If you are in the process of buying a car, you'll probably do your own research, visit the showrooms, take a test drive, experience the car and then decide whether or not to buy the product and services.
In cyber security, an enterprise will opt for SOC visits before making an outsourcing decision on security operations and management. The objective is no longer to sit through a marketing presentation given by the sales function in a conference room, but to experience a 'day in the life' of SOC personnel, processes and technology.
Understand your customer's expectations
It's important to know the below and set expectations before the visit:
- Who is visiting, and when?
- How long is the visit?
- What roles do they play in their organization?
- What is their technology background?
- Is a deep-dive demonstration of any specific use case or scenario required?
- What are their requirements?
The SOC environment has to be awesome
It requires investment to build a SOC that deserves the term 'world-class' or 'best in class'. The environment should have the below aspects to impress the customer:
- Physical security (escort, biometrics, mobile phone restrictions, man-trap, visitor entry log, etc.)
- Wall-mounted screens and plasma TVs showing security incident ticket dashboards, device health dashboards, news, threat intel feeds, etc.
- Layered seating arrangements
- Major incident management desks
- SOC management desks
- War rooms and conference rooms
- Safe lockers to store documents
- Posters of the security incident response process, critical incident handling and the escalation matrix
- Hard copies of SOC run books / IR playbooks
- Shift handover tracker
People are the heart of the business
The customer will gain confidence only if your SOC team has the credentials and experience of providing the services to other clients, with a proven track record of maintaining confidentiality, integrity and availability. It's important that you introduce the different roles that exist in the SOC operating model (SOC Manager, Tier 1 SOC Analyst, Tier 2 SOC Engineer, Tier 3 SOC Consultant, Forensic Investigator, SOC Platform Engineer, etc.). Allow each of them to brief the customer on their experience in the SOC, their expertise and the certifications they hold, and to describe their 'day in the life' activities at a very high level, along with the tools and technologies they use to perform their duties.
For example, the SOC manager will have goals such as running security operations smoothly, reducing alert/incident noise for better productivity, handling high-priority incidents, and providing metrics and reports to customers.
Provide an overview so the customer has a better understanding of the operating model, with the below details:
- Locations of operations (follow the sun)
- Shift handover
- Scale and complexity
- Volume of tickets per day / per shift
- Major incident management process
- Cross-functional tower involvement
- Communication modes and methods
- Customer responsibilities
- Top 5 incident category trends
- Partnerships with forums, advisories and vendors
- Training and certifications
Demonstrate with a use-case / scenario deep dive
Inform the customer that 'what you see is what you get'. To articulate this better, take the example of an existing customer (masked appropriately, without showing any confidential information) and provide details of the technology landscape and the scope of services.
It's always easier to understand if you walk through use cases / scenarios covering:
- How the tier 1 SOC analyst detects and triages the incident (proactively or reactively) using the source-of-truth technology
- How the tier 2 security engineer performs investigation, categorization and prioritization of the incident
- Which tools he/she leverages to perform these tasks, and how the standard operating procedures, run books or incident response playbooks help the team follow a repeatable process
- How the team works with cross-functional towers to contain, eradicate and recover
- What the tier 3 security consultant performs in terms of mining IOCs, post-incident analysis, preservation of data / OS images, etc.
- How the SOC manager reports the chronology of the incident and produces the root cause analysis
Show and tell the story and make it live and real, with examples of the occasions on which the team interacted with users, customers and vendors. Give evidence of how much time it took to detect, respond and recover. A few examples of use cases / scenarios that can be used are:
- Spear-phishing email attack
- DLP exfiltration
- DDoS attack
- Insider threat
Showcase the return on investment in technology
Customers are keen to understand the value of maximizing their investment in the technology components, and the effectiveness of the security configurations and features enabled. They often want a 'machine first' service delivery model, such as incident response workflow automation and orchestration platforms. Hence it's important to showcase the tools and technologies required to deliver the SOC services across the below phases:
- Detection phase
- Analysis phase
- Categorization / prioritization phase
- Containment phase
- Eradication phase
- Recovery phase
- Post-incident analysis phase
- Reporting phase
- Review and close phase
Put some facts and stats forward while showcasing the technology; for example, during the last three more than 40% of security incidents were related to phishing. Mention how your SOC has developed incident response workflow automation using solutions such as ServiceNow SecOps.
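As an added example (not part of the original post), the following Python script computes the kind of figures recommended above and in the operating-model overview: the top incident categories with their share of total volume, and the mean time to detect, respond and recover per category. The ticket records are constructed sample data, and the field names (`occurred`, `detected`, `responded`, `recovered`) are assumptions; a real SOC would pull these from an export of its ticketing platform.

```python
from collections import Counter
from datetime import datetime
from statistics import mean

# Constructed sample export of closed incident tickets (not real customer data).
# Timestamps (ISO 8601, minute precision): when the malicious activity began,
# when the SOC detected it, when response/containment started, and when
# recovery completed. Field names are assumptions for this example.
SAMPLE_TICKETS = [
    {"id": "INC-0001", "category": "Phishing",         "occurred": "2024-03-01T08:00", "detected": "2024-03-01T08:20", "responded": "2024-03-01T08:35", "recovered": "2024-03-01T10:00"},
    {"id": "INC-0002", "category": "Phishing",         "occurred": "2024-03-01T09:00", "detected": "2024-03-01T09:10", "responded": "2024-03-01T09:30", "recovered": "2024-03-01T11:00"},
    {"id": "INC-0003", "category": "Phishing",         "occurred": "2024-03-01T13:00", "detected": "2024-03-01T13:30", "responded": "2024-03-01T13:40", "recovered": "2024-03-01T15:00"},
    {"id": "INC-0004", "category": "Phishing",         "occurred": "2024-03-02T10:00", "detected": "2024-03-02T10:20", "responded": "2024-03-02T10:25", "recovered": "2024-03-02T11:10"},
    {"id": "INC-0005", "category": "Phishing",         "occurred": "2024-03-02T16:00", "detected": "2024-03-02T16:40", "responded": "2024-03-02T17:00", "recovered": "2024-03-02T18:00"},
    {"id": "INC-0006", "category": "DLP exfiltration", "occurred": "2024-03-03T09:00", "detected": "2024-03-03T12:00", "responded": "2024-03-03T12:30", "recovered": "2024-03-03T14:00"},
    {"id": "INC-0007", "category": "DLP exfiltration", "occurred": "2024-03-03T15:00", "detected": "2024-03-03T17:00", "responded": "2024-03-03T17:20", "recovered": "2024-03-03T18:00"},
    {"id": "INC-0008", "category": "DDoS",             "occurred": "2024-03-04T11:00", "detected": "2024-03-04T11:05", "responded": "2024-03-04T11:15", "recovered": "2024-03-04T12:15"},
    {"id": "INC-0009", "category": "Insider threat",   "occurred": "2024-03-05T09:00", "detected": "2024-03-06T09:00", "responded": "2024-03-06T10:00", "recovered": "2024-03-07T10:00"},
    {"id": "INC-0010", "category": "Malware",          "occurred": "2024-03-05T14:00", "detected": "2024-03-05T14:10", "responded": "2024-03-05T14:20", "recovered": "2024-03-05T15:20"},
]


def minutes_between(start: str, end: str) -> float:
    """Elapsed minutes between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def category_share(tickets, top_n: int = 5):
    """Top-N incident categories as (category, count, percent of total volume).

    This is the figure behind statements like 'X% of incidents were phishing'.
    """
    counts = Counter(t["category"] for t in tickets)
    total = sum(counts.values())
    return [(cat, n, round(100 * n / total, 1)) for cat, n in counts.most_common(top_n)]


def time_metrics(tickets):
    """Mean time (minutes) to detect, respond and recover, per category.

    mttd:         occurred  -> detected
    mttr_respond: detected  -> responded (response/containment started)
    mttr_recover: responded -> recovered
    """
    per_cat = {}
    for t in tickets:
        m = per_cat.setdefault(t["category"], {"mttd": [], "mttr_respond": [], "mttr_recover": []})
        m["mttd"].append(minutes_between(t["occurred"], t["detected"]))
        m["mttr_respond"].append(minutes_between(t["detected"], t["responded"]))
        m["mttr_recover"].append(minutes_between(t["responded"], t["recovered"]))
    return {cat: {k: round(mean(v), 1) for k, v in m.items()} for cat, m in per_cat.items()}


def summary_lines(tickets):
    """Human-readable lines suitable for a customer-facing slide or dashboard."""
    lines = [f"{cat}: {n} incidents ({pct}% of volume)" for cat, n, pct in category_share(tickets)]
    for cat, m in time_metrics(tickets).items():
        lines.append(f"{cat}: MTTD {m['mttd']} min, respond {m['mttr_respond']} min, recover {m['mttr_recover']} min")
    return lines


if __name__ == "__main__":
    for line in summary_lines(SAMPLE_TICKETS):
        print(line)
```

With the constructed data, phishing accounts for 50% of volume with a mean time to detect of 24 minutes, while the single insider-threat case took a full day to detect; presenting the per-category split alongside the headline percentage is what makes the "machine first" investment story credible to a customer.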
Soft skills will give you an extra bonus
Many times, the personnel who demonstrate the capability are part of the SOC. They need to have soft skills; without them it's only an academic exercise. You need to remind your SOC team that they're not having an appraisal discussion with the customer; they're showcasing the organisation's capabilities. The checklist they need to be mindful of:
- Dress well
- Listen to the queries
- Be honest in your answers (don't be afraid to say NO)
- Make it interactive
- Don't get distracted
- Make it relevant to the customer's expectations
- Articulate with confidence
- Keep track of time
Make the SOC visit an experience
Remember, experience is all about the sense of feel, taste, music to the ears, seeing and believing. Hence do your best to make the SOC visit an experience, using all of the above, to bring the 'wow' factor.
Finally, take the last few minutes to replay what they've seen and agree an action plan, if any.