs failing.
Why does this happen? Some points I can think of.
(1) Attitude towards cybersecurity is still reactive and not strategic.
Historically, cybersecurity teams and SOCs have been a bottom-up “bunch of small IT projects”, rather than a top-down approach with buy-in from senior management, integrated with business/corporate strategy, and embedded into everything the organization does.
I hear things like: "This is the IT team's problem", "Cybersecurity is a necessary evil", "Don't fix what isn't broke" and "We haven't been hacked".
(2) Even when this attitude problem is solved, SOC teams face resistance and politics, including from other IT teams. Swift action is delayed because the SOC and the other IT teams do not report to one leader.
(3) Now that we have management buy-in and common leadership in place, we encounter the problem of visibility: what is significant enough to protect, and worthy of allocating a human to review?
What are my assets, how are my network and data mapped, where are my crown jewels? This data is vital for building the SOC, and for its effective functioning and success.
(4) Alert fatigue is real and needs automated approaches (e.g. SOAR), combined with threat intelligence, to solve it. On top of that, we observe a "fire-up and forget" approach towards tools like SIEM, IPS, IDS, DLP, etc., which just adds "white noise" and increases the number of false positives.
Remember "The Boy Who Cried Wolf" from Aesop's Fables?
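To make point (4) concrete, here is an added example (not code from the original post) of the minimal triage logic a SOAR playbook applies to a raw alert stream: tuned-out false positives are suppressed, identical alerts are collapsed into one case, and cases that touch a threat-intelligence indicator are ranked first. The alerts, the allowlist entry and the indicator value are all constructed for this illustration.

```python
from collections import defaultdict

# Constructed sample alert stream (not real data): an authorised vulnerability
# scanner at 10.0.0.5 trips the port-scan rule repeatedly, one DLP alert goes to
# an address that a hypothetical threat-intel feed flags, and an unknown host scans.
RAW_ALERTS = (
    [{"rule": "IDS-PortScan", "src": "10.0.0.5", "dst": "10.0.1.20"}] * 4
    + [{"rule": "DLP-Upload", "src": "10.0.2.7", "dst": "203.0.113.9"}]
    + [{"rule": "IDS-PortScan", "src": "10.0.3.3", "dst": "10.0.1.20"}] * 2
)

# Tuning: (rule, source) pairs the SOC has reviewed and documented as benign.
ALLOWLIST = {("IDS-PortScan", "10.0.0.5")}

# Threat-intelligence indicators (constructed placeholder value).
TI_INDICATORS = {"203.0.113.9"}


def triage(alerts, allowlist, ti_indicators):
    """Collapse raw alerts into cases: suppress tuned-out noise, group the rest
    by (rule, source), and rank cases that match a TI indicator first."""
    suppressed = 0
    groups = defaultdict(list)
    for alert in alerts:
        key = (alert["rule"], alert["src"])
        if key in allowlist:
            suppressed += 1  # documented false positive: do not page a human
            continue
        groups[key].append(alert)

    cases = []
    for (rule, src), items in groups.items():
        ti_hit = any(a["dst"] in ti_indicators for a in items)
        cases.append({
            "rule": rule,
            "src": src,
            "count": len(items),  # one case instead of N identical alerts
            "priority": "high" if ti_hit else "low",
        })
    # High-priority cases first, then the noisiest remaining groups.
    cases.sort(key=lambda c: (c["priority"] != "high", -c["count"]))
    return cases, suppressed


if __name__ == "__main__":
    cases, suppressed = triage(RAW_ALERTS, ALLOWLIST, TI_INDICATORS)
    print(f"{len(RAW_ALERTS)} raw alerts -> {len(cases)} cases, {suppressed} suppressed")
    for case in cases:
        print(case)
```

Seven raw alerts become two cases for an analyst, with the TI-matched DLP case on top; the allowlist is what "tuning" means in practice, and every entry in it should carry a written justification so it is revisited rather than forgotten.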
(5) Most important is the people angle. 1 good resource is worth 10 operational ones. On top of the shortage of quality resources, too little training and too few simulation exercises for existing teams produce a freeze response during an actual incident, exactly when SOC and IT teams should be gearing up for a fight!
(6) If the SOC and the backup infrastructure are not isolated from the general IT infrastructure, they both get compromised during an attack, reducing the speed of response and remediation.
(7) Get into the hacker's shoes. We see too few VAPT and Red Teaming exercises, which could continually check SOC (defense) effectiveness and close identified gaps.
What do you think?