Why measuring SOC-cess matters - Using metrics to enhance your security program

SANS recently released their 2018 SOC Survey and many of their findings were of no surprise to anyone who has been responsible for maintaining their organization’s security posture. Many respondents reported a continued breakdown in communication between NOC and SOC operations, lack of dynamic asset discovery procedures, and event correlation continues to be a manual process even though SOC staffing is being worn thin by the surmounting responsibilities they have to take on.

Why measuring SOC-cess matters?

Anyone who has been a part of a security team knows these issues are an everyday battle, but those “common” issues were not what caught me off guard. The most shocking statistic I gathered from this survey is that only 54% of respondents reported that they are actively using metrics to measure their SOC’s success! I was taken aback by this finding and couldn’t help but wonder if all the other reported SOC deficiencies could be directly related to this missing link?

I have been in the security industry for close to ten years, most of which was spent as a SOC analyst and SIEM engineer for a large MSSP. It was my responsibility to be an extension of my client’s security arm and those clients ranged from large Fortune 500 companies to small family-owned businesses. Each client was unique, what one found to be important, another thought of as noise. The diversity between each of these clients taught me early on how important it is to understand what their definition of success was so that I may help them to not only achieve their security goals but to assist them in staying ahead of today’s rapidly expanding threat landscape.

This diversity also taught me another valuable lesson: not all security programs are created equally. Naturally, my larger clients had a more mature security posture, they knew what they wanted and what it would take to get them there, and they had the funding to back it up. Unfortunately, some of my smaller clients were not as lucky. They were severely understaffed, their IT department was the Security department, they lacked adequate funding to stay ahead of the ever-growing security curve, and in many cases, the measurement of success resembled a game of whack a mole.

Does this sound familiar? If the answer is yes, you can rest assured that you are not alone. Even the most secure, highly-funded organizations have struggled with these obstacles. However, I believe one of the biggest differences between these organizations and the organizations striving to be like them isn't directly due to the lack of funds, but instead the metrics they are using to show value in what they are trying to accomplish.

Don't get me wrong, funding is and always will be an obstacle that organizations, large or small, will have to overcome when trying to build and maintain a security program. But the larger and more dangerous obstacle is the one we are creating for ourselves by not measuring and monitoring our security strengths and weaknesses through a strong security metrics program.

This type of security program will be as different as the organization it aims to define. To truly understand what success looks like for you there are a few recommended tasks that, when completed, will give you a greater understanding of your environment and a strong foundation for your security metrics program.

How to enhance your security program

• Conduct a risk assessment

A risk assessment is meant to help identify what an organization should be protecting and why. A successful assessment should highlight an organization's valuable assets and showcase how they may be attacked and what would be at stake if an attack is successful. Armed with the results of this assessment, organizations can not only begin to address their deficiencies but now have a solid set of metrics that they can use to measure their success as they move forward.

• Perform vulnerability assessments

Vulnerability assessments are another vital security tool that is designed to detect as many vulnerabilities as possible in an environment, and aid security teams in prioritizing and remediating the issues as they are uncovered. All organizations, regardless of maturity, will benefit from these types of assessments, but organizations with a low to medium security posture may benefit the most. The result of these assessments will help give a greater definition of what an organization’s metrics should consist of and what steps are necessary for continued success.

• Adopt a security framework

Even if you are not held to a compliance standard, adopt a security framework anyway. I understand that choosing a framework to model form does not guarantee an organization’s safety, but it is proven that those organizations who adopt a standard have a higher security maturity and are more likely to identify, contain, and recover from an incident faster than those who do not follow security program's best practices. These frameworks, in conjunction with the security assessments mentioned above, were built to give organizations a blueprint of how to best protect their environment and measure their successes.

I sincerely believe in the value of a rich metrics program and have seen first-hand what it can do for an organization. With the level of sophistication in today's cyber attacks and the environments they target, we can no longer afford to leave our security up to chance. It is my hope that when SANS publishes their SOC Survey for 2019, that we have taken the steps necessary to change this statistic because I know as an industry we can do better.