From SOC to SOAR: Building a Strong Cyber Defence Function

From SOC to SOAR: We interviewed Sean Brannigan, Head of Security Operations at TalkTalk, on building internal cyber defence functions, the steps involved, and the challenges faced. Sean details the process from initial breach recovery to establishing a robust internal team, including recruitment, tooling, and gaining board approval.

15 – 20 minute read (Who said building an internal Cyber Defence function was quick and easy?)

What led to the need for an internal Cyber Defence function, and did you decide on a fully internal or a hybrid function?

  • The creation of a Cyber Defence function and wider Security team was born out of the business suffering a major Cyber breach around 7 months before I joined, initially as Senior SOC Manager. Therefore, at the time the business was still in somewhat of a tactical recovery mode, both reputationally and in terms of improving its Cyber Security posture. Following the breach, a decision was made to employ one of the big four audit firms to provide an assessment of the current state of the business’s Cyber Security maturity, with this assessment being based on the NIST Cyber Security Framework.
  • At that time, and during the Cyber breach, the business had utilised an MSSP to provide Security Monitoring and Incident Response. One of my first responsibilities when joining the business was to understand the specifics of the scope of the MSSP provision and to perform a gap analysis to determine the next strategic steps for our SOC function, particularly regarding security monitoring of the network and the assets within it. It became clear that there were indeed significant holes in the MSSP coverage and, to fill these gaps, we would have to employ a strategy to significantly increase the scope of monitoring, which was proving to be neither cost nor time effective. I therefore proposed the idea of bringing the SOC capability fully in house, with 24×7 coverage, and building out both Security Incident Management and SIEM platform capabilities alongside this.

How did you get the Board/C-suite on board with the plan?

  • The key objective provided within the recommendations of the auditor was to ensure that we adopted a Cyber Security Framework (with NIST being chosen) and that there was a theme of yearly Security posture improvement for the business following the Cyber breach. I therefore mapped out a multi-year forecast of the costs of continuing with the MSSP under the current support cost model, in addition to future asset onboarding costs and the time to onboard, compared with the OPEX costs of employing a team and taking on development capabilities in house, as well as the OPEX and CAPEX costs of standing up the Case Management and SIEM tooling.
  • Certain aspects of this required a fair amount of explanation of technical concepts to non-Cyber-aware Senior managers, and therefore the commercial benefits and risk reduction elements had to be very clearly detailed for their consumption. In doing so, I was able to justify that the scalability of employing a SOC team internally, with appropriate tools, process and situational awareness, would be a much stronger, cost- and time-effective strategy for the business to adopt. Alongside this, other members of the Security Management team, focused on Security Architecture and Risk, were also performing similar assessments and developing proposals to build out their respective functions, as the wider Security team started to take shape.

What was in place already and how did you prioritise where to begin?

  • When I joined the business there were only a handful of Technology-based full-time staff who had a Security responsibility as part of their roles, but not in a dedicated manner. Therefore, it was key that once we had business backing in terms of budgets, we identified key roles, built out appropriate job descriptions, recruited in line with budget and then trained the team up to be able to perform their roles in a consistent manner. The key aim was to ensure that we had the right base level of training and competency in place for the team, particularly as the members of the team were from different backgrounds and knowledge sets. This was successfully achieved by deploying a SOC Competency matrix to define and measure capability against key SOC team tasks, as well as adopting the CompTIA Security certification path and supporting the team in achieving the related certifications.
  • As above, from a technology perspective, one of the key aspects we prioritised was to get greater visibility of the critical assets within the network, such as firewalls, VPN, Load Balancers, Microsoft DCs etc., as quickly as possible, and to be able to respond to threats in an efficient and effective manner. Elsewhere, the findings of the wider audit were populated into the newly formed Security Risk team’s risk register, which highlighted other aspects requiring attention, such as the fast-track onboarding of critical applications into the Web Application Firewall.
  • As a Security Management team, we then focused on the further gap analysis within the auditor’s report for required tooling and began building out key standards and policies to cover our critical security areas, with the SOC being responsible for defining the Asset Logging and Monitoring strategy.

How did you decide on tooling and if necessary, which vendors to work with?

  • Firstly, with a limited Security budget, we had to ensure that we were assessing the market for appropriate tools to cover the most concerning areas, where lack of capability presented the highest business risk combined with the highest likelihood of the risk being realised. This business risk vs likelihood framework also formed the backbone of our Security Prioritisation matrix, used by the SOC and Risk teams to assess threats and risks to the business respectively.
  • We also had to ensure that we had a clear understanding of the prospective benefits of each tool, with there being so many competing vendors across all the varying Security control areas that we would need to focus on.
  • Therefore, we approached each project and RFP process by mapping out our functional and non-functional requirements before prioritising them in a MoSCoW (must, should, could and won’t) type methodology, to ensure we could provide clarity to vendors during the RFP phase.
  • We formed a great partnership with a reseller and found that they had several brilliant SMEs who helped us perform market assessments of various toolsets in an independent and well-thought-out manner. This enabled us to whittle each security control area down to a handful of vendors, or fewer, which then allowed a relatively quick and painless RFP process and appropriate POC assessments of the remaining products, which the Reseller also provided support with.

