Cyber collaboration and sharing, how to make SOC work more fluid

An effective cyber-team has members who collaborate. With thousands of alerts to process quickly, SOCs are no exception. Understanding important information and how alerts and exchanges work is key to improving the overall process.

Within a SOC, level 1 is in charge of filtering false positives from alerts raised by detection systems and dealing with known and simple incident cases. Levels 2 and 3 will then be in charge of analysing, understanding, and assessing threats. In smaller SOCs, these roles are not as distinct.

The information surrounding an alert must be correctly relayed during incident resolution to respond quickly and effectively. Conserving said information also opens the door to better prevention through the development of essential team knowledge.

Sharing-related difficulties within the team

In practice, each handover involves a loss of information, which causes misunderstandings and difficulties to build the overall picture. This loss has to do with the many types of information (source, affected machines, explored tracks, history, etc.) that need to be collected in different locations.

Managing experts’ workload is an additional issue: who should be contacted and how? How must we communicate while distributing the load among analysts? In the field, we sometimes find a top-down approach, where the manager directly distributes the work.

Inter-team sharing difficulties

Besides the difficulty inherent to the sharing of information within the team, such information sometimes needs to be shared with external entities.

For example, in the feedback received, we repeatedly identified a hybrid model of SOC organisation: levels 1 and 2 are dealt with by a given entity (which is sometimes a service provider) while level 3 is managed internally.

In a cyber version of the prisoner’s dilemma, sharing information with the outside world benefits everyone, but proves to be complicated given the sensitiveness of the information

(reputation, but sometimes also legal) and the culture of secrecy embedded in the field.

Key tools for sharing

In such situations, informal meetings based on human contact (sometimes around the coffee machine) are essential, but word of mouth distorts information and hinders the creation of team knowledge.

If we exclude the SOAR solution (which is still not widely implemented in practice), an expert can rely on a case management tool such as Jira for emails, documents, reports, instant messaging, telephone, etc.

“One might then think that the use of several protection solutions would help them in their task. But the truth is that tool multiplication also contributes to increased stress in everyday life. 79% of the managers surveyed feel that they have too many cyber security products or suppliers to manage. And a third of them consider that the alerts, which are designed to make their work easier, are in fact too numerous and too difficult to absorb.” ​Survey: IT security managers  overwhelmed by stress and pressure​ — ​clubic.com

To this we add tools whose interfaces are ill-adapted. These tools may have standards allowing communication with each other but are often not interoperable, which adds unnecessary complexity to properly report the situation. The feedback received highlights the simultaneous use of two tools to manage the files: one tool with highly structured fields, and another more free-form tool, to manage the addition of images and free text.

Another issue highlighted by our survey is access to information from remote networks. Alert raising and log access on these networks are more challenging.

Technology at the heart of the problem

To foster unification and collaboration within the teams, a new generation of tools must be designed according to users’ needs to support them rather than imposing ill-adapted and sometimes even more time-consuming automated processes.

These tools must adopt standards that provide teams with a common language and point of agreement. Data models such as ECS allow logs to be standardised, while approaches such as MITRE ATT&CK are being widely used to describe and share incidents.

While the tendency has been to train algorithms to recognise attacks on their own, these black boxes make it difficult to carry out the essential explanation step in the cyber security field. The best approach is to continue to focus on the expert analyst, better follow their journey, learn how to recognise their strategies, and anticipate their needs in order to support them.

This new approach, along with rich dataviz methods, allows to enrich and better understand and explain the context. The immediate results are better communication, more effective collaboration, and faster response to incidents.