Orchestrating and Automating a More Secure SOC

Moderator Ricardo Lafosse and his group began the topic by discussing SOC automation, starting with overall SOC structure. Many teams have global SOCs while others have blended teams that split and share certain responsibilities. SOC teams come with a variety of skillsets, but the two that were most discussed were software development and tool management. One member at the table suggested that using the kill chain was an effective method for entering security operations because it prevents SOC members from going down rabbit holes and spending too much time on one ticketed incident. Lafosse shared with the group that his developers choose to engage with SOC activities because his enterprise has a program that allows them to try different tools and technologies. To use these tools and technologies effectively, however, developers are required to come in and out of the SOC to learn their processes and understand how the SOC is run. In exchange, this collaborative effort has helped the enterprise automate and improve overall SOC functions.

Nevertheless, participants agreed that the SOC’s biggest pain point is still noise. It’s difficult to watch every single alert that comes through a SOC, so the group discussed possible solutions, such as optimizing toolsets and augmenting a SOC using an MSSP. The group also covered the problem of SOC access management. SOC analysts have access to a variety of sensitive information within an enterprise, including live data that is both encrypted and unencrypted. To ensure accountability, the group found that change management workflows and firecall IDs were effective in checking who had access to what data and who gave permission for that access. Finally, not everything can be automated, but processes that perform well with automation are anti-phishing efforts, evidence collection, blocking, and database mining. In contrast, automation does not work for automatically blocking on IDS alerts, because of their high false-positive rate, or for other tools that require additional human intervention. Overall, automation helps the SOC workflow most through noise reduction, allowing SOC analysts to pursue more valuable tasks.
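The two automation points the group raised, noise reduction and not auto-blocking on IDS alerts, can be shown in one small triage step. The following is an added illustration, not code from the discussion or from any participant's enterprise: the alert records, source names, signatures and addresses are constructed, and the `AUTO_POLICY` table is an assumed playbook configuration. Repeated alerts with the same source, signature and subject inside a time window collapse into one incident; user-reported phishing is handled end to end, while IDS incidents are only enriched and queued, with repeated hits escalated to an analyst.

```python
"""Alert aggregation with guarded automation for SOC triage (constructed example)."""
from datetime import datetime, timedelta

# Constructed sample alerts; sources, signatures and addresses are made up.
SAMPLE_ALERTS = [
    {"ts": "2024-05-01T09:00:00", "source": "ids", "signature": "scan-portsweep", "src": "203.0.113.7"},
    {"ts": "2024-05-01T09:00:05", "source": "ids", "signature": "scan-portsweep", "src": "203.0.113.7"},
    {"ts": "2024-05-01T09:00:09", "source": "ids", "signature": "scan-portsweep", "src": "203.0.113.7"},
    {"ts": "2024-05-01T09:02:00", "source": "ids", "signature": "policy-weak-cipher", "src": "10.0.0.12"},
    {"ts": "2024-05-01T09:03:00", "source": "mailgw", "signature": "user-reported-phish", "src": "alice"},
    {"ts": "2024-05-01T09:03:30", "source": "mailgw", "signature": "user-reported-phish", "src": "bob"},
    {"ts": "2024-05-01T09:20:00", "source": "ids", "signature": "scan-portsweep", "src": "203.0.113.7"},
]

# Assumed playbook policy: what a playbook may do without an analyst.
# IDS alerts are enrich-only; auto-blocking on them fails on false positives,
# so the most automation does is gather context and queue the incident.
AUTO_POLICY = {
    "mailgw": "quarantine_and_close",
    "ids": "enrich_and_queue",
}

WINDOW = timedelta(minutes=5)


def aggregate(alerts, window=WINDOW):
    """Collapse alerts sharing (source, signature, src) that arrive within
    `window` of the group's first alert into a single incident."""
    incidents = []
    open_groups = {}  # key -> index into incidents
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["source"], a["signature"], a["src"])
        ts = datetime.fromisoformat(a["ts"])
        idx = open_groups.get(key)
        if idx is not None and ts - incidents[idx]["first_seen"] <= window:
            incidents[idx]["count"] += 1
            incidents[idx]["last_seen"] = ts
            continue
        # Outside the window (or first sighting): open a new incident.
        incidents.append({"source": a["source"], "signature": a["signature"],
                          "src": a["src"], "first_seen": ts, "last_seen": ts, "count": 1})
        open_groups[key] = len(incidents) - 1
    return incidents


def route(incident, escalate_at=3):
    """Pick the playbook action. Returns (action, needs_analyst)."""
    action = AUTO_POLICY.get(incident["source"], "manual")
    if action == "enrich_and_queue":
        # Never block automatically; repeated hits go to an analyst,
        # single hits stay in the low-priority queue.
        return action, incident["count"] >= escalate_at
    if action == "quarantine_and_close":
        return action, False
    return action, True


def triage(alerts):
    """Aggregate, route, and summarise how much noise the step removed."""
    incidents = aggregate(alerts)
    for inc in incidents:
        inc["action"], inc["needs_analyst"] = route(inc)
    return {
        "alerts": len(alerts),
        "incidents": len(incidents),
        "analyst_queue": sum(1 for i in incidents if i["needs_analyst"]),
        "auto_closed": sum(1 for i in incidents if i["action"] == "quarantine_and_close"),
        "incidents_detail": incidents,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_ALERTS)
    print(f"{summary['alerts']} alerts -> {summary['incidents']} incidents, "
          f"{summary['analyst_queue']} for an analyst, {summary['auto_closed']} auto-closed")
    for inc in summary["incidents_detail"]:
        print(inc["source"], inc["signature"], inc["src"], inc["count"], inc["action"])
```

Seven constructed alerts become five incidents, and only one of them (the repeated port sweep) reaches the analyst queue; the two phishing reports are closed by the playbook. The time window and escalation threshold are the knobs a team tunes against its own false-positive rate.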