11 Questions to Ask When Shifting Your SOC Strategy
No one feels the pain of ransomware and other disruptive and costly digital cybersecurity attacks more than the people managing the day-to-day in your SOC (Security Operations Center). At 13 attacks every second in 2023, cybercriminals, fraudsters and nation-state hacktivists are overwhelming SOC analysts.
Nearly two-thirds (63%) of SOC analysts report the size of the attack surface has increased. At the same time, CISOs and SOC managers are struggling to handle on-the-job analyst burnout and turnover. More attacks mean more SIEM alerts means a larger volume of ‘events’ for analysts to manage.
“SOC workers are reporting several areas that contribute to their job dissatisfaction,” says the SANS Institute in its analysis of SOC performance data. “Too much information, more work than they can handle, difficulty finding and keeping SOC experts, insufficient downtime, too many tools (and lack of tool integration), and too many alerts are the main sources of their pain.”
CISOs are being challenged here. They need to avoid analyst burnout and turnover and find economies of scale in cybersecurity tools. They need to simultaneously reduce the alert noise and fatigue it creates while managing an onslaught of extensive attack scenarios – in hard to pinpoint places.
Is it time to shift your SOC strategy?
Webinar: Better understand the depth of today’s attack surface directly from our VP of Research, Elisa Costante, as interviewed by Rik Ferguson, VP of Security Intelligence of Forescout Research – Vedere Labs.
Key Questions to Answer to Help Improve Your SOC Strategy
Simply increasing headcount doesn’t solve the dual problem of more attacks and security analyst burnout. Instead, you need a strategic approach to managing your SOC team and technologies. Having the right tools with seamless integration is crucial, but it’s not enough to thwart today’s hackers. Equally important are the right team and processes. Properly addressing resource issues is one of the biggest challenges.
Use these following 11 questions to evaluate your overall SOC strategy:
- Do you have the right people?
Assess whether your team has the appropriate skills and expertise.
- Can your team handle the volume of threats?
Ensure your team is equipped to manage the current threat landscape.
- Are they properly trained?
Continuous training is essential to keep up with evolving threats.
- Do you have the right processes in place?
Establish clear protocols for incident detection and response.
- Does the team know what to do in the event of a breach?
Ensure everyone is aware of their roles and responsibilities.
- What are your service level agreements (SLAs)?
Define the expectations for incident response times and performance.
- What is your incident response plan?
Develop a comprehensive plan that outlines steps to take during a security incident.
- Can you scale your team if needed?
Be prepared to expand your team to meet growing demands.
- Do you have access to threat intelligence feeds?
Threat intelligence feeds from outside companies can help you get ahead of new and emerging threats.
- Do you need to bring in outside help?
Evaluate whether external expertise can enhance your SOC capabilities.
- Do you need to outsource your SOC?
Some organizations find that outsourcing their SOC allows them to focus on strategic initiatives and core business functions.
Answering these questions are critical for determining the best approach for your organization based on business needs, budget and security goals. Each organization must assess its unique situation to decide whether to maintain an in-house SOC, outsource or adopt a hybrid approach. Outsourcing, for example, can free up internal resources, allowing your team to focus on more strategic tasks and overall business growth.
How We Reduced Our SOC Workloads by 75%
Throughout Forescout’s evolution, the company has used its own products to provide continuous, automated asset management and network access control across its environment, and to orchestrate asset remediation and incident response among its multi-vendor security products.
In the past, threat detection and response processes had been largely manual – with many issues. The SIEM system that the team had been using for almost two years was adequate for log storage, but actionable information was missing. The SIEM product generated too much noise and false positives — so analysts could not focus attention on high priority events.
Our team used to receive 100 to 300 alerts per day. Plus, the tool required special skills to build queries, alerts and reports. The third-party SIEM was almost completely unusable. Our CISO had to dedicate nearly two FTEs to its care between incident response, configuration and maintenance. And, the SecOps team had to keep hiring the vendor’s engineers to address even a small number of things they needed to get out of it.
Key metrics gained with Forescout Threat Detection and Response:
- 316 detections from 10 billion logs a month
- 17 escalations from 254 cases a month
- .5 FTE for response to actual threats instead of 2 FTE
See all the details in our SecOps case study.
A successful SOC strategy depends on choosing the right combination of technologies, the right people and the right processes. Your technologies should facilitate real-time threat detection, efficient incident response, comprehensive visibility, scalability and seamless automation and integration. By understanding these fundamental requirements and thoughtfully assessing essential technologies, organizations can effectively establish strong SecOps to defend against today’s advanced cyber threats.
Learn How to Improve Your SOC Strategy with Forrester and Forescout
If you’re struggling to navigate the flood of vulnerabilities, risks and threats you and your analyst teams face, you can learn to improve the collaboration between Vulnerability Risk Management (VRM) and SOC teams.
Our lineup includes Senior Forrester Analyst Erik Nost, alongside Forescout’s executives from Vedere Labs, Elisa Costante and Rik Ferguson, and Daniel Trivellato, our VP of OT solutions.
What You Will Learn:
- Integrating Vulnerability and Incident Context: Elevate SOC analyst experience by leveraging active attacks, exposed assets, and business asset criticality.
- Tools for Seamless Collaboration: Discover tools enabling critical context sharing, fostering informed decision-making and information exchange.
- Harnessing Security Analytics: Explore the benefits of leveraging security analytics platforms and TDR dashboards to manage incidents arising from specific vulnerabilities and streamline prioritization workflows for VRM teams.
Forescout is here to help. Whether it’s the technology or the people, we have cybersecurity solutions that can help you meet your security objectives. Forescout’s platform provides network security, risk exposure and management and threat detection and response across all asset types, giving you comprehensive visibility across your entire network.