The many types of cyber threats and the weight of regulations constantly remind us that the time has come for cyber surveillance. The cyber surveillance tool at the heart of the debate is the SOC (Security Operation Centre).
The point at issue: we regularly hear that SOCs are ineffective.
State of Security Operation 2015 report tells us this through measurements of the maturity of 87 SOCs. It briefly mentions their effectiveness, and the ultimate indicator is given in the report's conclusions: "capability to effectively and diligently reduce risk in your organization over time".
We all agree that concluding that an effective SOC is one that detects attacks doesn't really move the debate forward.
- How do we ensure that detection is reliable and exhaustive?
- How do we detect attacks we're not familiar with?
Food for thought: since we cannot measure things we can't detect, effectiveness can only be measured indirectly.
Initiatives in the right direction
A number of initiatives in France are placing the debate on another level.
- Through an ad hoc working group focussing on "How to successfully deploy a SOC", CLUSIF aims to put SOCs in optimal conditions right from the start of the project.
- ANSSI's work on qualifying SOC service provider qualification (PDIS reference, currently in version 0.9) aims to identify trustworthy service providers who specialise in the field, with guarantees on their skills and the quality of work they provide.
These initiatives are contributing to a virtuous approach to cyber surveillance, and should assist in improving the maturity of SOCS.
However, the question remains: is my cyber surveillance department effective?
The SOC client, stakeholder in its effectiveness
A revolution is underway in the field: what if SOCs can be effective only if their clients are? SOCs are too often considered a support function of the IS (which is itself a support function!), whereas the SOC is sometimes an influencer for the IS!
The SOC does not bear sole responsibility for that which it does not detect. There are two areas for consideration on the client side:
- Drafting specifications that make it possible to create detection scenarios with and for the BU: you don't "buy" an effective SOC, you build it
- Integrating the SOC in mature IT processes (e.g.: change management): it's important to remember that changes to the IS mean changes to the SOC
Obviously, we cannot ignore the SOC's own responsibility for its effectiveness.
Beyond the usual considerations (skills, quality processes, etc.), there are a few strategic aspects that contribute to continuous improvement:
- The vitality and relevance of R&D for detection (new tools, new patterns)
- The ability to open the SOC to prevention (business intelligence) and response (eliminating doubts)
The question remains: what if an SOC's effectiveness depended on its ability to improve continuously and tangibly? In any case, it can become more effective only by stepping outside of its comfort zone: reporting existing information and putting it into context. The discussion is open for the SOCs of the future.