#HowTo Launch a Remote SOC

Written by

At the beginning of 2020, some organizations will have had plans to launch a remote security operations center (SOC) at some point in the future, but the global pandemic has accelerated things.

Having SOC analysts work remotely during lockdown has shown that ‘going virtual’ is not only possible, but can actually offer many benefits. The flexibility in how a remote SOC can be designed and operated can better prepare enterprises for crises, and having analysts working from anywhere can help address the skills gap that plagues organizations; some 58 percent of businesses cite lack of skills as the top challenge facing their SOC team.

While remote SOCs are an attractive proposition, there are some important considerations to ensure analysts don’t feel cut off when they’re scattered across various locations. With the right data, tools and processes in place, organizations can be confident that their SOC team remains exactly that – an effective, functioning team.

Adapting SOC tools for remote work

Remote analysts face unchartered waters as they move to a decentralized SOC. The fact of the matter is some traditional security applications and technologies, such as firewalls or threat intelligence feeds and databases, were either built for or are typically hosted within a corporate environment and were not designed for long-term remote use.

Organizations launching a remote SOC must therefore ensure analysts have what they need to maintain the same levels of efficiency and productivity as they did when they were based in a central location.

This includes ensuring the computers they’re working from remotely can handle everything from detecting, investigating, and responding to threat alerts, to scanning and monitoring endpoints both on and off the network.

It’s also important to pick SOC tools that give remote analysts the same (or better) access to all the information they would usually have, enabling them to continue to perform fast root-cause analysis, prioritize threats, and ultimately stop bad actors.

Providing SOC analysts with faster and better context

When operating a remote SOC, speed of response and action is even more important. Analysts will not have the in-person collaboration and interface with the rest of the business that they would get in a centrally-located SOC. As a result, the business context for every asset, entity and endpoint on the network is made that-much-more critical to effective response.

The remote SOC analyst needs to have answers to questions such as “What is this? Who owns it? What does it have on it? Should I care about it?” even faster than before.

Also analysts shouldn’t have to feel like they’re drowning in data to get to these answers. Remote SOCs should make use of tools that help automate some of the analysis, such as applying user and entity behavior analytics (UEBA) to their user, network and endpoint data and correlating this information with threat intelligence. Machine learning can then automatically build models, learn from historical data, and can identify malicious or abnormal activity quickly.

Conducting effective incident response

Being able to identify malicious activity is only half the battle; SOC analysts will still need to effectively respond to security threats as a team, despite being based in different locations. This can be made more difficult as analysts may not be able to collaborate and discuss sensitive matters as easily.

Enterprises launching a remote SOC must therefore ensure all SOC documentation and playbooks are up to date and easy to access remotely. This way, analysts will be able to access information on how they should respond to an incident, and processes should be constantly updated in line with new threats that arise.

Whether working from a central or dispersed location, no SOC analyst is an island. Collaboration and knowledge sharing is critical for the SOC team to tackle new problems. One such example is the rise in working from home, which 91 percent of executives state has led to increased cyber-attacks. If a remote-working employee is not connected to the company VPN, analysts may be unable to track that user’s activity and ensure that everything is secure. In this scenario, if the relevant incident response playbook is up-to-date and insights are shared among the SOC team, remote analysts will still be able to respond quickly and effectively.

Why going remote should make virtually no difference

The SOC is the heart of an enterprise’s threat detection and response capabilities, so it’s not surprising many were nervous about ‘going remote’ when global lockdowns began earlier this year. However, the pandemic has shown many that it is a viable option – if it’s done with some consideration – and in fact, can help tackle some existing SOC challenges, such as addressing the cybersecurity skills gap.

What’s important is that those organizations that do decide to launch a remote SOC, do so with their SOC analysts in mind; making sure that they have the same – if not better – access to the information, tools and processes they need to keep the business safe. This will help them continue to function as an effective team, wherever they may be.

What’s hot on Infosecurity Magazine?