
State of Security Operations Report for 2018

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 22 min read

Summary:

This text provides an overview of managing and improving Security Operations Centers (SOCs) in hybrid environments, emphasizing techniques such as threat intelligence, automation, and continuous improvement. The key points relating to organizational documentation, document control, and management practices within a SOC are:

1. **Organizational Documentation**: Maintaining up-to-date organizational documentation is stressed, including processes for sharing images, video captures, scripts, and other operational materials across the team. This ensures that all team members have access to the information their roles require.
2. **Document Control**: To keep document control relevant and fresh, documents must be reviewed and updated regularly. This is a continuous improvement process in which outdated or incorrect information is identified and corrected promptly.
3. **Role Definition**: Clear definition of roles and responsibilities is essential to avoid mishandling incidents in hybrid environments. This covers both insourced and outsourced functions and ensures that shift turnover information is communicated effectively between groups.
4. **Compliance Integration**: Compliance with relevant regulations and standards should be integrated into the SOC's operations, so that all processes align with legal requirements. Compliance can shape decisions about technology changes and data collection methods.
5. **Technology within a SOC**: Technology supports, enforces, and measures processes within the SOC. This includes using tools such as a SIEM for correlation across different technologies and deploying application security monitoring use cases to identify potential breaches.
6. **Data Collection Optimization**: Data collection should be optimized so that technology investments are better targeted. This involves assessing all aspects of operations, including data visualization through dashboards and reporting that help monitor health and availability.
7. **Continuous Improvement**: The SOC should continuously assess and improve its processes based on performance metrics such as KPIs for analysts' tasks. This includes rotating analysts through project-based tasks such as communications, research, special projects, and unstructured analysis.
8. **Automation in Breach Handling**: Automation is used not only for routine tasks but also during the initial stages of a breach to minimize its impact. Proper rotation of duties among analysts helps maintain high performance levels and reduces attrition.
9. **Threat Detection and Remediation**: Effective threat detection rests on robust data aggregation, with risk remediation delivered through technology solutions that push incident identification closer to analysts, saving time and resources.
10. **Technology Alignment with Business Requirements**: Technology within the SOC should align with business requirements and support, enforce, and measure the processes executed in the SOC. This includes assessing architecture, architectural process, documentation, technology coverage, data collection methodology, and consolidation of data quality use cases.
11. **Leadership and Governance**: Organizations must consider leadership, processes, technology, and infrastructure before implementing changes, to avoid reduced operational maturity while new systems ramp up. This includes keeping the collected data relevant and basing decisions about technology changes on current information.

In summary, this text outlines a comprehensive approach to managing an effective SOC by emphasizing both human resource management (with specific tasks for analysts) and technological integration aligned with organizational goals and processes. It highlights the importance of up-to-date documentation, clear role definitions, technology that supports operational processes, continuous improvement through automation, and leadership in decisions about changes to data collection methods and technology within the SOC.

Details:

This white paper provides a comprehensive analysis of the capabilities and maturity levels in cyber defense operations across various organizations worldwide. It covers key aspects such as people, processes, and technology used for incident detection and response to safeguard critical assets including intellectual property and customer information. The report, which is the fifth installment, examines how these elements vary significantly among different companies and industries. The white paper begins with an introduction highlighting the importance of advanced security programs in safeguarding crucial technological assets across organizations globally. It then moves on to present various findings from previous years' reports, including a summary of observations and findings for 2017. The research delves into the maturity levels of security operations by industry, providing insights into how different sectors are managing their cyber defense capabilities. Key topics covered include:

  • Median Security Operations Maturity year over year

  • Trends in Security Operations Maturity around the globe

  • Industry medians and trends in Security Operations Maturity

  • 2017 Summary of Observations and Findings

The white paper closes with a conclusion that summarizes the key takeaways from the preceding sections, giving a broader view of how cyber defense capabilities are evolving within different organizations. An appendix contains additional information supporting the findings presented in the main body of the report. This analysis serves as guidance for cybersecurity professionals and executives aiming to enhance their organization's security operations maturity. The State of Security Operations report by Micro Focus® Cyber Security Services annually evaluates and compares security operations across global organizations. Since 2015, this report has assessed over 140 SOCs in the public, private, enterprise, and managed service provider sectors, spread across six continents and 33 countries. The research identifies best practices that drive success in cyber defense programs and helps organizations benchmark their capabilities against others within the same industry vertical or region. Micro Focus has been involved with advanced security programs for over a decade, working with top global cyber defense teams, which makes it uniquely qualified to publish this report. The Micro Focus Security Operations Maturity Model (SOMM) is an updated methodology for assessing cyber defense capabilities. It evaluates the business alignment, people, process, and technology aspects of an organization's security operations and scores them against best practices. Maturity levels have improved since the model's inception, with the median reaching 1.42 across industries last year. Over the past five years, 25% of assessed organizations have met business goals or are working towards recommended maturity levels, an improvement of 7% over the previous year and 12% compared to the first assessment.
The State of Security Operations report by Micro Focus SIOC highlights significant improvements in cyber defense capabilities over the last five years. According to the report, 20 percent of assessed cyber defense organizations failed to achieve a Security Operations Maturity Model (SOMM) level 1 during this period. These underperforming organizations continue to operate with ad-hoc processes and significant security gaps. Despite this, there has been an overall improvement in operational sophistication across the industry. Cyber defenses are rapidly shifting towards co-managed operations with vendors and niche providers to tackle the global shortage of cyber security talent. Organizations are also adopting Security Orchestration, Automation, and Response (SOAR) solutions to improve efficiency in handling high-fidelity alerts. Furthermore, there is a systematic investment in developing Security Fusion Centers that span multiple operational domains including data security & compliance, monitoring for insider threats and privileged access through behavior analytics, correlating physical and cyber security data, and improving consolidated operations and incident response. These developments suggest an overall improvement in the sophistication of cyber defense capabilities over the last five years, with a focus on addressing the global shortage of skilled professionals and enhancing efficiency in handling alerts and incidents. The article discusses the findings from Micro Focus Security Intelligence and Operations Consulting (SIOC) report on the "State of Security Operations" in various companies and public sector organizations worldwide. It highlights that, across all areas measured, the median score for cyber defense programs remains between 1 and 2, indicating a basic level of capability. However, SIOC observes that lack of repeatability, metrics, and continuous improvement result in unpredictable effectiveness and sustainability of these programs. 
The ideal composite maturity score for a modern enterprise cyber defense team is considered to be at level 3 (defined), which involves having both high agility for certain processes and high maturity for others. SIOC has noted that achieving scores above level 3 can be costly and are more suited for protecting specific subsets of applications, data, systems, or users. For the third year in a row, the business SOMM area had the strongest median score of 1.57 over a five-year assessment period, reflecting the increasing importance of security within organizations. This suggests that while there has been improvement overall, gaps still exist in terms of repeatability and continuous improvement across different companies and sectors. Over the past few years, there has been a growing awareness among businesses, including executives and board members, of the significant impact cyber threats can have on their operations. This broader understanding is leading to increased visibility and better articulation of cyber security requirements across various departments within organizations. As a result, many companies are adopting more mature products from established vendors in their cybersecurity solutions, fostering stronger business-level relationships with these providers. In the People aspect of the maturity model, there was a significant improvement, with a notable 10% increase to reach a median score of 1.45 over five years. This progress is attributed to better alignment of security teams' reporting structures, consolidation of functions such as hunt, threat intelligence, and incident response, strategic partnerships with subject matter experts, and the recruitment, training, and retention of cybersecurity talent under capable leadership. However, the Process aspect of the maturity model remains less mature, scoring a median of 1.31 over five years, showing only a modest 6.5% improvement this year. 
This lag is due to reliance on individual "tribal knowledge" rather than well-defined processes and procedures, which can lead to inconsistent performance and difficulty retaining skilled personnel. A strong foundation of robust processes is essential for predictable outcomes and effective cyber defense operations. Finally, there has been a moderate improvement in the Technology aspect of the maturity model, with a slight increase over the past few years. This area still lags behind the others in maturity, however, because of ongoing challenges in implementing advanced technologies effectively and efficiently. The most effective global cybersecurity programs are characterized by repeatable processes, continuous improvement, and metrics that track their implementation. The document goes on to discuss Security Operations Maturity Model (SOMM) results across global regions. SOMM measures how well an organization's cyber defenses are performing. The data shows that Asia has the lowest median score at 1.37, while BeNeLux scores the highest at 1.79. Most organizations focus on technology solutions and tools for their cyber defense programs. In North America there was a small improvement in SOMM levels (1%), but significant growth in the number of energy sector teams willing to undergo external evaluation (a 34% increase). The UK experienced the most notable upward shift, a 17% improvement driven by preparations for GDPR compliance. Micro Focus SIOC also observed changes in three further regions relative to Europe. In Asia, organizations began to insource more of their own security functions in pursuit of better protection against risk. In BeNeLux and South America, smaller specialist providers grew substantially, offering highly customized services and piloting new offerings such as "Hunt-as-a-Service".
In Europe too, emerging regulations are pushing companies to build more internal cyber defense programs or to find partners who can operate in accordance with those rules. The text expects more countries in these regions to follow this trend as their governments enforce new standards. The text then discusses the improvement in maturity and effectiveness of cybersecurity operations across industries. Two-thirds of all industries experienced double-digit growth in median maturity in 2017, with the Telecom and Retail sectors showing particular success. Service providers play a crucial role in organizational success by providing robust process foundations for their customers. While technology organizations generally performed well previously, their scores dropped by 12% due to strategic shifts in cyber defense operations and the adoption of new tools and hybrid IT solutions, which take time to mature. The median SOMM (Security Operations Maturity Model) score varies across industries; for example, Energy sectors focus on critical national infrastructure and industrial control systems, while Financial institutions are increasingly adopting Security Fusion Center approaches to combat specific types of cyber threats. The article discusses sector trends in cybersecurity maturity, with a focus on Europe and Asia, where both regional and country-specific regulations drive investment. In 2017, healthcare providers protecting sensitive patient data saw a 7% increase in SOMM maturity after breaches targeting time-sensitive data hit North American healthcare cyber defense teams. Manufacturing companies continued to face increased threats from attacks on production infrastructure and maintained steady SOMM capabilities. Retailers experienced an 11% shift in SOMM levels over the past five years, investing in expanded security operations with SOAR and hunt solutions as well as GDPR compliance initiatives.
Lastly, services organizations have demonstrated strong investment in aligning business missions with SOMM improvements across the people and process dimensions, surpassing other sectors' growth. The article discusses a study conducted by Micro Focus Cyber Security Services analyzing the state of security operations across industries including telecommunications, services, and technology companies. Key findings indicate that median performance in these sectors has improved overall, although technology organizations saw a 12% drop this year, likely because hybrid IT solutions reduced their visibility into risk. Telecommunications organizations have shown significant improvement globally over the past year, investing in new security operations programs to enhance their capabilities. Leaders of successful security operations attribute improvements to organizational alignment factors such as board-level support and clearly defined missions for cyber defense programs. In summary, co-managed operations are becoming a popular strategy for security operations leaders because partnering directly with technology vendors or niche service providers helps address the global shortage of cyber security talent. This approach lets them focus on protecting specific assets while outsourcing routine tasks and technology integration through automation, leading to better end-to-end visibility and efficiency in operations. To enhance consistency and effectiveness, Security Operations Centers (SOCs) facing personnel shortages are increasingly adopting workflow and process automation tools. Adopting security orchestration, automation, and response (SOAR) solutions improves the repeatability of handling high-fidelity alerts, freeing bandwidth for more mature activities such as hunt, data enrichment, and other advanced cyber defense operations.
While some organizations are experiencing positive results from automating incident investigation and management toolsets with deliberate implementation goals, adoption remains slow. The shift in responsibilities from analysts to developers during SOAR implementations can lead to misunderstandings about operational implications. Furthermore, knowledge gaps within organizations, such as those resulting from organic growth or M&A integrations, hinder the rate of SOAR adoption. Key points for SOCs looking to leverage SOAR include starting with automation in already operationally mature areas and gradually expanding its use. The trend of establishing Security Fusion Centers (SFCs) has been on the rise among various enterprise security operations. In 2017, Micro Focus Cyber Security Services assessed that private sector organizations are systematically investing in developing SFCs to bridge the operational overlap across multiple domains. Initially, these centers adopted a "One SOC to Rule Them All" approach, resulting in teams designed to view the complete risk and security picture from their existing SOC environments spread across different regions and lines of business. This model has been effective for decentralized organizations and those that have expanded through mergers and acquisitions (M&A). Over the past year, Micro Focus SIOC observed a shift towards more integrated fusion centers that combine multiple disciplines previously kept separate within organizations. These new forms of fusion centers are preparing to integrate data security monitoring, incident response, and compliance reporting in preparation for the General Data Protection Regulation (GDPR). Historically, data security teams have worked closely with application development teams to protect information close to where it is generated, processed, or stored. 
With the introduction of new regulations that require specific response and reporting timelines, organizations are now incorporating incident response expertise from IT teams into CoEs for data breach monitoring, which helps them meet regulatory requirements more effectively. These CoEs serve as a centralized cyber security hub for organizations aiming to enhance their program maturity by streamlining operations. Additionally, Micro Focus has been collaborating with organizations in 2017 to explore and invest in deception grid solutions. Understanding the adversary's tactics and techniques is crucial for effective cybersecurity defense. Deception grids are designed to mislead potential attackers, providing valuable information about how adversaries might attempt to penetrate an organization’s defenses. This approach helps enhance the defensive posture of organizations by making it harder for cyber threats to succeed. This document, from 2018, discusses the State of Security Operations (SOC) and how it has evolved over time. It notes that SOCs typically focus on preventing failure in most attacks but can still learn about an attack when one is successful due to their reactive nature. The report highlights that many organizations are currently at a "defined" maturity level 3, where they use real-time correlation and historical incident identification for response. However, few have advanced further by analyzing behavioral attributes of intelligence or developing internal programs for continuous curation and categorization. The document also introduces the concept of deception grids as an effective method to combat sophisticated attackers who are becoming more selective in resource allocation due to economic pressures. Deception grids involve deploying systems that misinform potential adversaries, allowing organizations to gather information about the attacker's tactics and reveal their inefficiencies when targeting the organization. 
This approach not only helps protect against attacks but also provides insights into the attacker's strategies and weaknesses, enhancing overall security operations maturity. In 2018, Micro Focus will continue to measure the impact of Cloud and Hybrid IT on Security Operations (SOC). A significant number of cyber defense organizations faced challenges in protecting hybrid IT infrastructure in 2017. These organizations experienced reduced costs due to IT spanning multiple platforms such as cloud, traditional data center, hosted space, SaaS, IaaS, and PaaS. However, security leaders expressed concerns about the migration of applications to the cloud expanding the attack surface and introducing new risks that are difficult to monitor and secure. For most Security Operations Centers (SOCs), a cloud strategy resulted in loss of visibility and increased initial risk since they now lack insight into the security of functions moved to the cloud, which affects their ability to report on these aspects. Last year's assessments revealed that most organizations' cloud strategies focused primarily on application functionality without adequately considering the necessary security, logging requirements, storage, and bandwidth for effective security monitoring. Many cloud providers have developed native security features, enabling deployment of security tools in the cloud and offering some visibility that can be integrated into legacy SOC operations. However, these plans did not always include following key assets to the cloud, leaving SOCs with limited visibility solely within the legacy data center space. Some organizations operating hybrid architectures have deployed solutions integrating both on-premise and cloud workloads for specific critical applications, data, systems, or users. 
These organizations are enhancing their protection by deploying a targeted SIEM within their cloud environment to enable detection through focused use cases tailored to the specific security requirements of the applications in that environment. The text then discusses how security operations centers (SOCs) are transitioning back to centralized systems that use big data and security analytics. SOCs are investing in developing or using quick corrective actions and in communicating key performance indicators to executive leaders who are concerned with the bottom line and organizational risk. The author, citing Micro Focus Cyber Security Services from 2015, notes that while these tools provide value in some organizations, their effectiveness varies greatly. SOCs have continued to invest in data lakes and analytics tools over the past three years; for most organizations, however, such investments remain a science experiment with an uncertain future. The text also highlights the challenges organizations face when adopting data lakes, particularly the complexity of maintaining home-grown systems that can handle vast amounts of data. Collecting unformatted machine logs and then processing them to meet analytics objectives becomes labor-intensive, which can negate some of the benefits initially gained from simplified collection. Data lakes also make it harder to meet compliance objectives, since they often require significant time and effort for maintenance and post-processing. The article then turns to the challenges organizations face when large data solutions contain sensitive information. Many such solutions lack proper encryption and security controls, leaving them vulnerable to breaches. As deadlines for compliance regulations such as GDPR approached, these organizations conducted Legitimate Interest Assessments to confirm they had adequate controls in place.
This revealed some SOCs effectively using historical data to detect TTPs (Tactics, Techniques, and Procedures) and IoCs (Indicators of Compromise), leading to real-time detection and investigations. However, only a few organizations have invested in mature operational analytics processes for their data lake investments. Over the past five years, Micro Focus Cyber Security Services has observed that many cyber defense programs have struggled with maturity, sometimes opting for quick fixes or complete overhauls without achieving satisfactory results due to internal weaknesses and poor business alignment. This document discusses a trend in Micro Focus SIOC across various assessment areas. It emphasizes that the detection and response capability of organizations is continuously evolving but lacks a quick fix solution for comprehensive protection and awareness. Successful security operation programs require an evaluation of risk management, security, and compliance objectives along with active tuning of deployed solutions. The document highlights key points such as the importance of trustful relationships with vendor co-management, initial narrow scope for SOAR (Security Orchestration, Automation, and Response), and suitability of security fusion centers. Over five years, 200 assessments from 144 SOC organizations in 33 countries have been analyzed to provide insights into advanced cyber defense centers globally. The assessment methodology is based on Carnegie Mellon Software Engineering Institute Capability Maturity Model for Integration (SEI-CMMI) and regularly updated to align with current security trends and threats. The importance of detecting malicious activity and effectively managing threats is crucial for mature cyber defense capabilities. An ideal composite maturity score for modern enterprises is level 3, where the capability is "defined." This involves balancing agility in some processes with high maturity in others. 
Achieving higher levels of maturity can be costly and lead to stagnation, rigidity, and reduced effectiveness if not balanced correctly. Micro Focus Cyber Security Services (now part of Micro Focus) formed the SIOC practice in 2007, focusing on defining SOC best practices and building enterprise-class SOCs. The team combined experience with SIEM implementations within SOCs since 2001 with experts who have led large organization SOCs. Since its inception, the SIOC team has iteratively improved their methodology, adopted by hundreds of organizations worldwide. The SOMM assessment helps clients align their SOC capabilities with industry best practices and specific goals, providing a methodical approach to close gaps in effectiveness and efficiency. The SEI-CMMI (Software Engineering Institute - Capability Maturity Model Integration) is a process improvement approach designed to enhance the effectiveness of information security processes within organizations. It encompasses various essential elements that guide and improve organizational functions, project divisions, or even entire companies in their quality enhancement journey. Micro Focus Cyber Security Services has adapted this model to create the Security Operations Maturity Model (SOMM), which assesses the maturity level of an organization's security operations capability using a five-point scale. This scale ranges from 0 for no capability at all, indicating a complete lack of any formal security measures, to 5 for highly effective and consistently improved security capabilities. Organizations with minimal or ad-hoc threat monitoring are typically rated between level 0 and level 1, whereas organizations with more structured teams focused on threat detection generally score between level 1 and level 2. Among these, the most advanced security operations centers often reach a rating between level 3 and level 4, although very few such entities exist currently. 
The SOMM serves as an essential tool for evaluating and enhancing the maturity of organizations' security operations capabilities in terms of people, process, technology, and supporting business functions. The historical category details and findings section highlights the growth in measuring business functions and capabilities over the years, with general trends including mission alignment, objective definition, and consistent understanding across businesses. Key findings include the importance of executive sponsorship and communication for a sustainable capability. In the context of increasingly tight budgets, Security Operations Centers (SOCs) often function as cost centers. Those without strong executive sponsorship may be asked to do more with less. To mitigate this, SOC leaders must communicate their successes throughout the organization, including to non-IT teams. Mature SOCs develop and report operational metrics and Key Performance Indicators (KPIs) that demonstrate value by measuring the efficiency and effectiveness of security operations. Strong executive sponsorship from the business is vital; mature SOCs define a mission, retain such sponsorship, and communicate the mission clearly throughout the organization. This support helps maintain focus on sustainable business objectives and aligns organizational interests towards common goals. Effective communication of these objectives fosters better alignment with other departments, strengthens the SOC's authority during incidents, and improves relationships with customers. Additionally, effective SOCs are often aligned with GRC or legal organizations to strengthen their role in regulatory compliance and in responding to attacks. Alignment with peer groups and customer relationships gives the SOC more authority to act during incidents, contributing significantly to overall effectiveness. The text then discusses further aspects of security operations centers (SOCs) within organizations.
It highlights that businesses need board-level and C-level visibility into security threats because of increased cybersecurity demands. A mature SOC should be able to deliver incident notifications, explanations of threats and incidents, and their impact on the business. Reports and artifacts such as executive reports should rely on a high degree of automation for the data crunching and be delivered on a regular cadence. The SOC should be perceived as a business enabler. Operational reports and vendor engagement are also important considerations when setting up or managing a SOC. The support model can range from 8am-5pm, to extended hours (12x5, 18x7, 24x7), to a hybrid model combining in-sourcing and outsourcing. The cost-effectiveness of these models depends on many factors, but some organizations have made the risk-based decision that fully staffing with their own people is not worth it, given the gap in capability levels between in-sourced and outsourced teams. Additionally, while MSS (Managed Security Service) providers may lack an internal team's deep understanding of the organization, there remains value in using MSS in various situations. Some companies are still developing and operating a 24/7 in-house capability, while others believe that highly skilled, business-hours-centric internal teams with effective tools can meet their objectives, either independently or augmented by managed services. The assessment of people capability and maturity in Security Operations Centers (SOCs) reveals several key challenges. Chief among them is the difficulty of finding and retaining skilled personnel to staff these critical operations effectively. Optimal staffing levels typically remain elusive for various reasons, including market challenges for new organizations without a robust culture or established processes.
Another significant issue is the high attrition that results from 24x7 scheduling requirements, which many organizations still struggle with despite their operational demands. Training and funding are also major concerns: SOCs have difficulty acquiring the right skills through traditional means such as classroom training and certifications, which often fail to prepare professionals adequately for the specific skills needed in cyber defense roles. As a result, some organizations have shifted towards development programs aimed at nurturing their analysts' skills. In terms of organizational structure, certain sectors prefer 8x5 teams over traditional 24x7 operations, using high-fidelity correlation rules and automation during off-hours to manage security analysis and response efficiently while the team focuses on business hours. This approach not only addresses the staffing challenges but also enhances operational effectiveness through the strategic use of technology and skilled personnel.

In summary, effective management and assessment of people capability in SOCs are crucial to their overall performance and resilience against cyber threats. Addressing optimal staffing levels, training programs, and technological adaptation can significantly improve a SOC's ability to detect, respond to, and mitigate security breaches.

The complexity and challenges of a 24x7 environment often require specialized teams with a range of skills to respond effectively to organizational needs. These teams, which include professionals such as network architects, database administrators, and support staff, are generally most effective when they automate processes regularly and assess their skill set yearly to identify gaps for future development. The role of a security operations center (SOC) analyst presents both opportunities and challenges in the professional landscape.
On one hand, analysts with experience from existing SOC teams may bring valuable experience but also potential baggage that can lead to conflicts and inconsistencies within the team. Succession planning becomes complex when analysts seek career progression beyond level 1 roles, often preferring more advanced positions that match their expertise and experience. In contrast, organizations can develop new talent from various sources, such as IT administration, system support, or external sectors like law enforcement. Development programs of this kind help ensure that the skills taught are directly applicable to the organization's specific operations, and organizations that invest in them tend to benefit from a more aligned skill set across the team.

Leadership within the SOC is also crucial: effective management and leadership are essential for maintaining operational consistency and predictability, so that the performance of the SOC remains high despite the ongoing challenges of 24x7 operations and cybersecurity threats. The success of a cyber defense team is significantly influenced by its leadership's ability to cultivate and maintain a supportive culture in which individuals believe in their work and feel supported. This includes aligning organizational structures with daily activities, providing HR support across barriers for complex tasks, and balancing subject-matter knowledge with awareness of when external assistance is necessary.

Organizational structure plays a profound role in the capability and maturity of a SOC. The most mature operations typically report to a chief information security officer (CISO) or other high-level executive. SOC organizations placed within IT operations may face challenges due to conflicting priorities between availability, performance, and integrity at higher organizational levels.
For a SOC to achieve high maturity, it must have robust, current, and relevant processes and procedures that guide the execution of critical tasks, define expectations, and set measurable outcomes. This foundation enables sustainable operation and facilitates compliance support when needed. Dependence on individual tribal knowledge can be detrimental if key personnel leave or are unavailable, potentially crippling the SOC's capability. Micro Focus assesses a SOC's process dimension by evaluating general practices and whether they contribute to successful task execution and organizational objectives.

Successful SOCs employ adaptable, portable, and operationally integrated knowledge management tools that support a process- and procedure-based knowledge management system. They use commercially available and open-source tools such as wikis to maintain up-to-date organizational documentation, ensuring that document control remains relevant and fresh. These systems allow images, video captures, scripts, and other operational materials to be published and shared across the team, with managers tracking and measuring contributions to documentation as a Key Performance Indicator (KPI).

In assessing operational processes within hybrid environments, roles and responsibilities must be clearly defined to avoid mishandling incidents. Hybrid staffing models can reduce the negative effects of attrition or skill acquisition while making overall recovery costs higher. Special attention should be given to scheduling and to managing escalation and shift turnover between insourced and outsourced functions. Well-defined processes ensure that all relevant shift turnover information is passed between groups, improving the capability to manage cases and isolate breaches.
Successful cyber defense teams leverage threat intelligence, putting it to use through tools and people so that it is ready for immediate action when needed. High-maturity SOCs bring incident handling responsibilities closer to the frontline of the operations team, while others explore data to identify threats more efficiently.

The report also discusses several further techniques for managing and improving SOCs: hunt teams, advanced content and information fusion, data flow management, user provisioning, access controls, configuration management, compliance integration, audit processes, and incident response. It highlights the importance of reducing costs, increasing return on investment (ROI), enhancing cyber threat intelligence, improving data quality, and implementing automated tools so that threats are prevented or handled before they escalate into incidents. It also emphasizes the role of automation in orchestrating duties throughout a breach to minimize its impact, as well as the need for proper rotation of duties among analysts to maintain high performance and reduce attrition.

SOCs rotate analysts through on-shift monitoring periods that alternate with other project-based tasks such as communications, research, special projects, and unstructured analysis. However, administration tasks that do not align with the SOC mission should not be assigned to analysts, in order to maintain their effectiveness. Other areas covered include compliance, continual improvement, knowledge management, business continuity (BC) and disaster recovery (DR), technology within a SOC, and how data collection is optimized for better technological investments across the organization.
Technology should support, enforce, and measure the processes being executed in the SOC. The assessment of technology covers architecture, architectural process, documentation, technology coverage aligned with business requirements, data collection methodology, and the consolidation of data quality use cases. In summary, the report outlines a comprehensive approach to managing and operating an effective SOC that emphasizes both human resource management (with specific tasks for analysts) and technological integration aligned with organizational goals and processes.

On the technology side, the report focuses on optimizing SOC operations to enhance efficiency, reduce costs, and improve incident response times. Key points include the importance of broad log collection for effective monitoring and analysis, the use of data visualization tools, and the deployment of SIEM technology for correlation across different technologies. Well-integrated organizations deploy application security monitoring use cases into their cyber defense centers, allowing them to identify potential breaches in production environments. Successful SOCs also assess all aspects of their own operations, using data visualization tools such as dashboards and reporting to monitor health and availability.

Proper correlation mechanisms are needed: automated alerting, multi-stage correlation, pattern detection, and more advanced use cases that require customizing the SIEM with business context, asset details, identity information, and intelligent correlation to evaluate data for both short-term and long-term analytics. However, some entities still rely on default vendor detection profiles, which address only basic use cases.
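To make the contrast between a default detection profile and context-enriched multi-stage correlation concrete, here is an added Python example (not code from the report or from any SIEM product). It runs a basic single-event rule and a two-stage rule over a constructed stream of authentication events, then enriches the completed chain with constructed asset and identity records to grade its severity; all event fields, hosts, users, addresses and thresholds are assumptions for the illustration.

```python
"""Multi-stage correlation with asset and identity context.

Added example; not code from the report or from any SIEM product. The
events, asset inventory, identity directory, field names and thresholds are
constructed assumptions for the illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication events (sources are RFC 5737 documentation
# addresses). Three patterns: a failure burst followed by a success on a
# critical database host, the same on a low-value workstation, and a burst on
# a jump host whose later success falls outside the correlation window.
EVENTS = [
    {"ts": "2018-03-01T10:00:00", "src_ip": "203.0.113.7", "user": "alice", "host": "db-prod-01", "outcome": "failure"},
    {"ts": "2018-03-01T10:00:20", "src_ip": "203.0.113.7", "user": "alice", "host": "db-prod-01", "outcome": "failure"},
    {"ts": "2018-03-01T10:00:45", "src_ip": "203.0.113.7", "user": "alice", "host": "db-prod-01", "outcome": "failure"},
    {"ts": "2018-03-01T10:02:00", "src_ip": "203.0.113.7", "user": "alice", "host": "db-prod-01", "outcome": "success"},
    {"ts": "2018-03-01T10:05:00", "src_ip": "198.51.100.9", "user": "bob", "host": "ws-042", "outcome": "failure"},
    {"ts": "2018-03-01T10:05:30", "src_ip": "198.51.100.9", "user": "bob", "host": "ws-042", "outcome": "failure"},
    {"ts": "2018-03-01T10:06:00", "src_ip": "198.51.100.9", "user": "bob", "host": "ws-042", "outcome": "failure"},
    {"ts": "2018-03-01T10:07:00", "src_ip": "198.51.100.9", "user": "bob", "host": "ws-042", "outcome": "success"},
    {"ts": "2018-03-01T11:00:00", "src_ip": "192.0.2.50", "user": "carol", "host": "jump-01", "outcome": "failure"},
    {"ts": "2018-03-01T11:00:10", "src_ip": "192.0.2.50", "user": "carol", "host": "jump-01", "outcome": "failure"},
    {"ts": "2018-03-01T11:00:20", "src_ip": "192.0.2.50", "user": "carol", "host": "jump-01", "outcome": "failure"},
    {"ts": "2018-03-01T11:20:00", "src_ip": "192.0.2.50", "user": "carol", "host": "jump-01", "outcome": "success"},
]

# Constructed business context the SIEM is enriched with.
ASSETS = {
    "db-prod-01": {"criticality": "critical", "owner": "payments-dba"},
    "ws-042": {"criticality": "low", "owner": "helpdesk"},
    "jump-01": {"criticality": "high", "owner": "infrastructure"},
}
IDENTITIES = {
    "alice": {"privileged": False, "dept": "finance"},
    "bob": {"privileged": False, "dept": "sales"},
    "carol": {"privileged": True, "dept": "infrastructure"},
}

# Assumed rule parameters.
FAILURE_THRESHOLD = 3                    # stage 1: this many failures ...
FAILURE_WINDOW = timedelta(minutes=5)    # ... within this window
SUCCESS_WINDOW = timedelta(minutes=10)   # stage 2: a success this soon after stage 1


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def default_profile_alerts(events):
    """The kind of single-event rule a default detection profile ships: every
    failed login raises an alert, with no context and no chaining."""
    return [{"rule": "failed_login", "ts": e["ts"], "src_ip": e["src_ip"], "host": e["host"]}
            for e in events if e["outcome"] == "failure"]


def enrich(event, assets, identities):
    """Attach asset and identity context; unknown hosts/users are flagged, not dropped."""
    asset = assets.get(event["host"], {"criticality": "unknown", "owner": "unknown"})
    ident = identities.get(event["user"], {"privileged": False, "dept": "unknown"})
    return {**event, "asset_criticality": asset["criticality"], "asset_owner": asset["owner"],
            "user_privileged": ident["privileged"], "user_dept": ident["dept"]}


def multistage_alerts(events, assets=ASSETS, identities=IDENTITIES):
    """Stage 1: FAILURE_THRESHOLD failures from one source against one host
    inside FAILURE_WINDOW. Stage 2: a success for the same pair within
    SUCCESS_WINDOW of stage 1. Only the completed chain alerts, and the
    alert's severity comes from the enriched business context."""
    failures = defaultdict(deque)   # (src_ip, host) -> recent failure times
    armed = {}                      # (src_ip, host) -> time stage 1 completed
    alerts = []
    for e in sorted(events, key=_ts):
        key, now = (e["src_ip"], e["host"]), _ts(e)
        if e["outcome"] == "failure":
            window = failures[key]
            window.append(now)
            while now - window[0] > FAILURE_WINDOW:   # slide the window
                window.popleft()
            if len(window) >= FAILURE_THRESHOLD:
                armed[key] = now
        elif e["outcome"] == "success":
            stage1_at = armed.pop(key, None)
            failures[key].clear()                     # a success ends the burst
            if stage1_at is None or now - stage1_at > SUCCESS_WINDOW:
                continue                              # no chain, or the chain went stale
            ctx = enrich(e, assets, identities)
            high_value = ctx["asset_criticality"] in ("critical", "high") or ctx["user_privileged"]
            alerts.append({"rule": "failure_burst_then_success", "ts": e["ts"],
                           "src_ip": e["src_ip"], "user": e["user"], "host": e["host"],
                           "severity": "high" if high_value else "medium",
                           "asset_owner": ctx["asset_owner"], "user_privileged": ctx["user_privileged"]})
    return alerts


if __name__ == "__main__":
    print(len(default_profile_alerts(EVENTS)), "alerts from the default profile")
    for a in multistage_alerts(EVENTS):
        print(a["severity"], a["host"], a["user"], "owner:", a["asset_owner"])
```

On the same twelve events the default profile raises nine context-free alerts, while the multi-stage rule raises two, each already carrying the asset owner to contact and a severity derived from asset criticality and account privilege; the jump-host burst is deliberately left to show the stale-chain case, where the success arrives after the correlation window and does not complete the chain.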
The report concludes by advocating robust data aggregation and risk remediation through effective threat detection and the use of technology solutions that push incident identification closer to analysts, ultimately saving money and time. Organizations must consider factors such as leadership, processes, technology, and infrastructure before implementing drastic changes, to avoid reduced operational maturity during new system ramp-ups. Failing endpoint management can result in ROI problems or threat mitigation failures that lead to a rip-and-replace of systems, which often does not resolve the original issues. It is crucial to ensure the relevance and currency of the data collected when making decisions about technology changes.

For more information on this topic, visit:

1. software.microfocus.com/en-us/services/security-operations-center
2. software.microfocus.com/en-us/services/enterprise-security-consulting-services

Additional contact information and office locations can be found at www.microfocus.com.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
