If you're a SOC manager, life can be gruelling. You're responsible for the security posture of an entire organization. In centuries past, army generals defended against invaders and hunted for potentially exploitable weaknesses within the barriers of the citadel. In our digital landscape, SOC managers are the army generals. They anticipate threats, defend against them, and also hunt for the enemy who may already be lurking within.

A SOC team consists of multiple roles, such as analysts (different tiers), detection engineers, and red teamers, and they report to the SOC manager. The SOC manager in turn reports to the CISO. Tier 1 analysts are people at the front line who deal with real-time alerts and weed out false positives. Tier 2 analysts investigate each legitimate alert and perform a root cause analysis. They also assess the scope of a potential threat. Tier 3 analysts, or threat hunters, proactively hunt for threats and conduct advanced forensic analysis. They also strategize on how to improve the organization's monitoring capabilities. In many companies, you will also find detection engineers who work on perfecting detection rules. They keep an eye on the latest threats the organization could fall victim to, and program their SIEM solution accordingly. A red team is tasked with mimicking an attack and finding weak points within a network. A SOC manager is responsible for managing all these individuals and attaining the goal of impeccable security.

This article will encapsulate three main areas that SOC managers should focus on to improve the efficiency and effectiveness of their team.

You'll also find a SOC readiness quiz toward the end of this blog that will help you measure your team's readiness in the above-mentioned areas.

Cyber awareness

As a SOC manager, you must ensure your team is aware of all the major cyberattacks across the world. This awareness can help identify recently publicized vulnerabilities. Furthermore, it will also enable analysts to gain knowledge about general adversarial behavior. The following two processes can help your team become more prepared for upcoming threats.

  • Table-top exercises, where the team gathers information, brainstorms about relevant attacks, and exchanges views on incident response, are a crucial part of the functioning of any SOC team. This practice can surface new perspectives and challenge the assumptions of your team members.
  • Documenting experiences, strategies, and thoughts about previously handled attacks, so that analysts can refer back to them and continuously add new inputs, is a key component in shortening their learning curve. Documentation reduces both the team's mean time to detect (MTTD) and mean time to respond (MTTR), because it removes redundant effort.

Network hygiene

Personal hygiene is a clear indicator of an individual's proficiency, upkeep, and awareness, and network hygiene reflects the same characteristics in a SOC team. The following are a few ways you can achieve good network hygiene:

  • Correcting duplex mismatches, disabling unused ports, placing the spanning-tree root bridge deliberately, enforcing password policy, and many more activities fall within the scope of network hygiene. Make sure your analysts don't wait for a network outage before acting. Having a clean network helps you avoid dealing with multiple problems at once during a crisis.
  • Every enterprise has critical assets which, if compromised, can have detrimental effects. Data centers with employee and client PII, intellectual property, web servers, and industrial control systems all fall under this classification for an organization. Be certain that your analysts have identified, segregated, and labeled these assets as critical, and have put additional monitoring on them. Attackers know that direct access to critical infrastructure is rarely possible. They normally target employee workstations or weakly secured servers, then move laterally, escalate privileges, and take other steps to reach their destination and execute attacks or exfiltrate data. This highlights the importance of constant network hygiene checkups.
  • Pen testing and vulnerability scanning are methods by which you can assess the vulnerability level of the network and discover new entry points. It is recommended that pen testing be done at least once a year, and that external-facing infrastructure be vulnerability scanned on a monthly basis. The time between discovery and patching should also be minimal.

SIEM maturity

Most organizations with a SIEM solution fail to use it to its full potential. As a SOC manager, you need to measure the effectiveness of your SIEM solution and how efficiently it is being used. The steps below are a few ways to improve the maturity level of the SIEM solution, in terms of both capabilities and implementation.

  • Check whether your SIEM solution has been integrated to collect logs from other security tools like intrusion detection systems and endpoint security systems so that it is an active part of your cybersecurity strategy.
  • Utilize your SIEM solution's SOAR capabilities so that your analysts can prioritize incidents and leave the routine response steps to orchestration.
  • Make sure your team has created effective alert profiles and correlation rules to unlock the full potential of your SIEM solution.
  • Leverage UEBA capabilities to seamlessly detect and mitigate insider sabotage attempts.

Although the above list is not exhaustive, it will help you gain useful insights about both your SIEM solution's and team's maturity levels.
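To make the "correlation rules" and "lateral movement" points above concrete, here is an added example that is not from the original post and not code from ManageEngine or Log360. It implements one small, SIEM-agnostic correlation rule in Python: raise an alert when a single account, from a single source host, logs on successfully to several distinct destination hosts within a short window, which is a common lateral-movement signal. The log format (`<ISO timestamp> <event> user=... src=... dst=...`), the sample lines, the host names and the thresholds are all constructed for the example; the rule deduplicates alerts per (account, source) for one window after firing, so a continuing burst produces one alert rather than one per logon.

```python
"""Toy SIEM-style correlation rule (added example, constructed data).

Rule: alert when one (user, src) pair reaches `threshold` distinct
destination hosts with successful logons inside a sliding window.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
# "<ISO timestamp> <event> user=<account> src=<host> dst=<host>"
SAMPLE_LOGS = """\
2022-05-10T09:00:01 LOGON_OK user=alice src=ws-alice dst=ws-alice
2022-05-10T09:05:10 LOGON_OK user=bob src=ws-bob dst=fileserver01
2022-05-10T09:10:00 LOGON_OK user=svc_backup src=ws-17 dst=fileserver01
2022-05-10T09:11:30 LOGON_OK user=svc_backup src=ws-17 dst=ws-22
2022-05-10T09:12:05 LOGON_FAIL user=svc_backup src=ws-17 dst=dc01
2022-05-10T09:13:40 LOGON_OK user=svc_backup src=ws-17 dst=ws-23
2022-05-10T09:14:15 LOGON_OK user=svc_backup src=ws-17 dst=hr-db01
2022-05-10T10:30:00 LOGON_OK user=bob src=ws-bob dst=printserver
2022-05-10T11:00:00 LOGON_OK user=bob src=ws-bob dst=ws-bob
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict; the timestamp becomes a datetime."""
    ts, event, *pairs = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    rec.update(p.split("=", 1) for p in pairs)
    return rec


def correlate(lines, window_minutes=10, threshold=3):
    """Run the fan-out rule over time-ordered log lines and return alerts.

    Each alert is a dict with the account, source host, the timestamp at
    which the rule fired, and the sorted distinct destination hosts seen
    in the window. Failed logons are ignored by this particular rule.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # (user, src) -> deque of (ts, dst)
    muted_until = {}              # (user, src) -> suppress repeats until ts
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec["event"] != "LOGON_OK":
            continue
        key = (rec["user"], rec["src"])
        q = recent[key]
        q.append((rec["ts"], rec["dst"]))
        # Evict events that have fallen out of the sliding window.
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        hosts = sorted({dst for _, dst in q})
        muted = key in muted_until and rec["ts"] < muted_until[key]
        if len(hosts) >= threshold and not muted:
            alerts.append({
                "rule": "lateral-movement-fanout",
                "user": rec["user"],
                "src": rec["src"],
                "ts": rec["ts"],
                "hosts": hosts,
            })
            # One alert per burst: mute this key for one window length.
            muted_until[key] = rec["ts"] + window
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(f"{alert['ts'].isoformat()} {alert['rule']}: "
              f"{alert['user']}@{alert['src']} -> {', '.join(alert['hosts'])}")
```

On the constructed data the rule fires once, for `svc_backup` from `ws-17`, at the third distinct host; `bob`'s three logons are spread over two hours and stay under the 10-minute window. Widening the window to three hours makes `bob` fire as well, which illustrates the tuning trade-off the SIEM-maturity bullets refer to: the window and threshold decide whether a service account's normal fan-out is noise or an alert, and they should be set from observed baselines rather than guessed.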

Quiz time!

SOC readiness quiz

  • Now let's measure how your team scores for the above-mentioned areas.
  • Please choose the options wisely, as you cannot alter your answers.
  • The answer will be shown after selection, and you'll receive a percentage score at the end with your readiness level.

  • 1. Are your analysts up to date on the latest cyber trends across the world?

    1. Yes, they're always on top of things
    2. No, why's that important?
  • 2. Do you train junior analysts for effective incident response and detection of false positives?

    1. Definitely.
    2. They'll learn it on the job.
  • 3. Do you conduct table-top exercises to increase the perspective bandwidth and plan validation level of your team?

    1. It's a core part of our agenda.
    2. It's a waste of time.
  • 4. Do you have documentation to account for various incidents and response measures which your analysts can both input into and refer to?

    1. Yes, it's essential to reduce detection and response times
    2. No, we don't have time for that.
  • 5. Have you identified the organization's critical business assets?

    1. Yes, that's the first priority!
    2. No; define critical...
  • 6. How often does your team conduct pen testing on the organization network?

    1. At least once a year
    2. Every 1-3 years
    3. Greater than every 3 years
    4. Never
  • 7. Do you collect the latest attack information and simulate it in your network to identify vulnerabilities?

    1. Yes, it's a critical practice.
    2. We weren't targeted yet, so it's fine.
  • 8. How long do you take to patch zero-day vulnerabilities once discovered?

    1. 10-30 days
    2. Less than two months
    3. Less than three months
    4. Less than one year
    5. More than one year
  • 9. Do you have a SIEM solution?

    1. Yes, it's a lifesaver.
    2. Don't need one...
  • 10. How many log sources can your SIEM solution collect and process logs from?

    1. More than 700
    2. 501-699
    3. 300-500
    4. Less than 300
  • 11. Does your SIEM solution collect and analyze logs from IoT devices and third-party applications that generate unique log formats?

    1. Yes, it saves so much time.
    2. Nah, we don't need it.
  • 12. Does your SIEM solution have SOAR capabilities?

    1. Yes, we can automate and orchestrate!
    2. We do everything manually.
  • 13. Can your SIEM solution detect insider threats?

    1. Yes, UEBA is unavoidable.
    2. No, that's useless.


Conclusion

Now that you've completed the quiz, we hope you've gained valuable feedback and identified areas for improvement. Please note that this isn't an exhaustive list; there are many more areas where you can conduct such assessments. There's always room for improvement for both you and your team.

Your life as a SOC manager will be a continuous uphill battle against threat actors who exist both within and outside your organization. As the leader of such a vital team, you have to conduct regular maturity assessments to track progress. A SIEM solution is indispensable to the healthy functioning of a SOC team. Features such as SOAR, UEBA, and threat detection can relieve your overwhelmed analysts, not to mention drastically reduce your MTTD and MTTR. What are you waiting for? Sign up for a free demo of ManageEngine's SIEM solution, Log360!


© 2022 Zoho Corporation Pvt. Ltd. All rights reserved.