More than ever, organisations are looking to establish a Security Operations Centre (SOC) to protect their applications and infrastructure. In this short blog, Robbie Steele, SOC Team Leader at Claranet, reviews some of the main considerations for a successful implementation.
The Claranet SOC provides our customers with different managed security services for various purposes:
- If your estate is a hybrid of cloud and on-prem, we triage and respond to incidents with Managed Detection & Response.
- If your goal is to protect your endpoints, we kill and quarantine threats with Endpoint Detection & Response.
- If you are predominantly based in AWS, we prioritise events and alert you with Managed Cloud Security.
- Incident Triage and Notification - this is a core responsibility for the SOC analysts. The team will analyse incidents that trigger in our service management platform. These incidents can originate from various security solutions depending on the service.
- Threat Hunting and Threat Intelligence Research - the SOC consistently conducts threat intelligence research and threat hunting activities to uncover anomalous activity in client environments.
- Tuning - it is also essential to tune customer environments consistently and to optimise the incidents that arrive in the service management platform. The SOC works with the customer to better understand their environment and, in doing so, baselines certain events over time, allowing the team to whitelist known-good activity and only raise credible incidents.
- Reporting - every month the team will create tailored reports for our clients. The data included in these reports are presented in various formats such as graphs, tables, and executive summaries.
- Projects and Service Improvements - the SOC engages in various projects and service improvements and constantly reviews processes and procedures. The purpose of these activities is to improve the service progressively. Progression in the SOC means we can provide better services to our customer base.
- Investigations - these can be either customer-led or incident-led. Customers may ask the SOC to run an investigation focussing on specific time frames, users, hosts etc. Analysts may be performing triage on an incident and decide that an investigation is needed to gather additional evidence.
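As an added illustration of the baselining and whitelisting step described under Tuning, here is a small example written for this post (not Claranet's own tooling); the alert fields, host names and counts are constructed, and in practice every proposed allowlist entry would be confirmed with the customer before it suppresses anything:

```python
from collections import Counter

# Constructed sample alerts in the shape (host, event_type, user).
# BASELINE_WINDOW stands in for a few weeks of historical alerts reviewed with the customer.
BASELINE_WINDOW = [
    ("fs01", "scheduled_task_created", "svc_backup"),
    ("fs01", "scheduled_task_created", "svc_backup"),
    ("fs01", "scheduled_task_created", "svc_backup"),
    ("web01", "powershell_encoded_command", "svc_monitor"),
    ("web01", "powershell_encoded_command", "svc_monitor"),
    ("web01", "powershell_encoded_command", "svc_monitor"),
    ("web01", "powershell_encoded_command", "svc_monitor"),
    ("dc01", "new_local_admin", "jsmith"),  # seen once: not routine, stays alertable
]

# Constructed alerts arriving after the baseline has been agreed.
NEW_ALERTS = [
    ("fs01", "scheduled_task_created", "svc_backup"),        # routine backup job
    ("web01", "powershell_encoded_command", "svc_monitor"),  # routine monitoring agent
    ("web01", "powershell_encoded_command", "jsmith"),       # same host/event, different user
    ("dc01", "new_local_admin", "jsmith"),                   # never baselined
]


def propose_baseline(alerts, min_count=3):
    """Return {(host, event, user): count} for patterns seen at least min_count
    times in the baseline window. These are proposals for the customer to
    confirm, not an automatic allowlist."""
    counts = Counter(alerts)
    return {key: n for key, n in counts.items() if n >= min_count}


def tune_alerts(alerts, allowlist):
    """Split incoming alerts into incidents to raise and suppressed matches.
    The allowlist is keyed on the full (host, event, user) tuple so that the
    same event from an unexpected user or host is still raised."""
    raised, suppressed = [], []
    for alert in alerts:
        (suppressed if alert in allowlist else raised).append(alert)
    return raised, suppressed


if __name__ == "__main__":
    confirmed = set(propose_baseline(BASELINE_WINDOW))  # assume customer confirmed all proposals
    to_raise, quiet = tune_alerts(NEW_ALERTS, confirmed)
    print(f"raised {len(to_raise)} incident(s), suppressed {len(quiet)} known-good alert(s)")
    for alert in to_raise:
        print("RAISE", alert)
```

Keying the allowlist on the whole tuple rather than on the event type alone is what keeps the third and fourth alerts visible: a baseline that only suppressed by event name would have hidden the encoded PowerShell run by a different user.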
Key Skills and Characteristics for SOC Analysts
- Analytical Skills - a security analyst will need to be comfortable investigating data from multiple sources and using their instincts and creativity to help draw conclusions and make decisions.
- Thinking outside the box - mitigating threats requires the analyst to think like the attacker, and that means being able to anticipate what is going to happen based on the data feeds, intelligence, and trends, and then make security recommendations.
- Understanding Security Frameworks - familiarity with frameworks such as the Lockheed Martin Cyber Kill Chain and MITRE ATT&CK is pivotal when analysing incidents. Knowing where a specific incident sits in each framework is useful when prioritising the severity of the event.
- Attention to detail - there is a common phrase used in Cyber: “The attacker needs to get lucky once, the defender needs to get lucky every time”. Any missed alert or investigation could lead to a potential breach; therefore, curiosity and a natural desire to investigate even the smallest detail are essential to mitigate every threat.
What Makes a Successful SOC Team?
- Variety - a successful team will possess various skillsets and subject matter experts, not unlike a successful sports team. Although there is overlap in our tasks a lot of the time, every analyst is wired differently. Occasionally this means we go to one or two people for assistance with certain subjects depending on their expertise, and we see gaps in knowledge in specific areas as opportunities to learn.
- Solid Work Ethic - this is crucial because SOC tasks can be arduous enough without picking up the slack from team members who are lacking in this aspect.
- Positive Attitude - a positive mindset across the team combats negativity and enables conflict to be resolved amicably so that healthy compromises can be more easily reached.
What makes Claranet’s SOC different?
There is zero micro-management in the Claranet SOC. We empower our analysts and encourage them to set their own schedules and assist where needed. The team is fully aware of their core responsibilities, and those daily tasks always remain static, but having the power to set yourself additional work inspires motivation, dedication, and creativity.
The team has experience using various tooling and technology, which broadens their knowledge base, making them well-rounded Security Analysts.
The Claranet SOC has recognised the importance of implementing the ‘Hybrid Working Model’ as a long-term strategy for effective working.