Last week, I went to KraftCERT Norway, held at the Norwegian Museum of Science and Technology, to talk about the processes of our agile Security Operational Centre (SOC). It was the perfect setting for a bunch of tech workers who want to get together and discuss our challenges.
The presentation I delivered at KraftCERT, without delving too much into specifics, was about the People, Processes, and Technology principle. Not only from an SOC perspective, but also from cybercriminals’ perspective.
Empowering SOC responders and analysts
I strongly believe that everything related to SOC is connected to people, processes, and technology. Together, these three things make the core principle of Visma’s SOC – with the people component being the most impactful. You can have the best technology and perfect processes, but without the right people you won’t succeed. This is something I’ve had to learn during my years working as a System Administrator, Developer, Pentester, Information Security Officer, Security Researcher, and now, an SOC Manager.
Incident Responders and Security Analysts play some of the most crucial roles when it comes to fighting cybercrime. They are the guardians of your company, and should therefore be involved in all processes, at all times. So, how do you keep them involved? As a colleague, I recognise the importance of nurturing their growth, actively listening to their perspectives, and collaborating closely with them.
I understand that we need to break the silos between teams and work side by side to develop and improve our SOC. That means that everyone can contribute in different activities and initiatives that fulfil the cybersecurity experience. Today you can be a Threat hunter, tomorrow you can be part of the Security Research team, and the next day you can be part of the Purple Team. Having a diversified process inside the SOC helps your colleagues to improve themselves and never get bored.
Fostering a culture of support and care
To be able to respond to security incidents properly, the main requirements are creative thinking, problem solving, and analysing and responding to complex and dynamic situations. All of these requirements can make the job of an Incident Responder and Cyber Security Analyst both challenging and fulfilling. Therefore, they need to stay up-to-date on the latest security threats and technologies, adapt to new risks and attack vectors, and continuously improve their skills and knowledge. How can they achieve all of this if they’re buried under tedious and repetitive tasks?
Looking at it from another perspective, a substantial part of the cybersecurity community sees humans as the weakest link in the chain. What we have discovered over time is the fact that people are the main target for cybercriminals. Dealing with people is not always easy, and dealing with stressed people is even harder. Taking care of your colleagues will translate into more accurate responses in the case of an incident. People need to know that you’re there to help them rather than pointing fingers when they fall victim to cyber attacks.
Agility in an SOC is achieved through continuous processes. Those processes need to improve three things: prevention, detection, and response. These three improvements require structured learning from the incidents we experience – especially attacker tactics, techniques, and procedures. But also future technologies like artificial intelligence and machine learning, and their potential impact – whether it’s positive or negative.
What’s the best way to do that? I don’t have the answer. But, I firmly believe that the involvement and caretaking of people is a key aspect of generating the best incident responses.