Secrutiny Founder, Simon Crumplin Discusses SOC-as-a-Service at Securing the Law Firm 2019

1st October 2019

Last month we had the opportunity to be a part of Securing the Law Firm 2019 with an Education Seminar centred around best-practice for constructing SOC-as-a-Service (SOCaaS), so you know you can get value.

Representing Secrutiny, Founder Simon Crumplin, began the session with the statement: “I want to exaggerate that this is not something where you have to buy technology! This is an approach and a philosophy to achieve incident readiness and SOC and SIEM readiness so you can govern the quality.

Myths and Realities of SOCaaS

Organisations have become unnecessarily exposed to risk, over-reliant (locked-in) and their agility restricted by allowing their SOC and SIEM providers to directly ingest relevant log sources. To remove this reliance and lack of clarity, organisations need to decouple log aggregation from the service provider creating a tow-tier architecture.

Traditional SOC Architecture (click to zoom)

Secrutuny SOCaaS Education Seminar Slides

Two-Tier SOC Architecture (click to zoom)

Secrutuny SOCaaS Education Seminar Slides

By decoupling the log aggregation from downstream processing and analysis by the SIEM and SOC, a “System of Record” (SOR) is achieved. This SOR provides the business with the ability to conduct critical risk management activities by providing a central forensically sound capture of all relevant log sources for:

  • Compliance, assurance and audit requirements
  • The transfer of only relevant data for processing and analysis (the SIEM)
  • Provides Incident Response data set
  • Auditing the service provider
  • Ability to change provider or analytics platform at will
  • Archive data to any cloud or on-premise service
  • Deploy automation and response processes

Without this end-to-end record of all relevant activities, it is impossible to conduct an effective internal or external audit of your SOC or SIEM Service, let alone demonstrate process compliance with a regulator or cyber security insurance underwriter. It is important that security operations teams can easily access system records, meet process requirements, adhere to record retention policies, and generate reports without substantial manual effort.

Noisy SIEMs to Meaningful SOC Alets (Getting SOC Ready)

When discussing being SOC ready, it is essential to also consider being SIEM (Security Information and Event Management) ready as well. It is our experience that most organisations are not.

A SIEM is a powerful tool, but security process maturity can pose as a significant barrier, leaving organisations unable to make the most out of its true potential. In order to be SIEM-ready, the following considerations must be addressed:

  1. What are the questions that my stakeholders need answers to?
  2. Where is the data that, if processed, will answer these questions, and how will it be processed?
  3. How often does each question need to be answered?
  4. What scale of data needs to be addressed to answer these questions?
  5. Where does the data live, and where are its original sources for proof?
  6. Who needs access to the answers or the data, and how?
  7. Am I reducing risks or increasing risks with how I manage and present the data?

The System of Record is intended to provide a verifiable source of data in its original format. This is to enable auditors of the SIEM or related data systems to verify the accuracy and completeness of reporting, as well as to produce when required, the original logs in an appropriate forensic manner.  To be SIEM-ready, the system architecture must consider the questions noted above and be constructed to collect, process, and answer the questions efficiently.

The next step to getting SOC ready is to identify the information feeds you will input into your SOC. It depends on the kind of services you are running but should cover the full scope of the Mitre Attack Framework.

 

Log Sources for SOC

Secrutuny SOCaaS Education Seminar Slides

It’s important to tune your SOC to contextual business risk through KPIs. Why? Boards should take responsibility for IT resource in the same way they do costs, facilities and human resources etc. Therefore, simple metrics and KPI’s should be used to guide IT from the board level.

SOC reporting should be configured by business unit/function and risk category (Build, Services, Network, User and Data). Allowing devices, teams, departments and processes to be rationally assessed to establish not only the likelihood of being exploited but crucially what the impact to the business will be. It broadens the scope beyond cyber threat detection to help focus on cyber risks in business context.

Recommended SOC Process

Secrutuny SOCaaS Education Seminar Slides

Not all SOCaaS Offerings Are the Same (How to Evaluate SOCaaS Providers)

There are two types of Managed Security Service Provider’s (MSSPs) that offer SOCaaS. Many are just the messenger, passing on the alerts and leaving you to deal with them. Others provide an end-to-end service, managing the alerts with full investigation so that when the issue is raised, it already needs your attention.

There are three fundamental aspects to SOCaaS:

Intimacy

What is the baseline?
You don’t need fancy AI, just good posture and hygiene

Determin what is normal and what is visible
Who is allowed to do what, when and how?

Runbooks & Playbooks

Determine what you are responsible for:
Who does what when incidents occur?

Not all incidents require a technical response

Continuous Evolution

Most people stop at telemetry data and never get to rich data
System Access, Database Access, Data Access

“But even so, all SOCaaS solutions are different, from what degree they provide products, people and process to solve the problem, to the layers of defence within scope. How it is deployed and maintained, as well as how responsibilities are aligned between vendor and customer,” continued Simon.

SOCaaS Responsibilities

Secrutuny SOCaaS Education Seminar Slides

An effective and fully operational SOC will improve security incident detection and increase your cyber resiliency. Frequently verifying the SOCaaS, through such exercises as red teaming, breach and attack simulation, audit or internal penetration testing is a must.

Check Out Our Other Recent Posts >

London Breakfast Briefing – Achieving Prioritised Cyber Risk Management
London Breakfast Briefing – Achieving Prioritised Cyber Risk Management

Secrutiny is hosting an intimate breakfast briefing for cyber security leaders in London on Thursday, 28th November. Join us to discover how, with a bit of extension and instrumentation, the ecosystem of controls that you already have can form the basis of an evidential, prioritised cyber risk management programme. Learn more and register…