© Gorodenkoff/Shutterstock.com
Key Points
- Security operations centers face increasingly sophisticated threats, but still struggle with inefficiencies that weaken defenses.
- Lean Six Sigma principles can strengthen workflows, reduce false positives, and maximize the overall efficiency of any SOC.
- Continuous improvement, supported by automation and cross-functional collaboration, is essential for making a resilient, effective, and secure organization.
Security operations centers (SOCs) are under a great deal of pressure. Threats continue to evolve, attacks grow more sophisticated, and bad actors get more refined in how they deploy them. Despite cutting-edge tools and skilled, trained analysts, many security operations centers still struggle with inefficient practices and waste that compromise their overall security posture.
By borrowing principles and tools from Lean Six Sigma, organizations can identify and eliminate waste to streamline operations, bolster incident response, and improve their overall security posture. Today, we’re looking at some practical strategies to get your security operations center back on track.
Understanding Waste in Security
Waste in the context of SOCs can be a bit nebulous to define. In Lean terms, waste is any activity that consumes resources without adding value for the customer. For a SOC, the customer is the organization or end user relying on a secure system for daily operations.
Common wastes are close to what you would expect from manufacturing, but with a twist. For example, overprocessing in this case is analysts performing more steps than an alert warrants or repeating investigations that have already been done. Defects might be something like false positives or misclassified alerts.
These are just a few examples of what waste is going to look like when considering any security operations center.
Apply Lean Principles to Security Operations Centers
Reducing waste is best handled by Lean, which focuses on the reduction of non-value-added activities. As noted above, a non-value-added activity is something that doesn’t add value to the end product given to a customer. A few Lean tools let you cut these activities substantially while improving operational excellence.
For starters, you should use Value Stream Mapping for every step in your alert handling. From detection to resolution, each step along the way needs to be mapped to pinpoint where bottlenecks are occurring. Visualization tools like Value Stream Mapping can reveal inefficiencies in short order.
Next up, you should work to standardize all steps in your playbook. Common alerts should have standard operating procedures to minimize variation and reduce cognitive load. Further, you should have consistent triage criteria before remediation. Additionally, there should be clear indicators of when to escalate problems to the next stage.
Finally, you’ll want to make use of automation. Automating log collection, suppressing known false positives, and enriching alerts with additional context is a fantastic way of decreasing your security operations center’s mental fatigue while reducing the Mean Time to Respond for a given crisis.
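The three steps above (map the flow, standardize triage and escalation criteria, automate the routine parts) can be expressed as a small triage playbook. The following is an added example written for this article, not code from any SOC product or from the original post: the asset inventory, the list of documented known false positives, the severity values and the score thresholds are all constructed placeholders that a real team would replace with data from its SIEM, CMDB and playbook documentation.

```python
"""Standardized alert triage with suppression, enrichment and escalation.

Added example (not code from the original article). The asset inventory,
known-false-positive list, sample alerts and thresholds are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed asset inventory: hostname -> business criticality (1 low .. 3 high)
ASSET_CRITICALITY = {
    "pay-db-01": 3,
    "hr-app-02": 2,
    "dev-box-17": 1,
}

# Constructed list of known benign patterns. Each entry is a documented,
# reviewed exception, so dismissing a matching alert is a standard step
# rather than an analyst judgement call.
KNOWN_FALSE_POSITIVES = [
    {"rule": "port_scan", "source": "10.0.5.9", "reason": "authorized vuln scanner"},
    {"rule": "new_admin_login", "user": "backup-svc", "reason": "nightly backup job"},
]


@dataclass
class Alert:
    alert_id: str
    rule: str
    host: str
    source: str = ""
    user: str = ""
    severity: int = 1  # 1 low .. 3 high, as assigned by the detection rule


@dataclass
class Decision:
    alert_id: str
    action: str  # "suppress", "close", "investigate" or "escalate"
    score: int = 0
    notes: List[str] = field(default_factory=list)


def matches_known_fp(alert: Alert) -> Optional[str]:
    """Return the documented reason if the alert matches a known-benign pattern."""
    for fp in KNOWN_FALSE_POSITIVES:
        if fp["rule"] != alert.rule:
            continue
        if "source" in fp and fp["source"] != alert.source:
            continue
        if "user" in fp and fp["user"] != alert.user:
            continue
        return fp["reason"]
    return None


def enrich(alert: Alert) -> int:
    """Look up asset criticality; unknown assets default to medium (2)."""
    return ASSET_CRITICALITY.get(alert.host, 2)


def triage(alert: Alert, escalate_at: int = 6, investigate_at: int = 4) -> Decision:
    """Apply the same triage criteria to every alert.

    score = severity * asset criticality (range 1..9). The two thresholds
    are the playbook's escalation indicators (constructed values here).
    """
    decision = Decision(alert_id=alert.alert_id, action="close")
    reason = matches_known_fp(alert)
    if reason:
        decision.action = "suppress"
        decision.notes.append(f"known false positive: {reason}")
        return decision
    criticality = enrich(alert)
    decision.score = alert.severity * criticality
    decision.notes.append(f"asset criticality {criticality}")
    if decision.score >= escalate_at:
        decision.action = "escalate"
    elif decision.score >= investigate_at:
        decision.action = "investigate"
    return decision


def triage_all(alerts: List[Alert]) -> List[Decision]:
    return [triage(a) for a in alerts]


# Constructed sample alerts
SAMPLE_ALERTS = [
    Alert("A1", "port_scan", "dev-box-17", source="10.0.5.9", severity=2),
    Alert("A2", "new_admin_login", "pay-db-01", user="jsmith", severity=2),
    Alert("A3", "new_admin_login", "hr-app-02", user="backup-svc", severity=2),
    Alert("A4", "failed_logins", "dev-box-17", severity=1),
    Alert("A5", "malware_detected", "unknown-host", severity=3),
]

if __name__ == "__main__":
    for d in triage_all(SAMPLE_ALERTS):
        print(d.alert_id, d.action, d.score, "; ".join(d.notes))
```

Because the suppression list is data rather than analyst memory, every dismissed alert carries its documented reason, which is exactly the trail a later Root Cause Analysis of the false-positive rate needs.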
Six Sigma to Reduce Defects
Now that you’ve curbed the waste, it’s time to make use of Six Sigma to reduce your defects. The Six Sigma side of Lean Six Sigma is geared toward precision and reducing variation. In a security operations center, defects are going to appear as false positives, missed incidents, or inconsistent responses. To maintain a strong security posture, you want to curtail that yesterday, but today is a fine time to start.
Tools like Root Cause Analysis (RCA) are a massive benefit for looking at how your team is responding to incidents. If false positives are frequent, RCA helps to get to the underlying problem of how these are being reported, rather than simply trying to treat the symptoms.
Statistical Process Control (SPC) is fantastic for the measurement side of things: continuously monitoring alert volumes, triage and remediation times, and incident resolution metrics against control limits. This helps your team identify anomalies early and act on them before they turn into missed incidents.
Finally, any process improvement cycle would benefit from the use of DMAIC (Define, Measure, Analyze, Improve, Control). This structured approach makes sure that all improvements are measurable, sustainable, and grounded in empirical data rather than hunches. For any SOC looking to reduce waste and bolster consistency, focused DMAIC projects around your detection process are going to see massive gains across the board.
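SPC on SOC metrics is usually an individuals chart: estimate the centre line and control limits from a baseline period, then judge each new day against them. The block below is an added example written for this article (not code from the original post); the daily triage-time figures are constructed, and a real team would pull them from its ticketing system. It flags both single out-of-limit days and a sustained drift to one side of the centre line, the latter via a Western Electric run rule.

```python
"""Statistical Process Control for SOC metrics: an individuals (I-MR) chart.

Added example, not code from the original article. The daily triage-time
values are constructed. Control limits are estimated from a baseline period
(phase I) and then applied unchanged to new days (phase II).
"""
from statistics import mean
from typing import List, Tuple

D2_N2 = 1.128  # SPC constant d2 for moving ranges of two consecutive points


def control_limits(baseline: List[float]) -> Tuple[float, float, float]:
    """Return (centre, lcl, ucl) for an individuals chart from baseline values.

    Sigma is estimated from the average moving range, which is robust to a
    slow trend within the baseline.
    """
    if len(baseline) < 2:
        raise ValueError("need at least two baseline points")
    centre = mean(baseline)
    moving_ranges = [abs(b - a) for a, b in zip(baseline, baseline[1:])]
    sigma = mean(moving_ranges) / D2_N2
    ucl = centre + 3 * sigma
    lcl = max(0.0, centre - 3 * sigma)  # a duration cannot be negative
    return centre, lcl, ucl


def out_of_control(values: List[float], limits: Tuple[float, float, float]) -> List[int]:
    """Indices of values that breach the lower or upper control limit."""
    _, lcl, ucl = limits
    return [i for i, v in enumerate(values) if v < lcl or v > ucl]


def sustained_shift(values: List[float], centre: float, run: int = 8) -> List[int]:
    """Indices at which `run` consecutive points sit on one side of the centre.

    This is a Western Electric run rule: the process has drifted even though
    no single point breaches the limits. Points exactly on the centre reset.
    """
    hits, count, side = [], 0, 0
    for i, v in enumerate(values):
        s = (v > centre) - (v < centre)  # +1 above, -1 below, 0 on the line
        if s != 0 and s == side:
            count += 1
        else:
            side, count = s, (1 if s != 0 else 0)
        if count >= run:
            hits.append(i)
    return hits


# Constructed data: mean minutes from alert creation to triage decision, per day
BASELINE_DAYS = [12, 14, 13, 15, 12, 14, 13, 15, 14, 13]
NEW_DAYS = [14, 13, 29, 15]

if __name__ == "__main__":
    limits = control_limits(BASELINE_DAYS)
    centre, lcl, ucl = limits
    print(f"centre={centre:.2f} LCL={lcl:.2f} UCL={ucl:.2f}")
    for i in out_of_control(NEW_DAYS, limits):
        print(f"day {i}: {NEW_DAYS[i]} min is outside control limits")
    for i in sustained_shift(NEW_DAYS, centre):
        print(f"day {i}: sustained shift detected")
```

After a DMAIC project changes the process (say, the automation step above cuts triage time in half), the baseline must be re-estimated; keeping the old limits would either hide the improvement or flag the new, better normal as an anomaly.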
Reducing Waste Through Cross-Functional Collaboration

Any waste and defects found in your security operations center are going to be heavily compounded by siloed operations. Often, organizations silo security away as a necessary evil, rather than making it an integral part of operations. Lean principles encourage cross-functional collaboration, which is going to serve to improve communication and accountability while reducing unnecessary handoffs.
You might make use of consolidated dashboards that collate alerts, logs, and other pertinent data points into a single interface that easily communicates what your SOC is doing. Regular standup meetings also allow teams to align priorities, share progress, and address bottlenecks before getting to work for the day.
Finally, you’ll want to integrate feedback loops, with analysts, security personnel, and frontline technicians chiming in. You want to know how your standardized work measures and automation are performing, and this further helps to build institutional knowledge. These initiatives can and should be used to encourage collaboration between departments. Making security an integral part of operations is slowly becoming the norm for any organization, and laying the foundation for it now is going to save headaches down the line.
Quantifying Success
Eliminating waste is all well and good, but it is only half of the equation. If you don’t have quantifiable proof, then justifying your actions is going to be incredibly difficult. Thankfully, there are a few key metrics that most teams already gather in their security operations centers, which are as follows:
- MTTR (Mean Time to Respond): Faster resolution times indicate a noted reduction in waste.
- False Positive Rate: Lower rates show improved accuracy and reduced overprocessing.
- Alert Throughput: Higher throughput without the use of additional resources indicates increased efficiency.
- Analyst Utilization: Tracking time based on work done on high-value and low-value tasks can show where talent is being underutilized.
Regular monitoring of these metrics ensures that process improvements stick and helps to demonstrate ROI to your stakeholders.
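The four metrics in the list above are straightforward to derive from the records a ticketing system already keeps. What follows is an added example written for this article, not code from the original post: the alert records and the analyst timesheet are constructed, the task categories treated as "high-value" are an assumption for illustration, and MTTR is computed as the page defines it (time to first response), with time to resolution reported alongside it.

```python
"""SOC waste metrics computed from ticket records.

Added example, not code from the original article. The alert records, the
timesheet and the HIGH_VALUE_TASKS set are constructed for illustration.
Durations are reported in minutes, effort in hours.
"""
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed alerts: id, created, first_response, resolved (None if open), verdict, analyst
ALERTS: List[Tuple[str, str, str, Optional[str], str, str]] = [
    ("T1", "2024-03-04T08:00", "2024-03-04T08:10", "2024-03-04T09:00", "true_positive", "ana"),
    ("T2", "2024-03-04T08:30", "2024-03-04T08:35", "2024-03-04T08:50", "false_positive", "ana"),
    ("T3", "2024-03-04T09:00", "2024-03-04T09:20", "2024-03-04T11:00", "true_positive", "ben"),
    ("T4", "2024-03-04T10:00", "2024-03-04T10:15", "2024-03-04T10:25", "false_positive", "ben"),
    ("T5", "2024-03-04T11:00", "2024-03-04T11:30", None, "open", "ana"),
]

# Constructed timesheet: analyst, task category, hours logged
TIMESHEET: List[Tuple[str, str, float]] = [
    ("ana", "investigation", 4.0),
    ("ana", "manual_log_collection", 2.0),
    ("ana", "report_writing", 2.0),
    ("ben", "investigation", 5.0),
    ("ben", "manual_log_collection", 3.0),
]

# Assumed set of task categories the SOC treats as value-adding (Lean sense)
HIGH_VALUE_TASKS = {"investigation", "threat_hunting"}


def _minutes(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def mean_time_to_respond(alerts) -> float:
    """MTTR as the page defines it: mean minutes from creation to first analyst action."""
    times = [_minutes(created, first) for _, created, first, _, _, _ in alerts if first]
    return sum(times) / len(times) if times else 0.0


def mean_time_to_resolve(alerts) -> float:
    """Mean minutes from creation to closure, over closed alerts only."""
    times = [_minutes(created, done) for _, created, _, done, _, _ in alerts if done]
    return sum(times) / len(times) if times else 0.0


def false_positive_rate(alerts) -> float:
    """Share of closed alerts whose verdict was false positive."""
    closed = [a for a in alerts if a[4] != "open"]
    fps = [a for a in closed if a[4] == "false_positive"]
    return len(fps) / len(closed) if closed else 0.0


def alert_throughput(alerts, timesheet) -> float:
    """Closed alerts per analyst-hour worked."""
    closed = sum(1 for a in alerts if a[3] is not None)
    hours = sum(h for _, _, h in timesheet)
    return closed / hours if hours else 0.0


def analyst_utilization(timesheet) -> float:
    """Fraction of logged hours spent on high-value tasks; the rest is waste to target."""
    total = sum(h for _, _, h in timesheet)
    high = sum(h for _, task, h in timesheet if task in HIGH_VALUE_TASKS)
    return high / total if total else 0.0


def scorecard(alerts=ALERTS, timesheet=TIMESHEET) -> Dict[str, float]:
    """All four metrics from the article's list, plus time to resolution."""
    return {
        "mttr_minutes": mean_time_to_respond(alerts),
        "mean_resolve_minutes": mean_time_to_resolve(alerts),
        "false_positive_rate": false_positive_rate(alerts),
        "alerts_per_analyst_hour": alert_throughput(alerts, timesheet),
        "analyst_utilization": analyst_utilization(timesheet),
    }


if __name__ == "__main__":
    for name, value in scorecard().items():
        print(f"{name:26s} {value:8.2f}")
```

Run this against each week's records and feed the resulting series into the SPC limits from the earlier section; a rising false-positive rate or a falling utilization figure is then a signal for a Root Cause Analysis rather than a number buried in a dashboard.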
Continuous Improvement as a Mindset
Successful implementation of what we’ve discussed today isn’t achieved merely by adopting tools and principles. Continuous improvement can seem like a buzzword, but if your organization isn’t committed to it, everything we’ve discussed today is for naught. Continuous improvement is a cultural undertaking, with organizations big and small adopting it as a core, guiding principle rather than a one-off project.
Other Useful Tools and Concepts
Ready to start the work week right? You might want to take a closer look at how Kaizen can enhance customer feedback systems. Kaizen is the practice of continuous improvement and a central tenet of Lean; learning how to leverage it to make the most of your customer feedback is going to strengthen your relationship with customers in the long run.
Additionally, you might want to take a closer look at how Business Process Reengineering (BPR) can help you break through performance plateaus. Over time, processes reach their natural limits. When incremental improvements aren’t doing the job, you’ll want to start anew from a clean slate. That’s where BPR comes in, and it is one of the most powerful approaches you’ll find for rebuilding a process from scratch.
Conclusion
Committing to continuous improvement to reduce waste in your security operations center isn’t simply a matter of tweaking response playbooks once, tightening false positive recognition once, or automating the tedious work once. That said, a SOC that implements the strategies and tools we’ve discussed today is ensuring that it is prepared to handle emerging threats, even as they grow more complex and sophisticated.