Tamer Odeh, Regional Director, SentinelOne Middle East, on why the security operations centre (SOC) should optimise the incident response (IR) process.
How do you shoot down a missile before it hits its target? That’s the problem facing today’s incident response teams. As cyberattacks increase in volume and velocity, the security operations centre (SOC) handling incident response is the nexus for this challenge.
SOC teams are at the forefront of enterprise security as they unify people, processes and technology to protect organisations’ cyberhealth.
Recently, cyberattacks and cybersecurity have become important areas of concern for organisations, with about 74% of surveyed Middle East CEOs citing cyberthreats as obstacles to their growth in 2021, according to research by PwC.
The SOC must find new efficiencies in its bid to hold back the rising tide of cybersecurity threats. It can begin by rethinking its cultural makeup and its technical approach.
This is where optimising the incident response (IR) process becomes even more important. Businesses increasingly realise the benefits of IR as a key part of their cybersecurity toolkit. The 2020 Ponemon Cost of a Data Breach report reveals that data breaches cost US$3.29 million for companies with an IR team that regularly tests its IR plan. That’s US$2 million less than companies without an IR team, demonstrating the value of IR.
Challenges facing SOC teams
When facing shifting threats from different threat actors using a wide variety of techniques, many SOCs look for technologies to help them cope. A common response is to install a panoply of tools. However, SOCs don’t always do so strategically: teams tend to over-prepare with tools rather than ensuring that they can adapt when dealing with unknowns. Additionally, when teams install security tools on a piecemeal basis they can end up with a disjointed ‘frankenstack’ of security tools that don’t interoperate well. This can leave the SOC without a unified workflow. Such stacks lack automated remediation capabilities, which leaves SOCs relying too heavily on human interaction. People must fill in the technology gaps, but they cannot do so at speed. These weaknesses leave SOCs with a disjointed incident response process that is difficult to control and understand.
No wonder, then, that a Ponemon report found security system complexity to be the single most expensive factor when assessing the cost of a data breach. It increased the cost of a data breach by US$292,000 on average.
Optimising the IR process
Your SOC has the power to overcome these challenges. At the top of your list should be an assessment of your current incident response process. Begin that assessment with a focus on outcomes. Everything should be geared to achieving preset goals.
Those goals should be measurable by tying them to specific metrics and firms must evaluate the metrics they’re using to measure success.
At early stages in the incident response chain, those metrics should be geared toward prevention. How are you assessing the level of risk to each asset and the potential effect of that risk on the organisation? Are you taking a mathematical approach to triaging risk based on the resources available?
With appropriate measurement techniques at your disposal, you can work on building a seamless end-to-end incident response process with clear procedures and roles, so that no threat falls through the cracks.
Integrate your tool set to support this process. An ideal toolchain will support harmonised data flows that reduce or eliminate hand-offs and tool or platform changes. An integrated toolchain will provide a solid platform for automation.