Five tips for building a more efficient SOC
What is a security operations center?
A Security Operations Center (SOC) is a team that monitors and protects an organization's information systems. They analyze and defend networks and data from cyber threats. The SOC team usually includes security analysts, engineers, and incident responders. They use advanced tools for threat detection, investigation, and incident response to mitigate security threats.
The modern SOC
Security Operations Centers (SOCs) have been around since the 1970s. Back then, the focus was on defense against lower-impact malicious code. Today’s defenders are up against a constantly expanding attack surface and sophisticated threat landscape: more threats, more attack surfaces, more tools, more alerts, more siloes, more devices…you get the idea.
Research by the SANS Institute found that 80% of SOCs are running 24/7, staffed by 2-10 people. In this environment, anything you can do to maximize the performance of the tools you have while minimizing the pressure will likely carry a big payoff. Leveraging tools like AI and automation can help streamline operations and augment human capabilities. But where do you start?
Here are our top five tips for enhancing SOC performance.
Tip #1: Invest in threat intelligence
H3: Cyber Threat Intelligence drives the SOC
Cyber Threat Intelligence (CTI) gives organizations the insights and context they need to understand the nature of the attacks they face: who’s attacking, the motivation behind it, what their capabilities are and what indicators of compromise (IoC) in your systems could look like. Experts categorize CTI into four key areas: strategic, tactical, technical, and operational.
Among other things, it gives SOC defenders the insights they need to identify, prioritize and mitigate the gaps and weaknesses in their software supply chain. According to SANS, 75% of defenders are using CTI for threat hunting, and 75% for incident response.
Benefits:
- Threat Intelligence helps SOCs to adopt a proactive security strategy, such as threat hunting for threats that are unidentified or not yet remediated in their networks.
- Provide insights into vulnerability and patch prioritization, including CISA’s Known Exploited Vulnerabilities (KEV) catalogue.
- Drive compliance with evolving global regulations, audit requirements and standards, including ISO 27001.
Drawbacks:
- Vulnerability reports can run to dozens, or even hundreds, of pages. When the list of ‘critical’ vulnerabilities is long, prioritization can be a significant challenge for SOC teams.
- The prioritization dilemma extends beyond the actual vulnerability and into the wider IT estate: if you have 100 servers all with the same critical vulnerability, which one should you patch first? Developing the local context that enriches threat intelligence can be a challenge for many organizations.
Example use cases for Cyber Threat Intelligence in the SOC:
- Many organizations subscribe to aggregated threat intelligence feeds that combine multiple, high quality intelligence sources, giving them comprehensive data they could not otherwise gather using in-house resources.
- Threat intelligence helps many organizations to adopt a proactive approach to vulnerability prioritization.
- Threat intelligence data can be integrated with, and enrich, other security tools, such as security information and event management (SIEM), threat management systems and vulnerability management.
Tip #2: Tool consolidation
Visibility is critical in the SOC
A lot has been written about the importance of communication and collaboration in strengthening cybersecurity. When it comes to SOC efficiency, that concept cascades beyond humans and into the tool stack: visibility is critical, and investing in a consolidated tools stack or single platform can help with this. In fact, 88% of defenders prefer a platform approach over individual point products:
Benefits of tool consolidation in the SOC:
- Tool consolidation reduces the need to switch between multiple platforms and consoles. Without the distraction of switching between multiple information sources, defenders can respond to threats more quickly, leading to faster Mean Time to Detect (MTTD) and Mean Time resolution (MTTR).
- Reducing tool sprawl often translates into lower costs. By taking redundant tools out of the equation, teams can streamline functionality as well as reduce licensing and maintenance costs.
- Enhanced visibility and collaboration. As described above, consolidated toolsets give teams the kind of end-to-end visibility that eliminates silos to deliver more effective detection and response.
Drawbacks:
- For organizations with complex IT infrastructure, or hybrid cloud/on-premise/container-based systems, finding a single tool that can integrate with and/or manage everything can be difficult.
- Employee resistance: everyone has their favorite methods and tools. In an environment where teams are used to specific tools, transition (and the associated training costs) can be a challenge.
Example use cases for tool consolidation in the SOC:
- Consolidating multiple SIEM (security information and event management), IDS (intrusion detection systems) and EDR (endpoint detection and response) into a single platform enables SOC analysts to correlate events from multiple data sources, which can help with complex threat detection and also drive faster response times.
- Streamlining vulnerability management tools into a consolidated platform to help prioritize vulnerabilities and track remediation.
Tip #3: Regularly update and patch systems
Proactive security drives SOC efficiency
In a world where 91% of organizations experienced at least one software supply chain security incident in 2023, identifying and patching critical vulnerabilities and weaknesses in code is crucial. Verizon’s Data Breach Investigations Report (DBIR) 2024 reported a 180% increase in attacks involving the exploitation of vulnerabilities, almost triple the previous year’s number.
