Be aware of the SOC-trap
Medium – Richard De Vries
TRAP 1 – The tool trap
Every Security Operation Center will periodically call out that it needs the latest and most fantastic tool to catch the adversary. Most of the time, it also requests the most expensive tool. But does it absolutely require that tool?
Let's examine this scenario. The core element of this scenario pivots around three questions: "Which security threat does the adversary pose?", "How likely is it that the security threat materializes?" and "What is the impact when the security threat materializes?". In other words, the basic risk questions.
The next set of questions is a bit more technical. They pivot around the question "Which data do you need to prove this security threat?".

TRAP 2 – The workload trap
SOC analyst work is repetitive. It doesn't matter which level, although level 1 is worse than level 3. I am not denying that, but it doesn't have to be that way.
But the underlying issue is that the entire approach is flawed. This causes a disconnect between incident response and the security threat, which results, among other things, in analyst fatigue.

TRAP 3 – The HR trap
Most security firms advertise the SOC as a great place to start your cybersecurity career. Well, it is not.

TRAP 4 – The KPI trap
Every manager learns at business school that you need KPIs to run and optimize a department. No exception.
But security is too complex for the KPI model. And no, I don't have an alternative. Most of the time, KPIs are based on time. For example, you need to complete the first analysis 15 minutes after the alarm is raised. Talk about a stress factor.
Hmm, rush work vs quality. And the balance is often not in favor of security.

TRAP 5 – The machine learning trap
The magic bullet. I simply call it commercial nonsense. Machine learning / data science takes years to learn, but implementing user behavior analytics can be done in a few weeks.

TRAP 6 – The maturity trap
When you have just started a Security Operation Center, it is okay to miss a few security incidents because you have only just started. Wrong. On day one the Security Operation Center should already be on its A-game.
Link: https://tales-from-a-security-professional.com/be-aware-of-the-soc-trap-6cdd8dd6f9ac