What makes a modern SOC modern? Updated tools seem like the most obvious step, but point solutions and software capabilities only hide the broader problem: clunky security operations. To maximize tool investment, a security operations center (SOC) team’s people and process should work in tandem.
Modern SOC model
Ascent’s modern SOC is divided into four cells or teams: Threat, Operations, Intelligence, and Enablement (also called Adversary, Current Ops, Intel, and Future Ops). The Threat team covers adversary emulation, the Ops team defends, the Intel team provides threat intelligence, and the Enablement team researches and develops new threat detections and automation.
Enablement team detection engineering calibrates security controls (technology and process) so the whole SOC team (people) can tackle the right threats the right way. If a SOC catches the right threats, a business spends its money on the right things and reduces overall cyber risk. In a modern SOC, process validation can impact the business’ bottom line.
So how should an enablement team (or the R&D software engineers) in a modern SOC create and test new security controls?
Detection engineering process
Research: Cyber threat intelligence
Do you know what you’re protecting against and why? Cyber threat intelligence should inform an organization’s threat profile, the evolving set of threats of direct relevance to it as defined by the infrastructure, processes, and policies required to accomplish its mission. Threat intelligence priorities are thereby determined by organizational risk appetite.
Understanding progress toward any related goal requires knowing the percentage of security controls that aren’t in place or are in place but can’t protect against 100% of potential threats. Risk frameworks like MITRE ATT&CK or MITRE ATLAS are the backbone of control rationale. ATT&CK maps threat actor TTPs, or techniques, tactics, and procedures, by industry, location, and firmographic data points. MITRE ATT&CK heatmaps allow security teams to narrow the scope of any potential threat to the threats most relevant to their business.
Development: Design and coding
After research and control scoping, Enablement asks What do I need to fill the control gaps I identified? Within a modern SOC, an R&D team often designs queries or automated shortcuts to make the blue and red teams’ jobs easier and more secure. Microsoft Sentinel, Ascent’s SIEM (security incident and event management) tool of choice, requires continuous fine-tuning to match threat detections with an ever-evolving threat landscape.
Validation: Accuracy and precision testing
Post-alert or detection design, the R&D team should test for two things: accuracy and precision. Alert accuracy answers the questions, Does my code do what it’s supposed to do? Does it flag the activity I intended it to? Alert precision answers the question How often does my code generate false positives or false negatives? If the detection fails either of those two tests, the R&D team should return to development for further testing.
Deployment: Targeting and tuning
Once a detection does respond to an event with an alert each time its triggered, the R&D team should deploy. Targeting and tuning a deployed alert asks two more questions: Does my query or detection logic stop the kill chain mid-incident? and Can I identify the incident sooner?
The goal of good detection engineering is to identify potentially malicious actions sooner. SOC teams shouldn’t be content with alerts signifying a brute force attempt to log in with an employee’s credentials. The alert is important, but part of threat prevention is tracing the brute force attempt back to the igniting event (perhaps credential theft or social engineering).
Optimization: Back to development
After deployment, SOC teams should test the alert, query, or detection logic rule with red team activities. Some automated attack simulations are valuable, but detection engineering often calls for targeted pen testing, adversary emulation, or scoped tabletop exercises. Note and test the entire process required to trigger the new detection: does each step hold against a red team? If not, what design elements should be improved?
Comprehensive threat protection
Continuous improvement isn’t just an operational goal for business. It’s a security imperative. Ascent’s modern SOC monitors and alerts against threats most relevant to your business. Our managed SOC scales to customer need, whether your business requires holistic support or just the services one cell provides. Reach out to email@example.com for more information.