Not All SOCs Are Created Equal


As the command center for IT and cybersecurity teams, an organization’s security operations center (SOC) plays a linchpin role in minimizing enterprise risk and maintaining strong cyber-protections. Yet many companies don’t fully understand how much variation there can be in a SOC’s structure and effectiveness – variations that can make or break the integrity of the entire cybersecurity operation.

Let’s take a closer look at how not all SOCs are created equal, and how the right strategy and partnerships for maintaining a proactive and effective SOC operation can protect against unnecessary risks and ensure stronger security across the enterprise.

A Poorly Functioning SOC Creates Enterprise Risk
A previous post highlighted the mounting cyber threats against the financial services sector, and that’s placing more pressure than ever on companies operating in the industry to have proactive and comprehensive cybersecurity in place. Much of the strategy and alignment required for this happens at the level of the SOC. Whether maintained in house or (more realistically) with the help of the right MSP, the SOC must coordinate a variety of mission-critical monitoring, detection, investigation and response functions to secure systems and assets across the IT estate.

That’s easier said than done when you consider the round-the-clock mandate to monitor and protect everything from business servers and third-party integrations to intellectual property, personnel data, financial systems and more. While most businesses understand the importance of having the SOC as a central collaboration hub to achieve these objectives, selecting the right approach can be a challenge in a crowded marketplace for SOC tools and services that’s filled with no small amount of hype.

For instance, some SIEM platforms deluge clients with alerts as a way of making the solution appear busy and valuable in uncovering threats. But in reality, inundating clients with alerts that aren’t aggregated or contextualized simply creates noise – resulting in alert fatigue that can lead teams to overlook truly important threats as they sift through a mountain of piecemeal and often redundant notifications. Other red flags include SOC solutions that don’t have clear response procedures or escalation paths, and partners with insufficient industry credentials or who don’t specialize in the most advanced Security Information and Event Management (SIEM) tools and systems.

Building a Better SOC
As financial sector companies better educate themselves on SOC priorities and options, they can build more effective SOC strategies and partnerships. Here are a few priorities for each:

  • Strategic Priorities – Your SOC should be founded on a proactive set of core cybersecurity principles and objectives. These include:

      • Avoiding alert fatigue – For instance, instead of sending the SOC team an alert each time a user account is locked out, send an alert when it’s happened 10 times to weed out routine lockouts and highlight the more troubling repeat patterns.

      • Choosing your battles – Maintain broad coverage, but refer to models like the MITRE ATT&CK framework and the latest threat intelligence feeds to prioritize the detection of tactics, techniques, and procedures (TTPs) primarily used by the advanced persistent threats targeting your industry sector, country, etc.

  • Partnership Priorities – The most effective SOC operations involve partnering with the right MSP. Here are some key attributes to look for in choosing such a partner:

      • Look for an MSP that has cross-disciplinary expertise beyond just cybersecurity to also include network architects, systems engineers and other specialists with deep knowledge of cloud, internet and managed services.

      • Partner with an MSP that understands cybersecurity within the unique business context of the financial sector – including domain-specific regulatory factors, criticality of assets and risk mapping.

      • Look for Agile methods. For instance, the MSP should go beyond just periodic red and blue team exercises to also conduct “purple team” exercises – where senior blue and red team officials meet in a frequent cycle to continually test and refine the security toolset through performing adversary emulation exercises.
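The lockout-threshold idea under “Avoiding alert fatigue” above, written out as a small correlation rule over log lines. This is an added example, not code from the original post or from any SIEM product; the log format, the field names and the one-hour sliding window are assumptions, and the sample events are constructed.

```python
# Added example: alert on an account only once it reaches N lockouts inside a
# sliding window, instead of alerting on every lockout event (assumed format).
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse_lockout(line):
    """Parse one constructed log line: '<ISO timestamp>Z LOCKOUT user=<name>'."""
    parts = line.split()
    if len(parts) != 3 or parts[1] != "LOCKOUT" or not parts[2].startswith("user="):
        return None
    return datetime.fromisoformat(parts[0].replace("Z", "+00:00")), parts[2][5:]

def lockout_alerts(lines, threshold=10, window=timedelta(hours=1)):
    """Return one alert per account each time it reaches `threshold` lockouts
    inside a sliding `window`. Isolated lockouts never alert; the account's
    history is cleared after an alert so a long run of lockouts yields one
    alert per `threshold` events rather than one alert per event."""
    history = defaultdict(deque)
    alerts = []
    for line in lines:
        parsed = parse_lockout(line)
        if parsed is None:
            continue
        ts, user = parsed
        q = history[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"user": user, "count": len(q), "first": q[0], "last": ts})
            q.clear()
    return alerts

def sample_lines():
    """Constructed events: alice has 10 lockouts in 30 minutes (alerts), bob has 3
    (no alert), carol has 10 spread over 5 hours (never 10 in one hour, no alert)."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    spec = [("alice", 10, 3), ("bob", 3, 10), ("carol", 10, 30)]  # user, events, minutes apart
    lines = [f"{(base + timedelta(minutes=gap * i)).isoformat()}Z LOCKOUT user={user}"
             for user, n, gap in spec for i in range(n)]
    return sorted(lines)  # ISO timestamps sort chronologically as strings

if __name__ == "__main__":
    for a in lockout_alerts(sample_lines()):
        print(f"ALERT {a['user']}: {a['count']} lockouts between {a['first']} and {a['last']}")
```

Running it produces a single alert for alice; lowering `threshold` or widening `window` changes which accounts surface, which is exactly the tuning the post says a SOC should do deliberately.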

These are just some of the considerations financial services organizations can use to shape better SOC strategies and partnerships. Throughout, transparency and cross-collaboration are key. The SIEM tool and SOC operation shouldn’t be a black box to the rest of the organization, but rather an accessible, searchable and dashboard-intensive platform. This will allow all stakeholders to easily collaborate around SOC protections that are powerful and highly tailored to the unique requirements of financial sector security.
