*personal opinion warning!* There is a type of image that floats around on social media. I have seen a bunch of things like this, especially on LinkedIn.
If you are reading this you likely know the images I am talking about. There is a picture with an image of something small handling something massive and insurmountable.
I have seen a variety of these pictures with a Cyber Security theme.
For the most part, these are cute. What annoys me the most is the backstory that must have preceded the moment the "picture" depicts.
Take the picture above, we have a SOC Analyst dealing with a massive malware event.
So yes, a SOC Analyst would deal with this. However, in all of these pictures the incident has already happened...the damage is done.
Also, these pictures imply that the SOC is the only professional who will respond to this event. It is implied that the primary responsibility for handling the incident rests with the SOC, which shouldn't be the case.
Honestly I wouldn't be surprised if there are some teams that exist like this. Do you want to work on a team like that?
The primary item that these pictures ignore is the fact that there is so much work that should have happened before the incident.
Why did it take a massive incident for the SOC to be called on?
Were there no policies or procedures to catch this incident from coming to pass?
Why are we being reactive and not proactive?
This wouldn't be a very impactful image, I guess. It probably wouldn't be shared much.
So.... I created my own image. It's less exciting, but I think it more accurately demonstrates what a SOC should be doing.
Let's dissect my picture a bit.
Here we have a castle surrounded by water. The water has the label of Malware. Scary I know!
Malware in this case can stand for anything that is an external threat; the list can be long.
The primary castle is protected by a fortified wall labeled ITSM (Information Technology Security Management). Now, this one is loaded, and there is a lot that goes into ITSM:
"ITSM consists of processes to enable organizational structure and technology to protect an organization's IT operations and assets against internal and external threats, intentional or otherwise. These processes are developed to ensure confidentiality, integrity and availability of IT systems."
There is so much to unpack here in relation to ITSM. But all that being said, I believe this is where the first image fails. If proper processes were in place and the security was managed, would that "malware event" have occurred? Anything is possible. However, if ITSM is done correctly, I believe you can mitigate a lot of risk.
Lastly, the SOC analyst is on the tower, dutifully watching the surrounding castle perimeter. They are taking notes, observing the constant flow of activities around the castle, in the castle, coming into the castle, and going out of the castle. From their vantage point they can see advancing armies (cyber trends, nation states, business competition). They are a valuable member of the team, to be sure.
Like any successful team, the SOC in this scenario is set up on the tower with the ability to monitor everything. If the tower were missing and they were standing in the central courtyard, how effective would they be at watching the perimeter? If the SOC is only standing outside the castle, are they fully aware of the wagon on the inside carrying out all the King/Queen's gold?
See where I am going?
An effective security team needs all the players, and you need a solid foundation that supports all members.