Security Operations Advisory

Modern organisations need to combine preventative security controls with effective and efficient detection and response to protect against cyber security threats. These services are delivered by Security Operations Centres (SOCs). Cydea’s SOC advisory services help clients to make strategic decisions about their security operations.

"I need to validate our SOC strategy and understand how effective and efficient our MSSP is."

SOCs are an important source of situational awareness and operational capability for organisations. They need to be built on a foundation of clear mission, skilled people, robust processes, and technology fed with the right data, in order to deliver maximum return on investment.

However, many organisations struggle to answer management's questions:

  • Do we have the right capabilities?
  • Are they covering the correct things?
  • Is the operation effective and efficient?

We’ll use data and expert judgement from our experienced and independently certified cyber security practitioners to analyse and evaluate the performance of your SOC. We use open and recognised guidelines and standards so that our results are portable and comparable.

Our ‘3C’ approach

We primarily use a desk-based approach, covering people, process and technology, to minimise disruption to your operations. We seek to understand and assess your SOC in three dimensions:

  1. Capabilities - what capabilities does your SOC have, and do they reflect the cyber threats that you wish to detect?
  2. Coverage - do these capabilities align with the areas of greatest cyber risk to your organisation?
  3. Competence - how mature and robust is your operation of these capabilities?

Capabilities

SOCs vary hugely from organisation to organisation, from simple logging and alerting on a Monday-to-Friday ‘9 to 5’ basis through to large teams operating complex arrays of platforms around the clock.

In this stage we look at the capabilities that your SOC has, who operates them, and whether there are any functional gaps between what is in place and what the organisation expects in order to deliver the SOC’s mission.

Our standard Security Operations Framework includes 20 functional areas.

Coverage

In our experience it is common for each of these capabilities to have a different scope of coverage. For example, a SIEM platform may be configured to receive logs from a different set of environments than those targeted by the vulnerability scanning platform, so an asset can be scanned but invisible to detection, or monitored but never assessed for weaknesses.

In order for your SOC to deliver value the capabilities and coverage must align to the requirements of the organisation. In this stage we will establish the coverage provided by each of your capabilities and call out where there are differences between expectation and reality.
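The kind of expectation-versus-reality check described above can be done mechanically once each capability’s scope is exported. The following script is an added illustration, not Cydea’s tooling or methodology: it takes a constructed asset inventory, a per-capability list of what each platform actually covers (in practice the SIEM’s log-source table, the scanner’s target groups, the EDR console’s enrolled hosts) and a statement of what management expects each capability to cover, and reports where they disagree. All hostnames, environments and capability names are hypothetical.

```python
"""Coverage gap analysis across SOC capabilities.

Added example (not from the original page). All data below is constructed;
in a real assessment the inventory would come from a CMDB export and the
scope sets from each platform's own configuration.
"""

# Constructed asset inventory: name -> environment and business criticality.
ASSETS = {
    "web-prod-01": {"env": "prod", "criticality": "high"},
    "web-prod-02": {"env": "prod", "criticality": "high"},
    "db-prod-01": {"env": "prod", "criticality": "high"},
    "jump-host-01": {"env": "prod", "criticality": "high"},
    "build-01": {"env": "dev", "criticality": "medium"},
    "laptop-fleet": {"env": "endpoint", "criticality": "medium"},
}

# Constructed reality: which assets each capability is actually configured for.
CAPABILITY_SCOPES = {
    "siem_log_collection": {"web-prod-01", "web-prod-02", "db-prod-01", "build-01"},
    "vulnerability_scanning": {"web-prod-01", "web-prod-02", "jump-host-01"},
    "edr": {"laptop-fleet", "jump-host-01", "web-prod-01", "web-prod-02", "db-prod-01"},
}

# Constructed expectation: the environments management believes each capability covers.
EXPECTED_ENVS = {
    "siem_log_collection": {"prod"},
    "vulnerability_scanning": {"prod", "dev"},
    "edr": {"prod", "endpoint"},
}


def coverage_gaps(assets, scopes, expected):
    """Per capability, the assets that are expected to be covered but are not."""
    gaps = {}
    for capability, envs in expected.items():
        should_cover = {name for name, meta in assets.items() if meta["env"] in envs}
        actually_covers = scopes.get(capability, set())
        gaps[capability] = sorted(should_cover - actually_covers)
    return gaps


def coverage_matrix(assets, scopes):
    """Asset -> capability -> bool, the table an assessor would put in front of the SOC lead."""
    return {
        name: {capability: name in covered for capability, covered in scopes.items()}
        for name in assets
    }


def high_value_blind_spots(assets, scopes, expected):
    """High-criticality assets missing from at least one capability expected to cover them.

    These are the findings to lead with: a crown-jewel host that is scanned
    but not logged cannot be detected on, and one logged but not scanned is
    being monitored without anyone knowing what it is exposed to.
    """
    missing = {}
    for capability, names in coverage_gaps(assets, scopes, expected).items():
        for name in names:
            if assets[name]["criticality"] == "high":
                missing.setdefault(name, []).append(capability)
    return {name: sorted(caps) for name, caps in sorted(missing.items())}


if __name__ == "__main__":
    for capability, names in coverage_gaps(ASSETS, CAPABILITY_SCOPES, EXPECTED_ENVS).items():
        print(f"{capability}: expected but not covered -> {names or 'none'}")
    print("High-value blind spots:", high_value_blind_spots(ASSETS, CAPABILITY_SCOPES, EXPECTED_ENVS))
```

With the constructed data the SIEM misses the production jump host and the scanner misses the production database and the build server, which is exactly the expectation-versus-reality difference the coverage stage sets out to surface. The same three functions run unchanged against real exports once the asset and scope sets are loaded from files.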

Competence

Having the right capabilities, with the correct coverage, still requires competent operation in order to robustly detect and respond to cyber threats.

In this stage we will review your SOC policy, incident management process and playbooks. We will step through a simulated cyber risk event in order to ascertain how your SOC would detect and respond to it. We will select scenarios that are representative both of your most frequent cases and of those that could have significant consequences for your organisation.

Additional technical validation (sometimes called ‘purple team’ testing) can be scoped and provided to augment our assessment and test your SOC team against real-world scenarios.

SOC Improvement

This ‘3C’ framework lends itself to a variety of business use cases, from SOC strategy and buy/build (in-source/out-source) decisions, through MDR investment cases, to broader MSSP audit and performance assessment.

Our pragmatic, actionable recommendations will help to improve the effectiveness and efficiency of your SOC and improve your return on investment.