Training and Evaluating the Modern SOC

The modern detection and response analyst is faced with a variety of challenges. Adversaries are constantly developing and deploying new tactics, techniques, and procedures (TTPs). Organizations must continually adapt their environment to meet business challenges, often introducing new security solutions for detecting and responding to an attack. Security personnel are often placed in the position of monitoring and responding to a wide range of technologies, from firewalls and EDR to identity and access management systems and others. If organizations don’t have a process to update their capabilities for responding to real-world attacks, they can leave themselves wide open.

The way skills are developed, both by the individual contributor and by the team at large, further increases the risk that security personnel will be unable to deal with modern attacks. The traditional method for training security personnel and teams is unidirectional training that imparts skills rather than improving and validating abilities. An example is a yearly budget for a boot camp where the instructors impart some definitive skill set to the analyst and then send them back to their day-to-day operations.

This approach often focuses on increasing technical skills such as detection triage or packet analysis while leaving out the larger context. This type of delivery is akin to a baseball player’s batting practice. Batting is only one component of a baseball player’s skills; they need to develop much more than batting to be able to play baseball.

7 Elements of Incident Response

Going back to the detection and response realm, the abilities of detection and response personnel run across seven different elements that provide a complete capability to address cybersecurity incidents. These seven elements represent the areas where organizations should focus on improving and validating abilities:

  1. Technical Proficiency: With the wide range of tools and telemetry that security personnel and managers look at every day, it is critical to know how well they understand the different tools in the environment. 

  2. Detection: Analysts should be very familiar with detecting myriad cyber threats and be able to sort through the false positives. In addition, it’s critical to understand the attack and the impact on the system or systems to ensure that the appropriate response actions are taken.

  3. Incident Response: Trained and experienced security personnel are the first human prerequisite for a well-executed incident response process. Even the slightest breakdown in labeling a threat’s severity or in immediate isolation actions can have a significant impact on the organization.

  4. Prevention/Mitigation: The speed of ransomware attacks has increased over the last several years. These attacks can now be measured in minutes. Executing the right prevention or mitigation techniques can be the deciding factor in the impact of such attacks. Identifying if an individual security analyst applied the right mitigation control to block or mitigate the attack is critical to decreasing the risk to the overall organization.

  5. Communication: In the heat of an incident, clear and concise communication is critical. Incident responders, including security personnel, need to clearly communicate their findings to the incident commander and senior leadership.

  6. Teamwork: Cybersecurity is a team activity. Large-scale incidents can involve multiple teams across various business units. Being able to work in a team environment is critical to overall incident response. 

  7. Compliance: Organizations put time and energy into crafting incident response plans and playbooks that address risks associated with attacks. Determining if SOC analysts followed these plans — or if there is a gap — is critical to an organization’s readiness. 

These seven areas not only reflect what security personnel individually and a security operations team collectively should be able to execute, but they also serve to show improvement over time. For example, organizations that stand up a new security operations center (SOC) will often score low in areas such as teamwork, incident response, and compliance. This is not for a lack of technical skill or ability but rather a lack of repetition in the incident response process and working through the team dynamic. The cure for this is a continual process of realistic simulation exercises, followed by debriefings with the security leader where points of improvement are identified and incorporated into the SOC’s operational model. 

The reality is that a five-day boot camp or online course cannot address building ability in all seven of these areas at once. Filling that gap requires an ongoing training program that addresses increasing ability in all seven areas along with providing regular reports to leadership showing how the overall team is making improvements in their ability to detect and respond to a cyberattack.

Third-Party Cyber Range Programs 

One technology that has become increasingly useful in training security personnel and teams is the cyber range. These interactive environments provide real-world exposure to attacks, enabling individuals and teams to build abilities across all seven areas: rather than crafting a single technical exercise, they recreate the entire lifecycle of an incident.

A third-party provider such as Cloud Range provides several distinct advantages. First, maintaining a cyber range and crafting scenarios can often be cost- and time-prohibitive. SOC personnel are already stretched thin and often lack time for the additional responsibilities of maintaining a cyber range and crafting real-world scenarios. A third-party provider can both maintain a realistic environment — including a suite of real, commonly used security tools — and execute up-to-date threats.

These simulated attacks can be highly sophisticated threats that take all of the necessary abilities into account. Expert evaluators can also provide unbiased feedback and recommendations for improvement for the team. Attackmasters at Cloud Range not only evaluate technical aspects but also extensively debrief the scenario players to ensure that every action, good or bad, is captured and that improvements can be made. 

Having access to a cyber range training environment can also provide a cross-training capability to team members without the additional cost of a five-day boot camp. Security personnel and teams can practice detecting and responding to a real-world attack, but in a controlled environment and without the stress of it really happening. They have the opportunity to improve their technical skills, as well as their communication and problem-solving skills. This allows individual members to build additional abilities and increase the team’s overall effectiveness. 

True improvements in a SOC’s overall effectiveness come through a continuous process of testing and evaluation, much like a modern fire department that conducts drills throughout the year. Cyber ranges in conjunction with expert facilitators provide the best option for year-round testing. Scheduling a monthly cadence can provide decision-makers with real insight into the team’s improvement and its ability to reduce risk.

The challenges that individuals and teams face every day require continual updating of their skills and abilities. Without constantly reinforcing existing skills and improving execution, SOCs may fall behind the attackers’ increasing capability. Reach out to info@cloudrangecyber.com or contact us through our site to hear more about how Cloud Range can help your SOC keep pace with today’s threats. 