What were the main struggles when setting up the function that you could advise others to look out for?

  • Recruitment for SOC Analysts and Security SMEs can be challenging in a very competitive market. There are often multiple SOCs being set up at the same time across the UK and it can be hard to find the right calibre of individual, who in the case of SOC analysts may also need to work out of hours, which increases the challenge somewhat. I was able to recruit several key members of the team due to previous working relationships, and together we developed a clear competency-based set of questions to ensure we recruited and expanded the team with the right self-motivated, capable and collaborative team members, enabling us to make great strides in the first year of my tenure.
  • One consideration for companies who wish to mature their Security Posture but have not experienced a Cyber Breach or near miss, and do not have a Cyber Security-aware Board/C-suite, is that it will likely be much harder to convince that Board to part with large sums of money to invest in Security; something I’m sure many Cyber Security professionals have encountered in their careers. Therefore, I believe it is critical to perform at least one of the following activities to promote the need for such investment at Board/C-suite level:

1. Employ an independent and trustworthy audit firm to assess the company’s Security posture, to provide an independent view of the current status and highlight the key areas of investment required, as well as the potential costs to do so. The audit firm should also advise on an appropriate Cyber Security Framework, e.g. NIST, NCSC CAF, SOC 2 etc., based on the size and location of your company and the services it provides. This independent view will be vital when justifying the required Security budget and multi-year plan to ensure Continuous Improvement of the company’s Security posture, but can be fairly expensive if the scope of the assessment is large and time-consuming.

2. Employ an independent pen testing team to provide a Red Team test of the company’s network. The focus of this test should be whether the company’s critical assets or services can be reached and potentially compromised by an external attacker. It is key that the scope of the test is clear and approved by the Board, and that the points at which the Pen Testers should stop (and not take down services) are clearly identified. The Pen Testing team should provide a report of findings, which can be used as evidence to justify security investment. Again, if this activity is successful at identifying holes in the armoury of the network it should help justify the need for investment, though it is worth saying that it will provide a more targeted and less holistic view than option 1, though it may also be a cheaper option if there are serious Security concerns about certain environments that you may be struggling to get investment to resolve.

What were the timelines involved to get it into a fully functioning cyber defence function?

The whole process of SOC recruitment and separation from the previous MSSP took around 18 months, as follows:

  • Around 9 months after I joined the business, we had gained budgetary approval to expand both people and tooling and reached ~50% recruitment completion, through a process of internal, external and referral-based recruiting.
  • In the same period, we had also completed the RFP process for, and stood up, our Security Incident Management platforms, allowing us to develop our Incident Response playbooks, but still utilising the MSSP for Security alerting requirements.
  • We stood up our SIEM platform 3 months later after completing a similar SIEM-based RFP process and began phasing the migration of Security monitoring alerting and log retention capabilities from the MSSP to our internal SIEM platform.
  • We completed team recruitment a further 4 months later, and the following month moved to a full SOC 24×7 capability in September 2017.
  • The last step of the initial SOC setup was to migrate away from the MSSP SOC, which we successfully completed 2 months later, allowing the MSSP contract to come to its end shortly after.

What has happened since the SOC and wider internal Security team was set up?

  • The wider Security Programme and other Departments gained similar levels of maturity in the first couple of years, but this has continued with a multi-year approach, in which we have focused on various other areas, such as enhanced DDoS mitigation, Endpoint Detection and Response deployment, Web proxy, Vulnerability Management and Microsoft Security capabilities, to name a few.
  • Alongside this, we perform regular process reviews, attend audits for various business compliance requirements such as ISO27001 and 9001, PCI, GDPR and Financial audits, and always aim to develop and promote staff from internal positions, which is something we pride ourselves on.
  • Around 4 years after joining the business, and due to a reorg, I was asked to amalgamate the Customer Security team with the SOC team, resulting in the migration and maturity of all their necessary Scam prevention and response processes into our SOC Incident Response tooling. Then, a year later, I was promoted to Head of the ‘Security Operations and Response’ Dept. I joined the Security Leadership team, who were responsible for a total of around 60 dedicated Security personnel, and took on direct management responsibility for the Security Response Level SMEs team, as well as the SOC team via the new SOC manager, whom I promoted from within the SOC team.
  • Again, this was an opportunity to focus and find solutions for some key challenges, with the SOC and SME teams previously facing collaboration and understanding challenges occurring between the two areas. We addressed this by encouraging in-office discussions, mentoring and training opportunities between Junior and Senior team members, opening the regular touchpoint meetings held between SMEs to the wider dept and enabling everyone to understand their place in the strategy and progress that we were making as a department, aided by personal strategy-based goal setting.
  • During my tenure as HoD, we have also adopted and developed significant automation and orchestration capabilities for the team, massively reducing our Incident response time and admin fatigue on various repeatable incident types, such as Phishing, whilst ensuring the team have appropriate and effective capabilities in place to protect the business. We have migrated the SIEM platform to a SaaS provider, from the initial on-prem capability, and made other wide-ranging tooling improvements, allowing the team to run a number of very mature toolsets to a consistently high standard for the protection of the business. This is also reflected in the annual third-party-run NIST maturity assessments, which consistently reflect well on our continual maturity steps, providing the justification for continued investment in Security by the business in future.

