The Invisible N | Netenrich Blog

How to Improve cross-functional Collaboration Between SOC and IT?

Written by John Pirc | Wed, Nov 16, 2022 @ 02:15 PM

As MITRE points out in strategy 9 of its 11 Strategies of a World-class Cybersecurity Operations Center, cross-functional communication is key to a SOC’s success.

To support workflow processes, tools must integrate (refer to MITRE strategy 8), and SOC teams must communicate and collaborate — not only among themselves, but also with the entire organization. Sounds simple enough, but it’s surprisingly difficult to do effectively. Any failure to communicate can mean a failure to adequately secure the business.

 

MITRE Strategy 9: Communicate clearly, collaborate often, share generously

CHALLENGE: No matter how well-funded or well-staffed a SOC is, SOC teams can never know everything about the cyber threats and vulnerabilities the organization faces. Collaboration — both internal and external — can provide valuable insight.

Collaboration across functional areas may seem obvious, but traditionally, SOCs and IT departments have worked separately from one another. While SOCs focused on detecting, investigating, and responding to threats, IT focused on meeting the daily operational needs of the business. And rarely the twain did meet … but it is critical that they do, now more than ever.

As stated in MITRE’s first strategy, security analysts must know what they are protecting and why. By understanding their organization’s mission and how the organization works to achieve it, they can better understand which assets and data are most critical to the business.

And how does this happen? By working across functions, collaborating with the IT operations team and other relevant parties to develop situational awareness to better coordinate actions and base decisions on what the business is telling them.

 

A single pane of glass to manage cybersecurity

As stated in my blog on MITRE strategy 4, machines can automate certain tasks, but we need humans to solve the tough problems, to account for subtleties, situations, and business drivers. Another reason to focus on collaboration: If one mind is great, think about the power of brainstorming across departments.

With Resolution Intelligence Cloud, SOC and IT teams can collaborate within a single pane of glass to manage cybersecurity as a business risk and reduce exposure to harm.

 

EXAMPLE OF COMMUNICATING, COLLABORATING, AND SHARING WITH DIFFERENT GROUPS

 
Inform and be informed
Collaborate
Share
Within the SOC
Pass information from one shift to another. Bring together incident responders and the CTI team to create a new analytic. Mentor a colleague.
With Stakeholders and Constituents
Provide risk summaries and recommendations to stakeholders and executives. Pre-plan with constituents how to respond to incidents and jointly publish guidance. Hold a lunch and learn about the latest cyber threats and how they might impact the business.
With Broader Cyber Community
Provide incident TTPs, IOCs, detection tactics to other SOCs, and receive some back. Compare best practices, chosen joint activities such as hunt. Hold cross training with other SOCs; incorporate and hold lessons learned sessions.

 

Source: “11 Strategies of a World-class Cybersecurity Operations Center,” MITRE, 2022.

  • Within the SOC: The Resolution Intelligence Cloud platform promotes and supports communication with what we call ActOns — a correlated set of events, user, and asset data that contains contextual information you need to determine that there is an incident and/or resolve one or more related incidents.

    Further, ActOns are scored by business risk based on impact, likelihood, and confidence. War rooms (more below) enable secure collaboration among colleagues at any time to resolve ActOns, making it easy to bring together incident responders and the CTI team to share analytics and other information, even across shifts.

  • With stakeholders and constituents: Resolution Intelligence Cloud dashboards can provide good data for stakeholders and executives, for example, identifying areas of vulnerability as assets go on and offline that can be proactively addressed.

  • With the broader cyber community: Resolution Intelligence Cloud includes Netenrich's first-source and third-party curated threat intelligence. Additionally, Netenrich provides Threat Hunting Services tailored to customers’ needs.

 

Remember, there’s no fighting in war rooms

Security analysts can instantly create a war room from the ActOn console. Here, they can pull in the right experts and stakeholders — other SOC analysts, constituents from across the business, heads of business units, and/or third parties — to share insights and discuss appropriate actions for a swift resolution to the most critical, confirmed issues. For example, SOC teams and IT managers may need to collaborate to weigh the pros and cons of shutting down at-risk devices, then document what actions they take.

Moreover, if a breach occurs, the stakeholder teams can also invite individuals from legal, human resources, whatever business unit may be invested in the investigation and outcomes.

All in all, this shared situational awareness is good for security and good for the business.

 

Resolution Intelligence Cloud: Where people, tools, and processes converge

Resolution Intelligence Cloud is valuable for employee shift changes.

When a team member starts his or her shift, Resolution Intelligence Cloud makes the handover easy with all case notes, conversations, and actions documented in one place. Incoming analysts can quickly get the lay of the land and know what to address first. At the same time, parting analysts can rest easy, no longer needing to worry if they’ve forgotten to share some vital piece of information.

In short, it’s a seamless, stress-free transfer of information — on a need-to-know basis.