By Dr Nishakant Ojha

The security operations centre (SOC) is a command centre facility for a team of information technology professionals with expertise in information security (infosec) who monitor, analyze and protect an organization from cyber-attacks and vulnerabilities. Nowadays there is a lot of buzz about establishing a SOC ecosystem across critical infrastructure and the defence forces. But this SOC environment also has a lot of gaps which need to be addressed carefully while it is being deployed.

In layman's terms, the SOC is the platform from which internet traffic, networks, desktops, servers, endpoint devices, databases, applications and other systems are continuously examined for signs of a security incident.

But there are several issues which need to be flagged and which are observed in Security Operations Centre (SOC) projects; these are strongly believed to pose a national risk and to result in the wastage of taxpayers' money. It is crucial to address these issues promptly to ensure the effectiveness and efficiency of our cybersecurity infrastructure.

The concerns are set out below in a structured manner for clarity:

Complex Product Specifications: The Request for Proposals (RFPs) for SOC projects often include complex product specifications. However, post-implementation, it has been observed that many of the specified features are not effectively implemented. This leads to a significant gap between expectations and delivered capabilities.

Lack of Design Blueprint and Proof of Concept: The absence of a comprehensive SOC design blueprint and proof of concept in most RFPs hinders the ability to assess the feasibility and effectiveness of proposed solutions. This oversight can lead to suboptimal design choices and result in inadequate threat detection capabilities.

Incomplete Log Source Integration: Many crucial log sources are not adequately connected to the SOC infrastructure. This gap limits the visibility into critical systems and hampers the ability to detect and respond to potential threats effectively.

Executive Key Performance Indicators (KPIs): The planning, implementation, and delivery of executive KPIs to higher authorities are often overlooked. This lack of focus on measuring and reporting on SOC performance makes it difficult for decision-makers to gauge the effectiveness and value of cyber security investments.

Limited and Faulty Threat Detection Rules: The set of threat detection rules deployed in the SOC is often inadequate and flawed. This limitation restricts the ability to identify and respond to emerging threats promptly, potentially exposing critical systems and infrastructure to risks.

Missing Threat Hunting Function: The absence of a dedicated threat hunting function in the SOC further reduces the proactive identification of potential threats. This gap results in a reactive approach, leaving the SOC ill-prepared to address advanced and persistent threats.

Blind Trust in Unverified Threat Intelligence: The SOC often relies heavily on threat intelligence generated by public open-source sources and foreign companies without proper curation. Blindly trusting this intelligence introduces risks, as it may not be reliable or tailored to our specific national context.

Incomplete Integration Between SOC Technologies: Integration between different SOC technologies is frequently not adequately implemented, resulting in data silos and reduced operational efficiency. This hampers the ability to correlate and analyze data from various sources effectively.

Inadequate Processing of Threat Alerts: The handling of threat alerts within the SOC is often subpar, leading to delays, missed detections, and ineffective incident response. Streamlining the alert processing workflow is crucial to ensure timely and accurate threat mitigation.

Manual and Faulty Incident Response Process: The incident response process in the SOC is typically manual, lacking automation and well-defined procedures. This limitation impedes swift and effective response actions, leaving critical systems exposed for extended periods.

Limited Automation in Investigation and Response: Despite the inclusion of automation requirements in RFPs, SOC investigations and response efforts lack sufficient automation. Automation capabilities must be enhanced to improve efficiency, reduce human errors, and alleviate the workload on analysts.

Insufficiently Skilled SOC Analysts: SOC analysts often lack a sound security background and struggle to effectively analyze alerts. This deficiency can hinder the accurate identification and classification of potential incidents, impeding effective threat detection and response.

Lack of Integration between Vulnerability Management and SOAR: Failure to integrate vulnerability management with Security Orchestration, Automation, and Response (SOAR) platforms results in missed opportunities for prioritizing and automating response actions based on identified vulnerabilities.

High False Positive Alert Rates: SOC systems frequently generate a significant number of false positive alerts, overwhelming analysts and diverting their focus from genuine incidents. This excessive noise compromises the efficiency and effectiveness of threat detection efforts, leading to wasted time and resources.

Lack of Stakeholder Collaboration: Collaboration among stakeholders, such as IT teams, management, and external partners, is often lacking in SOC projects. This deficiency hampers effective communication, coordination, and knowledge sharing, limiting the ability to detect and respond to threats holistically.

Neglecting Business Requirements: Many SOC projects fail to adequately map and align with the specific business requirements of the organization. This oversight results in a disconnect between cyber-security objectives and the overall organizational strategy, potentially exposing critical assets to threats.

Ineffective Playbooks and Workbooks: The planning, integration, and functioning of playbooks and workbooks within the SOC are often overlooked or poorly executed. These resources are essential for guiding incident response actions, standardizing procedures, and ensuring consistent and effective handling of security incidents. 

Poor SOC Governance: SOC governance, including the establishment of clear roles, responsibilities, and decision-making frameworks, is frequently lacking. Inadequate governance structures can lead to mismanagement, inefficiencies, and conflicting priorities, ultimately undermining the effectiveness of the SOC.

Undefined SOC KPIs: Key Performance Indicators (KPIs) specific to the SOC’s objectives are often not properly defined or measured. This lack of measurable goals and metrics makes it challenging to assess the performance, impact, and return on investment of the SOC, hindering effective decision-making.

Absence of Root Cause Analysis: Conducting root cause analysis for security incidents is crucial to identify underlying vulnerabilities and weaknesses in the system. However, this practice is often neglected, preventing the organization from addressing systemic issues and mitigating future threats effectively.

Undefined or Undelivered Service Level Agreements (SLAs): In many cases, SLAs are either not defined or, if defined, not adequately delivered. This lack of clarity and accountability affects the quality, timeliness, and reliability of SOC services, potentially leaving critical systems exposed for extended periods.
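As an added example, not part of the article, the following Python script measures three of the gaps listed above on constructed sample data: log-source coverage against an asset inventory, the false-positive rate per detection rule, and acknowledgement-SLA breaches. All asset names, rule names, incident records and SLA thresholds are invented for illustration.

```python
from datetime import datetime, timedelta

# Constructed data: asset inventory versus hosts the SIEM actually received logs from
# (item: Incomplete Log Source Integration).
ASSETS = {"dc01", "dc02", "fw-edge", "web01", "db01", "vpn01"}
SEEN_IN_SIEM = {"dc01", "fw-edge", "web01", "legacy-printer"}

# Constructed analyst dispositions per detection rule, True = confirmed incident
# (items: Limited and Faulty Threat Detection Rules, High False Positive Alert Rates).
ALERTS = [
    ("brute_force_login", True), ("brute_force_login", False),
    ("rare_process_name", False), ("rare_process_name", False),
    ("rare_process_name", False), ("rare_process_name", False),
    ("known_malware_hash", True),
]

# Constructed incident records: (id, severity, detected_at, acknowledged_at)
# and an invented acknowledgement SLA per severity (item: Undefined or Undelivered SLAs).
INCIDENTS = [
    ("INC-1", "high", datetime(2024, 1, 5, 9, 0), datetime(2024, 1, 5, 9, 10)),
    ("INC-2", "high", datetime(2024, 1, 5, 11, 0), datetime(2024, 1, 5, 12, 30)),
    ("INC-3", "medium", datetime(2024, 1, 6, 8, 0), datetime(2024, 1, 6, 8, 45)),
]
ACK_SLA = {"high": timedelta(minutes=15), "medium": timedelta(hours=1)}


def log_source_coverage(assets, seen):
    """Fraction of inventoried assets actually sending logs, plus the silent
    ones (the SOC's blind spots) and any senders missing from the inventory."""
    covered = assets & seen
    return len(covered) / len(assets), sorted(assets - seen), sorted(seen - assets)


def false_positive_rate_by_rule(alerts):
    """Per-rule share of alerts analysts closed as false positives; a rule
    near 1.0 is pure noise and is a candidate for tuning or retirement."""
    totals, fps = {}, {}
    for rule, confirmed in alerts:
        totals[rule] = totals.get(rule, 0) + 1
        if not confirmed:
            fps[rule] = fps.get(rule, 0) + 1
    return {rule: fps.get(rule, 0) / n for rule, n in totals.items()}


def sla_breaches(incidents, sla):
    """IDs of incidents acknowledged later than the SLA allows for their severity."""
    return [iid for iid, sev, detected, acked in incidents if acked - detected > sla[sev]]


if __name__ == "__main__":
    print(log_source_coverage(ASSETS, SEEN_IN_SIEM))
    print(false_positive_rate_by_rule(ALERTS))
    print(sla_breaches(INCIDENTS, ACK_SLA))
```

The three return values are the kind of measurable SOC KPIs the article says are usually undefined; run against a real asset inventory, SIEM source list and ticketing export they turn the listed gaps into numbers that can be reported upward and tracked.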

In view of the above, government authorities should take these points into consideration while deploying SOCs to establishments of both strategic and non-strategic nature, and in parallel should design a roadmap to mitigate the emerging national risks and ensure optimal utilization of taxpayers' money. By focusing on these areas, the effectiveness, efficiency, and value of SOC projects can be significantly enhanced, bolstering our national cyber security posture.

The author is Advisor, Cyber & Aerospace Security, and Eminent Expert, Counter Terrorism (West Asia & Middle East).

Disclaimer: Views expressed are personal and do not reflect the official position or policy of Financial Express Online. Reproducing this content without permission is prohibited.