ISACA Now Blog


How SOC Brings Value to the Business

Manohar Ganshani, Associate Partner, IBM Security
Posted at 3:10 PM by ISACA News | Category: Security

Most organisations only begin looking at the design of their Security Operations Center (SOC) operating model – their existing engagement with a managed service provider or their in-house SOC program – after they have been hit by a cyber-attack, because the business has then challenged the SOC's effectiveness and wants the missing link identified. This is a reality.

Here is my perspective on how your SOC program can establish this effectiveness proactively and bring value to the business. I describe a couple of measures; they are not the only ones that strengthen the governance of a SOC program.

Under a well-defined structure, the SOC gets its initial visibility of threats from the business, risk management and threat intelligence functions. The top threats are translated into specific use cases, and each use case is then mapped to the business systems it protects and to the relevant data sources, both critical and non-critical.

Now let's look at two different types of threat to get a practical view: one that affects the availability of a system (a DDoS attack), and one that steals sensitive information (a malware/APT attack).

When the SOC monitors threats, it should map each threat and its monitoring to the kill chain, and track a specific KPI: the stage of the kill chain at which the threat was intercepted. The outcome of this mapping lets the SOC advise IT, security and the business on whether the preventive control in place is effective. For example, consider malware delivered by a spear-phishing attack through a zero-day exploit in the user's browser, on a business-critical system within retail banking, that passes through stage 1 of the kill chain undetected. This scenario clearly indicates that either the advanced malware protection control on the end-user machine did not detect it, or the local event manager did not raise an alert in the Security Information and Event Management (SIEM) platform; either way, these controls are not effective.

This type of advisory extends the role of the SOC beyond just monitoring security incidents. The SOC team also knows the underlying systems that are affected, so it can provide full visibility of a threat: from the use case scenario, to the kill chain stage, to the underlying business system that is under attack.

Another KPI is linked to the response time to threat incidents. By combining these two KPIs, the business gets visibility of how well the SOC protects business systems, which is the primary goal of a SOC program: intercepting the threat early and responding to the incident within an agreed time frame (the response-time KPI shows whether the time to respond exceeded the agreed time frame). Finally, the SOC should provide the estimated value of the impact that it safeguarded, taking into account the underlying asset value, though this exercise involves a bit of subjectivity.
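As an added illustration (not part of the original post or of IBM Security's tooling) of the two KPIs described above, the following Python script takes a constructed list of incidents, each tagged with its use case, business system, the kill chain stage at which the SOC intercepted it, and the stage at which a preventive control was supposed to stop it, and derives the control-effectiveness advisory, the early-interception rate, the response-time breaches and the (admittedly subjective) safeguarded value. The incident records, asset values, control names and agreed response times are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Lockheed Martin Cyber Kill Chain, in order. The index tells how far an
# attacker got before the SOC intercepted the threat.
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]


@dataclass
class Incident:
    use_case: str               # detection use case that fired
    business_system: str        # hypothetical business system name
    critical: bool              # criticality assigned by the business/risk function
    asset_value: float          # hypothetical value of the asset (constructed)
    intercepted_stage: str      # kill chain stage at which the SOC caught the threat
    preventive_control: str     # control that should have stopped the threat earlier
    control_stage: str          # stage at which that control is meant to act
    detected_at: datetime
    responded_at: datetime
    agreed_response: timedelta  # response time agreed with the business


def stage_index(stage: str) -> int:
    return KILL_CHAIN.index(stage)


def control_effectiveness(incidents):
    """Return {control: (threats_passed, threats_seen)}.

    A preventive control has 'passed' a threat when the SOC only intercepted it
    at a later kill chain stage than the one the control is meant to act on.
    """
    result = {}
    for inc in incidents:
        passed, seen = result.get(inc.preventive_control, (0, 0))
        if stage_index(inc.intercepted_stage) > stage_index(inc.control_stage):
            passed += 1
        result[inc.preventive_control] = (passed, seen + 1)
    return result


def early_interception_rate(incidents, no_later_than="exploitation"):
    """KPI 1: share of threats intercepted at or before the given stage."""
    if not incidents:
        return 0.0
    limit = stage_index(no_later_than)
    early = sum(1 for inc in incidents if stage_index(inc.intercepted_stage) <= limit)
    return early / len(incidents)


def response_time_breaches(incidents):
    """KPI 2: incidents whose response took longer than the agreed time frame."""
    breaches = []
    for inc in incidents:
        actual = inc.responded_at - inc.detected_at
        if actual > inc.agreed_response:
            breaches.append((inc.use_case, inc.business_system,
                             int(actual.total_seconds() // 60)))
    return breaches


def safeguarded_value(incidents):
    """Estimated value protected: asset value of every threat stopped before
    actions on objectives. Deliberately simple; the post notes the subjectivity."""
    last = stage_index("actions_on_objectives")
    return sum(inc.asset_value for inc in incidents
               if stage_index(inc.intercepted_stage) < last)


# Constructed sample incidents (not real data).
T0 = datetime(2017, 2, 15, 9, 0)
SAMPLE_INCIDENTS = [
    # The post's scenario: spear phishing, zero-day in the browser, retail banking,
    # only caught once the malware was already installed.
    Incident("spear_phishing_malware", "retail_banking_core", True, 5_000_000.0,
             "installation", "endpoint_advanced_malware_protection", "exploitation",
             T0, T0 + timedelta(minutes=45), timedelta(minutes=30)),
    Incident("volumetric_ddos", "internet_banking_portal", True, 2_000_000.0,
             "delivery", "ddos_scrubbing", "delivery",
             T0 + timedelta(hours=1), T0 + timedelta(hours=1, minutes=10),
             timedelta(minutes=15)),
    Incident("c2_beacon_exfiltration", "hr_portal", False, 200_000.0,
             "actions_on_objectives", "egress_filtering", "command_and_control",
             T0 + timedelta(hours=2), T0 + timedelta(hours=4), timedelta(minutes=60)),
]


def advisory_report(incidents=SAMPLE_INCIDENTS):
    """Bundle the KPIs into the advisory the SOC hands to IT/security/business."""
    return {
        "control_effectiveness": control_effectiveness(incidents),
        "early_interception_rate": early_interception_rate(incidents),
        "response_time_breaches": response_time_breaches(incidents),
        "safeguarded_value": safeguarded_value(incidents),
    }


if __name__ == "__main__":
    for key, value in advisory_report().items():
        print(f"{key}: {value}")
```

In the sample data the endpoint protection control is flagged as having passed one of one threats, which is exactly the advisory the post describes for the spear-phishing scenario; the two breaches of the agreed response time and the one-in-three early-interception rate are what the business would see alongside it.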

Sometimes business leaders demand that the SOC team tell them the downtime of critical business systems during an attack, especially when the organization experiences DDoS attacks. This is one reason some SOC structures have allocated a dedicated team to DDoS monitoring. Apart from the approach above, the SOC will use an established process that checks the heartbeat of the underlying data source or asset, which is mapped to the use case(s) in this category. In the case of DDoS, when a critical business system is not available, an alert is generated from that heartbeat event. When the SOC generates a report, the business gets visibility of the system's downtime due to the DDoS attack. This report can be compared with the one from the IT or business continuity function, which reports on non-availability of the system.
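The heartbeat-based downtime report described in this paragraph, as an added Python example that is not part of the original post: it parses constructed heartbeat log lines (one line per minute per asset, format and values assumed), treats a failed heartbeat or a silence longer than a tolerance as unavailability, merges adjacent unavailable intervals into windows, sums downtime per asset, and raises an alert for assets that the (hypothetical) DDoS use case mapping marks as critical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Heartbeats are expected every minute; silence longer than this counts as
# unavailable (a volumetric DDoS often shows up as missing heartbeats, not FAILs).
MISSED_HEARTBEAT_TOLERANCE = timedelta(minutes=2)

# Hypothetical mapping: assets covered by the DDoS use case that are business critical.
CRITICAL_ASSETS = {"internet_banking_portal"}

# Constructed heartbeat log lines, not real data: "<timestamp> <asset> <status>".
SAMPLE_HEARTBEATS = """\
2017-02-15T10:00:00Z internet_banking_portal OK
2017-02-15T10:01:00Z internet_banking_portal OK
2017-02-15T10:02:00Z internet_banking_portal FAIL
2017-02-15T10:03:00Z internet_banking_portal FAIL
2017-02-15T10:04:00Z internet_banking_portal OK
2017-02-15T10:05:00Z internet_banking_portal OK
2017-02-15T10:11:00Z internet_banking_portal OK
2017-02-15T10:00:00Z hr_portal OK
2017-02-15T10:01:00Z hr_portal OK
"""


def parse_heartbeats(text):
    """Group (timestamp, status) records per asset, sorted by time."""
    per_asset = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, asset, status = line.split()
        per_asset[asset].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), status))
    for rows in per_asset.values():
        rows.sort()
    return per_asset


def downtime_windows(rows, tolerance=MISSED_HEARTBEAT_TOLERANCE):
    """Return [(start, end)] windows during which the asset was unavailable.

    The asset is down from one heartbeat to the next when that heartbeat reported
    a failure, or when the next heartbeat arrived later than tolerated.
    """
    windows = []
    for (t0, status), (t1, _) in zip(rows, rows[1:]):
        down = status != "OK" or (t1 - t0) > tolerance
        if not down:
            continue
        if windows and windows[-1][1] == t0:   # extend a contiguous window
            windows[-1] = (windows[-1][0], t1)
        else:
            windows.append((t0, t1))
    return windows


def availability_report(text=SAMPLE_HEARTBEATS):
    """Per-asset downtime in minutes plus alerts for critical assets: the report
    the SOC hands to the business and compares with IT's own availability figures."""
    downtime = {}
    alerts = []
    for asset, rows in parse_heartbeats(text).items():
        windows = downtime_windows(rows)
        downtime[asset] = sum((e - s).total_seconds() for s, e in windows) / 60
        if asset in CRITICAL_ASSETS:
            for start, end in windows:
                alerts.append(f"ALERT {asset} unavailable {start:%H:%M}-{end:%H:%M}")
    return downtime, alerts


if __name__ == "__main__":
    minutes, raised = availability_report()
    for asset, mins in minutes.items():
        print(f"{asset}: {mins:.0f} min down")
    for line in raised:
        print(line)
```

The two FAIL heartbeats and the six-minute silence in the sample yield eight minutes of downtime for the critical portal and two alerts; the non-critical asset shows none. The tolerance is the knob to agree with IT and business continuity so that both functions' downtime reports can be compared on the same basis.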

In summary, SOC programs are maturing beyond serving as a purely operational entity and are bringing value to the business by implementing business KPIs and SOC processes. Mapping use case scenarios to the kill chain is a crucial step in building this value, because it increases the likelihood of intercepting threats at an early stage.

Comments

Not sure I agree

Manohar,
While this is a good example, I am not certain that this provides a business metric that is understood by the business, and therefore it is not conducive to showing 'value' as it relates to the SOC.

A zero day by definition may not be detected by any control.
Where in the kill chain the process is effective, while good to know from an IT perspective, may not show value to the business. They are looking for the risk to be mitigated.

Manny002 at 2/15/2017 10:41 AM

Re: How SOC Brings Value to the Business

Good information, thank you
Chidi292 at 2/15/2017 11:24 AM

Alignment of SOC Goals to Business Needs

The need to align security operations to the needs of the organization is a critical one; a lot of organizations seem to be content with implementing blanket or standard security measures without due consideration of their unique need. Whereas standard security measures like antivirus software, firewalls and disaster recovery plans are important, a security strategy that responds to an organization's risk profile will support the success of the institution. It is good to note from the article that some organizations are making strides to marry security goals to business objectives and assigning business related KPIs; there is a need though to ensure that appropriate KPIs are assigned and monitored.
Christopher070 at 2/17/2017 3:53 AM