What benefits have you noticed from having a more robust internal cyber defence team?

  • Over the following years, our Security team, across what has become four departments, grew to around 60 members. There is an absolute desire to continually improve our capability, not just in my department but right across the team, and this has led to real step changes in our ability to proactively assess threats before they happen, provision tooling to defend against attackers when they try to attack our assets, and respond to any threats when they do.
  • We have mitigated numerous threats, from Phishing campaigns to DDoS Attacks, through to attempts to breach critical Web applications through layer-7-based and Malware attacks. All these attacks have been prevented and/or responded to by our internally managed controls, many of which are operated within my dept and are configured to industry best practice standards, backed up by internally developed and robust incident response processes based on the NIST Cyber Security Framework.
  • We have been able to reduce other OPEX costs by having the expertise to provision Security measures in IaaS environments, instead of having to rely on other separate tooling, including on-prem tools that require additional upkeep. Cyber Insurance premiums have also been reduced, and audits have been passed without Major findings each year, as a result of the People, Process, Technology and Situational awareness capabilities that we have in place today.

We want to thank Sean Brannigan for his invaluable insights and comprehensive expertise in this Q&A. Sean’s thoughtful responses have provided a deeper understanding of building internal cyber defence functions and all that comes with it. Thank you for your time and effort in sharing your knowledge with us.

About Sean Brannigan

Sean Brannigan is a seasoned cybersecurity professional with over 17 years of experience in the industry. He began his career at Hewlett Packard’s Managed Security Service Provider (MSSP) division, where he honed his skills for 8 years. Sean then joined TalkTalk, where he served as the SOC Manager, leading the 24/7 Security Operations Center (SOC) team for 5 years. His dedication and expertise led to his promotion as the Head of Department for Security Operations and Response.

Sean is a strong, results-driven leader with a proven track record in 24×7 SOC and Security Operations management in addition to Cyber Security Incident response. He is well-versed in NIST, ISO27001, and CIS frameworks, and has developed robust incident response processes. His strategic planning skills and commitment to continual service improvement have driven value and optimized capabilities within fixed budgetary constraints.


Sean has a solid understanding of security architecture and control frameworks, including SOAR, SIEM, EDR, WAF, DDoS, Web proxies, Firewalls, IPS, and threat intelligence platforms, whilst his expertise extends to vendor and supplier engagement, project sign-off due diligence, and managing security services from both customer and provider perspectives.

Currently, Sean is pursuing his CISSP certification to further enhance his credentials and has previously held ITIL Service Management and SANS GIAC Certified Incident Handler (GCIH) certifications.

In his free time, Sean enjoys supporting his children’s busy extra-curricular activities, including coaching his son’s football team, alongside maintaining an active personal lifestyle, which helps him maintain a balanced and fulfilling life.

You can find out more about Sean and his daily life as a Head of Security Operations and Response: A Day in the Life of a Head of Security Operations and Response – Sean Brannigan, TalkTalk | Manchester Digital

InfoSec People is a boutique cyber security and IT recruitment consultancy, built by genuine experts. We were founded with one goal in mind: to inspire people to find the careers that inspire them. With the success of companies fundamentally driven by the quality of their people, acquiring and retaining talent has never been more important. We believe that recruitment, executed effectively, elevates and enables your business to prosper.

We also understand that cyber and information security recruitment can genuinely change people’s lives, that’s why we take the duty of care to those we represent very seriously. All our actions are underpinned by our core values:

  • Always do the right thing
  • Be the best we can be
  • Add value

We work with businesses in the cyber/tech arena, from start-ups and scale-ups to FTSE100 and central Government, many of whom are always looking for great people.

Call us directly on 01242 507100 to discuss opportunities or email info@infosecpeople.co.uk.

www.infosecpeople.co.uk