As MITRE points out in strategy 9 of its 11 Strategies of a World-class Cybersecurity Operations Center, cross-functional communication is key to a SOC’s success.
To support workflow processes, tools must integrate (refer to MITRE strategy 8), and SOC teams must communicate and collaborate — not only among themselves, but also with the entire organization. Sounds simple enough, but it’s surprisingly difficult to do effectively. Any failure to communicate can mean a failure to adequately secure the business.
CHALLENGE: No matter how well-funded or well-staffed a SOC is, SOC teams can never know everything about the cyber threats and vulnerabilities the organization faces. Collaboration — both internal and external — can provide valuable insight.
Collaboration across functional areas may seem obvious, but traditionally, SOCs and IT departments have worked separately from one another. While SOCs focused on detecting, investigating, and responding to threats, IT focused on meeting the daily operational needs of the business. And rarely the twain did meet … but it is critical that they do, now more than ever.
As stated in MITRE’s first strategy, security analysts must know what they are protecting and why. By understanding their organization’s mission and how the organization works to achieve it, they can better understand which assets and data are most critical to the business.
And how does this happen? By working across functions, collaborating with the IT operations team and other relevant parties to develop situational awareness to better coordinate actions and base decisions on what the business is telling them.
As stated in my blog on MITRE strategy 4, machines can automate certain tasks, but we need humans to solve the tough problems, to account for subtleties, situations, and business drivers. Another reason to focus on collaboration: If one mind is great, think about the power of brainstorming across departments.
With Resolution Intelligence Cloud, SOC and IT teams can collaborate within a single pane of glass to manage cybersecurity as a business risk and reduce exposure to harm.
Inform and be informed
|
Collaborate
|
Share
|
|
Within the SOC
|
Pass information from one shift to another. | Bring together incident responders and the CTI team to create a new analytic. | Mentor a colleague. |
With Stakeholders and Constituents
|
Provide risk summaries and recommendations to stakeholders and executives. | Pre-plan with constituents how to respond to incidents and jointly publish guidance. | Hold a lunch and learn about the latest cyber threats and how they might impact the business. |
With Broader Cyber Community
|
Provide incident TTPs, IOCs, detection tactics to other SOCs, and receive some back. | Compare best practices, chosen joint activities such as hunt. | Hold cross training with other SOCs; incorporate and hold lessons learned sessions. |
Source: “11 Strategies of a World-class Cybersecurity Operations Center,” MITRE, 2022.
Security analysts can instantly create a war room from the ActOn console. Here, they can pull in the right experts and stakeholders — other SOC analysts, constituents from across the business, heads of business units, and/or third parties — to share insights and discuss appropriate actions for a swift resolution to the most critical, confirmed issues. For example, SOC teams and IT managers may need to collaborate to weigh the pros and cons of shutting down at-risk devices, then document what actions they take.
Moreover, if a breach occurs, the stakeholder teams can also invite individuals from legal, human resources, whatever business unit may be invested in the investigation and outcomes.
All in all, this shared situational awareness is good for security and good for the business.
Resolution Intelligence Cloud is valuable for employee shift changes.
When a team member starts his or her shift, Resolution Intelligence Cloud makes the handover easy with all case notes, conversations, and actions documented in one place. Incoming analysts can quickly get the lay of the land and know what to address first. At the same time, parting analysts can rest easy, no longer needing to worry if they’ve forgotten to share some vital piece of information.
In short, it’s a seamless, stress-free transfer of information — on a need-to-know basis.