{"id":14133,"date":"2020-09-01T13:00:08","date_gmt":"2020-09-01T12:00:08","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=14133"},"modified":"2020-08-28T20:21:18","modified_gmt":"2020-08-28T19:21:18","slug":"the-soc-died-of-boredom-fatigue-and-poor-positioning-find-out-how-to-resuscitate-it","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2020\/09\/the-soc-died-of-boredom-fatigue-and-poor-positioning-find-out-how-to-resuscitate-it\/","title":{"rendered":"The SOC died of boredom, fatigue and poor positioning? Find out how to resuscitate it!"},"content":{"rendered":"

At a time when the internalized IS is no more than a distant memory giving way to a multiplication of external services hosting data, the SOC’s mission remains the same: to detect cybersecurity incidents in order to react as quickly as possible. But how do you detect in an information system where boundaries are no longer defined? Mission Impossible? Maybe not.<\/p>\n

 <\/p>\n

\"\"<\/figure>\n

 <\/p>\n

Fifteen years ago, when we first started working on SOC implementations for our clients, defining a roadmap was simple: set up a tool, then collect and analyze the logs of security equipment and critical\/exposed assets.<\/p>\n

However, new challenges linked to the IS decentralization, the evolution of an ever-evolving threat and the crisis we are going through (teleworking, reduction in cybersecurity budgets…) must make us realize that the SOC must reinvent itself.<\/p>\n

 <\/p>\n

Involve (really) everyone!<\/h2>\n

By rewriting the story from the beginning, the SOC is managed by the cybersecurity population, which has therefore set up monitoring mechanisms on cybersecurity equipment with cybersecurity use-cases. The result is mixed, it works quite well, and the figures from our CERT benchmark<\/a> are there to prove it: 167 days on average to detect an incident!<\/p>\n

The first detection strategies were obviously defined, challenged and validated by the cybersecurity industry. Their objective was to increasingly extend the surveillance perimeter by collecting more and more logs (firewalls, WAF, \u2026) and setting up new surveillance equipment (SIEM, probes, \u2026).<\/p>\n

This first observation was inevitably found in the majority of our SOC audit conclusions: objectives are poorly defined and not aligned with the expectations of SOC clients (CISOs, CIOs, business functions), leading to a loss of trust and credibility.<\/strong><\/p>\n

Striking examples can explain this feeling: lack of SLAs, poorly defined perimeter, too raw reporting that is too raw, non-contextualized and containing erroneous information.<\/p>\n

If you do not want to redefine your SOC strategy once again in a one-sided way, organizing a seminar is the right exercise to establish a new starting point. All the stakeholders must be present (cybersecurity teams, CIOs, SOC clients, …) and the goal is to address the main issues:<\/p>\n