With more and more organizations establishing internal Security Operations Centres (SOCs) it’s time we started discussing how best to measure not just their success but their capability. More specifically, how their capability decays over time.
Enhancing our understanding of this facet can assist with determining good maintenance practices for the SOC, as well as uncover wider aspects of organizational culture that can potentially lead to poor security decisions.
In this post, I will outline four prevalent decay modes that are worth measuring.
I loosely define capability decay as things that happen when security teams go backwards, and the specific ways — the decay modes — in which this may happen (this is my inner physicist speaking).
The main reason why these decay modes are important, I believe, is that many of them may feel like progress to the people implementing them. A strong focus on audits, for example, may feel like the team is increasing accountability and visibility, up to the point where passing the audit is all that matters. At that point, what had started as a strong capability may have dissolved into a monitor eyeballing exercise with some standard regular reporting — hardly the activities that reduce the dwell time or impact of breaches.
The following decay modes are, I think, the most prevalent among today’s SOCs.
Making enemies decay
A SOC team that makes enemies anywhere in the business is a SOC team without a support base and, therefore, one that will not succeed in the long term. Enemies are easily made by a SOC team that is weak in diplomatic and leadership skills.
Making enemies may feel like progress: surfacing vulnerabilities and missing patches on servers, endpoints and network equipment; relentlessly reporting them and raising the profile of the issues; knocking back requests for administrative access and certificates; and insisting on encryption everywhere.
What is wrong here is the lack of strategic vision about which battles are worth fighting. Many of the ‘victories’ above inflict a devastating toll internally and lose sight of the larger picture, namely reducing the dwell time and the impact of an attacker. Clearly, the capability to develop further here is strategy and diplomacy.
Three monkeys decay
In a previous post, I referred to the ‘operations dilemma’ in cybersecurity: doing cybersecurity operations right is hard (and somewhat expensive), and doing them wrong leads to risk.
The ‘three monkeys decay’ relates to the risks that operations teams take when it comes to basic cybersecurity hygiene, including a combination of not looking, not listening, and not saying anything (at least until it is too late) about risks they are well aware of. Often this is accompanied by the deployment of some shiny-light tool that, in the case of a real incident, is ineffective.
This may look like progress because, measured by expended effort, laziness is effective. A SOC displaying three monkeys decay may over time have high employee satisfaction, flexible working hours, lower staffing costs and excellent reporting, until, that is, an incident happens.
Trust decay
SOC teams do not function without trust. Teams built on internal competition, or in which rules are regularly broken, will lose trust over time and will not be effective in combating intruders. Internal competition may, again, feel like progress.
A SOC team cannot shy away from meaningful (and impactful) discussions about performance, attitude, and preferred tasks and areas of work. A team that avoids them and papers over the cracks in internal trust will shatter when an incident occurs.
Leadership decay
Security leadership is a fraught topic. Like many questions of this type, the dimension of security leadership is best explored on a scale with two extremes.
At one extreme you have security leaders whose sole focus is to pass audits, cover their backsides, and be safely somewhere else when disaster strikes. These leaders fail on three of the five dimensions of trust: competence, reliability and identification (this type of leader tends to work for their own ends). They are not worth working for, and they will not be able to build and sustain a successful SOC.
At the other extreme, you have security leaders who continually strive to make their organizations better, more innovative and more effective; constantly keep on top of threats; have skin in the game; take responsibility; and put in a strong presence during incidents / times of crisis.
As is usual, most of us fall somewhere in between these two extremes.
Leadership decay means that over time, organizations may gravitate towards the first type of security leader: they meet the audit requirements, bring in ‘greater accountability’ and perhaps become more ‘business savvy’. Again, at the time, this will feel like progress. Ultimately, however, the trend is to go backwards in the things that really matter: attacker dwell time, visibility of breaches, the impact of breaches, and the consequences of breaches.
Even worse, this situation may engender a position where it is better not to know about breaches, which is the point at which a SOC would be better off not existing at all.
SOCs are hard work
If, having read this, you think that maintaining and operating a SOC is hard work, you are right.
The key to success lies in a clear definition of mission and purpose for the SOC, continuous maintenance of a strong security posture (that is, knowing and prioritizing what is important), and constant drive to improve practices and make a difference to the business.
Adapted from the original post, which appeared on LinkedIn.
Hinne Hettema is the Tactical Cybersecurity Operations Leader at Ports of Auckland.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.