What is in Your SOC?
Offensive or defensive culture for SecOps: becoming purple?
Organizations developing a security operations center (SOC) should consider which strategy to adopt based on the cybersecurity professionals available to them: offensive or defensive?
Organizations hope the two strategies will be interchangeable; however, this idea rarely works out well. The decision to develop a SOC strategy should consider the following attributes:
- What is the makeup of the personnel in the organization? Are they experienced cyber warriors, recent additions to the cybersecurity field, or staff moving over from traditional IT roles?
- What is risk management's role in, and engagement with, determining the business requirements for the SOC?
- Does the company leadership understand the importance and value of investing in their resources to align with the SOC culture?
- What is the organization’s approach to threat management?
Understanding offensive SOC culture
At the beginning of each fiscal year, corporate finance disburses the approved operating and capital budget for the following year. Except for a few “off-the-books” emergency budget requests to cover things such as cybersecurity insurance claims the provider did not pay, the CISO and CIO pretty much know how many “swords” they have to work with to support 24x7x365 security monitoring and operations.
As an organization, knowing you only have “ten swords” to deal with every possible cyber security threat in the coming year, how do you then deploy your resources?
Offensive strategy
Even if your organizational SOC culture is supposed to focus on risk reduction, do you deploy your “swords” in a defensive position as a 360-degree circle, or do you point all your “swords” in the same direction?
An offense-minded SOC focuses on a more proactive approach to security. This strategy staffs its DevOps, SecOps, and NetSecOps security teams with members experienced in the following disciplines:
- Threat hunting and threat intelligence
- Threat modeling with expertise in adversary techniques
- AI & ML predictive scoring with advanced security analytics
- Extensive experience with offensive cyber tools for counter-attacking hackers
- Leveraging honeypots and autonomic security operations
- Investing in XDR with a centralized telemetry strategy
- Hiring and retaining several Certified Ethical Hacker (CEH) resources in house
- Investing in continuous vulnerability scanning
- Making extensive use of the MITRE ATT&CK framework and the Lockheed Martin Cyber Kill Chain
This strategy focuses on stopping and preventing attacks, and on being aggressive and proactive in addressing government regulations, compliance requirements, and the overall impact of cyber-attacks. Team members should also have cross-cutting, overlapping skills and experience that align with the offensive culture.
Defensive strategy
How would an organization deploy the identical “ten swords” to support a defensive strategy? How will the organization be protected if you have deployed your swords in a 360-degree circle designed to “react and protect”?
What disciplines and experience would you need in your resources?
- Incident response expertise inside of a security operations program
- SOAR automation expertise supporting an adaptive security architecture
- Crisis management expertise supporting agile response processes
- Domain-specific expertise — identity management, network security, application security
- Process-driven, results-oriented management experience
- Leveraging traditional SIEM technology for reporting, analysis, and root-cause analysis
- Enabling tools, including the MITRE ATT&CK framework
This strategy focuses on detecting, responding, and optimizing. Similar to the offensive strategy, hiring and retaining qualified resources is a considerable challenge for any organization.
The role of risk management in determining which strategy aligns with the organization
Companies that choose either the offensive or the defensive strategy face similar risk implications: retaining qualified talent, having the resources to respond to an increase in attacks against corporate assets, and helping keep cybersecurity insurance premiums lower.
What is the current overall risk composite of the organization? Is there a specific area of the enterprise that is more prone to risk? Which model will help reduce the risk without introducing new attack surfaces?
Risk of deploying an offensive strategy for a SOC
Being on offense has many advantages. Your limited number of “swords” is focused on stopping an attack before the event happens. Leveraging threat modeling, pen testing, vulnerability scanning, and predictive analytics, this team invests aggressively in techniques and enables a “counter-attack” culture against the cybercriminal.
With a limited number of “swords” all pointing in the same direction, where is the organization's exposure to risk?
What resources protect the scrum from behind or from the side if all the “swords” are pointed in one direction? How will the offensive team respond? Will this cause a breakdown in offensive activities? Do offensive security engineers have the response and reactive skills, and the patience for tedious tasks?
In the defensive strategy, what is the risk of having all the “swords” in a protective circle? This team is in reactive mode. What chance does this strategy give the organization, knowing that this team, like the offensive side, only has ten swords, thanks to the ever-generous CFO and COO? In time, the ten swords become overwhelmed by the volume of attacks, and the circle breaks down. As with a brute-force attack or a denial of service, once one “sword” is overcome, the entire defensive circle is exposed.
What is the role of an MSSP?
The role of a managed security service provider is essential for both strategies. If the organization is more “offensive,” leveraging managed services as its detection and response team will provide a much-needed balance with response capabilities. If the organization is more “defensive” in nature, what role could an MSSP play?
An MSSP augmenting an organization’s offensive security requirement is also very relevant. This dynamic promotes a competition between an external “red team” and the internal “blue team.” In the end, the organization achieves a “purple” culture: both teams collaborate while maintaining separation of duties. Purple has become the new security operations model in many organizations, and many more are slowly adopting a purple cybersecurity strategy. CFOs and CIOs realize the importance and value of the purple culture in dealing with cybersecurity while reducing risk and attack surfaces in the organization.
How does one choose between offensive or defensive?
Risk management, available resources, compliance mandates, and financial capital are critical in determining which strategy aligns with the organization. The offensive model requires more experienced threat modeling engineers, experience dealing with real threats, ethical hacking, and AI & ML expertise. These resources need higher salaries and compensation plans to reflect their extensive credentials and certifications. When pairing up with an MSSP, the cost of outsourcing that portion of the strategy will be less compared to the defensive model.
With the defensive model, salaries and the experience required will be less costly. Many engineers in the defensive model will be experienced in traditional security operations, rapid response, operational technology, and technology systems management. Most new people entering the cybersecurity field will end up working in security operations. Outsourcing the “red team” will be more expensive than hiring a “blue team.”
Ultimately, this decision comes down to the organization’s willingness to hire, retain, compensate, and invest in experienced cybersecurity warriors who can operate as “one,” not as ten individual “swords” backed by an outsourced, SLA-driven firm doing its best to help the organization do its best.
“Invest in your people; they, in turn, will invest in their organization.”
That is the secret to better cybersecurity!
People protect people!
All the best,
John