Every enterprise security team, regardless of size, scope, or sector, knows the value of having a capable and well-trained Security Operations Center (SOC) team addressing their cyber threats. Larger companies often have the budget to recruit and employ their own SOC team, whereas others will tend to hire an externally-managed SOC team, often through a managed security service provider (MSSP). Both are acceptable options.
Training SOC teams to be prepared and ready is thus an important consideration in the overall cyber security ecosystem. One approach to this training is to allow SOC teams to sharpen their skills through live operations. An obvious drawback to this somewhat passive approach is that day-to-day incidents tend to follow a familiar progression. Response to truly unusual situations might never be encountered until they actually happen.
To address this weakness, commercial offerings are now available to train SOC teams using realistic simulations in a contained environment. These offerings are comparable to flight simulators for pilots, but with emphasis on combining group training to mimic actual team functions and decision-making. The goal is to practice detection, investigation, and response, with each step tracked and measured against a SOC team’s playbook.
Such live simulations utilize a segregated enterprise environment that is safely accessed through a private network. The simulations include the actual licensed products and tools used in the customer’s SOC environment. This can include the SIEM, firewall platforms, and hunt tools deployed in the SOC. The goal is to mirror the actual environment into a live range atmosphere so that it looks and feels as realistic as possible to the team being trained.
Attack scenarios can range in complexity, from ransomware to more complex attacks, and can be fine-tuned to match the issues found in the SOC environment. The training creates muscle memory and skill development by reinforcing a multitude of threat types. The participants can also increase their confidence with low risk, resulting in increased job satisfaction levels by being challenged in a safe environment.
SOC Training Survey
The TAG Cyber team worked recently with the team from Cloud Range Cyber, led by CEO Debbie Gordon, to investigate how such advanced training fits into the current and future plans for SOC teams. As analysts, we were interested in understanding the frequency with which a typical SOC team would choose to have their teams experience such training, given the multitude of attack scenarios that can be simulated.
To that end, we asked a dozen experts to offer their best view of how they’d optimize the frequency of such training for their team. If they happened to contract out their SOC function to an MSSP, then we asked that they share what they think would be a reasonable cadence for the team supporting their account. We expected their views on frequency to serve as a good proxy for how experts value this type of simulation for a SOC team.
To make things simple, we offered a simple numeric scale for estimating the frequency of training. A score of 1 would correspond to no SOC training at all, a score of 2 would represent training every other year, a score of 3 corresponded to once-per-year training, a score of 4 would represent a twice-per-year cadence, and a score of 5 would correspond to monthly training for the SOC team.
Seven of the dozen experts we solicited received approval to respond to our survey (with no public attribution) offering answers from 1 through 5 that best estimated their views. We said it would be fine to use a decimal if necessary, but only one felt the need. While we cannot share names of the responders, we can say that participants represented included the health care, finance, telecom, real estate, and private equity industries.
The average result from the survey turned out to be 4.042 with little variance in the answers. This average corresponds to roughly twice-per-year (leaning slightly toward monthly). The result suggested to us that operations teams really do value meaningful training on a reasonably frequent cadence. So, if you manage a SOC team, or if you contract for SOC support from a third-party, then you might take note of this result.
One caveat to any survey is that responders might offer what they believe should be done, as opposed to what they actually do. When asked about frequency, it is possible that some responders might have offered what seemed an acceptable response, in much the same way that people might recommend eating lots of vegetables. Casual follow-up with some of the responders, however, suggested that this was not the case – at least for their responses.
Hopefully, the results of this survey will help you with your own SOC training plans. We’d like to thanks our non-attributed experts for participating in this survey effort. We’d also like to thank Debbie Gordon and the team at Cloud Range for their kind assistance. Their willingness to share the details of training and simulation helped us bring this guidance to the many enterprise security teams around the world trying to optimize their SOC function.