What You Need to Run a Remote SOC


A Few Things CISOs Need to Consider Now That We are All Remote (or Going Remote) for the Pandemic

In the midst of all the recent turmoil, many CISOs and SOC leaders are weighing the risk of exposing their team to the virus against the need to keep SecOps up and running. Because of the way most SOCs operate today, being physically present on the SOC floor feels like the only way to keep up.

Our new normal must allow for teleworking. Whether the driver is reducing traffic in major cities, helping the environment, or slowing the spread of a deadly virus, there are real risks to our health, safety, AND security, coming from outside the SOC, that demand we rethink how we run it. There is a way, but are we ready to evolve?

And not just for a pandemic. Remote SecOps solves a host of issues like the ones above. Heck, how about simply making it easier to recruit great security analysts, because you can look for talent anywhere?

We Can Go Remote and Have Better Outcomes

We can make every SOC interconnected yet remote, and we CAN get better outcomes without having everyone in the same room. First and foremost, every member of your team has to give up being the hero analyst. This is a team, and analysts at every level must work in concert to prevent gaps in your security posture. It is an orchestra, and everyone has an important part to play in order to make beautiful music. In this case that means being proactive and putting the team first. And by team, I mean your coworkers and society at large.

Based on our experience helping clients do this in the past, here are a few steps to think about to get you started on the path to remote SecOps or a fully remote SOC:

  • Start from the same sheet of music – everything comes from the same organized data. Threat Intel, Content, Workflow, Reporting, and Executive Dashboards should all be real-time views of what you collect, what you use, and how you use it.
Giving the CISO visibility into team activities and outcomes in the W@tchTower Executive Dashboard is one of the many ways we keep everyone working in concert. Dashboards available to the analysts help them prioritize their efforts.
  • Provide a secure cloud application with MFA so each analyst can reach the dashboard from home. In most situations this should be multi-tenant, with each tenant's data kept separate, since many enterprises host multiple agencies and/or child companies.
  • Connect all the right tooling, automation and orchestration in one platform. The right set is the set that reduces the analyst's work – auto-generate the ticket, auto-populate it with the alert, and do the first drill-down for more information. Then give the analyst the raw data, parsed into trackable fields.
  • Provide the Standard Operating Procedure (SOP) in the form of a workflow – for each role: Analyst, SOC Lead/Floor Manager, and CISO. This keeps the right interactions happening through each day so the team stays a team while teleworking. It also lets management monitor analysts and tool usage on each shift, to ensure everyone is moving things through the process and making decisions swiftly and accurately. All of this becomes yet another set of data to report from: What is our security posture? Which tools are we using, and which are we not? How long does this detection take on average? Do we need more training? Do we need more analysts?
  • Have a quick and measurable way to route the right investigations to the senior analysts, and to measure their impact and alignment with core business operations. Can you look at the graph on the dashboard and tell whether something is happening in a high-value area of the business? Is the patching effective? Are the security changes you paid millions for (MFA or new firewalls, for example) making a difference in phishing or data exfiltration?
Giving your analysts interactive tools inside your security operations management platform gives them the tools they need for fast, thorough investigations, keeps them working in the platform, and ultimately makes them more effective.
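As an added illustration of the tooling, SOP, and measurement steps above (this is example code written for this article, not code from the W@tchTower platform), here is a small Python alert-triage pipeline: it parses raw alert lines into trackable fields, auto-generates and populates a ticket, does the first drill-down against threat intel and asset criticality, and computes the shift metrics a SOC lead would watch on a dashboard. The two log formats, the indicator list, the asset tags, and the acknowledgement timings are all constructed for the example.

```python
"""Alert-triage pipeline sketch written for this article (not product code):
parse raw alerts into trackable fields, auto-generate and populate tickets,
run the first drill-down automatically, and compute shift metrics.
All alerts, indicators and asset tags below are constructed sample data."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

# Constructed context a real pipeline would pull from threat-intel and CMDB feeds.
THREAT_INTEL_IPS = {"203.0.113.45": "known C2 (constructed indicator)"}
ASSET_CRITICALITY = {"10.0.5.20": "payroll-db", "10.0.7.11": "dev-workstation"}
HIGH_VALUE_ASSETS = {"payroll-db"}

# One parser per log format; each yields the same trackable field names.
PARSERS = [
    ("firewall", re.compile(
        r"^(?P<ts>\S+) fw action=(?P<action>\w+) src=(?P<src_ip>[\d.]+) "
        r"dst=(?P<dst_ip>[\d.]+) dport=(?P<dport>\d+)$")),
    ("auth", re.compile(
        r"^(?P<ts>\S+) sshd: (?P<action>Failed|Accepted) password for "
        r"(?P<user>\S+) from (?P<src_ip>[\d.]+)$")),
]

# Constructed sample alerts in the two formats above.
SAMPLE_ALERTS = [
    "2024-03-02T09:00:00Z fw action=allow src=203.0.113.45 dst=10.0.5.20 dport=1433",
    "2024-03-02T09:02:30Z sshd: Failed password for admin from 198.51.100.7",
    "2024-03-02T09:05:00Z fw action=deny src=192.0.2.9 dst=10.0.7.11 dport=22",
]

@dataclass
class Ticket:
    ticket_id: int
    source: str
    fields: dict
    created: datetime
    severity: str = "low"
    notes: list = field(default_factory=list)
    acknowledged: Optional[datetime] = None

def parse_alert(raw: str) -> tuple[str, dict]:
    """Turn a raw alert line into named, trackable fields; reject unknown formats."""
    for source, rx in PARSERS:
        m = rx.match(raw)
        if m:
            return source, m.groupdict()
    raise ValueError(f"unrecognised alert format: {raw!r}")

def first_drill_down(ticket: Ticket) -> Ticket:
    """Automated first look: threat-intel match and asset value set the severity."""
    f = ticket.fields
    if f.get("src_ip") in THREAT_INTEL_IPS:
        ticket.notes.append(f"src_ip matches TI: {THREAT_INTEL_IPS[f['src_ip']]}")
        ticket.severity = "high"
    asset = ASSET_CRITICALITY.get(f.get("dst_ip", ""))
    if asset:
        f["asset"] = asset
        ticket.notes.append(f"destination asset: {asset}")
        if asset in HIGH_VALUE_ASSETS:
            ticket.severity = "critical" if ticket.severity == "high" else "high"
    return ticket

def create_ticket(ticket_id: int, raw: str, now: datetime) -> Ticket:
    """Auto-generate the ticket, populate it from the alert, run the drill-down."""
    source, fields = parse_alert(raw)
    fields["raw"] = raw  # keep the raw line so the analyst can always see it
    return first_drill_down(Ticket(ticket_id, source, fields, now))

def shift_metrics(tickets: list[Ticket]) -> dict:
    """Dashboard numbers: volume, backlog, mean time to acknowledge, severity mix."""
    acked = [t for t in tickets if t.acknowledged]
    return {
        "total": len(tickets),
        "unacknowledged": len(tickets) - len(acked),
        "mean_time_to_ack_s": mean((t.acknowledged - t.created).total_seconds()
                                   for t in acked) if acked else None,
        "by_severity": {s: sum(1 for t in tickets if t.severity == s)
                        for s in ("low", "high", "critical")},
        "high_value_hits": sum(1 for t in tickets
                               if t.fields.get("asset") in HIGH_VALUE_ASSETS),
    }

def run_shift(alerts: list[str], ack_minutes: dict[int, int],
              start: datetime = datetime(2024, 3, 2, 9, 0)) -> tuple[list[Ticket], dict]:
    """Ingest alerts one minute apart; ack_minutes maps ticket_id -> minutes to ack."""
    tickets = [create_ticket(i + 1, raw, start + timedelta(minutes=i))
               for i, raw in enumerate(alerts)]
    for t in tickets:
        if t.ticket_id in ack_minutes:
            t.acknowledged = t.created + timedelta(minutes=ack_minutes[t.ticket_id])
    return tickets, shift_metrics(tickets)

if __name__ == "__main__":
    tix, metrics = run_shift(SAMPLE_ALERTS, ack_minutes={1: 4, 2: 8})
    for t in tix:
        print(t.ticket_id, t.source, t.severity, t.notes)
    print(metrics)
```

The point of the structure is that every stage produces data the next stage can report on: the parsed fields make the ticket searchable, the drill-down notes show the analyst why a severity was assigned, and the metrics answer the SOC lead's questions (backlog, time to acknowledge, how often a high-value asset was touched) without anyone having to be on the same floor.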

The SOP, the way we perform SOC duties, is the most vital piece: it is what makes it all work and creates a reliable process. A reliable process is what makes the SOC more secure, which should be the goal, because it performs consistently over time instead of depending on who happens to be in the room.

A remote SOC, or really any SOC, can work given organized data, a defined workflow, and a way to bring all that data together and make it meaningful visually. In doing so, it can get a good handle on its security posture, see where the risk to the organization lies, and address it.
