… to think about how investments in technology and staff will work together in your organization’s Security Operations Center (SOC). When we introduced RSA Security Operations Management (SecOps), our intent was to help customers think through what framework, and what orchestration of people, process and technology, they need in order to build out their SOC capabilities.
As such, the key value propositions of SecOps are as follows:
- Business Context – Provide up-to-date business context for assets to security analysts, so they can prioritize the incidents that pose the biggest risk to their organization.
- Incident Response – Provide a framework, aligned with industry standards, for collaborating on and effectively investigating security incidents.
- Breach Response – Provide a framework so that, when an incident turns into a data breach, the organization is already prepared to respond.
- SOC Program Management – Enable SOC teams to run the overall incident and breach response process as a consistent, predictable business process.
As I started talking to customers about SecOps, I found that SOC maturity levels differed widely. Mature SOC customers, those at the “Defined” stage or above on the CMMI maturity scale, immediately see the benefits of SecOps: the ability to automate their overall SOC processes, drive efficiency and consistency, and prove the overall effectiveness of the team.
But early-stage customers, those at the “Initial” or “Managed” stage of their SOC implementation, would pose the question back to me: “We are at an EARLY stage of building out our incident response team, and SecOps has a lot of functionality. Where do I start?”
It is never too early to take advantage of SecOps functionality. You are investing in technology and staffing your team; how do you get the full return on those investments? SecOps can be implemented in stages, and more functionality can be introduced as your team matures. If you are in the early stages of a SOC implementation, here are three items to think about now:
- Alert aggregation into SecOps – Analysts will have one place to look at new incidents and manage the queue, instead of working a separate console for each tool.
- Prioritize incidents against business context – Start getting your IT asset information into SecOps / Enterprise Management and assess the risk of those assets. Analysts can then prioritize the incidents that pose the biggest risk to the organization.
- Leverage OOTB incident response procedures – SecOps ships with out-of-the-box (OOTB) response procedures authored by the RSA Advanced Cyber Defense team. You can build on these procedures and create your own.
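As an added illustration of how those three items fit together (this is example code written for this page, not RSA SecOps code or its APIs), the Python below takes alerts from two constructed feeds, a SIEM and an EDR tool, normalizes them into one queue, merges alerts about the same asset and category, ranks the queue by technical severity times asset criticality from a constructed asset inventory, and attaches a stand-in response procedure. The severity scale, the 1-5 criticality scale, the asset records, the feed formats and the procedures are all assumptions made for the example.

```python
"""Added illustration (not RSA SecOps code): pull alerts from two constructed
feeds into one queue, rank them by asset business context, and attach a
response procedure. All feeds, assets, weights and procedures are made up."""
from dataclasses import dataclass, field

# Assumed severity weights and an assumed 1-5 asset criticality scale.
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed asset inventory; in a real SOC this comes from the CMDB / asset system.
ASSET_INVENTORY = {
    "10.0.1.5": {"name": "pay-db-01", "criticality": 5, "owner": "Finance", "data": "cardholder"},
    "10.0.2.17": {"name": "intranet-wiki", "criticality": 2, "owner": "IT", "data": "internal"},
}
# Assumption: an asset missing from inventory gets a middling criticality rather
# than zero, so gaps in the inventory do not silently bury alerts.
UNKNOWN_ASSET = {"name": "unknown", "criticality": 3, "owner": "unassigned", "data": "unknown"}

# Constructed response procedures keyed by alert category. These are stand-ins
# for a vendor's out-of-the-box procedures, not RSA content.
PLAYBOOKS = {
    "malware": ["Isolate host from network", "Collect memory and disk triage image",
                "Identify initial access vector", "Block IOCs at perimeter and EDR"],
    "c2_beacon": ["Capture full packet data for the destination", "Identify the beaconing process",
                  "Block destination and pivot on other hosts contacting it"],
    "brute_force": ["Confirm whether any attempt succeeded", "Lock or reset the targeted accounts",
                    "Block source if external"],
}
GENERIC_PLAYBOOK = ["Validate the alert", "Scope affected assets", "Escalate per SOC policy"]

# Constructed sample events in two different vendor shapes.
SIEM_EVENTS = [
    {"src_ip": "10.0.2.17", "sev": 9, "rule": "Multiple failed logins to wiki", "category": "brute_force"},
    {"src_ip": "10.0.1.5", "sev": 5, "rule": "Outbound connection to rare domain", "category": "c2_beacon"},
]
EDR_EVENTS = [
    {"host_ip": "10.0.1.5", "severity": "high", "detection": "Beaconing powershell.exe", "category": "c2_beacon"},
    {"host_ip": "192.168.5.9", "severity": "critical", "detection": "Ransomware file encryption", "category": "malware"},
]


@dataclass
class Alert:
    asset_ip: str
    category: str
    severity: str
    title: str
    sources: list = field(default_factory=list)


def _siem_severity(sev: int) -> str:
    """Map the constructed SIEM's 1-10 numeric severity onto the common scale."""
    if sev >= 9:
        return "critical"
    if sev >= 7:
        return "high"
    if sev >= 4:
        return "medium"
    return "low"


def normalize(siem_events, edr_events):
    """Translate the two vendor-specific event shapes into one Alert shape."""
    alerts = [Alert(e["src_ip"], e["category"], _siem_severity(e["sev"]), e["rule"], ["siem"])
              for e in siem_events]
    alerts += [Alert(e["host_ip"], e["category"], e["severity"], e["detection"], ["edr"])
               for e in edr_events]
    return alerts


def aggregate(alerts):
    """Merge alerts about the same asset and category, so the analyst sees one
    queue entry with two sources instead of two entries; keep the worst severity."""
    merged = {}
    for a in alerts:
        key = (a.asset_ip, a.category)
        if key in merged:
            m = merged[key]
            m.sources = sorted(set(m.sources + a.sources))
            if SEVERITY_WEIGHT[a.severity] > SEVERITY_WEIGHT[m.severity]:
                m.severity, m.title = a.severity, a.title
        else:
            merged[key] = Alert(a.asset_ip, a.category, a.severity, a.title, list(a.sources))
    return list(merged.values())


def priority(alert):
    """Business-context score: technical severity times asset criticality."""
    asset = ASSET_INVENTORY.get(alert.asset_ip, UNKNOWN_ASSET)
    return SEVERITY_WEIGHT[alert.severity] * asset["criticality"]


def build_queue(siem_events, edr_events):
    """Return the analyst queue, highest business risk first, with a procedure attached."""
    queue = []
    for a in sorted(aggregate(normalize(siem_events, edr_events)), key=priority, reverse=True):
        asset = ASSET_INVENTORY.get(a.asset_ip, UNKNOWN_ASSET)
        queue.append({"ip": a.asset_ip, "asset": asset["name"], "owner": asset["owner"],
                      "category": a.category, "severity": a.severity, "sources": a.sources,
                      "score": priority(a), "procedure": PLAYBOOKS.get(a.category, GENERIC_PLAYBOOK)})
    return queue


def inventory_gaps(queue):
    """IPs that reached the queue with no business context; feed these back to the CMDB."""
    return [q["ip"] for q in queue if q["owner"] == "unassigned"]


if __name__ == "__main__":
    for entry in build_queue(SIEM_EVENTS, EDR_EVENTS):
        print(entry["score"], entry["asset"], entry["category"], entry["sources"], entry["procedure"][0])
    print("assets missing from inventory:", inventory_gaps(build_queue(SIEM_EVENTS, EDR_EVENTS)))
```

With the sample data the cardholder database ends up at the top of the queue even though the SIEM rated its alert only "medium", because the EDR source raised the merged severity and the asset carries the highest criticality, while the host that is missing from inventory is reported by `inventory_gaps`. That second result is the practical reason to load asset data early: without it, the fallback criticality is a guess.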
These three items will immediately improve analyst effectiveness. From there, you can continue adding SecOps functionality for breach preparedness and overall SOC program management. So my answer to early-stage customers is: it is never too early to leverage SecOps; it can bring immediate benefits to your SOC team.
SecOps has been available to our customers for exactly a year. I continue to learn from RSA customers, and let’s keep fighting the good fight against the bad guys! Watch Bob Cheong, CISO of Los Angeles World Airports, talk about how he built his SOC capabilities from scratch.