The Microsoft Cyber Defense Operations Center (CDOC) fields trillions of security signals every day. How do we identify and respond to the right threats? One thing that won’t surprise you: we leverage artificial intelligence (AI), machine learning, and automation to narrow the focus. But technology is not enough. Our people, culture, and process are just as critical.
You may not have trillions of signals to manage, but I bet you will still get a lot of value from a behind-the-scenes look at the CDOC. Even the small companies that I’ve worked with have improved the effectiveness of their security operations centers (SOCs) based on learnings from Microsoft.
Watch the operations episode of the CISO Spotlight Series—The people behind the cloud to get my take and a sneak peek at our team in action. In the video, I walk you through four principles:
- It starts with assessment.
- Invest in the right technology.
- Hire a diverse group of people.
- Foster an innovative culture.
It starts with assessment
Before you make any changes, it helps to identify the gaps in your current security system. Take a look at your most recent attacks to see if you have the right detections in place. Offense should drive your defenses. For example:
- Has your organization been victim to password spray attacks?
- Have there been brute force attacks against endpoints exposed to the internet?
- Have you uncovered advanced persistent threats?
Understanding where your organization is vulnerable will help you determine what technology you need. If you need further help, I would suggest using the MITRE ATT&CK Framework.
Invest in the right technology
As you evaluate technology solutions, think of your security operations as a funnel. At the very top are countless threat signals. There is no way your team can address all of them. This leads to employee burnout and puts the organization at risk. Aim for automation to handle 20-25 percent of incoming events. AI and machine learning can correlate signals, enrich them with other data, and resolve known incidents.
Invest in good endpoint detection, network telemetry, a flexible security incident and event management system (SIEM) like Azure Sentinel, and cloud workload protection solutions. The right technology will reduce the volume of signals that filter down to your people, empowering them to focus on the problems that machines can’t solve.
Hire a diverse group of people
The people you hire matter. I attribute much of our success to the fact that we hire people who love to solve problems. You can model this approach in your SOC. Look for computer scientists, security professionals, and data scientists—but also try to find people with nontraditional backgrounds like military intelligence, law enforcement, and liberal arts. People with a different perspective can introduce creative ways of looking at a problem. For example, Microsoft has had a lot of success with veterans from the military.
I also recommend organizing your SOC into specialized, tiered teams. It gives employees a growth path and allows them to focus on areas of expertise. Microsoft uses a three-tiered approach:
- Tier 1 analysts—These analysts are the front line. They manage the alerts generated by our SIEM and focus on high-speed remediation over a large number of events.
- Tier 2 analysts—This team tackles alerts that require a deeper level of analysis. Many of these events have been escalated up from Tier 1, but Tier 2 analysts also monitor alerts to identify and triage the complex cases.
- Tier 3 analysts—These are the threat hunters. They use sophisticated tools to proactively uncover advanced threats and hidden adversaries.
For a more detailed look at how Microsoft has structured our team, read Lessons learned from the Microsoft SOC—Part 2a: Organizing people
Foster an innovative culture
Culture influences SOC performance by guiding how people treat each other and approach their work. Well-defined career paths and roles are one way to influence your culture. People want to know how their work matters and contributes to the organization. As you build your processes and team, consider how you can encourage innovation, diversity, and teamwork.
Read how the CDOC creates culture in Lessons learned from the Microsoft SOC—Part 1.
Learn more
To learn more about how to run an effective SOC: