
Imagine the following scenario:
The latest threat report comes out on a group that targets your vertical. The SOC quickly disseminates the report and starts searching for its tactics, techniques and procedures (TTPs). Everything looks clear: no results are found. Two months later the same attacker blackmails your company with stolen data.
What happened? The SOC searched for the TTPs and found nothing. Simply put, the SOC made a lot of assumptions about the environment it is supposed to protect and about the data it had to work with. A search that returns nothing only proves absence if the right logs were being collected in the first place.
In 2025, the role of security teams must evolve to meet both increased security demands and the increased complexity of modern IT environments. Security teams need to be both proactive and effective in defending their organizations. The following four areas are essential but often forgotten. Instead of shaking the Magic 8 Ball and assuming their Security Information and Event Management (SIEM) is reporting reliable insights, security teams need to get back to security strategy fundamentals.
Reclaim the Home Field Advantage
SOCs have often taken the stance of only dealing with the alerts and data they receive. What gets forgotten is creating an environment that is hostile to the adversary. This isn't just about deception; it is about basic configuration changes that limit an attacker's ability to gain a foothold or expand access, or that force them into activity that gets logged. It applies to the network as much as to the hosts. It isn't about configuring the Endpoint Detection and Response (EDR) or other security tools, but about working with the IT team to configure and secure the operating system and applications. While those items aren't owned by the SOC, they have a direct impact on the security of the company and on the quality of the data the SOC receives. Service accounts usually have elevated privileges. Do you know which systems those accounts should be used on, or what activities are in scope for each account? Working with the owners of those accounts to document their expected use (systems, times of day, days of week, etc.) gives you a baseline against which to write detections for misuse of those accounts.
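The service-account baseline described above turns into a detection once the owner's answers (which hosts, which hours, which days) are written down and every logon is checked against them. The following is an added example, not code from the original article: the account names, hosts, approved windows and the JSON logon events are all constructed for illustration, and the logon-type check relies only on the Windows convention that type 10 is a RemoteInteractive (RDP) logon.

```python
import json
from datetime import datetime, timezone

# Constructed baseline agreed with the account owners (hypothetical accounts and values).
# "hours" are UTC and end-exclusive; "weekdays" use Monday=0 .. Sunday=6.
BASELINE = {
    "svc_backup": {"hosts": {"db01", "db02"}, "hours": (1, 5),  "weekdays": {0, 1, 2, 3, 4, 5, 6}},
    "svc_sccm":   {"hosts": {"sccm01"},       "hours": (0, 24), "weekdays": {0, 1, 2, 3, 4}},
}

# Constructed sample of logon events (not real telemetry), one JSON object per line.
# 2025-03-03 is a Monday, 2025-03-08 is a Saturday.
SAMPLE_LOGONS = """\
{"ts": "2025-03-03T02:10:00Z", "user": "svc_backup", "host": "db01", "logon_type": 3}
{"ts": "2025-03-03T14:22:00Z", "user": "svc_backup", "host": "db01", "logon_type": 3}
{"ts": "2025-03-03T02:30:00Z", "user": "svc_backup", "host": "ws-finance17", "logon_type": 10}
{"ts": "2025-03-08T09:00:00Z", "user": "svc_sccm", "host": "sccm01", "logon_type": 3}
{"ts": "2025-03-04T09:00:00Z", "user": "svc_sccm", "host": "sccm01", "logon_type": 3}
{"ts": "2025-03-04T09:05:00Z", "user": "jdoe", "host": "ws-finance17", "logon_type": 2}
"""


def check_logon(event, baseline):
    """Return the list of ways this logon deviates from the account's baseline (empty = in scope)."""
    profile = baseline.get(event["user"])
    if profile is None:
        return []  # not a tracked service account; out of scope for this rule
    ts = datetime.fromisoformat(event["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    reasons = []
    if event["host"] not in profile["hosts"]:
        reasons.append(f"unexpected host {event['host']}")
    start, end = profile["hours"]
    if not (start <= ts.hour < end):
        reasons.append(f"outside approved hours ({ts.hour:02d}:00 UTC)")
    if ts.weekday() not in profile["weekdays"]:
        reasons.append("outside approved weekdays")
    # A service account should never log on interactively over RDP (Windows logon type 10).
    if event.get("logon_type") == 10:
        reasons.append("interactive RDP logon (type 10) by a service account")
    return reasons


def find_violations(raw_lines, baseline=BASELINE):
    """Parse JSON-lines logon events; return (user, host, ts, reasons) for each out-of-baseline logon."""
    findings = []
    for line in raw_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = check_logon(event, baseline)
        if reasons:
            findings.append((event["user"], event["host"], event["ts"], reasons))
    return findings


if __name__ == "__main__":
    for user, host, ts, reasons in find_violations(SAMPLE_LOGONS):
        print(f"{ts} {user}@{host}: {'; '.join(reasons)}")
```

On the constructed sample this flags three of the six logons: svc_backup on its own database host but in the afternoon, svc_backup on a finance workstation over RDP, and svc_sccm on a Saturday. The point is that every one of those checks depends on facts only the account owner could supply; the SOC cannot write the rule from telemetry alone.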
Prioritize Data Hygiene
Knowing what assets exist, where they are, and what type of data they can produce to help in investigations is paramount. Comparing what they can produce against what they currently produce reveals visibility gaps, and closing those gaps helps with both investigations and analytics. Once you understand what logs are supposed to be coming in, document the configuration. This will help when the log flow stops or changes, and it will also help with any regulatory compliance requirements or audits.
Once you understand what is coming in and from which devices, you can search the data and trust that the results are accurate. For example, if you're not collecting process-related data, you know that detections and searches for process names won't return anything, and an empty result means "not collected", not "not present".
Verify that the volume of data from each device hasn't drastically changed. A change could be due to modified log settings, an upgrade, troubleshooting, or simply a configuration mistake. It's not only about getting too little data; while that is an issue, getting too much data has its own drawbacks. The biggest one is that most SIEM architectures are sized for a specific volume of ingested data. Specifically, the storage needed to meet compliance requirements or use cases is calculated from that assumption. If the data volume increases but the storage size doesn't, the time range of data you can search will be shortened.
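The three checks in this section (sources that should exist but send nothing, detections whose feed has gone dark, and per-source volume drift with its effect on retention) can be run from one documented inventory. The following is an added example, not code from the original article: the hosts, feed names, detection names, daily counts and storage figures are all constructed for illustration.

```python
# Constructed log-source inventory (hypothetical hosts and figures): what each source
# is documented to send, per the agreed configuration.
INVENTORY = {
    "dc01":    {"feed": "windows-security", "events_per_day": 1_200_000, "avg_event_bytes": 900},
    "fw-edge": {"feed": "firewall",         "events_per_day": 8_000_000, "avg_event_bytes": 250},
    "web01":   {"feed": "nginx-access",     "events_per_day": 500_000,   "avg_event_bytes": 300},
    "edr":     {"feed": "edr-process",      "events_per_day": 3_000_000, "avg_event_bytes": 1200},
    "vpn01":   {"feed": "vpn-auth",         "events_per_day": 200_000,   "avg_event_bytes": 400},
}

# Which feed each detection depends on (hypothetical rule names).
DETECTION_FEEDS = {
    "suspicious-process-name": "edr-process",
    "vpn-login-from-new-country": "vpn-auth",
    "kerberoasting-spike": "windows-security",
}

# Constructed daily event counts actually received over the last 7 days, oldest first.
OBSERVED = {
    "dc01":    [1_180_000, 1_210_000, 1_190_000, 1_205_000, 1_195_000, 1_200_000, 1_215_000],
    "fw-edge": [8_100_000, 7_900_000, 8_050_000, 8_000_000, 7_950_000, 30_500_000, 31_200_000],  # debug logging left on
    "web01":   [510_000, 495_000, 505_000, 12_000, 0, 0, 0],  # forwarder died after an upgrade
    "edr":     [2_950_000, 3_020_000, 3_000_000, 2_980_000, 3_010_000, 3_000_000, 3_050_000],
    # "vpn01" never shows up: it is in the inventory but nothing has ever arrived
}


def missing_sources(inventory, observed):
    """Inventoried sources that sent nothing at all in the window: a visibility gap, not a drift."""
    return sorted(s for s in inventory if sum(observed.get(s, [])) == 0)


def unusable_detections(detection_feeds, inventory, observed, days=2):
    """Detections whose feed has no source that delivered any data in the trailing `days` days."""
    live_feeds = set()
    for source, cfg in inventory.items():
        if sum(observed.get(source, [])[-days:]) > 0:
            live_feeds.add(cfg["feed"])
    return sorted(d for d, feed in detection_feeds.items() if feed not in live_feeds)


def volume_drift(inventory, observed, ratio=2.0, days=2):
    """Sources whose daily volume was more than `ratio` times above or below the documented
    baseline on every one of the trailing `days` days (consecutive days suppress one-day blips).
    Returns (source, "spike" | "drop", worst observed/baseline ratio)."""
    findings = []
    for source, cfg in inventory.items():
        recent = observed.get(source, [])[-days:]
        if len(recent) < days:
            continue  # never reported; handled by missing_sources()
        base = cfg["events_per_day"]
        if all(c > base * ratio for c in recent):
            findings.append((source, "spike", max(recent) / base))
        elif all(c < base / ratio for c in recent):
            findings.append((source, "drop", min(recent) / base))
    return findings


def retention_at_current_rate(planned_days, inventory, observed):
    """Storage was sized for `planned_days` of history at the baseline ingest rate.
    Return how many days that same storage holds at the most recent day's ingest rate."""
    planned_bytes = sum(cfg["events_per_day"] * cfg["avg_event_bytes"] for cfg in inventory.values())
    current_bytes = sum(observed.get(s, [0])[-1] * cfg["avg_event_bytes"] for s, cfg in inventory.items())
    return planned_days * planned_bytes / current_bytes


if __name__ == "__main__":
    print("missing sources:", missing_sources(INVENTORY, OBSERVED))
    print("detections with no data:", unusable_detections(DETECTION_FEEDS, INVENTORY, OBSERVED))
    for source, kind, r in volume_drift(INVENTORY, OBSERVED):
        print(f"{source}: {kind} ({r:.1f}x baseline)")
    print(f"storage sized for 90 days now holds {retention_at_current_rate(90, INVENTORY, OBSERVED):.0f} days")
```

On the constructed data the firewall's forgotten debug logging is a 3.9x spike, the web server has dropped to zero, vpn01 has never reported, the VPN detection is therefore dead, and storage sized for 90 days of baseline ingest now holds about 49 days at the current rate. Requiring two consecutive deviating days is the trade-off between catching a change quickly and paging on a single noisy day; tune `days` and `ratio` per source.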
Invest in Cybersecurity Education
IT, in general, has a high rate of change. New technologies, different architecture methodologies, and new software are changing how companies solve business problems. Keeping up with how attackers abuse those new capabilities and how to properly defend against them requires constant education. Not having a budget for the SOC to take technical courses, not just certifications, and not having a hands-on learning environment will hurt the SOC's ability to function effectively. Analysts need a lab environment where they can learn how to set things up and break things without fear, and it should run the same technologies the business uses so they can better understand how those technologies work and how to help defend them.
Break Down Internal Department Silos
With more people working remotely, it's hard to get to know others, even on your own team. This gets even harder when you try to build relationships with teams and business units outside IT. Many times an incident will affect many parts of the company, and having existing, positive relationships with those groups will make the incident response process faster and smoother. You're not going to build that relationship and trust in the middle of an incident. When the SOC contacts anyone outside its immediate team, that team should already know who the SOC is and what it is going to do to help remediate the situation.
While the threats are evolving, attackers don't need sophisticated attacks most of the time. It's the simple things that get them in and let them move around. Make their life harder. By reclaiming the home field advantage, prioritizing data hygiene, investing in education and breaking down internal department silos, practitioners can slow attackers down and increase the cost for them to operate. The fundamentals may be overlooked, but mastering them is the key to detecting and limiting the blast radius of cyber threats before they cause significant harm.
__
About Neil Desai
With 25 years of experience in cybersecurity, Neil has dedicated his career to defending organizations against evolving threats. He spent his first 11 years securing U.S. financial institutions, designing resilient, monitorable security architectures. Transitioning into consulting, Neil guided numerous organizations in building and optimizing Security Operations Centers (SOCs) and Security Information and Event Management (SIEM) systems. Over the past seven years, he has focused on the product side, shaping solutions that empower customers to enhance their security posture. His expertise spans the entire defensive spectrum, from configuration and architecture to continuous monitoring.