10 Advanced Strategies Used by Enterprises to Reduce SOC Complexity

Even the best cybersecurity investment needs continuous optimisation to be effective. So how are the top security leaders doing it? This second article of the two-part series explores ten strategies that will help you maximise the value of your investment. Read to find out more.

Ever since the pandemic began, the amount, variety and persistence of cybersecurity threats have grown tremendously. A study by PwC revealed that “the increased complexity of some organisations’ operations due to growth, mergers and acquisitions, or the rapid adoption of new technologies has made them more difficult to properly secure.”

In the same study, 86% of UK respondents pointed specifically towards “complexity” as a major source of risk. Safely navigating the operational complexities of the post-pandemic world features high on the agenda of security leaders. This article, in response, looks at the strategies top CISOs use to address complexity where it manifests most.

1. Build a Security Roadmap to Assess Your Risk Levels
A good roadmap will account for three dimensions of security: risks, capabilities, and maturity. 

The best security leaders have a clear understanding of what their current risks are and what they would like them to be. What risks are you willing to accept for the moment, and what is impermissible? Knowing this means you have a clear goal to work toward.

Next, assess your current capabilities to understand how well your current tools and practices align with your goals. Nail down specifically what constraints stand in the way of accomplishing them.  

Finally, assess your maturity levels. You have a finite amount of time, talent, resources and budget. A clear understanding of your organisational maturity will help you uncover the areas where you specifically need to spend the precious little you have.

Bring all these three — risks, capabilities and maturity — together in a realistic and achievable plan. Accept that there is no one-size-fits-all solution, just trade-offs.  

2. Understand Your Attack Surface at the Granular Level
Outdated software, undetected malware, shadow IT, unsecured access points and misconfigured systems, among other things, dramatically increase the area of your attack surface. Continuous monitoring is just one piece of the puzzle, as the security provider BitSight notes. Without contextual data (what the asset is, who owns it, what it exposes), you cannot see the granular details of your attack surface or detect the gaps.

Security leaders are keenly aware of this. That’s why they’re investing in solutions that let their team identify work-from-home and remote-office IP addresses and continuously observe the attack surface in real time.

3. Use Security Heat Maps in Tandem with Industry Benchmarks
Industry benchmarks are great. They give you an idea of what others in your sector are doing. But they can also be misleading and get you into a “let’s do it because others are doing it” mode. Security heat maps are a great way to counteract this urge.  

Heat maps not only show the place and kind of risks you face, but also their intensities. With this, security leaders are modelling the type and grade of control they require – and not necessarily what is done by others.  

Pro Tip:
A heat map is a great visual aid in convincing the board of the need for investment, especially when an attitude of “whistling past the graveyard” prevails at the top echelon.

4. Build a Great Internal Team Culture
We briefly touched upon this theme in the first part of this series, but it is worth revisiting and expanding. Companies with great security have a great internal culture. But what does it look like? 

Simply put, a great culture complements the operations. It is one in which the greatest number of good decisions can be made with the least amount of hierarchy. We’re thinking of a fundamentally “horizontal” process-oriented (as opposed to “vertical” power-oriented) team.

CISOs in such teams have a reporting structure that is not merely an appendage of IT. Whether consciously so or not, such teams also comply with the RASCI model (Responsible, Accountable, Supporting, Consulted and Informed). Team members feel psychologically safe, that is, they’re not afraid to make mistakes and admit them to each other. 

5. Get a Real-Time View of Your Security Posture
SOC leaders are no longer satisfied with just a historic view of their security performance. They’re looking for an in-depth, real-time view. Does your solution provide real-time ratings based on data collected from the endpoints themselves? That lets analysts catch otherwise missed weaknesses such as compromised or unpatched systems, endpoints that were never enrolled into monitoring, and much more.

6. Invest in Detection Engineering
A study by CardinalOps, a security solutions provider, found an eye-popping fact: “95% of all SIEM incidents came from just 15% of the rules.”

Here is why that should concern us. An overabundance of security logs coupled with poorly structured rules is a recipe for disaster. Security teams face a volley of poor-quality alerts, almost stripped bare of context, wasting precious manpower and delaying response. It also puts your SOC in a constant fire-fighting mode, which leads to staff burnout, poor engagement, and high turnover rates.

Security leaders are investing in detection engineering to counteract this. Detection engineers ensure that the log sources with the most detection value are onboarded into the SIEM, that rules are tuned against real telemetry rather than vendor defaults, and that both the noisy rules (high volume, few true positives) and the silent ones (never fire, often because a required log source or field is missing) are measured and fixed.
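The measurement behind that sentence is straightforward to automate. The following is an added example, not code from the article or from CardinalOps: it takes a constructed alert export (the `rule_id` and `true_positive` fields are assumptions about the export format) plus a rule inventory, reproduces the “share of alerts from the top 15% of rules” concentration figure, and lists the silent and noisy rules a detection engineer would triage first.

```python
"""Measure SIEM rule effectiveness from an alert export.

Added example (not from the article or any vendor). The alert records
and the rule inventory are constructed, not real telemetry; the field
names rule_id and true_positive are assumptions about an export format.
"""
from collections import Counter
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class Alert:
    rule_id: str
    true_positive: bool  # analyst disposition after triage


# Constructed rule inventory: twenty detections deployed in the SIEM.
RULES = [f"R{n:02d}" for n in range(1, 21)]


def build_sample_alerts() -> list[Alert]:
    """Constructed alert export shaped like the CardinalOps finding:
    a handful of rules dominate the volume, several never fire."""
    plan = {  # rule_id: (alert_count, true_positive_count)
        "R01": (500, 5),    # fires constantly, almost never right
        "R02": (300, 150),  # high volume, but genuinely useful
        "R03": (150, 0),    # pure noise
    }
    for r in RULES[3:10]:
        plan[r] = (10, 5)
    for r in RULES[10:15]:
        plan[r] = (2, 2)
    # RULES[15:] never fire at all
    alerts = []
    for rule_id, (total, tps) in plan.items():
        alerts += [Alert(rule_id, True)] * tps
        alerts += [Alert(rule_id, False)] * (total - tps)
    return alerts


def alert_share_of_top_rules(alerts, rules, fraction=0.15) -> float:
    """Fraction of all alerts produced by the busiest `fraction` of rules.
    A value near 1.0 means a few rules carry (and probably drown) the SOC."""
    counts = Counter(a.rule_id for a in alerts)
    top_n = ceil(len(rules) * fraction)
    top = sum(c for _, c in counts.most_common(top_n))
    return top / len(alerts) if alerts else 0.0


def silent_rules(alerts, rules) -> list[str]:
    """Rules that produced no alerts. Either the threat did not occur, or the
    rule is broken: log source not onboarded, field renamed, parser drift."""
    fired = {a.rule_id for a in alerts}
    return sorted(r for r in rules if r not in fired)


def noisy_rules(alerts, min_alerts=50, max_tp_rate=0.05):
    """High-volume rules whose true-positive rate is at or below max_tp_rate.
    Returns (rule_id, alert_count, tp_rate) tuples, busiest first."""
    counts = Counter(a.rule_id for a in alerts)
    tps = Counter(a.rule_id for a in alerts if a.true_positive)
    out = []
    for rule_id, n in counts.items():
        rate = tps[rule_id] / n
        if n >= min_alerts and rate <= max_tp_rate:
            out.append((rule_id, n, round(rate, 3)))
    return sorted(out, key=lambda t: -t[1])


if __name__ == "__main__":
    alerts = build_sample_alerts()
    print(f"top 15% of rules -> {alert_share_of_top_rules(alerts, RULES):.1%} of alerts")
    print("silent rules:", silent_rules(alerts, RULES))
    print("noisy rules (id, alerts, tp_rate):", noisy_rules(alerts))
```

Run quarterly against the real export and track the three outputs as SOC metrics: the concentration figure should fall over time, the silent list should be explained rule by rule (threat absent, or detection broken), and every noisy rule should get a tuning ticket or a retirement decision.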

7. Think about Extended Detection and Response (XDR)
While Endpoint Detection and Response (EDR) provides protection and visibility for a particular device, security leaders want much more than that. They want a framework that takes a “panoramic” view of the entire ecosystem, bringing together the telemetry of all their solutions and protecting every endpoint wherever it sits. XDR does exactly this. It correlates additional telemetry into context-rich alerts, helping SOC teams build the full attack story. Coupled with detection engineering, XDR can take you a long way.

But it is still an emerging framework, and vendors define it differently. If your current vendor offers XDR, it might be worthwhile getting an independent assessment before committing.

8. Vet Your Third-Party Vendors and Partners for Their Cybersecurity Arrangements
Your enterprise might be an impenetrable fortress, but if your third-party vendor or partner is compromised, it is as if there is an underground tunnel from outside that comes right into your fortress.  

One of Gartner’s top eight cybersecurity predictions is that, by 2025, 60% of organisations will use cybersecurity risk as a criterion when choosing a third-party vendor or partner. Have you instituted policies and procedures to check yours? Does a partner’s jurisdiction expose you to local legislation? Consider security rating services such as UpGuard, SecurityScorecard or BlackKite, which can give you a clearer picture of a partner’s externally observable security posture. Bear in mind that such ratings are built from outside-in scanning, so they complement, rather than replace, questionnaires and contractual controls.

9. Ask the Right Questions to Your Vendors
This might seem like an obvious one. But many SOCs get locked in with a vendor because they simply failed to ask the right questions. Asking these will give you a good idea of what you’re getting in the deal.

  • Where does the application stand in the Gartner SIEM Magic Quadrant?
  • What license models does the vendor suggest and why?
  • Is SIEM the vendor’s core product/service offer?
  • Is the support team present locally or internationally, and how will it affect language and time zones?
  • What does the five-year forecast of the application look like?
  • What type of training and knowledge transfer does the vendor offer, and are they covered by the licence?

10. Don’t Invest in Tools Alone. Create the Right Mindset
The days of attackers sitting in a basement somewhere and tapping away at a keyboard are over. Today, malicious actors operate like legitimate businesses, often with paid employees. This means they think and act like businesses. This is good news for you: with the right mindset, you can turn that economic logic against them.

Attackers go after assets that are least protected, most valuable and have the longest shelf life. They want quick wins, in short. Here’s your chance to disrupt that. Raise the stakes, heighten the cost, diminish the pay-off, and reduce the longevity of the target. Most attackers return to try again because they feel there is no cost to failure. Show them that merely attacking you carries a real cost.

Closing Thoughts

With these two articles, you’re ready to hit the ground running. Simply keep in mind that when it comes to cybersecurity, there is no ultimate solution, only trade-offs. A consistent, incremental approach brings the greatest benefit from investment.

WANT TO FIND OUT MORE?

If you would like to keep track of the latest changes in cybersecurity, visit our innovator Akamai’s portal page, where you’ll find more news articles, analysis, and original content.