Robust Security Operations Teams

Securing our businesses from invisible invaders is imperative, and it requires orchestrating our defences like a symphony, with each resource playing its part to perfection. The challenges of implementing robust security operations include a scarcity of skilled personnel, insufficient resources, a reactive approach to threats, and an over-reliance on tools to fill gaps; getting this wrong can lead to catastrophic financial, reputational, and regulatory consequences.

The key lies in using the right resources effectively: skilled professionals, cutting-edge technology, robust processes, and strategic insights, all guided by the MITRE ATT&CK framework. This globally accessible knowledge base of adversary tactics and techniques lets us anticipate threats, prioritise resources, and build dynamic defences.

Setting the Stage: The Current State of Security Operations

Let’s begin by understanding our battleground. Many organisations face a myriad of challenges when it comes to implementing security operations correctly. These range from a lack of skilled personnel and inadequate resources to a reactive, rather than proactive, approach to threats. There is also the age-old problem in cybersecurity of just adding another tool to cover a gap.

Picture this: it’s a bit like trying to play cricket with a tennis racket, isn’t it? You could give it a good try, but you’re not likely to hit a six anytime soon.

The Consequences of Inadequate Security Operations

Here’s the stark reality – the consequences of not getting security operations right can be catastrophic. We’re talking about potential financial losses, damage to brand reputation, and regulatory penalties. Imagine watching your castle crumble because you didn’t quite manage to get the right guards in place, had nobody watching for attempts to breach the walls, or forgot to repair that crack in the wall.

The Right Resources: The Cornerstone of Robust Security Operations

Let’s turn our attention to getting the ‘right resources’. By this, I mean skilled professionals, cutting-edge technology, robust processes, and strategic insights. And I must stress, it’s not just about having these resources, but about using them effectively.

Think of it as directing an orchestra. You could have the best musicians with the finest instruments, but without a skilled conductor to lead them, the result would be a cacophony rather than a symphony.

Guiding the Symphony: The Role of MITRE ATT&CK

Speaking of guidance, let me introduce you to a veritable maestro in our world, if you are not already familiar – MITRE ATT&CK. It’s a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. Imagine it as sheet music, guiding our orchestra of security operations.

By using MITRE ATT&CK, we can adopt a threat-led strategy: understanding the enemy’s playbook, anticipating their moves, and proactively preparing our defences. It’s a bit like knowing where the bowler is going to pitch before you take your swing. Rather advantageous, wouldn’t you say?

MITRE ATT&CK helps us prioritise our resources, focusing on the most pertinent threats and the most vulnerable areas. It enables us to build a defence that is as dynamic and adaptable as the threats we face.

Implementing Effective Security Operations

So, where do we go from here? The path forward is clear. We need to invest in the right resources, make strategic use of tools like MITRE ATT&CK, and foster a proactive, threat-led approach to security operations.

We need to ensure that our security teams are not just well-equipped but well-led, with a clear understanding of the threat landscape and a strategic plan to navigate it. We need to foster continuous learning and improvement, keeping pace with the ever-evolving digital threats.

Why start with a MITRE ATT&CK SOC Assessment?

Last year I studied the course material on conducting SOC assessments using MITRE ATT&CK and successfully gained the certification. Think of a MITRE ATT&CK SOC (Security Operations Centre) assessment as the process of tuning your orchestra before the grand symphony. You wouldn’t want your violins to be out of sync with your cellos, would you? Similarly, a SOC assessment ensures that all your security operations are harmonised and primed for action.

A MITRE ATT&CK SOC assessment provides a comprehensive evaluation of your security operations against the ATT&CK knowledge base. It helps you understand your strengths, identify areas of weakness, and gives you a clear roadmap for improvement.

Understand the ATT&CK Framework:

Before you start the assessment, it’s crucial to familiarise yourself with the ATT&CK framework. It’s a bit like understanding the sheet music before you start playing. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It’s a curated knowledge base and model for cyber adversary behaviour, reflecting the various phases of an adversary’s attack lifecycle and the platforms they are known to target. It is organised into tactics (the adversary’s objective at each stage, such as initial access or lateral movement) and the techniques used to achieve each of them, and a single technique can sit under more than one tactic.

Evaluate Your Current Security Posture:

The next step is to evaluate your current security posture against the ATT&CK framework. This involves mapping your current security operations, including the tools, processes, and resources you have in place, against the tactics and techniques in ATT&CK. Be honest about the difference between a log source that could in principle reveal a technique and a detection that actually alerts on it: the former is visibility, the latter is coverage. This will help you identify which areas you are well prepared for and where you might be vulnerable.

Conduct a Gap Analysis:

Once you have a clear picture of your current security posture, the next step is to conduct a gap analysis. This involves identifying any areas where you lack the telemetry, detection content, or response processes needed to effectively detect and respond to the tactics and techniques outlined in the ATT&CK framework.

Develop a Roadmap for Improvement:

The final step in the assessment process is to develop a roadmap for improvement based on the results of your gap analysis. This roadmap should outline the steps you need to take to bolster your security operations, prioritising areas where you are most vulnerable.

Continuous Evaluation and Improvement:

Keep in mind, a SOC assessment is not a one-time event. Just as the digital threat landscape is constantly evolving, so too should your security operations. Train your team to conduct regular assessments, and repeat one whenever your estate changes materially or a new ATT&CK version is released, ensuring you stay one step ahead of potential threats.

Threat Intelligence: Knowing Your Adversaries

Threat intelligence, as we discovered in my previous article, is a bit like your intelligence agency in the cybersecurity world. It involves collecting, analysing, and interpreting information about potential threats, including the tactics, techniques, and procedures (TTPs) used by threat actors.

MITRE ATT&CK: A Knowledge Base of Adversary Behaviour

While threat intelligence gives us a glimpse of the enemy’s plans, the MITRE ATT&CK framework provides us with a comprehensive playbook of their strategies. ATT&CK is a curated knowledge base that outlines the different phases of an adversary’s attack lifecycle and the platforms they are known to target.

Identifying Threat Actors:

Utilising threat intelligence and the MITRE ATT&CK framework, we can identify potential threat actors that may target our organisation. This involves analysing the TTPs used by various threat actors and comparing them with our threat intelligence data.

By doing this, we can identify which threat actors are most likely to target our organisation based on factors like our industry, geographical location, and the nature of our digital assets. It’s a bit like knowing which pirates are likely to target our ship based on our cargo and sailing route.

Prioritising our Strategy: A Threat-Led Approach

You get the idea: following this process, you now know which threat actors typically target your industry, and you know how they typically go about attacking businesses like yours.

So, once we’ve identified some potential threat actors, the next step is to prioritise our strategy. This involves analysing the tactics and techniques used by these threat actors and identifying which of our systems or processes are most vulnerable to these methods of attack.

This threat-led approach to prioritising what to tackle first ensures that we focus our resources where they are most needed, addressing the most critical vulnerabilities first. It’s like reinforcing the weakest parts of our fortress walls before the enemy’s battering ram arrives.

By understanding our adversaries and their strategies, we can prepare our defences and prioritise our fixes effectively, ensuring that our organisation remains resilient in the face of digital threats. It’s all about knowing the lay of the land, understanding the enemy, and strategically fortifying our defences. After all, the best offence is a good defence.
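To make the assessment steps (map coverage, find gaps, build a roadmap) and the threat-led prioritisation concrete, here is a small Python script added to this article; it is not from MITRE or from any assessment toolkit. The technique and tactic names are a hand-picked subset of ATT&CK Enterprise, with each technique pinned to one tactic for brevity; the detection inventory, the two actor profiles (ACTOR-A and ACTOR-B) and the scoring weights are constructed for illustration. In a real assessment you would load the full knowledge base from MITRE’s published STIX data, take the actor TTPs from your threat intelligence, and derive the quality rating of each detection from actually testing it.

```python
"""Illustrative ATT&CK coverage, gap analysis and threat-led prioritisation.

Added example for this article; the data below is constructed, not a real SOC.
"""
from collections import Counter

# Hand-picked subset of ATT&CK Enterprise: technique id -> (name, tactic).
# Some of these map to several tactics in ATT&CK (e.g. T1078, T1053); one is
# kept here to keep the model small.
TECHNIQUES = {
    "T1566": ("Phishing", "Initial Access"),
    "T1078": ("Valid Accounts", "Initial Access"),
    "T1059": ("Command and Scripting Interpreter", "Execution"),
    "T1053": ("Scheduled Task/Job", "Persistence"),
    "T1003": ("OS Credential Dumping", "Credential Access"),
    "T1018": ("Remote System Discovery", "Discovery"),
    "T1021": ("Remote Services", "Lateral Movement"),
    "T1071": ("Application Layer Protocol", "Command and Control"),
    "T1041": ("Exfiltration Over C2 Channel", "Exfiltration"),
    "T1486": ("Data Encrypted for Impact", "Impact"),
}

# Constructed inventory of what the SOC actually alerts on. "quality" is the
# assessed confidence in the detection: "high" (tested, tuned) or "partial".
COVERAGE = [
    {"name": "Email gateway sandbox", "techniques": {"T1566"}, "quality": "high"},
    {"name": "Sysmon + script-block logging analytic", "techniques": {"T1059"}, "quality": "high"},
    {"name": "EDR LSASS access rule", "techniques": {"T1003"}, "quality": "partial"},
    {"name": "Proxy beaconing analytic", "techniques": {"T1071"}, "quality": "partial"},
]

# Constructed actor profiles (hypothetical names): techniques each is observed
# using. Real profiles come from your CTI feed and the ATT&CK group pages.
ACTORS = {
    "ACTOR-A (ransomware affiliate, targets finance)":
        {"T1566", "T1078", "T1059", "T1003", "T1021", "T1486"},
    "ACTOR-B (espionage, targets finance)":
        {"T1566", "T1078", "T1018", "T1071", "T1041"},
}

QUALITY_RANK = {"none": 0, "partial": 1, "high": 2}
GAP_WEIGHT = {"none": 2, "partial": 1, "high": 0}  # illustrative weights


def coverage_by_technique(techniques, coverage):
    """Best detection quality per technique; 'none' when nothing maps to it."""
    best = {tid: "none" for tid in techniques}
    for control in coverage:
        for tid in control["techniques"]:
            if tid not in best:
                continue  # control maps outside the model; ignore it
            if QUALITY_RANK[control["quality"]] > QUALITY_RANK[best[tid]]:
                best[tid] = control["quality"]
    return best


def tactic_coverage(techniques, coverage):
    """Per tactic: (techniques with any coverage, techniques in the tactic)."""
    best = coverage_by_technique(techniques, coverage)
    covered, total = Counter(), Counter()
    for tid, (_, tactic) in techniques.items():
        total[tactic] += 1
        if best[tid] != "none":
            covered[tactic] += 1
    return {tactic: (covered[tactic], total[tactic]) for tactic in total}


def gap_analysis(techniques, coverage):
    """Sorted ids of techniques with no or only partial detection."""
    best = coverage_by_technique(techniques, coverage)
    return sorted(tid for tid, quality in best.items() if quality != "high")


def prioritise(techniques, coverage, actors):
    """Threat-led ranking: gap weight multiplied by the number of relevant actors."""
    best = coverage_by_technique(techniques, coverage)
    usage = Counter(tid for ttps in actors.values() for tid in ttps if tid in techniques)
    rows = []
    for tid, (name, tactic) in techniques.items():
        rows.append({
            "technique": tid, "name": name, "tactic": tactic,
            "coverage": best[tid], "actors": usage[tid],
            "score": GAP_WEIGHT[best[tid]] * usage[tid],
        })
    return sorted(rows, key=lambda r: (-r["score"], r["technique"]))


def roadmap(techniques, coverage, actors):
    """Ordered technique ids worth acting on: a gap that at least one actor uses."""
    return [r["technique"] for r in prioritise(techniques, coverage, actors) if r["score"] > 0]


if __name__ == "__main__":
    for tactic, (c, t) in tactic_coverage(TECHNIQUES, COVERAGE).items():
        print(f"{tactic:<20} {c}/{t}")
    print("Gaps:", gap_analysis(TECHNIQUES, COVERAGE))
    for r in prioritise(TECHNIQUES, COVERAGE, ACTORS):
        print(f"{r['technique']} {r['name']:<34} coverage={r['coverage']:<8} "
              f"actors={r['actors']} score={r['score']}")
```

With this constructed data the top of the roadmap is T1078 (Valid Accounts): both relevant actors use it and nothing in the inventory detects it. T1486 (Data Encrypted for Impact) is the scariest outcome but ranks lower, because only one of the two actors is a ransomware operator and encryption is the last step of the intrusion rather than the first; that is the threat-led point in practice.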

In a future article I will dive into how to build out an effective security operations team: how to start from one person and build out a world-class team capable of providing security operations for multiple cloud bank platforms at the same time. Until then, enjoy exploring MITRE ATT&CK.