Not a SOC FAQ! This is SOC FMD!

Somebody asked me this profound question that (a) I feel needs an answer and that (b) I’ve never answered in the past:

If you run a SOC (or an equivalent D&R team), what things should you require (demand, request, ask, beg … depending on the balance of corporate power) of other teams?


Think of this not as SOC FAQs, but SOC FMDs — Frequently Made Demands…

To frame this a bit, this is not about executive sponsorship (you should always “request” executive support, otherwise some efforts are not even worth starting, frankly), or other SOC success “pre-requisites.” This is about the key ongoing “asks” SOC makes of other teams and departments so that it has a chance of being successful with its mission over time.

So when asked this question, my ex-analyst mind went and produced a 3-pillar framework:

  1. Assets information
  2. Useful signals delivery
  3. Triage partnership

Let’s review these three.

Assets Information

If a SOC is tasked with detection and response, they better know the lay of the land that they are defending. “Defender’s Advantage” and all that. If you don’t know the terrain better than the attacker, you already lost.

There is of course a lot of nuance to it, but at some basic level, there should be a way for a team deploying anything to report this to SOC for coverage, and for a SOC to ask a team for their list of assets to be monitored for threats. Assets here may mean servers (hey, the 1990s are NOT really over, joking aside), cloud assets, SaaS services, applications, etc. (it would also be handy for ZT efforts).

Summary: if your mission is to protect assets, ask for the list of assets (sorry, this came out very Capt Obvious, but this is in fact missed in some cases).



[…]

This article has been indexed from Security Boulevard