The same report underlines the criticality of keeping up to date with patching – it currently takes around 55 days to remediate 50% of critical vulnerabilities once a patch becomes available. As the report states: “If it goes in the KEV, go fix it ASAP.”
Benefits of regular patching and updating in the SOC:
- Up-to-date patching reduces vulnerabilities and potential attack vectors.
- It takes a median 60 seconds for users to fall for a phishing email. Regular patching of systems helps organizations defend against user error in facilitating exploits.
- Help reduce security debt by eliminating common vulnerabilities such as cross-site scripting (XSS), command injection or sensitive data in log files.
Drawbacks:
- Without automation or AI assistance, updating and patching can be time consuming and cause temporary down time, which can be a problem for organizations where process / up time are critical.
- In operational environments where downtime is rarely an option, patching windows are tight. When it comes to securing these environments, finding the balance between speed, precision and criticality is crucial – and can be difficult.
Example use cases for regular patching and system updates in the SOC:
- Using AI to rapidly analyze large volumes of validated vulnerabilities and exploits to distil the most relevant to the organization.
- Continuous monitoring of attack surfaces for high-impact vulnerabilities, and scheduling regular maintenance windows for patching. Tools like Darktrace Proactive Exposure Management use AI-based scoring systems and attack path modeling to help organizations understand their unique risk profile – and prioritize the highest-risk, most impactful vulnerabilities in their organization.
Tip #4: Continuous training and development
Training and job satisfaction are key to an efficient SOC
With an estimated shortage of 4 million professionals, the cybersecurity skills gaps is well documented. Access to bespoke, context-rich incident response playbooks can go a long way towards alleviating workloads on teams where resources are tight – and can help fast-track new or less-experienced hired. In high-pressure environments like the SOC, job satisfaction and engagement are also key to retention. A SANS survey of SOC defenders found that average tenure in the SOC is increasing – in step with a sense of ‘meaningful work’ as a strong reason for staying.
Benefits of continuous training and development for SOC staff:
- Cyber threats and attack surfaces are evolving and expanding all the time. Teams that are facilitated in keeping skills up to date are best placed to be effective – and perform better.
- Cross-training brings clarity to roles and also helps elevate performance in specific roles.
- Training keeps staff motivated and interested in meaningful work, while enabling organizations to maximise the benefits of often complicated tools. Tools like Darktrace AI recovery and incident simulation not only uplifts and engages teams, but helps optimize incident response processes, enabling speedy recovery and the capacity to generate bespoke, realistic playbooks based on understanding each organization’s own data.
Drawbacks:
Training can be resource intensive, but the return on investment can be high.
Example use cases for continuous training and development for SOC staff:
- Promoting and positioning SOC teams as experts by encouraging achievement of industry-recognized courses and certifications.
- Promoting training and development opportunities as a tool for attracting and retaining talent.
- Maximize the ROI on tools and technologies by ensuring staff have the skills to derive the best insights and strategies.
Tip #5: Measure and optimize SOC performance
Finding the metrics that matter most in the SOC
Sixty-seven per cent of SOC defenders say they provide metrics to senior management to justify SOC resources, from alerting to threat hunting. Metrics are about more than justification, though: they help teams to define what success looks like, what’s important – and where they need to improve. From mean time to detection (MTTD, aka ‘dwell time’) to incident closure rates, false positives, threats missed and MITRE ATT&CK evaluations, measurement is the best route to optimizing processes, people and technologies.
Benefits of measuring and optimizing SOCs:
- Identify and prioritize areas for improvement or resource investment, while tracking progress on new initiatives.
- SOC metrics are valuable performance indicators for incident management and remediation.
- Support compliance with cybersecurity regulations – SOC metrics provide reports and evidence of the effectiveness of controls in place.
Drawbacks:
- Consistent monitoring and analysis can be draining on resources.
Example use cases for measuring and optimizing SOCs:
- Develop and implement key performance indicators (KPIs) for specific SOC goals, such as MTTD or response rates.
- There are good reasons why defenders talk about mean time to detection or incident closure rates, but they’re far from being the only metrics that matter in the SOC – you can learn more about the opportunities to expand scope here.
Building SOC efficiency with Darktrace
Today’s SOC teams are facing unprecedented challenges, from a constantly expanding attack surface to more sophisticated threat actors constantly probing for weakness. In this environment, anything defenders can do to cut through the noise of threats, tools, devices, alerts and siloes will help take some of the pressure off.
Darktrace helps SOC teams to streamline their workloads and processes, providing a single platform to help with:
- Proactive threat detection and response.
- Comprehensive visibility and correlation.
- Automation and reduction of manual workloads.
- Prioritization and efficiency gains.
- Incident readiness and training.
Learn more about how teams like McLaren use Darktrace’s self-learning AI to proactively detect and defend against threats in real time, check out our case study.