Security Operations Centers are Only as Good as a Company’s Culture

by Nate Hicks 0 Comments

The Watch Commander’s Log is a series that provides a direct view into the threats Agio’s Managed Detection and Response (MDR) team handles for our clients. If you have questions about anything you read here, please feel free to reach out to us at mdrbriefings@agio.com. If you are a current Agio MDR client, you can also reach out to your assigned MDR analyst.  

If you work in a Security Operations Center (SOC) or are a client of the Agio SOC, the following ideas demonstrate some of the steps we take to be effective and productive. 

Core Values  

Culture and values are paramount to how a SOC functions. Breeding an open, candid, and honest workplace provides analysts a space to ask questions, collaborate, and make mistakes while improving. 

“Agio’s culture is a blend of who we are and what we aspire toward, which is to empower our clients with secure, reliable, and resilient information systems. We invest in our culture to help us attract the best people, do our best work, and be our best selves. This living, breathing culture is deliberate, and it’s also our expectation guide for success.”  

Learn more from our CEO, Bart McDonough in his talk on culture.  

These are the core values of Agio and how they impact our SOC: 

  • Master the Fundamentals
    The fundamentals are the building blocks of analysis. Analysis methods are shared across the team as they are developed, and regular training is conducted to make sure standard skills are at their peak.  
  • Communicate Fearlessly to Build Trust
    Our SOC analysts and engineers are in constant communication with our clients to provide insight into potential cybersecurity incidents and solutions for troubleshooting and regular break-fix issues. 
  • Speak Up
    Agio SOCs can identify service and security issues in networks without the fear of reprisal. This openness provides an environment where problems are approached cautiously, yet solutions are developed fast as everyone has access to information.  
  • Be Bigger than Your Job
    SOCs can contribute to other skillsets and departments. The benefit is a cohesive team as they work toward common communal goals and provide operational and security value.  
  • Evolve
    The iterative process of being better than you were yesterday really is the motto of a security operations center. Reducing false positive rates and the cadence of tuning and detection lends itself to evolving the analytical skillset over time.  

Autonomy

An analyst’s time is best spent analyzing high-fidelity issues while providing insight. This impacts an organization’s security posture as the recommended actions secure the network based on trend and baseline analyses. Conversely, time spent repeatedly triaging false positive alarms created due to operational data/general IT issues is the bane of working in security operations.  

The solution is to allow the SOC autonomy to filter, suppress, and create detection capability via an outlined process. We take processes from other technology sectors, specifically change management, to ensure rule and detection changes apply to our clients.  

Rule generation and creation process: 

  1. An analyst creates the rule in AlienVault based on a hypothesis of a potential infection vector applicable to the client.  
  2. The analyst requests peer review from an analyst or engineering teammate.  
  3. Once approved, the rule is put in place for the client in AlienVault and is tested over the course of weeks to determine its detection value.  

This entire process allows the SOC to eliminate false positives and write rules to find new potential infection vectors. The outcome is control of the detection capability and development of a standard of quality through peer review. The SOC’s main output is its detection capability and subsequent response.  

Automation

How does detection capability and response play out at Agio? We use multiple tools to automate the analysis process and test actual security controls.  

Currently, two facets of automation at Agio are Open Source Intelligence (OSINT) Gathering and Purple Team Security Control Testing. 

OSINT Gathering 

Using open-source tools such as Sherlock, Intel Owl, and the Open Threat Exchange (OTX), the analysis team speeds up the collection of OSINT artifacts related to indicators of compromise (IOCs) and automates the investigation process. 

We end up with this: 

  1. IP address is associated with an alarm  
  2. Input IP address into central API tool to gather related information 
  3. Conduct analysis 

Instead of this: 

  1. IP address is associated with an alarm 
  2. Manually input IP into website tools 
  3. Collect data from tools and place in central location for analysis 
  4. Conduct analysis 

The collection of this information quickly gives the Agio SOC the ability to conduct analysis expediently. Time is of the essence when dealing with security issues/incidents.  

Purple Team Security Control Testing 

The Agio SOC uses an automated adversary emulation platform to directly test the security controls of endpoint/network defense products. This platform allows the SOC to automate adversary actions in client environments to directly test security controls and detection capability of the SIEM (security information and event management). 

This type of testing is usually manual and requires more manpower and time to gather valuable and actionable data. Automating this activity empowers defenders in testing and configuring detections for new attack types and objectives.  

These automation procedures provide the SOC the ability to conduct repetitive work without causing fatigue. 

Metrics (Quality vs. Quantity) 

Which is better for security—quality or quantity? 

At the Agio SOC, quality is valued over quantity due to the availability of automated detection tool suites. This data is provided via metrics visualized by dashboards in our reporting tools. Metrics in the SOC provide valuable insight and data that is not located in other places. Some examples of the questions that can be answered are:

  1. How many alerts did we send to the client last month? 
  2. How many alerts will we send to the client next month? 
  3. What day of the week has the largest vector of attack? 
  4. When do we get more alerts? 

The answers to these questions provide SOC management the ability to allocate resources and budget to the correct locations. This data is immensely important in maintaining the balance between new tools and human resources. 

Metric reporting using time series analysis shows the patterns and trends of security issues. These data points allow analysts to gain valuable knowledge about client networks. 

In Conclusion

The SOC analysis process and the methods of autonomy, automation, and metrics foster better functionality and increase triage speed. Together, these components—along with Agio’s strong core values—increase the SOC team’s flexibility and are paramount as technology changes continue. Cybersecurity is much more than an IT topic; the human element is essential—and is the central focus of the Agio SOC operations.  

If you have questions about anything you read here, please feel free to reach out to us at mdrbriefings@agio.com. If you are a current Agio MDR client, you can also reach out to your assigned MDR analyst.